CCPA Landmine No 2


Document Your Approach to Information Security

No one wants to get sued after a data breach. But you can avoid or mitigate liability if you “implement and maintain reasonable security procedures appropriate to the nature of the information” (Civil Code 1798.150).

- We expect that the “implementation and maintenance of reasonable security procedures” will rest upon the company’s efforts to proactively identify, document and control risks throughout the enterprise. Assessments done pursuant to a common framework, such as ISO or NIST, would seem to be the bare minimum. But beyond the assessment process is the implementation of findings from the assessments, monitoring of controls, and, of course, training employees on obligations to support the business’s risk management efforts.

- Generally, encryption, anonymization and pseudonymization are all fairly established as “reasonable security procedures”. But security procedures are changing rapidly and constantly, and businesses must make decisions that are credibly bounded by the availability of resources. Document your approach and articulate why it is reasonable and “appropriate to the nature of the information”.

- Start with the standards laid out by ISO, NIST, or even the 20 controls proposed by the Center for Internet Security. Document the controls that you have in place, the roadmap for the future, and the justification for decisions in delaying or prioritizing controls. Aggrieved consumers and their attorneys will have a hard time challenging an approach to security that is reasoned, mature and defensible.