Overview:
Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.
Action Items:
1) Document security policies and procedures in a written information security plan or "WISP."
2) Review whether your WISP conforms to a known industry standard or framework.
3) Consider whether there are any security policies or procedures that have not been drafted, but should be included within your WISP.
4) Review the substance of your WISP on an annual basis.
5) Conduct periodic risk assessments to identify the primary risks to personal information.
6) Train employees on your security policies and procedures.
Related Documents:
1) Written Information Security Plan (WISP)
2) Privacy Policy / Notice
3) Documented Risk Assessments
4) Training records documenting that employees have been trained on security policies and procedures
5) Sample training content
Additional Guidance:
Comparison to Other Privacy Laws
There are over thirty statutes in the United States that require companies to take steps to protect personal information. Indeed, California Civil Code 1798.81.5 – which predated the CCPA by almost 15 years – contains a nearly identical standard to the one used within the CCPA. The only significant change that the CCPA makes to California's existing data security law is the prospect that a plaintiff may be able to recover statutory damages that exceed any real harm he or she actually incurred. From an international perspective, while California's security standard is nearly equivalent to that used within the GDPR, the CCPA shows a clear preference for private class action enforcement, whereas the GDPR incentivizes enforcement through supervisory authorities.
Article ID: 57
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/ccpa-implementation-of-reasonable-security-procedures-150-a-57.html