Reasonable Security Measures: The Next Focus in Data Breach Litigation
For years, the big issue in data breach lawsuits was standing. However, the California Consumer Privacy Act’s (CCPA’s) private right of action with statutory damages means standing likely will not be the central issue in many future data breach cases. The battle line will shift to whether or not a company implemented reasonable security measures, an element under the CCPA and common-law claims frequently asserted in data breach litigation.
The CCPA does not define reasonable security measures. Industry-specific standards, like the Gramm-Leach-Bliley Act (GLBA), provide more detail. While helpful, recognized standards such as NIST, CIS, and ISO contain subcontrols that may only apply in some situations, creating factual issues that are difficult to prove.
Colorado’s attorney general recently released straightforward guidance. It suggests nine steps an organization can take to ensure that it implements reasonable security measures for protecting consumers’ personal information. While the Colorado guidance is not binding across all common-law claims, it provides a map for how companies can document reasonable security measures through policies a jury can easily understand.
Step No. 1: Know What You Have and Who Has Access
The first step includes taking inventory of the types of personal information collected and creating a system for storing and managing such information. Organizations should monitor employee access to personal information and have a written data retention and destruction policy.
Step No. 2: Have a Written Information Security Policy
Organizations should memorialize their data security practices in a written information security policy (WISP). Some standard data security practices include data minimization, access control, password management, and encryption. An organization’s information security procedures should also adhere to industry standards where possible (e.g., ISO/IEC 27000 standards for storing employee data, Payment Card Industry’s Data Security Standard for organizations that collect credit card information, etc.). The WISP should not simply be a spreadsheet of controls. It should be a comprehensive overview of the program written in plain language.
Step No. 3: Have a Written Incident-Response Plan
Adopt a written incident-response plan in both physical and digital form, in case a cyberattack renders the digital copy unusable. The plan should detail steps the organization would take in the event of a security incident, like notification procedures and remedial actions. To ensure it can execute the response plan, the organization should conduct response training and simulated, interactive exercises that test its incident-response procedures.
Step No. 4: Know Your Vendors
Reasonable security measures to protect personal information include effective vendor management. Organizations should vet potential vendors and must require by contract that vendors adopt and take reasonable and appropriate security measures to protect the personal information that they process on behalf of the organization, allow for at least annual audits by the organization of the vendor’s security procedures, and aid the organization in the event of a security breach.
Step No. 5: Train Your Employees
Implement an effective employee-training program as a reasonable security measure. Training employees on cybersecurity preparedness and on identifying and reporting suspicious emails and other network activity can be critical in preventing potential cyberattacks. The training program should be documented.
Step No. 6: Follow the Colorado AG’s 2021 Ransomware Guidance
Follow the Colorado attorney general’s 2021 ransomware guidance to help bolster cybersecurity and resilience against ransomware attacks. Per the 2021 guidance, best practices for responding to ransomware attacks include multifactor authentication, encryption, end-point detection and response, data backup and ensuring that backup copies are readily accessible off-line, regular system updates and patching, testing incident-response plans, and network segmentation.
Steps 7 and 8: Promptly Conduct Investigations and Provide Notifications, When Necessary
Organizations that process personal information have a duty to protect such information and should conduct a prompt investigation in case of a security breach. Depending on the type of personal information affected and the magnitude and severity of the breach, organizations may be required to notify consumers and follow any additional notification obligations determined by other state laws. Organizations should also be prepared to compensate affected individuals by providing free credit-monitoring services.
Step No. 9: Regularly Review and Update Your Security Policies
Organizations should regularly review and update their security policies where necessary. Assessing whether data collection, storage, and use practices are updated for changes to internal processes and applicable risks is key to ensuring that the organization is undertaking reasonable security measures. As organizations introduce new products and services or adopt different business practices, the policies governing security practices should be updated accordingly.