California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement

Bret Cohen, Paul Otto, Nathan Salminen, and Morgan Perna (law clerk) of Hogan Lovells write:

….This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.

Available statutory penalties

The CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations of this provision are subject to statutory penalties of $100 to $750 per incident (which did not previously exist for breaches involving California residents’ personal information), additional actual damages, and injunctive relief. Judges may consider a defendant’s “assets, liabilities, and net worth” in determining the precise award.

Read more on Chronicle of Data Protection.

About the author: Dissent