Key Takeaways
| Point | Summary |
|---|---|
| Core requirement | Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information (the duty in Cal. Civ. Code § 1798.81.5, enforced privately through § 1798.150) |
| Private right of action | Consumers can sue when their nonencrypted and nonredacted PI is breached because of a failure to maintain reasonable security |
| Statutory damages | $107 to $799 per consumer per incident, or actual damages if greater (the statute sets $100 to $750, which the CPPA adjusts for inflation; confirm the current figures before relying on them) |
| Encryption safe harbor | Properly encrypted or redacted data is outside the private right of action, provided the key is not compromised along with it |
| No specific standards | CCPA does not mandate specific controls; the California AG has pointed to the CIS Controls as the baseline for "reasonable" |
Quick Answer: CCPA requires businesses to implement and maintain "reasonable security procedures and practices" appropriate to the nature of the personal information they hold. When nonencrypted and nonredacted PI is breached because that duty was not met, affected consumers can sue for statutory damages of $107 to $799 per consumer per incident (inflation-adjusted from the statute's $100 to $750) or actual damages, whichever is greater, on top of AG/CPPA enforcement.
The "Reasonable Security" Standard
What Does "Reasonable Security" Mean?
| Aspect | Details |
|---|---|
| Definition | Not explicitly defined in the CCPA |
| Standard | Appropriate to the nature of the information |
| Reference | The California Attorney General has pointed to industry standards, specifically the CIS Controls |
| Evolution | The standard evolves with technology and the threat landscape |
California AG Guidance
In its 2016 California Data Breach Report, the Attorney General stated that the CIS Critical Security Controls define a minimum level of information security, and that failing to implement all of the controls that apply to an organization's environment constitutes a lack of reasonable security. The report cited the 20-control version current at the time; CIS Controls v8 (18 controls, with the v8.1 refresh published in 2024) is the version businesses should measure themselves against today. The table below maps the control areas the report emphasised to their v8 numbering.
| Control Area (CIS v8 control) | Examples |
|---|---|
| Inventory and control of enterprise and software assets (1, 2) | Inventory of authorized devices and software; unknown assets removed or quarantined |
| Data protection (3) | Data classification, encryption at rest and in transit, deletion when no longer needed |
| Secure configuration of enterprise assets and software (4) | Hardened baselines, default credentials changed |
| Account and access control management (5, 6) | Least privilege, MFA, dedicated and limited administrative accounts |
| Continuous vulnerability management (7) | Regular vulnerability scanning and risk-based patching |
| Audit log management (8) | Centralised log collection, retention and review |
| Email and web browser protections (9) | Mail filtering, DNS filtering, browser hardening |
| Malware defenses (10) | Anti-malware/EDR on all enterprise assets |
| Data recovery (11) | Tested backups kept isolated from production |
| Network infrastructure management and monitoring (12, 13) | Firewalls, segmentation, network monitoring |
| Incident response management (17) | Documented, tested response plans and contacts |
Private Right of Action
Unique Liability Under CCPA
The CCPA creates a private right of action for certain data breaches (Cal. Civ. Code § 1798.150), which sets it apart from most other US state privacy laws.
| Aspect | Details |
|---|---|
| Who can sue | California consumers whose PI was affected by the breach |
| Cause of action | Nonencrypted and nonredacted PI subject to unauthorized access and exfiltration, theft or disclosure because of the business's failure to implement and maintain reasonable security |
| No actual damages required | Statutory damages are available without proving harm |
| Class actions | Permitted and common |
Damages Available
| Damage Type | Amount (2025) |
|---|---|
| Statutory damages (minimum) | $107 per consumer per incident |
| Statutory damages (maximum) | $799 per consumer per incident |
| Amount within the range | Set by the court, considering the nature and seriousness of the misconduct, the number of violations, their persistence and duration, willfulness, and the defendant's assets, liabilities and net worth |
| Actual damages | Recoverable instead of statutory damages when they are greater |
| Injunctive relief | Available |
| Declaratory relief | Available |
Calculating Potential Exposure
| Scenario | Statutory damages range |
|---|---|
| 10,000 affected consumers | $1,070,000 to $7,990,000 |
| 100,000 affected consumers | $10,700,000 to $79,900,000 |
| 1,000,000 affected consumers | $107,000,000 to $799,000,000 |
These figures are simply the number of affected consumers multiplied by the per-consumer range for a single incident; they exclude actual damages, legal costs and regulatory penalties.
Pre-Suit Requirements
30-Day Notice Period (Private Right of Action)
Before filing a private lawsuit seeking statutory damages for a data breach, a consumer must give the business 30 days' written notice identifying the specific CCPA provisions the consumer alleges were violated (Cal. Civ. Code § 1798.150(b)). No notice is required for a suit seeking only actual pecuniary damages.
| Step | Details |
|---|---|
| Consumer notice | Written notice identifying the specific CCPA provisions alleged to have been violated |
| Notice period | 30 days before filing a suit for statutory damages |
| Cure limitations | Implementing and maintaining reasonable security after a breach does not count as a cure with respect to that breach |
| Avoiding statutory damages | Where a cure is possible, a business that actually cures the noticed violation within the 30 days and gives the consumer an express written statement that the violation has been cured and will not recur avoids an action for individual or class-wide statutory damages; claims for actual pecuniary damages are unaffected |
Important: because the statute says post-breach security improvements are not a cure, the pre-suit notice rarely stops breach litigation; most breach cases proceed once the 30 days have run.
Regulatory vs. Private Action Cure
| Type | 30-Day Provision | Practical Effect |
|---|---|---|
| Regulatory (AG/CPPA) | The original CCPA gave businesses 30 days to cure after notice from the AG; the CPRA removed that mandatory cure period effective January 1, 2023, and the CPPA may now consider whether a violation was cured at its discretion | Cure is a mitigating factor, not a bar to enforcement |
| Private action (breach) | Consumer must give 30 days' written notice before suing for statutory damages | Rarely prevents a lawsuit, since post-breach remediation is not a cure |
Notice Requirements
| Element | Requirement |
|---|---|
| Format | Written notice |
| Content | Identify the specific CCPA provisions the consumer alleges were violated |
| Delivery | To the business |
| Timing | 30 days before filing a suit for statutory damages |
Encryption Safe Harbor
How Encryption Protects Businesses
| Scenario | Private Right of Action Available? |
|---|---|
| Unencrypted PI breached | Yes |
| Encrypted PI breached, key secure | No (safe harbor) |
| Encrypted PI breached, key also compromised | Yes. Data the attacker can decrypt is not protected in any meaningful sense, and the breach notification law treats encrypted data whose key or security credential was also acquired as if it were unencrypted |
| Redacted PI breached | No (safe harbor) |
Encryption Best Practices
| Practice | Details |
|---|---|
| At rest | Encrypt stored PI with authenticated encryption; disk-level encryption protects lost or stolen media but not data read through a running application or database, so pair it with application- or field-level encryption for high-value fields |
| In transit | Use TLS 1.2 or later for all transmission, including internal service-to-service traffic |
| Key management | Hold keys in a KMS or HSM in a separate trust boundary from the data; restrict and log who can call decrypt; rotate keys |
| Strong algorithms | Use current standards such as AES-256-GCM; avoid deprecated algorithms and unauthenticated modes |
| Regular review | Re-evaluate algorithms, key sizes and libraries as standards evolve |
What Counts as "Encrypted"?
| Element | Requirement |
|---|---|
| Algorithm | Industry-accepted, strong encryption (e.g. AES-256 in an authenticated mode) |
| Implementation | Properly implemented: random per-record nonces, vetted libraries, no home-grown ciphers |
| Key protection | Keys stored securely and separately from the data, with access limited and logged |
| Documentation | Able to demonstrate, for the breached data set, that encryption was in place at the time of the breach and that the keys were not exposed |
Note: Encodings such as Base64 or hex, compression, and weak or deprecated algorithms do not qualify for the safe harbor, and neither does strong encryption whose key sat next to the ciphertext (a hard-coded key, a key file in the same backup, or a dumped database with its key in a config table). The test is whether the data is unreadable without a key the attacker did not get.
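The following Go program is an added example, not code from the original page or from Bastion, showing the safe-harbor distinctions above with the standard library's crypto/aes and crypto/cipher packages: a record encrypted with AES-256-GCM under a key held by a separate key service is unreadable from a stolen database dump alone, becomes readable the moment the key leaks as well, and Base64 "protection" is readable with no secret at all. The KeyService type, its Leak method, the key ID dek-2025-01 and the sample record are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed sample record; the values are made up for this example.
const sampleRecord = `{"name":"Jane Doe","ssn":"000-00-0000","email":"jane@example.test"}`

// Envelope is what the data store persists: a key reference, never the key itself.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte auth tag appended
}

// KeyService is a hypothetical stand-in for a KMS/HSM holding keys outside the data store.
type KeyService struct{ keys map[string][]byte }

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// Generate creates a random 256-bit data-encryption key under the given ID.
func (k *KeyService) Generate(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[id] = key
	return nil
}

// Leak models the "key also compromised" scenario; a real key service never exposes raw keys.
func (k *KeyService) Leak(id string) []byte { return append([]byte(nil), k.keys[id]...) }

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("missing or wrong-size key: AES-256 needs 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record under the key referenced by keyID. The key ID is bound in as
// additional authenticated data, so an envelope cannot be quietly re-pointed at another key.
func Encrypt(ks *KeyService, keyID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(ks.keys[keyID])
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh for every record
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// TryDecrypt is the attacker's view: given a stolen envelope and a candidate key, can the
// record be read? GCM's tag check rejects a wrong key and any modified ciphertext.
func TryDecrypt(candidateKey []byte, env Envelope) (plaintext []byte, ok bool) {
	gcm, err := newGCM(candidateKey)
	if err != nil {
		return nil, false
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
	return pt, err == nil
}

// Decrypt is the legitimate path: the key is looked up by reference at use time.
func Decrypt(ks *KeyService, env Envelope) ([]byte, error) {
	if pt, ok := TryDecrypt(ks.keys[env.KeyID], env); ok {
		return pt, nil
	}
	return nil, errors.New("decryption failed: unknown key, wrong key or tampered ciphertext")
}

// Base64 is a transport encoding, not encryption: it reverses with no secret at all.
func EncodeOnly(p []byte) string          { return base64.StdEncoding.EncodeToString(p) }
func DecodeOnly(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(s) }

func main() { // demo only; errors are ignored here and checked in the functions above
	ks := NewKeyService()
	_ = ks.Generate("dek-2025-01")
	env, _ := Encrypt(ks, "dek-2025-01", []byte(sampleRecord))
	_, dumpOnly := TryDecrypt(make([]byte, 32), env)         // attacker has the dump, not the key
	_, dumpAndKey := TryDecrypt(ks.Leak("dek-2025-01"), env) // attacker got the key as well
	dec, _ := DecodeOnly(EncodeOnly([]byte(sampleRecord)))
	fmt.Println("readable? dump only:", dumpOnly, "dump+key:", dumpAndKey, "base64:", string(dec) == sampleRecord)
}
```

Run with `go run main.go`; it prints `readable? dump only: false dump+key: true base64: true`. The design point is the Envelope: the store holds only a key ID, so an exported database contains nothing an attacker can use without also breaching the key service, which is the evidence you need for the "key secure" row of the table. Binding the key ID as associated data and using a fresh random nonce per record are what make the "properly implemented" row true rather than aspirational.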
Building a Reasonable Security Program
Risk Assessment
| Activity | Purpose |
|---|---|
| Data inventory | Understand what PI you have |
| System mapping | Know where PI is stored and processed |
| Threat analysis | Identify potential threats |
| Vulnerability assessment | Find security weaknesses |
| Risk prioritization | Focus resources on the highest risks |
Security Controls
| Category | Examples |
|---|---|
| Administrative | Policies, procedures, training |
| Technical | Firewalls, encryption, access controls |
| Physical | Facility security, device protection |
Framework Alignment
| Framework | Benefit |
|---|---|
| CIS Controls v8 | Current version of the controls the AG cited as the baseline for reasonable security |
| NIST Cybersecurity Framework | Comprehensive, widely recognized |
| ISO 27001 | International standard, certifiable |
| SOC 2 | Third-party attestation over the controls in scope |
Breach Response Requirements
California Breach Notification Law
California has a separate breach notification law (Cal. Civ. Code § 1798.82) that works alongside CCPA.
| Requirement | Details |
|---|---|
| Who must notify | Any person or business that conducts business in California and owns or licenses computerized data that includes PI; a business that merely maintains such data for another must notify the owner or licensee |
| When | In the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement and of the investigation |
| Threshold | Unauthorized acquisition of unencrypted PI, or of encrypted PI where the encryption key or security credential was (or is reasonably believed to have been) acquired as well |
| AG notification | Required when a single breach requires notice to more than 500 California residents; a sample copy of the notice is submitted to the AG |
Breach Notification Content
| Element | Requirement |
|---|---|
| Title | "Notice of Data Breach", written in plain language |
| What happened | Under the heading "What Happened": description of the incident and, if known, the date or estimated date range of the breach |
| Data involved | Under "What Information Was Involved": types of PI affected |
| Business response | Under "What We Are Doing": steps taken to address the breach |
| Consumer steps | Under "What You Can Do": recommended protective actions |
| Contact information | Under "For More Information": how to get more information; toll-free numbers and addresses of the major credit reporting agencies if SSNs, driver's license or California ID numbers were exposed |
| Identity theft protection | If SSNs, driver's license or California ID numbers were exposed, an offer of identity theft prevention and mitigation services at no cost for at least 12 months, with enrolment information included in the notice |
Response Timeline
| Action | Timing |
|---|---|
| Discovery | Runs from when the breach is discovered or the business is notified of it |
| Investigation | Complete expeditiously; reasonable measures to determine the scope of the breach and restore system integrity may precede notice |
| Notification | In the most expedient time possible and without unreasonable delay |
| AG reporting | When more than 500 California residents must be notified, submit a sample copy of the notice to the AG |
Documentation and Evidence
Why Documentation Matters
| Purpose | Explanation |
|---|---|
| Defense | Evidence of reasonable security measures |
| Compliance | Demonstrate ongoing compliance |
| Improvement | Support continuous improvement |
| Response | Aid breach investigation and response |
What to Document
| Element | Examples |
|---|---|
| Policies | Information security policy, acceptable use |
| Procedures | Access provisioning, incident response |
| Assessments | Risk assessments, vulnerability scans |
| Training | Security awareness training records |
| Audits | Internal and external security assessments |
| Incidents | Incident logs and response documentation |
Upcoming Requirements (2026)
Cybersecurity Audits
The CPPA's regulations on cybersecurity audits, risk assessments and automated decision-making technology (ADMT) took effect January 1, 2026, with the audit and assessment obligations phased in over the following years.
| Aspect | Details |
|---|---|
| Who | Businesses whose processing of PI presents significant risk to consumers' security, as determined by the revenue and volume-of-PI thresholds in the regulations |
| Frequency | Annual, performed by a qualified, independent auditor; first audits phase in by revenue, with the largest businesses due first in 2028 |
| Scope | Whether the business's cybersecurity program is appropriate to its size, complexity and processing, and how its specific safeguards (such as MFA, encryption, logging and vulnerability management) protect PI |
| Documentation | Written audit report retained by the business; a certification of completion submitted to the CPPA |
Risk Assessments (including Automated Decision-Making)
| Aspect | Details |
|---|---|
| Who | Businesses whose processing presents significant risk to consumers' privacy, including selling or sharing PI, processing sensitive PI, and using ADMT for significant decisions about consumers |
| What | A documented assessment of the purpose of the processing, the categories of PI involved, the benefits, the risks to consumers and the safeguards that address them |
| When | Before initiating the processing; reviewed at least every three years and updated after material changes |
| Submission | An attestation that the assessments were completed, with summary information, submitted to the CPPA on the schedule set in the regulations; the full assessment must be provided on request |
Common Security Gaps
| Gap | Recommendation |
|---|---|
| No data inventory | Map all personal information |
| Weak access controls | Implement least privilege |
| Missing encryption | Encrypt PI at rest and in transit |
| No monitoring | Deploy logging and alerting |
| Untrained staff | Regular security awareness training |
| No incident response plan | Develop and test response procedures |
| Unpatched systems | Implement a patch management program |
| No vendor security | Assess third-party security practices |
How Bastion Helps
Implementing reasonable security requires a systematic approach and ongoing attention.
| Challenge | How We Help |
|---|---|
| Security assessment | Gap analysis against CCPA requirements |
| Framework implementation | CIS Controls, NIST CSF, ISO 27001 alignment |
| Policy development | Security policies and procedures |
| Breach preparation | Incident response planning and testing |
| Vendor security | Third-party risk assessment |
| Audit readiness | Documentation and evidence collection |
Need help with CCPA data security requirements? Talk to our team →