Data breaches and the 30 day cure
The California Consumer Privacy Act provides a business a 30-day cure period that consumers must give the business before suing for statutory damages. I’ve had many discussions with other security professionals about how long it takes to implement security safeguards (typically longer than 30 days) and whether implementing a safeguard after a breach could be considered a cure for a data breach at all. There are a couple of clarifying sections in the California Privacy Rights Act (CPRA) regarding cybersecurity and protection of Personal Information. One of them is Section 16, which amends Section 1798.150. It clarifies that implementing “reasonable security procedures and practices” after a data breach cannot be considered a cure.
CPRA and Reasonable Security
Regulatory changes will be forthcoming regarding requirements for security risk assessments and what organizations need to supply to the new California Consumer Protection Agency (CCPA). This discussion about risk assessments also points the way to clarifying what will be required to show reasonable security procedures and practices. It will not be sufficient to implement the CIS Top 20 controls. But more importantly for the business, it will be able to document that some technical controls are not required because they would be unreasonable for that business.
Here is a link to a blog post on “reasonable security” that may offer additional insight.
Here is a link to the text of the California Privacy Rights Act.
For a more detailed discussion of laws and reasonable security, read our white paper called Reasonable Security.
Learn more about our virtual CISO services here.