Minimum Reasonable Information Security Practices

Overview

The phrase reasonable security procedures and practices appears in California law, including the new California Consumer Privacy Act (CCPA).

The phrase is left undefined, except that reasonable is to relate to the nature of the information: the security procedures and practices must be reasonable to protect that information.

In the lead-up to and into the early years of California’s experience with the CCPA, we can expect a vigorous dialogue over what the phrase reasonable security procedures and practices will eventually come to mean.

SecureTheVillage believes the security practices described here are a minimum set of security practices that a company (subject to CCPA) must implement and maintain for it to claim that it has reasonable security procedures and practices.

The security practices described here are designed to be a floor: If you are not doing these things, then you do not have reasonable security procedures and practices.

Most definitively, SecureTheVillage is not claiming that a company that implements these practices has reasonable security practices; we are saying that a company’s failure to do so is prima facie evidence that the company’s security procedures and practices are not reasonable.
