Because of Covid 19, remote working has become highly popular. In the year 2020, every employee received some instruction on how to operate remotely. It has become a serious concern, particularly for small businesses, because they only have the necessities of network defenses to safeguard their central offices from cyber attacks.

What are the requirements under CCPA and CPRA for reasonable security measures?

California Consumer Privacy Act (CCPA)

Under the California Consumer Privacy Act (CCPA), adopting “reasonable security” is a defense against a customer’s private right of action, which provides them the power to sue for a data breach.

A client can seek remedy only if,

  • his personal information was not encrypted or erased, or
  • the organization failed to establish adequate protection to their personal information

It means that if a company implements security measures but still has a data breach, the company may be immune from liability provided the security measures are ruled acceptable. As a result, while reasonable security is not legally an affirmative need under the CCPA, it has become an unofficial requirement due to the reduced risk of consumer responsibility.

California Privacy Rights Act (CPRA)

When it comes to CCPA compliance and CCPA regulations, California was the first in the United States. Both CCPA and California Privacy Rights Act (CPRA) have been introduced in the state. It is essential for all organizations to comply with these data privacy laws and CCPA regulations.   

According to California Privacy Rights Act (CPRA), it is mandatory to implement reasonable security. Therefore, any firm that collects a consumer’s personal information must have adequate security processes and policies to secure such information under the updated California Civil Code 1798.100.

An organization must meet specific criteria to be classified as a “business” under the CCPA or CPRA. Unfortunately, many small and even large enterprises are often exempt from the CCPA because of these thresholds.

According to the CCPA and CPRA, every firm, large or small, that controls the personal data of California citizens must take reasonable security measures.

What is a CIS control?

CIS control, also known as the Centre of Internet Security, is a critical security control for effective cybersecurity. The CIS controls are divided into twenty categories, each organized into an Implementation Group (IG) based on the organization’s risk profile. For example, an IG1 organization is often a tiny business with minimal resources dealing with limited data. An IG3 organization, on the other hand, is a huge company that deals with extremely sensitive data and has the resources to hire in-house security professionals.

A solid first step toward reasonable security is to review the CIS controls, do a gap assessment to establish which controls are now in existence and inadequately implemented, and document the process.

What is the Difference in Rules in the implementation of reasonable security in CCPA and CPRA?

Investigating the security of service suppliers utilized by the company is also part of implementing reasonable security. The CCPA requires businesses to prohibit their service providers from keeping, utilizing, or sharing information for any purpose other than to carry out the contract under the CCPA. However, there are no further responsibilities in terms of supervising the privacy of the service provider.

The CPRA modifications demand that a company’s contract with service providers include many additional clauses not needed under the CCPA. Under CPRA, any company that collects personal details and shares them with a third-party service provider must engage in an agreement with the third-party service provider that includes the following provisions:

  • The third-party can share information only for specific purposes.
  • The third-party must provide the same level of data protection as the company.
  • The businesses must ensure that the service provider must comply with CPRA.
  • The third-party needs to inform the firm if they are unable to comply with CPRA.
  • Businesses can stop the illegal use of personal data by a service provider.

What is cyber liability insurance?

While most organizations have various insurance plans in place, such as commercial general liability and workers compensation liability, they mainly ignore cyber liability insurance.

Nobody can ensure the 100 percent security of all the systems, and a corporation may still be liable to a cyberattack even if it meets the standard of reasonable security. Ransomware is a hacking attack that can affect any company, large or small and is costly to repair. The global cost of ransomware is expected to be around $19 million by 2020. While the organization’s data may be successfully recoverable from backups to avoid having to pay the ransom, some fraud groups want to tell the data publicly, resulting in additional expenditures for addressing a public breach.

Cyber Attacks
Some major facts show the importance of cyber insurance for small businesses.

  • Small businesses are the target of 45% of cyber-attacks.
  • Cyber-attacks cost small firms on average $35 in 2018.
  • Seventy percent of small businesses fail within seven months of a cyber-attack.

Any firm with sensitive information should look into cyber insurance coverage to help limit the dangers of a devastating attack. It’s also a good idea to include minimal cyber insurance coverage criteria in contracts with service providers when thinking about its supply chain.


Reasonable security is critical to secure remote working, particularly for small organizations struggling to adapt to this popular trend. All firms under the CCPA and CPRA that handle the personal information of California residents must take adequate security precautions. The CCPA mandates businesses to restrict their service providers from retaining, using, or exchanging information for any reason other than to fulfill the CCPA contract. The CPRA amendments require that a company’s service provider contracts include numerous extra terms that were not required under the CCPA. Similarly, cyber liability insurance is critical because no one can guarantee that all systems are completely secure.