The CCPA went live on January 1, 2020, creating a cause of action and potential liability of between $100 to $750 per person for a data breach deriving from a business’ failure to maintain reasonable policies and procedures.  Unfortunately, the CCPA does not define the term “reasonable”.  While compliance lawyers and consultants properly have been advising their clients to shore up their cyber-security procedures, judges will have to determine what the standard means, lawyers will have to write jury instructions and verdict forms, and IT and standard-of-care experts will be subject Daubert disputes as to the admissibility of their opinions.  Here’s a litigator’s look at why the term “reasonableness” means what it says, and why it derives from a term that litigators and courts have used for decades. 


Hyman, S.J. & Walser-Jolly, G., Farrell, E., “What is a Reasonable Security Procedure and Practice under the California Consumer Privacy Act’s Safe Harbor”, 73 Conf. Cons. Fin. L. Q. 73-3 (Winter 2020)