LAW.COM had a very good reminder that you really need to keep in mind. Here is an extract: "With just days to go before the California Consumer Privacy Act (CCPA) compliance date, some companies may be scrambling to get their data collection and management processes in order.
"Others, however, might be taking a wait-and-see approach before fulling investing into large-scale changes. Whatever an organization’s plan, there are certain things all covered entities should know about the far-reaching privacy law before January 2020.
“Reasonable” Security is Required
"The CCPA isn’t all about privacy. In fact, the regulation also mandates that covered entities maintain reasonable security procedures, something that does not get as much attention as the data handling requirements. “It certainly hasn’t been focused on and it ought it to be,” Mark Schreiber, partner at McDermott Will & Emery said.
"To be sure, exactly what constitutes 'reasonable' security isn’t clarified in the CCPA. Still, Schreiber said that there are hints in what the state expects given its past positions. “The California attorney general years ago in other pronouncements identified the 20 CIS [security] controls —which is this fairly intense and robust set of security standards—as being what California would look to. So that’s been out there for some years and those are fairly granular in terms of the different components that need to be in place. Here is the full article.
You have to implement a Security Awareness and Training Program
Number 17 on the CIS list, in the section Organizational CIS Controls requires your organization to roll out a Security Awareness Training Program. If you get hacked because a user falls for a social engineering attack and your suffer a data breach that has California-related records in there—and who hasn't— you are in violation and can get fined.
Here is a whitepaper that clarifies the legal concept of "Reasonable" measures. It's excellent ammo to communicate to your budget holder that this is not an option, it's legally required.