Reasonable Security Measures: The State of Cybersecurity Laws


The landscape of consumer data protection and privacy continues to evolve with more and more states considering and enacting laws. As cybersecurity risks grow, state governments are responding, creating a widening web of laws that have become a compliance nightmare for organizations. This nightmare is especially vivid for enterprises that don’t take a proactive approach to delivering on the “reasonable security measures” required by many state regulations.

Currently, three states including California, Virginia and Colorado have enacted comprehensive data privacy laws. While all these data privacy measures seek to protect consumers, the provisions for improving consumer data privacy and security vary from state to state.

  • California Consumer Privacy Act (CCPA)/California Privacy Rights Act
    The California Consumer Privacy Act passed in 2018 and was amended by voters in November 2020 with the approval of the California Privacy Rights Act (CPRA). The CPRA, which goes into effect in 2023, expands the CCPA, giving consumers the right to correct inaccurate information and the right to ask businesses to stop selling, sharing and using their data. The CPRA also requires businesses to minimize the use, retention and sharing of personal information to only what is reasonably necessary for the purpose it was collected for and requires businesses to give people special notice if they plan to collect or use any sensitive personal information. The CPRA also creates the first state agency devoted entirely to privacy law enforcement. This data privacy law includes $7,500 fines per intentional violation and $2,500 per unintentional violation.
  • Virginia Consumer Data Protection Act (CDPA)
    The Virginia Consumer Data Protection Act gives consumers the ability to access, correct, delete and obtain a copy of personal data. The law also enables consumers to opt out of having their personal data processed for specific advertising purposes. Under the CDPA, consumers impacted by a data breach are not be able to pursue their own civil claims - this differs from the California law which does provide for a private right of action. Infringement of the CDPA will result in fines of $7,500 per violation.
  • Colorado Privacy Act (CPA)
    The Colorado Privacy Act, which goes into effect July 1, 2023, gives consumers the right to access, correct and delete personal data. Under this law consumers have the right to opt out not only of the sale of personal data but also the collection and use of personal data. The law also requires enterprises to ask for consent to hold certain sensitive information such as Social Security Numbers, driver’s license numbers and more. The maximum penalty for each violation of the Colorado law is $20,000.
    The CPA applies to companies that control or process personal data of more than 100,000 consumers per calendar year; or collect data from 25 000 Colorado residents and derive some revenue from the sale of that data. This provision makes Colorado’s law unique in that it seeks to ensure smaller companies are not impacted by the law, while at the same time holding larger enterprises responsible at a higher standard.

Many other states are considering their own privacy laws and cybersecurity laws. In 2021, at least 45 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity, according to the National Council of State Legislatures.

Corporate concerns are rising along with the number of state privacy laws being considered and enacted. A Bloomberg Law 2021 Technology Transactions Survey asked legal professionals which potentially forthcoming legal or regulatory changes they are most concerned about in the context of their work on technology matters and found that 63% of respondents were most concerned about state privacy legislation.

Proactive approach to privacy and security

As data privacy and security regulations evolve, enterprises must take steps to ensure they are compliant with the ever-growing patchwork of state laws. This is particularly challenging for organizations today operating in an environment where sophisticated cybercriminals continue to increase the frequency and severity of their attacks.

To comply with laws, organizations must understand what consumer data they have, what systems house the data and how the data being used. Data assessments like this ratchet up in complexity considering these questions must be asked and answered across operations including vendors.

Enterprises can reduce this complexity by taking a proactive approach to privacy and security that includes vetting solution providers based on how bulletproof their cybersecurity is.

Collaboration solutions can be an organization’s cybersecurity Achilles' heel when it comes to complying with privacy and security laws. To minimize the risks of noncompliance and data leakage, enterprises should ensure they have a secure and compliant by design mobile messaging solution like NetSfere. A collaboration platform like NetSfere, built from the ground up with enterprise-grade security, encryption and control, not only can help organizations deliver on the growing imperative for data privacy now but futureproofs compliance for enterprises as new data privacy and security laws are enacted.

Today, most state laws require “reasonable security measures” to ensure the privacy of confidential data. It is more than reasonable for enterprises to expect this level of data security and privacy from their mobile messaging and collaboration platform.