Caroline Lee explains that in 2013, California became the first state in the nation to enact a Data Breach Notification law.
Under this law:
All persons, businesses, and state and local agencies that own or license a database that contains personally identifiable information must notify a California resident when his or her personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Back in January 2016, the statute was amended to clarify what constitutes "encrypted":
Rendered unusable, unreadable, or indecipherable to an unauthorized person through security, technology, or methodology generally accepted in the field of information security.
In February 2016, the California Attorney General released a report reviewing the previous four years of California data breaches to understand what should be implemented going forward. In that report, guidance was provided for the first time as to what constitutes reasonable security practices.
Failure to implement all 20 of the Center for Internet Security's Critical Security Controls would constitute a lack of reasonable security.
Implementing and navigating these laws and policies can be tricky.
Any time you're procuring technology goods and services, these laws should be considered.