"Working out those details is important, because many companies that collect personal data continue making "fundamental mistakes" in how they protect it, said Richard Forno, assistant director of the UMBC Center for Cybersecurity.
"In 2018, we should not be seeing these types of incidents and breaches," he said.
California's law is not quite as expansive as the European Union's General Data Protection Regulation. But even Europe's tougher regulations can't do much to prevent leaks and breaches, because they don't require companies to tell consumers they have their data, according to Troia.
Ensuring 100% security is impossible. "However, we do have to keep trying to reach that goal," Forno said. To that end, he and other security experts said companies should follow established best practices like encrypting data, drafting comprehensive security protocols, and alerting consumers to breaches. Such things won't stop breaches, but, like locking a front door or installing an alarm, they will make it much harder for the bad guys to get in -- which is the whole point."