It’s 2020, which means (among many other things) that we’ll start to see how the many predictions about the California Consumer Privacy Act will fare. Chief among those predictions: the CCPA’s private right of action for certain breaches of Californians’ “nonencrypted and nonredacted personal information” will spur an increase in data breach litigation. Predicting that consumers will take advantage of a statutory right to sue companies seems as easy as predicting tomorrow’s sunrise. But just how much such litigation will increase and how successful litigants will be turn on a number of questions courts will need to answer.
Of course, litigation over data breaches has existed for years. Plaintiffs have asserted claims under various federal and state statutory or common law theories, and they have been successful—at least in obtaining settlements. But plaintiffs have struggled to show any actual damages from the exfiltration or disclosure of their personal information, either because they cannot show any actual injury (in the form of out-of-pocket monetary losses) or because the breached companies essentially provided a cure by paying for credit monitoring and similar services or reimbursing customers for actual out-of-pocket losses. As courts have noted when approving settlements, plaintiffs’ difficulty in showing actual damages has resulted in settlements with payouts between $0.15 to $1.47 per claimant. The CCPA changes that dramatically, giving California residents the possibility of recovering $100-$750 “per consumer per incident or actual damages, whichever is greater.” So while the CCPA does not provide plaintiffs with any new legal theory for recovering from a data breach, the CCPA offers an exponential increase in the amount that potentially could be recovered.
Or does it? One key provision in the CCPA limits a consumer’s private right of action by giving businesses 30 days to cure any violation of the CCPA. That provision prohibits actions where a business “actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur.” Courts and businesses will struggle with a number of questions about this provision: what does it mean for a business to “actually cure” a data breach? Is it sufficient that a business provides credit monitoring or reimburses out-of-pocket losses? Or must a business also be able to demonstrate that it has taken adequate steps to improve its cybersecurity posture such that no similar breach will occur? And if so, what will those steps look like? What is the scope of a statement that “no further violations” will occur? Underlying these questions is whether a court can resolve them at the pleading stage or early enough in the litigation to protect a company against the settlement leverage plaintiffs wield simply by threatening a company with the substantial costs of defending itself in protracted litigation.
Those questions notwithstanding, this much is clear: there are already steps companies can take to minimize a possible data breach and, if one occurs, to be in the best position to avail themselves of the CCPA’s cure defense.
First, now is the time to assess your company’s security posture and information storage practices, and position yourself to demonstrate that your security is reasonable and adequately protects any personal information. Consider conducting a security maturity assessment in-house or with the benefit of a consultant—working with either in-house or outside counsel. Working with counsel ensures that your assessment will address the legal questions raised by the CCPA, which requires companies to (among other things) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” For any business to determine that its security posture is not just technically sound but also complies with this requirement, counsel will need to understand your security posture and provide legal advice about your company’s compliance with the CCPA.
Second, be prepared to cure any data breach. The CCPA’s cure provision could be a key litigation defense or bargaining chip following an incident, particularly if there is a question as to whether the company’s security is reasonable. You can expect plaintiffs’ counsel to send you the notice starting that 30-day clock within days, if not hours, of any announcement of a cybersecurity incident. So get ready now and make sure:
Your incident response plan is up to date, vetted, and tested.
You have a forensic incident response provider standing by to help in the event of a cybersecurity incident.
You have a plan for providing customers with credit monitoring services or other remedial measures, when appropriate, in the event of a breach.
Only with advance planning can you position your company to face potential CCPA litigation following a data security incident, and thus to best protect your company against inevitable data breach claims seeking exorbitant statutory penalties under the CCPA.