This blog post is the third in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). The statute takes effect on January 1, 2020, which is less than six months away. Please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.
Thanks for reading!
Who can sue under the CCPA?
After efforts to expand the private right of action under the CCPA stalled when Senate Bill 561 did not make it out of the Senate Appropriations Committee, data breach violations remain the only privately-actionable claims under the CCPA. Specifically, consumers whose “nonencrypted or nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information…” may sue.
The CCPA’s other provisions (for example, provisions requiring covered entities to respond to consumers’ requests to opt out of the sale of their personal information or to delete it) are not privately-actionable under the CCPA as currently codified. One can anticipate further efforts either to revive SB 561 or to introduce additional legislation expanding the CCPA’s private right of action.
Private litigants suing under the CCPA may recover between $100 and $750 in statutory damages per incident, or actual damages, whichever is greater. Consumers may also seek injunctive or declaratory relief.
Can any data breach lead to a lawsuit under the CCPA?
No. Only a breach resulting in unauthorized access to specific types of personal information is privately-actionable. And even then, a consumer must also show that the breach resulted from the company’s unreasonable security procedures and practices. As with many of the CCPA’s provisions, concepts such as “reasonable” will likely be left for judicial definition.
The CCPA’s private right of action for data breaches applies to information “as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5.” That section lists the following:
(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number.
(ii) Driver’s license number or California identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.
While this does rule out private lawsuits for unauthorized disclosure of only names, telephone numbers, or e-mail addresses, it does not limit the considerable liability for institutions, especially financial institutions, that allow their customers to log on to their accounts and whose customer logon information is hacked.
Notably, while the CCPA contains a carve-out from its definition of personal information for data already covered by certain other privacy statutes, including the Gramm-Leach-Bliley Act (GLBA), that carve-out does not apply to the CCPA’s private right of action for data breaches. In other words, unauthorized disclosure of information subject to the GLBA would still support a data-breach claim under the CCPA.
To prevail in a private data-breach lawsuit under the CCPA, a consumer will also need to show that the company’s data-security procedures and practices were unreasonable in light of the nature of the information. The fact of the breach itself, while not dispositive on the point, could support the requisite showing.
What is the anticipated impact of the “cure” provision?
The CCPA contains a “cure” provision that requires consumers who want to bring a lawsuit to notify the covered entity of the alleged violation. The provision then permits that entity to “cure” the violation within 30 days.
The provision, however, may not be as helpful for CCPA-covered entities as it may seem. First, it applies only to claims for statutory damages. It does not apply to consumers who allege they suffered actual monetary damages as a result of a data breach.
Second, there is no definition in the CCPA as to what constitutes an acceptable “cure.” The CCPA states only that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the entity may avoid the suit. If the private information has already been hacked, however, a court may well hold that anything short of retrieving it would not “cure” the breach. Indeed, courts analyzing similar “cure” provisions in other California statutes have held that merely stopping a violation is insufficient to “cure” it. And retrieving hacked information may simply not be possible in most cases.
Because it may be impossible to retrieve hacked information in most cases, i.e., to “unring the bell,” the Legislature arguably intended to allow businesses to provide some other type of “cure” to affected consumers. One possible strategy to consider is to examine the terms of some of the recent high-profile data-breach lawsuit settlements and note the relief offered to affected consumers. It could then be argued that providing the same relief afforded consumers in these data-breach settlements is a “cure” under the CCPA.
For example, the recent Equifax data-breach settlement includes cash reimbursement for customers who complained about time spent trying to avoid or recover from fraud or identity theft (the Equifax settlement provided $25 an hour for up to 20 hours for affected consumers), as well as free credit monitoring for an extended period of time. Notably, unlike other California consumer statutes that contain cure provisions (such as the California Consumer Legal Remedies Act), the CCPA’s language suggests that businesses would only need to cure the identified individual violation to invoke the “cure” provision (as opposed to curing the violation as to an entire class of similarly-situated individuals). Providing such cure options as cash reimbursement and free credit monitoring to an individual litigant to avoid a claim would be far less onerous than attempting to do so on a class-wide basis.
The CCPA takes effect in less than six months. As we have seen with the recent Equifax settlement, the stakes are high and will be even higher when regulators and private attorneys have another statutory basis upon which to seek monetary damages. Companies that believe they may be subject to the CCPA should take steps to prepare, beginning with developing a complete understanding of what CCPA-covered data they potentially hold and how it may be at risk of exposure.
Scott D. Pressman provided substantial research assistance for this post.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.