Companies doing business in California may face a heightened risk of litigation when the state’s new privacy law takes effect in January, litigation and privacy attorneys say.
The California Consumer Privacy Act clears the way for state residents to sue companies for data breaches involving certain information, if a company fails to maintain reasonable security. Californians can seek damages of between $100 and $750 per consumer per incident under the law. That may mean millions of dollars for some companies, attorneys said.
The new, limited CCPA private right of action and possibility of statutory damages increase companies’ potential exposure to lawsuits in California, trial and privacy attorneys said. The attorneys said they expect a flood of litigation after the law takes effect on Jan. 1, 2020.
“The fact that it has a limited private right of action makes the flurry of litigation activity even more likely because the plaintiffs’ bar will be keen to press the limits of that limitation and what can and cannot be litigated,” Amy Lally, a Los Angeles, Calif.-based trial lawyer who leads Sidley Austin LLP’s CCPA litigation task force, said.
Corporate and plaintiffs’ attorneys alike expect some questions to be fleshed out in litigation, including what constitutes sufficient reasonable security and an adequate cure, because neither is defined under the law.
“The first few rulings will have a significant, outsized impact on shaping the scope of the litigation going forward, as interested parties and their attorneys assess how some of the earliest complaints are approached, as well as the defense strategies taken by defendants, and how courts respond,” Jad Sheikali, an associate at class action litigation firm McGuire Law P.C., said in an email.
Consumers can sue any company that does business in California and collects consumers’ personal information, and that meets one or more thresholds, including if it has an annual gross revenue above $25 million.
Right to Sue
Attorneys who represent plaintiffs in class action lawsuits said there won’t necessarily be a stampede to the courthouse.
“We aren’t looking at this as some silver bullet that we’re waiting for Jan. 1” to file lawsuits, Christopher Dore, a partner at plaintiffs’ class and mass action law firm Edelson PC, said.
Under the law, a consumer can sue if nonencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
The types of personal information that fall under that definition are different from, and narrower than, other provisions of the law, and align with the state’s data breach notification statute, attorneys said.
The private right of action only applies to these situations. A bill aimed at expanding the private right of action to allow consumers to sue businesses for any violation of the privacy law didn’t advance in the California legislature this year.
Californians can seek up to $750 “per consumer per incident or actual damages, whichever is greater” under the law. Consumers may not have to prove they suffered actual damages in order to sue.
The provision for statutory damages “is unique on the data breach landscape,” Alejandro Cruz, a partner at Patterson Belknap Webb & Tyler LLP, said in an email.
“California’s preexisting data breach statute allows for a private right of action, but the reality is that proving damages in a data breach case can be a heavy lift,” Cruz said. “The CCPA eliminates that hurdle for some plaintiffs by dispensing with the need to prove actual damages.”
Companies that are subject to potential class actions could face steep damages in the millions of dollars, attorneys said.
“If you look at availability of damages through calculation, the numbers are staggering,” Scott Lashway, a disputes partner and co-leader of Manatt, Phelps & Phillips LLP’s privacy and data security group, said.
Courts have to consider a variety of elements, including the “nature and seriousness of the misconduct” and the number of violations, among other things, when deciding the statutory damages under the law.
“The statute provides for a significant range of statutory damages, and it will be interesting to see how courts apply those damages, given the many factors that courts are permitted to consider,” Sheikali said.
Security, Cure Provisions
Some attorneys said they expect the courts to have to address what reasonable security means in particular situations, since the law doesn’t define what constitutes reasonable security procedures and practices.
Companies can look to best practices and guidance, such as those from the National Institute of Standards and Technology, and prior guidance from the California Attorney General’s office, among other recommendations that identify security controls and procedures to handle information with “reasonable” security, attorneys said.
Besides ensuring reasonable security practices are in place, companies should be working to determine whether they’re covered under the law, whether they hold information on California consumers and whether it’s encrypted, and what they need to do to comply with the law’s other privacy principles, attorneys said.
The statute also allows businesses to potentially avoid private suits for statutory damages if they cure a violation after being notified by a consumer.
A consumer wanting to bring suit—on an individual or class basis—for statutory damages has to give a business 30 days’ written notice specifically identifying alleged violations before starting an action. If the business can remedy the alleged violation, does so within 30 days, and gives the consumer an “express written statement” that it’s been cured, the individual can’t seek statutory damages.
The law doesn’t define what a company needs to do to effectively fulfill the provision, attorneys said. The cure provision could protect businesses against costly class actions, some attorneys said. Others see the potential ability to remedy an alleged violation as a get-out-of-jail-free card.
“Courts will need to decide what kind of remedial action by a defendant is sufficient to cure a data breach,” Allen Lanstra, a litigation partner at Skadden, Arps, Slate, Meagher & Flom LLP, said in an email.
“Companies should start thinking about what curing a data breach would look like in their respective industries, so they can be ready to take advantage of this potentially useful provision of the CCPA,” Lanstra said.
Edelson’s Dore said that the provision “incentivizes companies to violate the law until they get caught.” The ability to cure an incident is “not helpful to the cause of keeping businesses in line” and protecting consumers, he said.