In many of the settlement agreements and stipulated orders in the FTC’s recently released 2019 Privacy and Data Security Update, the FTC repeatedly imposed a uniform set of mandates for businesses to implement following a data breach. Businesses subject to the new California Consumer Privacy Act may be able to use these mandates as a template to mitigate heightened class-wide data breach litigation risk.
In that report, the FTC claimed “a record year for enforcement actions aimed at protecting consumer privacy and data security.”
CCPA Notice and Cure Provision
The CCPA allows consumers to bring an action for statutory damages in the event of a data breach due to a business’s failure to implement reasonable security procedures. Before seeking these statutory damages, the consumer must provide 30 days’ written notice identifying the specific CCPA violation (i.e., the business’s failure to implement reasonable security procedures).
If the business cures the noticed violation and provides the consumer a written statement indicating that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.
The CCPA does not define “cure,” but businesses may be able to look to California’s Consumers Legal Remedies Act (CLRA) for guidance. The CLRA regulates unfair and deceptive practices related to the sale or lease of goods and services but prohibits damages under the act when “an appropriate correction, repair, replacement, or other remedy is given.”
Under the CCPA, the “correction, repair, replacement, or other remedy” arguably ties to the business’s security procedures, as the failure to maintain such procedures is what triggers the CCPA’s private right of action. Thus, the “cure” in the event of a data breach may be an appropriate correction or repair to a business’s security procedures.
FTC 2019 Update
The FTC 2019 update demonstrates a trend with respect to the mandates the FTC imposes on businesses in the event of a breach of consumer privacy and data security.
In several settlement orders, including those with respect to Facebook, Equifax, ClixSense.com, Retina-X, and InfoTrax Systems, the FTC consistently prohibited the sale, sharing, collection, maintenance, or storage of personal information unless the business implemented and maintained a comprehensive information security program that protects the security, confidentiality, and integrity of personal information (mandated information security program—MISP).
The MISP required subject businesses to, among other things:
- document the content, implementation, and maintenance of the program;
- designate a qualified employee to coordinate and be responsible for the program;
- assess, at least once every 12 months, the internal and external risks to the security, confidentiality, and integrity of personal information;
- design, implement, and document safeguards that address the internal and external risks;
- assess at least every 12 months the sufficiency of any safeguards;
- test and monitor the effectiveness of the safeguards at least once every 12 months;
- select and retain service providers capable of safeguarding personal information and require them to implement safeguards for personal information; and
- evaluate and adjust the information security program if there are changes to the business’s operations or circumstances that the business knows have an impact on the effectiveness of the program, and at a minimum every 12 months.
In connection with the MISP, the FTC also often required businesses to obtain recurring data security assessments by qualified, objective, independent third parties who use procedures and standards generally accepted in the profession.
Mitigating CCPA Data Breach Class Action Risk
It’s important to note that not every data breach results from a failure to implement reasonable security procedures. Indeed, even the most secure organizations are not immune to a data breach. Thus, to the extent a breach occurs, and a business believes reasonable security procedures were intact, the business’s breach notice, written response and actions should communicate this message consistently. Indeed, the only CCPA violation available to litigants is a business’s failure to maintain reasonable security procedures. Where no such violation has occurred, statutory damages are arguably not available.
Care must be taken in how a company addresses the cause of the breach in its notification letter and public statements. In addition to balancing state notification laws that require a description of the cause of the breach against those that prohibit it (e.g., Massachusetts), companies must now decide whether to pre-empt the cure request in the notice letter without admitting that their procedures were not reasonable.
Before the event occurs, companies should implement a program that meets the requirements of the MISP. In the breach response letter (or response to the cure demand), companies should mimic to the extent possible these requirements, affirming continued compliance.
The “cure” required will depend on the facts at hand, but because a business has only 30 days to implement it, the business must move quickly. Careful consideration should also be given to the express written statement following a cure and to what a business may be representing when it states that “no further violations shall occur.”
Now, more than ever, the value of a well-crafted incident response plan combined with a sound written information security program, both involving outside counsel from the outset, cannot be overstated.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Ron Raether is a partner at Troutman Sanders in Orange County, Calif., where he leads the firm’s Cybersecurity, Information Governance and Privacy practice group and is a member of the firm’s Consumer Financial Service group. He is known as the interpreter between businesses and information technology and has assisted companies in navigating federal and state privacy laws for over 20 years, defending hundreds of putative class actions making privacy-based claims.
Sadia Mirza is an attorney at Troutman Sanders in the firm’s Orange County, Calif., office. A Certified Information Privacy Professional in the U.S. (CIPP/US) and a Certified Information Privacy Manager (CIPM), she works with clients on privacy and security matters, including the recently enacted CCPA, and specializes in pre- and post-incident response.
Paul S. Kim is an attorney at Troutman Sanders in the firm’s Orange County, Calif., office. He advocates for corporate clients in a wide array of litigation matters involving privacy, class action, and business disputes. He also counsels clients in various compliance and regulatory matters.