Four to six percent. That’s the likelihood of being sued in a federal class action lawsuit after a company experiences a publicly reported data breach.
While this relatively low statistic should provide some comfort for organizations that fall victim to a breach, the chances of being sued dramatically increase if your company is a well-known, consumer-facing business. This is one area where brand recognition really can hurt—the more that people recognize your name, the more likely they are to sue you.
But being sued does not automatically result in multi-million dollar judgments.
For years, class action plaintiffs have struggled with two primary issues:
- establishing that a concrete injury (the injury-in-fact required for Article III standing) flowed from the mere fact that personally identifiable information (PII) may have found its way into the wrong hands; and
- establishing that any injury was causally connected to one particular breach rather than to some other one.
In other words, how can you establish that the line of credit opened in your name by an unknown scoundrel was the direct result of a particular breach when you were notified of multiple large and highly public breaches? You often cannot. However, that is about to change with the recent passage of the California Consumer Privacy Act (CCPA).
Substantial Statutory Damages
On January 1, 2020, California is set to become the first state to provide statutory damages to consumers whose personal information is exposed in a breach, regardless of whether the affected California residents have suffered any actual harm. The statutory damages are substantial: $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The act has a safe harbor of sorts against statutory damages. Before an action for statutory damages may be initiated, the consumer must give the business 30 days’ written notice identifying the specific provisions alleged to have been violated; if the business actually cures the noticed violation within that period and gives the consumer a written statement that it has done so and that no further violations will occur, no action for statutory damages may be brought. As a practical matter, it is difficult to say what would constitute a “cure” of a breach: the disclosed data cannot be recalled, so any cure must be directed at the security failure that allowed the breach to happen.
The CCPA’s private right of action is limited to personal information that was not encrypted or redacted, which makes encryption at rest one of the few controls that can take data out of the statute’s reach entirely. It also requires the breach to have occurred “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Depending on the nature of the breach and the readiness of the organization, 30 days may not be a sufficient cure period, and you can be sure that plaintiffs will argue that any alleged cure was not sufficient and/or was not actually implemented.
The net result is that businesses subject to the CCPA (i.e., for-profit businesses doing business in California that have annual gross revenue of more than $25 million, that handle the personal information of 50,000 or more consumers, households, or devices, or that derive 50 percent or more of their revenue from selling personal information) that report a breach involving California residents’ data can expect to receive cure demands and to be sued in a class action in California.
Non-California Subclasses Expected
But the CCPA is likely to be a game-changer for the non-California class members as well. A class lawyer will almost certainly not limit the class to California and will seek to represent a nationwide class under the same legal theories plaintiffs have pursued for years with mixed results, e.g., negligence (still the most predominant legal theory), breach of contract, or consumer fraud.
While these non-California subclasses may still face uphill battles, if a plaintiff can survive a motion to dismiss with regard to a California CCPA subclass by circumventing traditional arguments against Article III standing, a court may permit claims relating to the non-California subclass to survive as well.
Because a defendant will find it difficult to persuade a court that a breach occurred notwithstanding top-notch data security practices, there will often be a question of fact about whether the company breached its duty to maintain reasonable security procedures and practices, and questions of fact are not resolved on a motion to dismiss.
Many companies facing high defense costs and a battle of expert witnesses may conclude that the best course of action is to settle. The lowered bar to recovery under the CCPA will provide an incentive to settle with the California subclass, and any class certified for settlement will almost certainly need to include relief for the nationwide members as well.
The primary impact will likely be on how much the organization agrees to pay the non-California class members, not on whether to settle with the nationwide class. This could add up to big dollars, and we are likely to see some companies decide not to publicly report breaches, despite their legal obligation to do so, if they think reporting will cost them millions of dollars in litigation.
Mitigating Breach Exposure
If you are reaching for a bottle of Xanax right now, rest assured it’s not hopeless. Businesses can do a lot to mitigate their exposure before a breach occurs:
- Ensure adoption of policies and procedures for handling and securing PII: the California Attorney General’s 2016 Data Breach Report identified the Center for Internet Security (CIS) Critical Security Controls as the minimum level of security an organization holding personal information should meet, so they are a sensible starting point for a program that can be defended as “reasonable security”;
- Minimize PII: Now is a good opportunity to take a page from Marie Kondo. If the PII doesn’t give you joy because you don’t use it, need it, or shouldn’t have it, securely dispose of it (there are laws about how to do that). Data you no longer hold cannot be breached, and data you encrypt is outside the CCPA’s private right of action;
- Consider cyber insurance while lawsuits are still insurable: The market is currently soft, but that may change if the cost of insuring third-party claims increases substantially;
- Train management to respond to a data breach: A good incident response plan that outlines the key steps to take in the event of a breach, and training on how the organization will carry it out, can help minimize mistakes, particularly since your plan and how well you followed it will be the subject of discovery in litigation;
- Build into your breach response a “cure” for the source of the breach, if possible, in anticipation of the 30-day cure period: That could include implementing multi-factor authentication, endpoint monitoring, or social engineering awareness training, along with the written statement to the consumer that the act requires.
The old adage holds true: An ounce of prevention is worth a pound of cure. Getting ready now will help create the best defense later.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jena Valdetero is a partner with Bryan Cave Leighton Paisner LLP in Chicago. She heads up the firm’s data breach response team, where she helps her clients assess their cyber security risks, prepare for a data breach, and respond to security incidents.