CCPA Private Right of Action – Data Breach Security Requirement
The new California privacy law includes a private right of action against companies that fail to adopt reasonable data breach security practices. Although the California Consumer Privacy Act (CCPA) was largely a “privacy” bill, this could be a major new deterrent to insufficient cybersecurity efforts. It will go into effect on January 1, 2020.
When can a Consumer bring a Lawsuit?
The CCPA private right of action provides consumers the right to bring an individual cause of action or a class action if their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. It is essentially a cause of action against businesses that suffer data breaches.
The private right of action under the CCPA provides for statutory damages of between $100 and $750 per consumer per incident. Consumers may also receive actual damages (in lieu of statutory damages if they are greater), injunctive or declaratory relief, and any other relief the court deems proper.
In evaluating the amount of statutory damages to compensate consumers, the court may consider, among other things, the nature and seriousness of the misconduct, the number of violations, the persistence of misconduct, the length of time of the misconduct, the willfulness of the misconduct, and the amount of the defendant’s resources (assets, liabilities and net worth). The court may also take into account other relevant circumstances presented by the parties.
Businesses that are preparing for California need to make sure that they have reviewed and enhanced their cybersecurity procedures and practices. Although enforcement by the California Attorney General has been delayed, the private right of action for data breaches will still go into effect on January 1, 2020.
Why was this Section Necessary?
There have been various impediments to successful consumer class actions seeking compensation for data breaches. This section may remove one of those problems by specifying a range of statutory damages for consumers who do not have a quantifiable injury from the loss of control over their personal information.
History of the Private Right of Action
The private right of action was a part of the ballot initiative that preceded the drafting of AB375. However, it was much broader than the existing measure. It permitted a lawsuit by a consumer for any violation of the law – it was not limited to data breaches like the current version. It also permitted higher penalties – as much as $3,000 for statutory damages resulting from an intentional violation. The version that passed is limited to a maximum statutory fine of $750 per consumer.
SB 1121 Amendments to the Cause of Action from AB 375
The “technical corrections” bill passed by the California legislature at the end of August made two changes to this section.
First, California residents initiating an action for statutory damages under the privacy law will not need to notify the Attorney General within 30 days of the filing of the lawsuit. This measure remained from the language providing for whistleblower qui tam lawsuits from the proposed ballot initiative. As the authorization for whistleblower rewards was removed before the passage of AB-375, the language requiring notification of the CaAG was removed as well.
Second, SB-1121 clarified that the private cause of action was limited and did not provide a cause of action for other violations of the California Consumer Privacy Act. The legislative intent behind the section is fairly clear – to provide the ability for consumers to recover money for data breaches due to poor cybersecurity practices. The scope of this section will probably still be litigated with respect to the term “disclosure”, but businesses will have a stronger argument than they did before the law was amended.
Reasonable Security Procedures
The legal requirement for reasonable security in California is not new. California Civil Code § 1798.81.5 contains the existing requirement. In February 2016, the then California Attorney General released a data breach report indicating that implementation of the Center for Internet Security’s Critical Security Controls was the minimum needed for reasonable security. The report also called for multi-factor authentication and encryption of portable devices.
The 20 controls in the CIS list are:
– Inventory and Control of Hardware Assets
– Inventory and Control of Software Assets
– Continuous Vulnerability Management
– Controlled Use of Administrative Privileges
– Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
– Maintenance, Monitoring, and Analysis of Audit Logs
– Email and Web Browser Protections
– Malware Defenses
– Limitation and Control of Network Ports, Protocols, and Services
– Data Recovery Capabilities
– Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
– Boundary Defense
– Data Protection
– Controlled Access Based on the Need to Know
– Wireless Access Control
– Account Monitoring and Control
– Implement a Security Awareness and Training Program
– Application Software Security
– Incident Response and Management
– Penetration Tests and Red Team Exercises
Implications for Data Breach Notifications
The CCPA does not implicate the California breach notification law – which is addressed for businesses and persons by California Civ. Code s. 1798.82(a). California was the first state in the country to adopt a data breach notice requirement and the new California privacy law did not change it.
California republicans have said that they intend to propose a bill requiring data breach notifications within 72 hours as part of their #YourDataYourWay legislative package. However, the bill was still being drafted in early February 2018. As the details have not been released, it is currently unclear whether this change will be tied into the CCPA’s privacy requirements or not.
Other Proposed Amendments
The California Attorney General supports expanding the CCPA private right of action to apply to all violations of the law. The bill, SB 561, was introduced by California Senator Jackson, chair of the Senate Judiciary Committee. It was approved by the Senate Judiciary Committee by a 6-2 vote.
Contact Clarip for Help with Your Privacy and Compliance Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.