What is the Risk, Under the CCPA, if a Company Has a Data Breach?

Published in The Mobile Source

By Kimberly Culp and Kari Kelly

October 2, 2019

If you are confused about the potential liability for a company that experiences a data breach in violation of the CCPA, you are not alone. One of the biggest reasons for this confusion is that there are a variety of remedies and penalties under the CCPA.

Of course, the harm to a brand after a data breach may exceed the scope of these penalties. But, if you are looking to better understand the risk to your business or are looking for ammunition to get your business team to address the CCPA, this summary should be helpful.

Standing For A Private Action

As of now, a consumer can only bring a private action for certain types of violations under the CCPA, mainly data breaches of certain personal information. A consumer whose non-encrypted or non-redacted personal information (as defined) is the subject of a breach must also prove that a business failed to maintain “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” What that phrase actually means in practice will certainly be the subject of litigation, if not regulation. Until the law is more fully developed, companies should benchmark what their peers are doing and follow suit. When in doubt, it may be helpful to get an opinion from a cybersecurity professional regarding the reasonableness of the security measures that the company has employed.

There have been efforts to amend the CCPA to broaden the standing for a private action to include violations of any part of the CCPA. This would have enabled consumers to sue a business for violating any of the core consumer rights established in the CCPA (i.e., right of deletion, or right to opt-out). So far, efforts to expand the right to private action have simmered.

CCPA Remedies

An injured consumer may sue for statutory damages or actual damages, injunctive relief, or declaratory relief. A consumer must provide a written notice to cure the violation before bringing action if they are seeking statutory damages.

Statutory and Actual Damages

It will likely be rare that a consumer can demonstrate actual damages or that such damages will be great enough to justify a lawsuit seeking actual damages. It will also likely be rare that a class of consumers will be certified who are pursuing actual damages.

Instead, it is expected that most lawsuits will come in the form of class actions pursuing statutory damages. The CCPA opens the door for these class actions because actual damages do not need to be demonstrated to pursue the substantial statutory damages available under the CCPA.

The CCPA provides for statutory damages of not less than $100 and not more than $750 per consumer per incident.

Guidelines To Assess The Amount of Statutory Damages

The CCPA outlines guidelines for Courts to apply in determining how to assess the statutory remedy. Courts will look to the circumstances presented by parties in a consumer action and the CCPA outlines a non-exhaustive list of factors for the Court to consider: the nature and seriousness of the business’ misconduct, the number of violations, the persistence of the misconduct, the length of time that the misconduct occurred, the willfulness of the business, and the breaching business’ assets, liabilities, and net worth. It is possible that case law or regulations will further elucidate factors that courts will consider when determining the appropriate amount of the statutory damages to assess.

Injunctive Relief or Declaratory Relief

The CCPA expressly provides that consumers may seek injunctive or declaratory relief while they wait for the outcome of their case. Depending upon the reason for the breach and the nature of the injunction, some breaching businesses may see their business halted or significantly curtailed during the pendency of a consumer lawsuit.

“Any Other Relief The Court Deems Proper”

Courts are granted wide latitude in fashioning relief for aggrieved consumers. It is most likely that courts will use this remedy in the rare circumstances where damages and/or injunctive relief do not fully remedy the harm suffered by the consumers. For example, the injunctive relief may be coupled with an affirmative action – such as a reasonable measure to prevent breaches – on a going-forward basis. Because this kind of remedy must be tied to the harm proven, it should not come as a surprise to businesses ordered to do more than cease certain practices and pay damages.

Civil Penalties Sought by the California Attorney General Under The CCPA

The California Attorney General (“CAG”) is the enforcer of the CCPA and may pursue civil penalties (fines) against those who violate the CCPA (and not just the data breach provisions). Where there has been a data breach, companies may face both a private action and enforcement by the CAG.

Notice To Cure

Similar to the prerequisite notice a consumer must give to a business before filing a private lawsuit seeking statutory damages, the CAG must also give businesses a 30-day notice to cure before assessing any penalties for violations of the CCPA.

Penalty Limitations

The civil penalty for each violation is capped at $2,500, with a higher cap of $7,500 for each intentional violation. It remains to be seen whether a violation will be construed on a per consumer basis or not. If the former, the civil penalties sought by the CAG can be quite substantial.

The CAG is rumored to be planning to release draft regulations on the CCPA as early as this Fall, 2019. Businesses can expect more information about CCPA enforcement from these regulations.

Best Practices for Businesses to Consider NOW

  • Implement reasonable policies and procedures for handling and protecting consumer data;
  • Test your cyber practices and identify any weaknesses;
  • Consider cyber insurance;
  • Limit the data you collect; and
  • Establish policies and procedures for handling a breach, responding to a notice to cure, and otherwise communicating with the public about a breach.

Nothing in this article should be construed as legal advice or as a comprehensive understanding of everything you need to know about data privacy and protection. We recommend that you retain an attorney to lay out your CCPA strategy.
