Strategies for Minimizing Exposure to Potential CCPA Damages
The most effective way for a company to lower the risk of CCPA-related litigation is to reduce the chance that personal information would be impacted if the company's network were breached.
October 02, 2019 at 11:29 AM
7 minute read
For more than a year, companies all over the country have been worrying and preparing for the California Consumer Privacy Act (CCPA), mostly without a clear sense of what they were worrying about or preparing for. With the California legislature's finalization of a set of amendments in mid-September, the statute is finally taking shape, and companies can now more effectively focus their energies on preparation, rather than worrying.
The CCPA provides California residents with a variety of new rights when it comes to their personal information. While the governor has not yet signed the amendments, and the California attorney general still needs to issue guidance about how to interpret the law—a guidance which is expected in October—the broad strokes of the statute appear to be set: personal Information is somewhat more narrowly defined than it originally was; employee data and information collected in the course of B2B transactions is largely excluded from the law, although not from the data breach provisions; and the consumer rights remain in place.
Among these rights is a consumer's ability to bring a private right of action against a company if that company experiences a data breach affecting that consumer's personal information. This right exists even if the consumer does not suffer any monetary damages as a result of the data breach.
Demonstrating a lack of actual damages has traditionally been one of the most effective ways for defendants to get data breach lawsuits dismissed or settled, so eliminating this avenue creates a significantly greater litigation risk for companies. Such risk is also increased by the CCPA's substitute for actual damages—consisting of statutory damages of $100 to $750 "per consumer per incident." This $100 minimum statutory damage figure not only adds dollar exposure to a single or multi-plaintiff case, but dramatically increases the potential class action exposure, both in dollar terms and in complicating or negating defense arguments for opposing class certification.
In addition to increasing the level of risk, the private right of action also poses a unique challenge when it comes to CCPA compliance; while companies can take concrete and proactive steps to become compliant and eliminate the risk stemming from the other parts of the law, to completely eliminate the risk of someone bringing a private right of action, a company would essentially have to prevent a data breach from occurring in the first place. As evidenced from the nearly daily news stories, this is something that companies have not been able to do, and it is unreasonable to expect that the enactment of CCPA will change this.
While companies are unlikely to eliminate the risk of consumers exercising their private right of action, there are strategies they can adopt to reduce that risk. Under the current iteration of the law, the private right of action only comes into effect if there is a data breach of personal information. As mentioned above, it is very difficult for a company to completely eliminate the chance that it falls victim to a breach of its network. Therefore, the most effective way for a company to reduce CCPA-related litigation risk is to reduce the probability that personal information is impacted by such a breach.
The first risk reduction strategy is encrypting or redacting data assets. Under one of the amendments the legislature adopted, encrypted and redacted data does not constitute "personal information" and is therefore outside the purview of CCPA. It would therefore not give rise to a private right of action even if it was involved in a data breach. Thus, encrypting or redacting information would help a company manage its risk under CCPA.
Similarly, because CCPA's statutory damages are based on the number of consumers whose information is compromised as part of a data breach, reducing the amount of information the company holds will reduce the magnitude of the risk stemming from a data breach. The best way to do this is to adopt and implement a comprehensive data retention policy that ensures that records are deleted once they are no longer needed. Often it is the forgotten databases or unnecessary files found in employee email accounts that are the source of the largest data breaches, so removing these types of extraneous data from a company's environment can greatly reduce the magnitude of the risk that results from a data breach.
Finally, as a last line of defense in the event of a data breach, companies can argue that their information security was reasonable and that, as a result, they should not be held liable for a compromise of personal information. Under the statute, the private right of action can be brought when there is a breach that is "a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information." Under this standard, if a company can demonstrate that it had reasonable security procedures and practices in place, then it can defeat a CCPA lawsuit even if personal information that it had in its possession was compromised.
Somewhat frustratingly, the statute does not define what "reasonable" is, and the definition of "reasonable security" is not spelled out elsewhere in California law. In 2016 the California attorney general's office issued a report, which alluded to certain measures it considered necessary for security to be reasonable. This may be an area where the AG will weigh in when the expected CCPA guidance is issued. Most likely, however, these "reasonableness" issues will be fleshed out in the courts on a case-by-case basis, with supporting expert opinion and input where appropriate. And, as in the common law negligence context, whatever might be deemed "reasonable" today could well be found less than "reasonable" in a future case where expectations, foreseeability, and the technological context could be quite a bit different.
Separate and apart from implementing the measures that the AG may highlight, it is also important that organizations conduct periodic proactive risk assessments of their systems. These assessments involve analyzing the external and internal risk landscape and assessing how the organization is poised to respond and protect against them. There are various types of risk assessments, including one called a duty-of-care risk assessment, and having prior documented assessments would undoubtedly help demonstrate that the organization has been thoughtful, deliberative, and responsive in its approach to cyber security. This could be instrumental in demonstrating that the organization's security measures are reasonable as required by CCPA.
Pasha A. Sternberg is an attorney in the Tech Transactions & Data Privacy practice at Polsinelli. Pasha regularly advises clients of all sizes, and across industry segments, on domestic and international privacy and cybersecurity regulations. Pasha works to help clients implement compliance and remediation efforts to comply with these laws, as well as to investigate and respond to cyber incidents.
John Cleary is also an attorney with Polsinelli, whose practice focuses on serving the Technology Transaction and Data Privacy needs of U.S. companies, with an emphasis on data security incidents and other cyber controversies. John previously served as an Assistant U.S. Attorney in Washington, D.C., representing U.S. government agencies and officials across a range of constitutional and other federal sector issues
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFederal Judge Named in Lawsuit Over Underage Drinking Party at His California Home
2 minute read'Almost an Arms Race': California Law Firms Scooped Up Lateral Talent by the Handful in 2024
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250