Pasha Sternberg and John Cleary Pasha Sternberg and John Cleary of Polsinelli

For more than a year, companies all over the country have been worrying and preparing for the California Consumer Privacy Act (CCPA), mostly without a clear sense of what they were worrying about or preparing for. With the California legislature's finalization of a set of amendments in mid-September, the statute is finally taking shape, and companies can now more effectively focus their energies on preparation, rather than worrying.

The CCPA provides California residents with a variety of new rights when it comes to their personal information. While the governor has not yet signed the amendments, and the California attorney general still needs to issue guidance about how to interpret the law—a guidance which is expected in October—the broad strokes of the statute appear to be set: personal Information is somewhat more narrowly defined than it originally was; employee data and information collected in the course of B2B transactions is largely excluded from the law, although not from the data breach provisions; and the consumer rights remain in place.

Among these rights is a consumer's ability to bring a private right of action against a company if that company experiences a data breach affecting that consumer's personal information. This right exists even if the consumer does not suffer any monetary damages as a result of the data breach.

Demonstrating a lack of actual damages has traditionally been one of the most effective ways for defendants to get data breach lawsuits dismissed or settled, so eliminating this avenue creates a significantly greater litigation risk for companies. Such risk is also increased by the CCPA's substitute for actual damages—consisting of statutory damages of $100 to $750 "per consumer per incident." This $100 minimum statutory damage figure not only adds dollar exposure to a single or multi-plaintiff case, but dramatically increases the potential class action exposure, both in dollar terms and in complicating or negating defense arguments for opposing class certification.

In addition to increasing the level of risk, the private right of action also poses a unique challenge when it comes to CCPA compliance; while companies can take concrete and proactive steps to become compliant and eliminate the risk stemming from the other parts of the law, to completely eliminate the risk of someone bringing a private right of action, a company would essentially have to prevent a data breach from occurring in the first place. As evidenced from the nearly daily news stories, this is something that companies have not been able to do, and it is unreasonable to expect that the enactment of CCPA will change this.

While companies are unlikely to eliminate the risk of consumers exercising their private right of action, there are strategies they can adopt to reduce that risk. Under the current iteration of the law, the private right of action only comes into effect if there is a data breach of personal information. As mentioned above, it is very difficult for a company to completely eliminate the chance that it falls victim to a breach of its network. Therefore, the most effective way for a company to reduce CCPA-related litigation risk is to reduce the probability that personal information is impacted by such a breach.

The first risk reduction strategy is encrypting or redacting data assets. Under one of the amendments the legislature adopted, encrypted and redacted data does not constitute "personal information" and is therefore outside the purview of CCPA. It would therefore not give rise to a private right of action even if it was involved in a data breach. Thus, encrypting or redacting information would help a company manage its risk under CCPA.

Similarly, because CCPA's statutory damages are based on the number of consumers whose information is compromised as part of a data breach, reducing the amount of information the company holds will reduce the magnitude of the risk stemming from a data breach. The best way to do this is to adopt and implement a comprehensive data retention policy that ensures that records are deleted once they are no longer needed. Often it is the forgotten databases or unnecessary files found in employee email accounts that are the source of the largest data breaches, so removing these types of extraneous data from a company's environment can greatly reduce the magnitude of the risk that results from a data breach.

Finally, as a last line of defense in the event of a data breach, companies can argue that their information security was reasonable and that, as a result, they should not be held liable for a compromise of personal information. Under the statute, the private right of action can be brought when there is a breach that is "a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information." Under this standard, if a company can demonstrate that it had reasonable security procedures and practices in place, then it can defeat a CCPA lawsuit even if personal information that it had in its possession was compromised.

Somewhat frustratingly, the statute does not define what "reasonable" is, and the definition of "reasonable security" is not spelled out elsewhere in California law. In 2016 the California attorney general's office issued a report, which alluded to certain measures it considered necessary for security to be reasonable. This may be an area where the AG will weigh in when the expected CCPA guidance is issued. Most likely, however, these "reasonableness" issues will be fleshed out in the courts on a case-by-case basis, with supporting expert opinion and input where appropriate. And, as in the common law negligence context, whatever might be deemed "reasonable" today could well be found less than "reasonable" in a future case where expectations, foreseeability, and the technological context could be quite a bit different.

Separate and apart from implementing the measures that the AG may highlight, it is also important that organizations conduct periodic proactive risk assessments of their systems. These assessments involve analyzing the external and internal risk landscape and assessing how the organization is poised to respond and protect against them. There are various types of risk assessments, including one called a duty-of-care risk assessment, and having prior documented assessments would undoubtedly help demonstrate that the organization has been thoughtful, deliberative, and responsive in its approach to cyber security. This could be instrumental in demonstrating that the organization's security measures are reasonable as required by CCPA.

 

Pasha A. Sternberg is an attorney in the Tech Transactions & Data Privacy practice at Polsinelli. Pasha regularly advises clients of all sizes, and across industry segments, on domestic and international privacy and cybersecurity regulations. Pasha works to help clients implement compliance and remediation efforts to comply with these laws, as well as to investigate and respond to cyber incidents.

John Cleary is also an attorney with Polsinelli, whose practice focuses on serving the Technology Transaction and Data Privacy needs of U.S. companies, with an emphasis on data security incidents and other cyber controversies. John previously served as an Assistant U.S. Attorney in Washington, D.C., representing U.S. government agencies and officials across a range of constitutional and other federal sector issues