For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation.

Pre-Existing California Laws

1. Data Breach Notification Statute

California Civil Code § 1798.82 requires persons or businesses that conduct business in California to notify California residents if the person or business suffers a security breach involving “personal information.” Notably, Section 1798.82(h), defines “personal information” much narrower than the CCPA, to be either of the following:

1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number

(B) Driver’s license number or California identification card number

(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account

(D) Medical information

(E) Health insurance information

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5

2. A user name or email address in combination with a password or security question and answer that would permit access to an online account

The statute requires notice to be provided to affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

2. Duty to Implement and Maintain Reasonable Security Measures

California Civil Code § 1798.81.5 provides that a “business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

The law also requires any business that discloses personal information pursuant to a contract with a nonaffiliated third party to require that nonaffiliated third party to implement and maintain reasonable security procedures and practices.

The definition of “personal information” in Section 1798.81.5 is nearly identical to that in Section 1798.82, except that Section 1798.82 covers automated license plate recognition systems and Section 1798.81.5 excludes redacted information as well as encrypted information.

While the definition of “reasonable security procedures and practices” remains elusive, in February 2016, the California Attorney General’s office issued a report stating:

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

The CIS controls are available here.

3. Private Right of Action

Prior to the CCPA, California law already provided for a private right of action for violations of the data breach notification and information security statutes. Cal. Civ. Code § 1798.84(b). However, that private right of action does not provide for statutory damages like the CCPA’s private right of action.

History of the CCPA’s Private Right of Action

1. Ballot Measure

The CCPA originated as a ballot measure. Section 1798.108 of the ballot measure would have permitted consumers to bring a civil action for statutory damages for “a violation of this Act.” Consequently, that private right of action would have covered not only security breaches, but also violations of the CCPA’s various privacy rights.

The ballot measure also specified that a violation of the Act “shall be deemed to constitute an injury in fact to the consumer who has suffered the violation.” That provision was directed at assuring that consumer plaintiffs could overcome a motion to dismiss based on lack of standing due to not having suffered a cognizable injury. The statutory damages set forth in the ballot measure were $1,000 “for each violation” or $3,000 for knowing and willful violations.

Additionally, Section 1798.112 would have allowed California residents to sue businesses for the same statutory damages for a security breach of consumer personal information under Section 1798.82 if the business failed to implement and maintain reasonable security procedures and practices.

The ballot measure was withdrawn from the ballot because of the passage of the CCPA.

2. Assembly Bill 375

In order to cause the withdrawal of the ballot measure, the California legislature quickly pushed through AB-375. For a discussion of the enactment of AB-375, see our blog post here. The private right of action in AB-375 was vastly different from the one in the ballot measure, stating:

Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . .

Thus, AB-375 eliminated—in theory—the private right of action for violations of the CCPA’s privacy-related rights that would have been covered by the ballot measure’s private right of action.

We write “in theory” because one of the final changes to this section before it was enacted was that the phrase “an unauthorized access and exfiltration, theft, or disclosure” was inserted in place of “a security breach of the business as defined in Section 1798.82.” Therefore, it was foreseeable that plaintiffs’ attorneys would argue that the change signaled an intent to broaden the private of action beyond security breaches to the privacy-related rights in the CCPA. For example, a business’s failure to allow a consumer to opt out of the business selling the consumer’s personal information to a third party could be interpreted as an “unauthorized access [and] disclosure.”

Unlike the ballot measure, AB-375’s private right of action did not provide that a violation constituted an “injury in fact,” and it lowered the statutory damages to not less than $100 and not greater than $750.  However, it changed “per violation” to “per consumer per incident.” In theory, the ballot measure could have been interpreted on a per consumer basis; however, AB-375 made this explicit, thereby creating a significant statutory penalty.

Additionally, if a consumer sought statutory damages (as opposed to pecuniary damages), AB-375’s private right of action required the consumer to provide a business with notice of the alleged violations and 30 days to “cure” them. A consumer was barred from filing suit if the business cured the violation and provided the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.”

The consumer also had to notify the Attorney General’s office within 30 days of filing the lawsuit and provide the Attorney General’s office with the opportunity to (1) prosecute the alleged violation, (2) instruct the consumer not to proceed, or (3) allow the lawsuit to proceed.

3. Senate Bill 1121

Only a few months after AB-375 was enacted, California passed SB 1121, which began what is expected to be a year-plus long process of modifying the CCPA prior to its January 1, 2020 effective date.

SB 1121 modified the private right of action in significant ways. First, in an apparent attempt to address the scope of the private right of action, SB 1121 added Paragraph (c) to Section 1798.150, which states, in relevant part:

The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.

The preamble to the bill further explained that “[t]his bill would clarify that the only private right of action permitted under the act is the private right of action . . . for violations of unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.”

SB 1121 also deleted the requirement that a consumer bringing a private right of action must notify the Attorney General and wait for authorization to proceed with the lawsuit. This change was most likely made in response to a letter from California Attorney General Xavier Becerra, stating that “[t]his provision has no purpose as the courts not the Attorney General decide the merits of private lawsuits” and the provision “imposes unnecessary personnel and administrative costs” on the Attorney General’s office.

Notably, in that same letter, Attorney General Becerra urged the California legislature to expand the private right of action to cover violations of the CCPA’s privacy-related rights:

Finally, the CCPA does not include a private right of action that would allow consumers to seek legal remedies for themselves to protect their privacy. Instead, the Act includes a provision that gives consumers a limited right to sue if they become a victim of a data breach. The lack of a private right of action, which would provide a critical adjunct to governmental enforcement, will substantially increase the [Attorney General’s Office’s] need for new enforcement resources. I urge you to provide consumers with a private right of action under the CCPA.

While SB 1121 did not adopt the Attorney General’s recommendation, it is certain that privacy advocates (and plaintiffs’ attorneys) will push the legislature to make this change prior to the January 1, 2020 effective date. If it does happen, the CCPA will lead to scores of privacy-related lawsuits.

What Should Companies Do?

You may already be aware that SB 1121 delayed the start of the Attorney General’s enforcement of the CCPA’s privacy rights to July 1, 2020. However, SB 1121 did not delay the January 1, 2020, effective date for the private right of action. Therefore, businesses should be taking steps now to avoid the CCPA’s significant statutory damages.

In so doing, businesses should bear in mind that the private right of action is not a strict liability statute. Rather, a litigant will need to prove that any data breach was due to a business’s failure to implement and maintain reasonable security procedures. Stated differently, private litigants will need to prove that a business was negligent and that the negligence was a cause of the breach.

Conversely, businesses that are able to demonstrate a documented history of taking affirmative steps to protect personal information will be well-situated to defend any data breach litigation. Perhaps the best starting point is to focus on existing California guidance. As explained, the California Attorney General’s office has stated that the CIS’s Controls are a minimum level of information security that organizations should meet. Therefore, performing a gap analysis of your organization’s information security practices against the CIS’s Controls is a logical place to start.

Additionally, businesses should document their information security procedures and practices through a written information security program. To develop such a program, businesses can look to information security standards promulgated by federal and state agencies. This would include, but not be limited to, HIPAA’s security and privacy rules, Federal Trade Commission guidance, Massachusetts regulation 201 CMR 17.00, and the New York Department of Financial Services cybersecurity regulations.

A written information security program should document administrative, technical, and physical safeguards that are appropriate for the size of the business and nature of the personal information the business maintains. Among other things, the program should document the business’s risk assessment and the controls employed to mitigate foreseeable risks, describe employee training measures, incorporate the business’s internal privacy policy, set forth the business’s policy for the discipline of employees who violate the privacy or security policies, and address third-party vendor management issues. It also is imperative that the organization develop a written cyber incident response plan addressing foreseeable types of incidents.

Finally, in an upcoming series of blog posts, we will continue to examine the concept of reasonable data security and offer further thoughts on what policies and practices businesses ought to adopt to meet this elusive and slippery standard.