The Coming Wave of California Consumer Privacy Act Lawsuits

By:  Kent Schmidt, Partner and Bob Cattanach, Partner

 

Since the beginning of the year, industry leaders and counsel advising clients on data security issues have held their collective breath in anticipation of the tsunami of California Consumer Privacy Act (CCPA) lawsuits. The CCPA, ballyhooed over the past few years as the next big thing in consumer litigation, is now the law in California. The most comprehensive cybersecurity and information privacy statutory scheme in the nation, the CCPA creates an express private right of action for individuals whose data is breached by hackers and mandates that significant penalties be assessed against the company that violates cybersecurity standards.

While no CCPA lawsuits were filed in January, a consumer privacy lawsuit filed February 3 in the U.S. District Court for the Northern District of California has garnered a great deal of attention. Touted by some as the “first” CCPA case, a closer reading of the Complaint filed in Barnes v. Hanna Andersson, LLC (No. 3:20-CV-00812) shows that the plaintiff does not assert a direct claim under the statute. There is a simple reason for this. The data breach alleged in Barnes occurred in 2019, before the effective date of the CCPA. Although the Complaint alleges acts or omissions in 2020 by stating that the retailer did not tell customers or the Attorneys General about this in January, the fact that the data breach occurred before the effective date of the CCPA would render a direct claim subject to a motion to dismiss.

As the industry pivots from the compliance questions that dominated the pre-effective period and begins to focus on CCPA litigation, this lawsuit gives us a few insights into future CCPA claims coming to a California courthouse near you:

  1. The Reasonable Security Measures Standard. The Barnes Complaint illustrates the framing of the core issue in a CCPA data breach claim: whether the company utilized “reasonable security measures” under the statute—whatever that may mean. Recognizing that swiftly evolving technology in this area makes it unworkable to incorporate specific technical requirements in the statutory standard (although previous guidance by California’s then-Attorney General Kamala Harris gives us some clues), the California Legislature has opted for a qualitative standard. The statutory predicate for a civil cause of action illustrates this: “Any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Cal. Civ. Code § 1798.150(a)(1) (emphasis added). Although this standard has the benefit of being adaptable to changing technology, it perpetuates a “hindsight” problem often encountered in data breach litigation: it is exceedingly easy for a plaintiff, with the benefit of hindsight, to persuasively argue that some further act would have been reasonable at the time and that the breach was foreseeable. The Complaint filed in Barnes contends that this standard was not met in a variety of ways and cites to another provision of the law which requires companies to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Cal. Civ. Code § 1798.81.5(b). 
     Whether or not it will be inadmissible as a subsequent remedial measure, the Complaint even cites to a LinkedIn posting after the alleged data breach in which Hanna Andersson announced it was searching for a new “Director of Cyber Security,” suggesting that this position was not filled when the data was hacked. (Compl. ¶ 33.) The Complaint further alleges that the reasonable measures standard is informed by not only the CCPA but the Federal Trade Commission Act (“FTC Act”) (15 U.S.C. § 45(a)) and various other standards and FTC publications. (Compl. ¶ 33.) These are all paths to one destination—the core litigated issue in this case and every other CCPA lawsuit that will be filed—whether the plaintiff will be allowed to use hindsight to prove that the defendant breached these evolving standards of care in cybersecurity.
  2. Interplay Between CCPA and other Statutory and Common Law Remedies: In lieu of a direct claim for violation of the CCPA, the Barnes Complaint alleges a common law claim for negligence as well as a claim for violation of California’s Unfair Competition Law (“UCL”) (Cal. Bus. & Prof. Code § 17200). The negligence claim is presumably included to provide a basis for claims by non-California residents based on the theory that defendants breached a duty of care to those class members. The inclusion of the UCL claim is a staple of any California consumer class action. That statute provides remedies for any business practice that is proven to be unfair, fraudulent or unlawful. It will be interesting to see how the courts address the interplay between the UCL and the CCPA since the latter provides that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” Cal. Civ. Code § 1798.150(c). In response to future CCPA claims, defense counsel may argue that a direct claim under the CCPA is the exclusive remedy and a separate UCL claim predicated solely on the CCPA is not actionable by the plain language of the statute.
  3. Contribution and Indemnity Issues in Secondary Litigation. This lawsuit names both the retailer (Hanna Andersson, LLC) and the ecommerce vendor (Salesforce.com, Inc.) that supplied the platform. The inclusion of both defendants is a reminder that, like other consumer protection lawsuits, these claims may trigger a secondary category of cross-claims between businesses and their ecommerce and cybersecurity vendors, including claims for contribution and indemnity. This will often be the case regardless of whether the secondary party is also named directly by the consumer (as Salesforce was here). It is advisable to review provisions in contract documents with third party vendors—including caps and limitations on damages—as such contract language will be paramount in secondary claims. These second-tier claims are in addition to insurance coverage questions and lawsuits that these cases will likely spawn.
  4. The Learning Curve for Courts: Even a cursory reading of the Complaint serves as a reminder that CCPA cases bring inherent challenges for litigants on both sides stemming from the fact that most individuals are unfamiliar with all but the most rudimentary aspects of cybersecurity. In theory, a trier of fact may have to address the reasonableness of the defendant’s cybersecurity measures and get ‘deep into the weeds’ of these technical issues. But as noted earlier, as a practical matter, juries, and perhaps even some judges, will be attracted to the hindsight argument of “how did the defendant not protect against this obvious vulnerability?” Effectively litigating these cases will require trial counsel who not only understand the technical aspects of cybersecurity and the requirements of the statutes and regulations, but are also savvy enough to appreciate and dismantle the attractive “hindsight” arguments plaintiffs’ counsel are sure to appeal to, if not expressly espouse.

The fact that there has only been one quasi-CCPA lawsuit in the first several weeks of 2020 is not an indication that the predictions of a tidal wave of CCPA class actions were overblown. As the Barnes filing illustrates, there are thorny questions concerning the retroactive application of the CCPA to data breaches that occurred before January 1. It is likely that there will be a lag of a few months as plaintiff lawyers wait to find cleaner cases in which the data breach occurred after the effective date. As this and other lawsuits make their way through motion practice, trials and appeals, there will be greater clarity to these and other questions in this emerging sector of class action litigation.

Ain’t No QSA 4 CCPA

By:  Jamie Nafziger, Partner; Divya Gupta, Partner; Cody Wamsley, Associate

 

As of January 1, 2020, the California Consumer Privacy Act (CCPA) is in effect and impacts numerous businesses that collect or process the personal information of California residents.  The CCPA carries potentially stiff penalties for noncompliance, but the actual text of the law does not provide a clear roadmap for companies to feel comfortable that they are doing things the right way.  As such, we are already seeing dramatic disparities in how companies across the world are interpreting the CCPA and choosing to implement its requirements.  They can’t all be right.

To compound matters, the California Attorney General has not yet issued its final regulations on how the CCPA will be enforced, so many companies are feeling like compliance is a guessing game at this point and are desperate for answers.  As we witnessed with the advent of the EU’s General Data Protection Regulation (GDPR), there are plenty of people willing to give advice on how to comply with the law, but many are ill-equipped to provide both technical guidance and legal interpretation.  And so, as we saw with the GDPR, there is a rampant proliferation of bad advice from vendors and consultants clogging up Google searches through their SEO efforts.  Anyone that has tried to find answers to GDPR questions over the last few years should know exactly what we’re talking about.

In this article, we are going to cut through the vapid regurgitation of what the statute says (that you can find pretty much anywhere) and get to the heart of what companies should be focused on to address the largest risk under the CCPA: class action data breach liability.

The CCPA, unlike anything we’ve seen before in the United States, carries statutory minimum penalties of $100-750 per record per incident for data breaches resulting from a failure to implement “reasonable security procedures and practices.”  Unlike the rest of the CCPA, these penalties are in full effect as of January 1, 2020 and we have already seen the first class action filed that implicates the CCPA in Barnes v. Hanna Andersson, LLC et al., Case 4:20-cv-00812-DMR (N.D.CA. 2020) which is seeking damages in excess of $5,000,000.  So, as we should suspect, many companies are scrambling to determine what controls constitute “reasonable security procedures and practices” and are working to put whatever they think that means into place.  Enter the charlatans.

The term “reasonable” is a legal term that has a basis in centuries of jurisprudence and is not something that lends itself to any prescriptive checklist.  Indeed, although a previous California Attorney General discussed reasonable security, the current California Attorney General, to date, has issued no guidance whatsoever on what constitutes “reasonable security” and so interpreting this amorphous standard can only be competently done by a lawyer.

There is no such thing as a CCPA certification.  Any vendor or consultant that claims to be able to provide such a document is, at best, wrong.  Much like the GDPR, the CCPA attempts to establish a standard of care for how to protect data, but it is doing so through a legal mechanism.  This isn’t like PCI DSS, ISO 27001, NIST 800-53, or any other technical standard.  Unlike PCI DSS, which is not a law, there are no CCPA auditing bodies, and there are no CCPA QSAs.  Only the California Attorney General could feasibly fulfill such a role and that is certainly not what the AG’s office is going to do.  Anyone that is providing a certificate or stamp-of-approval on a company’s privacy or security posture for CCPA purposes is wrong and no competent lawyer would sign off on such a document.  One day a California court may recognize some certification as establishing reasonable security, but that is not something we expect in the near term.

This, however, is not to say that it is impossible to meet this standard.  Far from it.  Companies should be used to having to interpret legal requirements and develop internal policies and processes to meet them in a variety of other areas like accounting, employment, health and safety, etc.  There is no reason to believe that the same approach that has worked for these areas will now be useless simply because we are applying it to a perhaps seemingly more technical field like “cybersecurity.”

So, instead of freezing up and waiting for Superman to save them, how can companies begin to tackle the development of reasonable security for CCPA purposes?  We have developed a simple initial 5-step process to help companies get moving so that they can feel better prepared for when their security posture comes into question:

  1. Recognize that the CCPA is a law and so it is important to involve counsel when interpreting it.  What constitutes “reasonable” will largely be dependent upon what a large number of similarly-situated companies are also doing.  Outside counsel will have the exposure to large numbers of clients to be able to guide companies on what others in the same field are doing.  Acting as an outlier is rarely going to be considered a “reasonable” position.
  2. Identify relevant industry standards and work to conform the company’s information security posture towards them.  We have written on this topic before [here].  While this step certainly helps move the needle towards “reasonable” security, it is also critically important to remember that compliance =/= security and so even perfect adherence to an industry standard does not guarantee that a company has been acting reasonably in their efforts to secure data.  So more is needed.
  3. Prioritize patch and vulnerability management.  As we discussed in the previous article [here], there are studies that indicate that 60% of data breaches are the result of poor patch management practices.  Assuming the veracity of these findings, this is the area of greatest risk and should be priority #1 from a technical implementation standpoint.
  4. Develop or enhance third party risk and security management.  Anytime a company shares any data or access to critical systems, it is relying on that third party’s own information security program to protect the company’s data.  If the company isn’t performing adequate diligence with continuing oversight, it is creating a gaping hole in its security posture.  Offloading data does not offload the risk; the company is still responsible for the failings of its subcontractors.
  5. Develop a solid incident response plan and practice it.  We’ve all heard the cliché “it’s not if but when,” which means that courts will have heard it too.  As we have seen with multitudinous AG and FTC actions related to data breaches in other jurisdictions, the lack of reasonable and timely incident response processes is not something for which we expect there to be much forgiveness.  Developing a solid incident response plan will require stakeholder input from across an organization and will take time to implement and practice.  Companies may have a difficult time establishing reasonableness for incident response processes that only exist on paper.

The CCPA is an extensive law that impacts much more than a company’s website privacy policy.  It’s important to recognize that there is no Easy Button and, as enticing as it might seem, there is no checklist or certificate that will ensure “CCPA Compliance.”  The California AG has issued estimates for initial CCPA compliance costs [here] and these need to be considered as companies weigh the risk of noncompliance.  Perhaps the most obvious takeaway from all of this though is that the best way to avoid class action liability for data breaches is to avoid data breaches.  Enacting reasonable security will help both avoid data breaches and avoid CCPA class action liability.

 

© Computer Fraud / Data Protection 2020
