Over the past 15 years, Bryan Cave Leighton Paisner has assisted thousands of clients with responding to data security breaches and navigating the myriad legal requirements that may be triggered as a result. We first prepared our Data Security Breaches: Incident Preparedness and Response handbook in 2014 in partnership with the Washington Legal Foundation. The goal was to empower in-house counsel with a comprehensive guide not only on how to respond when a breach happens, but also how to prepare your organization before one occurs. We were honored to have then-U.S. Federal Trade Commissioner Maureen K. Ohlhausen provide the following commentary in her foreword:
The following monograph is a useful guide to the role of in-house counsel in the continuous process of data security. Although written by lawyers, the monograph is not – to the authors’ great credit – a legal treatise. Instead, it is a practical guide to help in-house counsel understand security incidents and the role of in-house counsel in dealing with such incidents.
As the laws have continued to change, so has our handbook. Beginning in January 2020, the California Consumer Privacy Act (the “CCPA”) is set to become the first U.S. state law to expressly permit consumers to recover statutory damages in the event of a data breach. The CCPA may be a game-changer, likely enabling plaintiffs’ counsel to overcome the persistent hurdles they have faced when attempting to bring data breach class action lawsuits – namely, establishing Article III standing and proving injury. Because the CCPA provides for a minimum of $100 and a maximum of $750 per incident in statutory damages for each California resident impacted by a breach, and because California’s data breach notification law requires public reporting of breaches impacting 500+ California residents, companies face significant liability.
Fortunately, companies defending against such lawsuits can take steps now – before a breach occurs and before the CCPA takes effect – to best position themselves to both respond to a breach and to meet the CCPA’s requirement that they “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” We hope that our Data Security Breach Handbook (2019 Edition) (attached) provides a useful starting point for companies focusing on breach readiness.
In conjunction with the handbook’s release, BCLP will be issuing a series of data security articles on topics to empower organizations to focus on breach readiness. If you are interested in receiving these emails or scheduling a call to discuss how BCLP can assist, please email Jena Valdetero (firstname.lastname@example.org) or David Zetoony (email@example.com).