Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .” 1 As a result there appear to be five elements necessary for a plaintiff to prove in order to successfully bring suit under the CCPA:
- A business incurred a data breach;
- The data breach involved a sensitive category of information identified in Cal. Civil Code Section 1798.81.5;
- The business had a legal duty to protect the personal information from breach;
- The business failed to implement reasonable security procedures and practices; and
- The business’s failure resulted in (i.e., caused) the data breach.