As Cybersecurity Awareness Month 2018 continues, we highlight the California Consumer Privacy Act of 2018 (CCPA), a game-changing law that some estimate will impact more than 500,000 U.S. companies that do business with residents of California.
The CCPA, originally signed into law on June 28, 2018 and recently amended on September 23, 2018, provides California residents with numerous rights with regard to their personal information, including rights of access and erasure that are truly precedent-setting when compared against other, existing U.S. laws. Our previous article highlighted many of the features of the CCPA (and can be found here), and this alert focuses on cybersecurity.
The CCPA provides that a California resident may bring a private right of action under the CCPA against a business that is subject to the CCPA for its failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information that results in an unauthorized access and exfiltration, theft, or disclosure of unencrypted or nonredacted personal information. The recent amendment to the CCPA clarified that this private right of action applies only to data breaches and no other violations of the CCPA. Any other violations of the CCPA may be remedied only by the California Attorney General, any penalties of up to $7,500 per violation are available for such violations.
The categories of personal information that, if breached, may trigger liability is defined to only include more sensitive data types such as social security number; driver’s license number; California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; health insurance information; or a username or email address in combination with a password or security question and answer that would permit access to an online account. This definition of personal information is narrower than a broader definition of personal information that is used throughout the majority of the CCPA.
This cybersecurity component of the CCPA is further evidence that the absence of comprehensive U.S. Federal legislation regarding cybersecurity will continue to fuel states to set their own requirements with potentially significant monetary and reputational consequences for businesses. Notably, the CCPA’s private right of action is paired with minimum statutory damages (not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages whichever is greater). As plaintiffs often have difficulty providing actual damages in data breach-related litigation, the presence of minimum statutory damages in a cybersecurity law tilts the scales in favor of plaintiffs and class action attorneys. The statute also expressly provides that plaintiffs may seek injunctive or declaratory relief, which can also be a powerful incentive for class action lawyers. Notably, however, the law as currently written does not include an express provision allowing prevailing plaintiffs to recover their attorneys’ fees, although it does include broad language allowing the court to award “[a]ny other relief the court deems proper.”
In addition, as the CCPA does not define “reasonable security procedures and practices appropriate to the nature of the information,” it will be critical for businesses to design cybersecurity programs that map to well-known, internationally recognized standards, in order to be in the best position possible to offer a defense should a data breach occur. For example, successful litigation defense will require businesses to have documented evidence of:
- The existence and complete implementation of appropriate policies, procedures, standards, and controls;
- Ongoing efforts to identify and mitigate vulnerabilities and improve cybersecurity posture;
- A robust internal audit program designed to areas of high risk;
- Appropriate internal training and education of personnel;
- Proper responses to data security incidents, including through use of an incident response plan that is regularly updated and drilled through tabletop exercises; and
- Supplier/vendor management, including use of appropriate contracts, due diligence, and auditing.
The recent CCPA updates also made several other changes, including delaying by six months the enforcement deadline for the law, from January 1, 2020 to July 1, 2020 and limiting Attorney General-imposed penalties to $2,500 for each violation of the CCPA or up to $7,500 per each intentional violation.
Businesses will need to closely monitor the CCPA as it continues to evolve, in particular because many of its requirements will take significant time and resources to achieve.