Consumer Privacy Rights of Action in California: What Businesses Can Do to Prepare
Cybersecurity incidents are a question of “when,” not “if,” for any business that collects and stores large amounts of sensitive consumer personal information. The brand-new California Consumer Privacy Act (“CCPA”), Cal. Civ. Code §§ 1798.100 et seq., contains, among other things, a private right of action for any California consumer whose nonencrypted and nonredacted personal information is subject to a data breach. Cal. Civ. Code § 1798.150. This provision took effect on January 1, 2020. The exposure is steep: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater; injunctive or declaratory relief; and any other relief the court deems proper. Cal. Civ. Code § 1798.150(a). However, there are several best practices to keep in mind that go a long way towards eliminating or at least mitigating liability.
First, redact or encrypt consumer personal information. The private right of action does not lie where the stolen or disclosed data is encrypted or redacted. Cal. Civ. Code § 1798.150(a). Although the CCPA does not define “nonencrypted,” the related breach-notification statute, Cal. Civ. Code § 1798.82(i)(4), defines “encrypted” to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The generally accepted starting point is the National Institute of Standards and Technology’s (“NIST”) Advanced Encryption Standard (FIPS 197), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf, used in an authenticated mode such as GCM (NIST SP 800-38D) with keys handled per NIST’s key-management guidance (SP 800-57). Two practical points follow from the statutory definition. The cipher alone is not the “methodology”: how the keys are stored and who can use them is part of it, because data whose decryption key is kept alongside it and taken in the same incident is not unusable to the attacker. And encryption is only as good as its scope: the fields that make a record “personal information” (discussed next) must be the ones that are actually encrypted, not merely the disk or backup that happens to contain them while the application serves them in the clear.
Second, evaluate the type of consumer personal information a business maintains. Only a theft or disclosure of “personal information” as defined in California Civil Code § 1798.81.5(d)(1)(A) will give rise to the private right of action. As defined in that Section, “personal information” means an individual’s first name (or first initial) and last name in combination with one or more specified data elements, such as a social security number; a driver’s license or California identification card number (and, as amended effective 2020, a tax identification number, passport number, military identification number, or other unique government-issued identification number); an account, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account; medical information; health insurance information; or unique biometric data. Personal information also means a username or email address in combination with a password or security question and answer that would permit access to an online account. Therefore, redaction or encryption can be applied on a selective basis to these data elements, so that a record that leaks without them (or with them in encrypted form) is not a record of nonencrypted, nonredacted personal information, which forestalls liability under the CCPA. The practical check is to serialize a record exactly as it is stored and confirm that none of the statutory elements appears in it verbatim.
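The following program is an added example, written for this page and not drawn from the article or any statute; it shows what field-level protection of the data elements described in the first two steps looks like in practice. It uses Go’s standard library AES-256-GCM (the FIPS 197 cipher in the SP 800-38D authenticated mode) to encrypt the SSN and payment card number of a constructed consumer record, binds each ciphertext to its field name so ciphertexts cannot be swapped between columns, keeps a redacted card number for display, and then checks the serialized record for any verbatim occurrence of the statutory elements. The record contents, the field names, and the in-memory key are all hypothetical; a real deployment fetches the key from a KMS or HSM with its own access controls, precisely so that a database compromise does not also yield the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ConsumerRecord is a constructed example: a name combined with an SSN and a card number.
type ConsumerRecord struct {
	FirstName, LastName, Email, SSN, CardNumber string
}

// StoredRecord is what lands in the database: SSN and card number are AES-256-GCM
// ciphertexts (base64, nonce prepended); the card number also keeps a redacted form.
type StoredRecord struct {
	FirstName, LastName, Email, SSNEnc, CardEnc, CardRedacted string
}

// Encryptor holds the AEAD for one 256-bit key. The key is hypothetical and in-memory
// here; in production it lives in a KMS or HSM, never beside the data it protects.
type Encryptor struct{ aead cipher.AEAD }

func NewEncryptor(key []byte) (*Encryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce and binds the field name as
// associated data, so a ciphertext cannot be swapped into another column.
func (e *Encryptor) Seal(field, plaintext string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := e.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails on a wrong key, a wrong field name, or any tampering.
func (e *Encryptor) Open(field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	ns := e.aead.NonceSize()
	if err != nil || len(ct) < ns {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := e.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
	return string(pt), err
}

// RedactCard keeps only the last four digits; it assumes a card number of digits and spaces.
func RedactCard(pan string) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Protect encrypts the statutory data elements and leaves the remaining fields as they are.
func Protect(e *Encryptor, r ConsumerRecord) (StoredRecord, error) {
	ssn, err := e.Seal("ssn", r.SSN)
	if err != nil {
		return StoredRecord{}, err
	}
	card, err := e.Seal("card_number", r.CardNumber)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{r.FirstName, r.LastName, r.Email, ssn, card, RedactCard(r.CardNumber)}, nil
}

// ExposesInClear reports whether a serialized record still carries the SSN or the full
// card number verbatim, i.e. whether a leak of it would be a leak of nonencrypted data.
func ExposesInClear(serialized []byte, r ConsumerRecord) bool {
	s := string(serialized)
	return (r.SSN != "" && strings.Contains(s, r.SSN)) ||
		(r.CardNumber != "" && strings.Contains(s, r.CardNumber))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // hypothetical 32-byte key; real systems fetch it from a KMS
	enc, _ := NewEncryptor(key)
	rec := ConsumerRecord{"Jane", "Doe", "jane@example.com", "123-45-6789", "4111 1111 1111 1111"}
	stored, _ := Protect(enc, rec)
	out, _ := json.Marshal(stored)
	fmt.Printf("%s\nexposes statutory elements in the clear: %v\n", out, ExposesInClear(out, rec))
}
```

Running it prints the stored form, in which the name and email remain readable but the SSN and card number appear only as ciphertext and a masked display value, followed by `false` from the exposure check; marshalling the original record instead yields `true`. The design choices worth copying are the ones the statute’s “unusable to an unauthorized person” language implicitly demands: an authenticated mode so tampered ciphertext is rejected rather than decrypted into garbage, a unique nonce per encryption so identical SSNs do not produce identical ciphertexts, the field name as associated data so a ciphertext cannot be replayed into a different column, and a key that is not part of the same blast radius as the database.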
Third, institute and maintain “reasonable” security practices. The CCPA’s private right of action is further limited to situations where the data breach was a result of a business’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. Cal. Civ. Code § 1798.150(a)(1). The CCPA does not define “reasonable security.” However, there are several resources businesses can draw on to formulate reasonable practices. For example, the former California Attorney General’s 2016 California Data Breach Report stated that the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that organizations holding personal information should meet, and cited the International Organization for Standardization’s 27002 series and NIST’s Cybersecurity Framework, described at https://www.iso27001security.com/html/27002.html and https://www.nist.gov/cyberframework respectively, as reputable frameworks for businesses to follow. Notably, in its 2019 court-approved settlement of data-breach related claims, Yahoo! Inc. agreed that its information security program would be compared against the NIST or a similar cybersecurity framework as part of the remedial efforts. A few of the most salient steps that these frameworks recommend include the following:
(1) Documenting data security policies, procedures and practices in a written information security plan (“WISP”), a document memorializing the administrative, technical and physical safeguards a business uses to protect the privacy of the personally identifiable information it stores.
(2) Training employees on cybersecurity and data security issues and hiring a Chief Information Security Officer. The CCPA already requires employees who handle consumer inquiries about a business’s privacy practices or compliance to be informed of various CCPA requirements. See Cal. Civ. Code § 1798.130(a)(6). The purpose of hiring a Chief Information Security Officer is to ensure that security policies and procedures are robust, conform to industry norms, and are being followed.
(3) Conducting regular risk assessments. Businesses should regularly conduct information security risk assessments and engage an independent third party to evaluate the information security program. These risk assessments, at a minimum, will consider risks associated with: (i) employee training and management; (ii) software design and testing; and (iii) vendor data management and security practices. A business should then evaluate and adjust, as reasonably necessary, the systems on which and by which customers’ personal information is stored in light of: (i) the results of the testing and monitoring called for by its security program (or, as in the Yahoo! matter, by a settlement agreement); (ii) any material changes to its operations or business arrangements; or (iii) any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its security program.
The CCPA’s private right of action provides a powerful tool to plaintiffs in the event of a data breach. However, the above steps, if taken proactively, can help to eliminate or at least limit liability for a business.