On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households.
The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented and maintains reasonable security procedures and practices appropriate to the nature of the personal information it is processing.
This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. With the CCPA, companies now face potentially staggering damages in relation to a breach. To provide some context, a data breach affecting the personal information of 1,000 California consumers may result in statutory damages ranging from $100,000 to $750,000, and a data breach affecting the personal information of one million California consumers may result in statutory damages ranging from $100 million to $750 million. These potential statutory damages dwarf almost every previous large data breach settlement in the United States.
To mitigate the risk of this increased exposure, companies need to take key steps to ensure they have implemented reasonable security procedures and practices.
What Is Reasonable Security?