The CCPA permits consumers to bring suit if a data breach occurs that was “a result of” the business failing to “implement and maintain reasonable security procedures and practices . . . .” 1   As a result, strict liability should not attach simply because a data breach occurred.  Put differently, a plaintiff must prove both that the breach was a result of the business’s security procedures and that those procedures were not reasonable given a number of factors such as the type of data that the business collected, the industry segment, the size of the business, the type of breach that occurred, etc.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code 1798.150(a)(1).