When the California Consumer Privacy Act (“CCPA”) takes effect in January 2020, California will become the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages of between $100 and $750 per incident, even in the absence of any actual harm. The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories. A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held. The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit. To help our clients get ready for the CCPA, Bryan Cave Leighton Paisner is issuing a series of data security articles to empower organizations to focus on breach readiness.
Security breaches impact all types of entities. Two organizations—Privacy Rights Clearinghouse and Cyber Risk Analytics—systematically track publicly reported security breaches and provide up-to-date reports on evolving trends. According to the former source, in 2018, approximately 53.4% of reported breaches impacted medical organizations, 11.6% impacted for-profit businesses, including retail and financial organizations, 3% impacted educational institutions, and 1.2% impacted government agencies and nonprofit entities. The industries remain unknown for the last 30.7% of incidents reported.
Data breaches typically impact organizations in a number of ways:
Reputational Costs: A data breach can erode the confidence of customers or clients, which can significantly impact sales or the reputation of your organization. Often the indirect cost to the organization from adverse publicity outweighs direct costs and potential legal liabilities.
Business Continuity Costs: Breaches that create, expose, or exploit vulnerabilities in network infrastructure may require that a network be taken offline to prevent further data loss. For organizations that rely heavily on IT infrastructure, removing or decommissioning an affected system may have a direct impact on the organization.
Competitive Disadvantage: Breaches that involve competitively sensitive information such as trade secrets, customer lists, or marketing plans may threaten the ability of your organization to compete.
Investigation Costs: Security incidents involving IT infrastructure may require the services of a computer forensics expert in order to help investigate whether a breach has occurred and, if so, the extent of the breach.
Legal Costs: An investigation often will be led by experienced outside breach counsel who can protect communications under the shield of the attorney-client privilege and guide the company through the myriad legal and contractual requirements.
Contractual Costs: Your organization may be contractually liable to business partners in the event of a data security breach. For example, a breach involving an organization’s electronic payment system typically will trigger obligations under agreements with its merchant bank or its payment processor. Those obligations may include, among other things, the assessment of significant financial penalties. As another example, some outsourcing contracts require companies that provide services to other companies to pay for the cost to notify impacted individuals and to indemnify their business partner from lawsuits.
Notification Costs: If your organization is required to, or voluntarily decides to, notify consumers of a data security incident, it may incur direct notification costs such as the cost of printing and mailing notification letters. Although most statutes do not formally require organizations to provide consumers with credit monitoring, identity-theft insurance, or identity-theft restoration services, in some situations offering such services at the organization’s own cost has become an industry standard practice.
Regulatory Costs: A regulatory agency may decide to investigate whether an organization should have prevented a breach or whether it properly investigated and responded. In addition, some regulatory agencies are empowered to impose civil penalties or monetary fines in the event that they determine the organization’s security practices were unreasonable or that the organization failed to properly notify consumers or the agency itself in a timely manner. Significant legal expenses are associated with a regulatory investigation.
Litigation Costs: Bryan Cave Leighton Paisner LLP’s own 2019 Data Breach Litigation Report found that approximately 4% of publicly reported data security breaches result in the filing of a federal putative class action lawsuit. This number is expected to rise considerably following the effective date of the CCPA in January 2020. Under the CCPA, in addition to the statutory damages of $100-$750 per incident, successful plaintiffs will also be able to recover attorney’s fees. Although most suits have not resulted in a finding of liability, defense costs and settlement costs can be significant.
For additional information, BCLP’s Data Security Breach Handbook provides a comprehensive guide on how to respond when a breach happens and how to prepare your organization before one occurs. BCLP is working with clients to assess – and mitigate – risks by putting in place the policies, procedures, and protocols needed to address data security breach issues.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
1. See https://www.privacyrights.org/data-breaches and https://www.cyberriskanalytics.com/. In addition, several consulting firms that offer forensic investigation services publish annual reports concerning trends identified in their investigations of security incidents. These reports differ from the publicly reported breaches insofar as they largely rely on non-public data (i.e., incidents that may not have turned into breaches or that were not publicly reported). See, e.g., Verizon 2019 Data Breach Investigation Report available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/tool/
2. See Privacy Rights Clearinghouse, Data Breaches by Organization Type, available at https://www.privacyrights.org/data-breaches/organization?taxonomy_vocabulary_11_tid=2434 (referencing data security incidents from 2018)
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.