Businesses have numerous cybersecurity regulations and requirements to worry about, but they may not be considering their cybersecurity obligations under privacy statutes. California was at the forefront of privacy regulations with the passage of the California Consumer Privacy Act (CCPA). Lawsuits under the CCPA began almost immediately after it was enacted in 2020. Since its enactment, there have been over 300 cases filed under the CCPA. Although enforcement of the CCPA largely lies with the California Attorney General (and is now shared with the California Privacy Protection Agency), this has not stopped plaintiffs from creatively trying to expand the statute’s private right of action, which includes data breaches.

The CCPA authorizes a private cause of action against a covered business if its failure to implement reasonable security safeguards results in a data breach affecting personal information. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

Plaintiffs’ counsel are attempting to use this requirement under the CCPA to bring class action lawsuits. In a recent case in California district court, the plaintiff brought claims under the CCPA’s reasonable security safeguards requirement for the defendant’s alleged sharing of consumer data.

The CCPA claim was eventually dismissed in part because the court found the CCPA’s right of action is limited to the data breach context and not to the intentional sharing of data.

But this may not be the final word on the use of the CCPA cybersecurity requirements. It is likely plaintiffs’ counsel will continue to look for ways to use the reasonable security safeguards requirements to their advantage.

If you have questions about the CCPA cybersecurity requirements or related issues, contact a Jackson Lewis attorney to discuss.