This article was originally published in the July/Aug 2021 issue of San Diego Lawyer Magazine.
By Chelsea Staskiewicz, Maddy Swoy, and Justine Phillips
Viruses (both biological and digital) plagued businesses in 2020 and 2021, causing disruption and unprecedented loss. COVID-19 forced employees from company premises into their homes. Businesses scrambled to provide remote access to their networks and systems. While the coronavirus relentlessly traversed through our communities, malware viruses also spiked. Continuous ransomware attacks on critical infrastructure, like hospitals and gas pipelines, signal that our supply chain remains vulnerable even though the pandemic is winding down. Cyber experts report a 400%-plus increase in ransomware attacks in the past 18 months, many caused by exploiting vendors and weak links in the supply chain. Containing and recovering from a cyberattack is only the first phase in managing risk. Regulatory inquiries and consumer litigation are also on the rise. Here we will explore why California is a fertile battleground for managing cyber liability.
California Consumer Privacy Act Is Thorny
The California Consumer Privacy Act (CCPA) came into effect January 1, 2020, producing two landmark rights for California residents if a business fails to reasonably secure their data: (1) a private right of action to sue a business on behalf of themselves and all residents similarly situated; and (2) statutory damages from $100-$750 per incident, per person. California law also requires businesses that experience a breach impacting 500-plus California residents to report to the California Attorney General (AG), who then publicly posts the notices and breaches on its website. The number of breaches is increasing exponentially. In 2019, 159 businesses reported breaches to the AG. In 2020, 271 businesses reported. In the first 6 months of 2021 alone, more than 209 businesses have reported breaches to the AG. These laws, coupled with persistent cyberattacks, make the Golden State ripe for class action breach litigation.
Harvesting Wisdom from Backroads
Nearly 100 CCPA cases have been filed in California state courts in the past 18 months. One recently filed case against an adventure travel company, Backroads, illustrates common claims Plaintiffs’ allege and difficulties businesses face post-breach.
Backroads discovered it was the victim of a cyberattack on October 16, 2020. On November 19, 2020, Backroads notified individuals and the Attorney General. Less than six months later, on April 26, 2021, a CCPA class action lawsuit was filed alleging Backroads failed to reasonably secure employee data. Yoshida v. Backroads, No. 3:21-cv-03034, ECF No. 1 (N.D. Cal.). (Backroads.) The Complaint provides valuable lessons to plant seeds of change for all organizations managing cyber risk.
- Safeguard Employee Data. The Complaint alleges Backroads failed to reasonably secure employee data. Businesses regularly collect sensitive data from employees (Social Security number, government identification, COVID data, medical information, health insurance data, and usernames/passwords) to comply with legal requirements. These data elements trigger notice obligations, statutory damages, and CCPA liability if the data is compromised. Map employee data and implement defensible technical and procedural safeguards to keep this data secure.
- Review Online Privacy Policy. Plaintiffs allege Backroads made promises in their privacy policy to “protect the private information that you provide to us.” The Federal Trade Commission (FTC) has taken the position that failure to live up to promises made in a privacy policy may constitute an unfair or deceptive trade practice. California’s Bus. and Prof. Code § 17200 similarly prohibits unlawful, unfair, or fraudulent business practices. In addition to increased risk of consumer litigation, the FTC and AGs have increased their investigative and enforcement authority to levy substantial fines and penalties on businesses. Review and revise the privacy policy to ensure what you think/say/do about securing data is in harmony with it.
- Get Specific in Notices. Plaintiffs allege Backroads failed to inform employees of the specific data elements compromised and as a result Plaintiffs suffered additional harm. Understanding the specific data elements compromised is a time-consuming process and can be complicated if the threat actor encrypts systems and deletes files. Providing specific information in notices gives consumers some transparency about the type of data compromised.
The 2020 viruses have taught us that even in isolation, we are wildly interdependent and interconnected with one another. All eyes are on California as the decisions in these CCPA class actions will start to shape what is (and is not) considered “reasonable security.” Other states will continue to watch how CCPA litigation plays out in California courts as they introduce similar CCPA legislation.
Chelsea Staskiewicz, Associate at Sheppard Mullin Richter & Hampton LLP (cstaskiewicz@sheppardmullin.com)
Maddy Swoy, Legal Intern at Sheppard Mullin Richter & Hampton LLP (mswoy@sheppardmullin.com)
Justine Phillips, Partner at Sheppard Mullin Richter & Hampton LLP (jphillips@sheppardmullin.com)