Class action lawsuits hurt businesses in at least three ways: they harm reputation, disrupt continuity, and are expensive to defend. In a privacy and cybersecurity context, even when dismissed at an early stage – when it is clear consumers have failed to show they have suffered a compensable injury – the legal fees for class actions can still reach hundreds of thousands of dollars.
At a popular global privacy event earlier this month, a leading privacy professional predicted that the amount of class actions in the next ten years “will be explosive.” That could prove to be true as courts continue to lower the compensable injury requirement. Earlier this month in a case involving Saks Fifth Avenue, a court ruled that “230 minutes and $4.68” was enough time and money spent by a single consumer for a class action to move forward. The data breach at issue in that case could involve millions of consumers. Last week Equifax was downgraded by ratings agency Standard and Poor’s, from stable to negative, after announcing it could cost $690 million to defend and settle class action lawsuits. The data breach in that case could involve tens of millions of consumers.
While privacy and cybersecurity class actions for consumers may seem en vogue, for now at least California will only allow them for a narrow set of circumstances under the California Consumer Privacy Act (“CCPA”). As noted in an earlier alert, while the California Attorney General has primary responsibility for enforcement of the CCPA, a consumer’s right to sue is limited to when a business’s non-compliance (failure to maintain “reasonable” security procedures and practices) results in the “unauthorized access and exfiltration, theft, or disclosure” of their personal information. A consumer may seek either actual damages or statutory damages up to $750 per incident.
In April, Special Bill 561 was proposed as an amendment to the CCPA to expand a consumer’s right to sue. Under SB 561, consumers would have had a private right of action for violations of the CCPA, or as the bill’s sponsor State Senator Hannah-Beth Jackson stated, it would have allowed “individuals whose privacy is ignored or violated, or whose wishes are not honored, to be able to sue for those breaches of their privacy.” SB 561 seemed to have widespread support. Even California Attorney General Xavier Becerra supported it, acknowledging that his office does not have enough resources to fully enforce the CCPA. But on May 16, the California State Senate rejected SB 561, effectively confirming that consumer class actions would be limited to a business’s failure to maintain “reasonable” security procedures and practices.
Expanding enforcement to consumers under a private right of action will remain controversial in California and other states considering similar legislation. For example, in Washington the legislature was poised to enact a statute addressing a similar range of privacy and security issues to the CCPA. A sticking point, whether a private right of action like that proposed in SB 561 should extend to consumers. As a result, the legislation expired and was not enacted.
It remains to be seen whether the CCPA can be plausibly connected to other potential legal claims, such as California’s Consumers Legal Remedies Act and Unfair Competition Law, but the CCPA seems to foreclose such attempts when stating, “nothing in this act shall be interpreted to serve as the basis for a private right of action under any other law.”
In other news, and perhaps as an instance of art imitating life, yesterday a laptop containing six of the most destructive malwares ever deployed was sold for $1.3 million dollars, as a work of art. Livestreamed as The Persistence of Chaos, the art piece was created by Guo O Dong and was isolated and air-gapped to prevent the malware from spreading. The malware contained on the laptop is said to be responsible for $95 billion in financial damages and included the ILOVEYOU virus, the MyDoom worm, SOBig spam, and WannaCry ransomware.
