Countdown to the CCPA: What are the Potential Costs of a Data Breach?

Bryan Cave Leighton Paisner

When the California Consumer Privacy Act (“CCPA”) takes effect in January 2020, California will become the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages of between $100 and $750 per incident, even in the absence of any actual harm.  The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories.  A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held.  The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit.

What types of organizations have been impacted by security breaches?

Security breaches impact all types of entities.  Two organizations—Privacy Rights Clearinghouse and Cyber Risk Analytics—systematically track publicly reported security breaches and provide up-to-date reports on evolving trends.[1]  According to the former source, in 2018, approximately 53.4% of reported breaches impacted medical organizations, 11.6% impacted for-profit businesses, including retail and financial organizations, 3% impacted educational institutions, and 1.2% impacted government agencies and nonprofit entities.  The industries remain unknown for the last 30.7% of incidents reported.[2]

What are the potential costs of a data breach?

Data breaches typically impact organizations in a number of ways:

Reputational Costs:  A data breach can erode the confidence of customers or clients, which can significantly impact sales or the reputation of your organization.  Often the indirect cost to the organization from adverse publicity outweighs direct costs and potential legal liabilities. 

Business Continuity Costs:  Breaches that create, expose, or exploit vulnerabilities in network infrastructure may require that a network be taken offline to prevent further data loss. For organizations that rely heavily on IT infrastructure, removing or decommissioning an affected system may have a direct impact on the organization.

Competitive Disadvantage: Breaches that involve competitively sensitive information such as trade secrets, customer lists, or marketing plans may threaten the ability of your organization to compete.

Investigation Costs:  Security incidents involving IT infrastructure may require the services of a computer forensics expert in order to help investigate whether a breach has occurred and, if so, the extent of the breach. 

Legal Costs:  An investigation often will be led by experienced outside breach counsel who can protect communications under the shield of the attorney-client privilege and guide the company through the myriad legal and contractual requirements.

Contractual Costs:  Your organization may be contractually liable to business partners in the event of a data security breach.  For example, a breach involving an organization’s electronic payment system typically will trigger obligations under agreements with its merchant bank or its payment processor. Those obligations may include, among other things, the assessment of significant financial penalties.  As another example, some outsourcing contracts require companies that provide services to other companies to pay for the cost to notify impacted individuals and to indemnify their business partner from lawsuits.

Notification Costs:  If your organization is required to, or voluntarily decides to, notify consumers of a data security incident, it may incur direct notification costs such as the cost of printing and mailing notification letters.  Although most statutes do not formally require organizations to provide consumers with credit monitoring, identity-theft insurance, or identity-theft restoration services, in some situations offering such services at the organization’s own cost has become an industry standard practice.

Regulatory Costs:  A regulatory agency may decide to investigate whether an organization should have prevented a breach or whether it properly investigated and responded.  In addition, some regulatory agencies are empowered to impose civil penalties or monetary fines in the event that they determine the organization’s security practices were unreasonable or that the organization failed to properly notify consumers or the agency itself in a timely manner.  Significant legal expenses are associated with a regulatory investigation.

Litigation Costs:  Bryan Cave Leighton Paisner LLP’s own 2019 Data Breach Litigation Report found that approximately 4% of publicly reported data security breaches result in the filing of a federal putative class action lawsuit.[3]  This number is expected to rise considerably following the effective date of the CCPA in January 2020. Under the CCPA, in addition to the statutory damages of $100-$750 per incident, successful plaintiffs will also be able to recover attorney’s fees.  Although most suits have not resulted in a finding of liability, defense costs and settlement costs can be significant.

For more information and resources about the CCPA visit 

1. See and In addition, several consulting firms that offer forensic investigation services publish annual reports concerning trends identified in their investigations of security incidents.  These reports differ from the publicly reported breaches insofar as they largely rely on non-public data (i.e., incidents that may not have turned into breaches or that were not publicly reported).  See, e.g., Verizon 2019 Data Breach Investigation Report available at

2. See Privacy Rights Clearinghouse, Data Breaches by Organization Type, available at (referencing data security incidents from 2018)

3. David Zetoony, Jena Valdetero, Andrea Maciejewski 2019 Data Breach Litigation Report (available at

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising
