Data breaches have become a lot more dangerous in California. Joining the dubious ranks of Minted Inc., Zoom, TikTok, and Salesforce.com, Wal-Mart is the latest target of a CCPA-related class action lawsuit arising from a data breach. This exposes Wal-Mart to a maximum of $750.00 in damages for each and every consumer within the class action. Given Wal-Mart's comparative size, massive reach, and the approximately thirty-nine million people residing in California, this creates a scenario where Wal-Mart may easily face a billion-dollar class action. So what happened to create this lawsuit? What risks do other businesses face if they fail to take appropriate action? How can businesses avoid suffering the same fate and ending up in litigation?
- The exposure of private IP addresses disclosed in the public website code;
- 44 instances of password autocomplete, allowing cookies to be accessed from a personal computer (permitting pre-existing malware to access and manipulate cookie data);
- Over 93,000 instances of an exploit permitting cookies to be accessed over unencrypted connections; and
- Over 8,000 instances where the Wal-Mart website was allegedly vulnerable in a way that would allow an attacker to steal account information through interactive areas of the site.
The plaintiff also used other vulnerability assessment tools, including the Nessus tool used by government agencies, to identify 13 additional issues that would be considered automatic failures.
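As an added illustration (not code from the article, the complaint, or any scanning tool it mentions), the following Python script shows the kind of offline check a defender can run against its own site for two of the finding types listed above. The complaint does not say which criteria the scanning tools applied; this example assumes that "cookies accessible over unencrypted connections" corresponds to Set-Cookie headers lacking the Secure attribute (HttpOnly is reported as well), and that "password autocomplete" corresponds to password fields without autocomplete="off". The headers and HTML are constructed sample input.

```python
"""Offline audit of Set-Cookie headers and HTML forms (constructed example).

Assumptions (not taken from the complaint):
  * "cookies accessible over unencrypted connections" == cookies set
    without the Secure attribute;
  * "password autocomplete" == password inputs that neither carry
    autocomplete="off" themselves nor sit inside a form that does.
"""
from html.parser import HTMLParser

# Constructed sample response headers, as a server might emit them.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "cart=42; Path=/",                     # neither Secure nor HttpOnly
    "prefs=dark; Path=/; Secure",          # Secure but readable by scripts
]

# Constructed sample page with three password fields.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/reset" method="post" autocomplete="off">
  <input type="password" name="newpass">
</form>
<input type="password" name="stray" autocomplete="off">
"""


def cookie_findings(set_cookie_headers):
    """Return (cookie_name, missing_attribute) pairs for every Set-Cookie
    header that lacks Secure (sent over plain HTTP) or HttpOnly (readable
    by page scripts)."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (Path=/) are dropped.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append((name, "Secure"))
        if "httponly" not in attrs:
            findings.append((name, "HttpOnly"))
    return findings


class _PasswordFieldParser(HTMLParser):
    """Collect names of password inputs where autocomplete is not disabled."""

    def __init__(self):
        super().__init__()
        self.autocomplete_enabled = []
        self._form_autocomplete_off = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_autocomplete_off = (a.get("autocomplete") or "").lower() == "off"
        if tag == "input" and (a.get("type") or "").lower() == "password":
            field_off = (a.get("autocomplete") or "").lower() == "off"
            if not (field_off or self._form_autocomplete_off):
                self.autocomplete_enabled.append(a.get("name") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete_off = False


def password_autocomplete_findings(html):
    """Return the names of password inputs that would be flagged.
    Note: current browsers largely ignore autocomplete="off" on password
    fields, so this mirrors a scanner's criterion, not a guarantee."""
    parser = _PasswordFieldParser()
    parser.feed(html)
    return parser.autocomplete_enabled


def audit(set_cookie_headers, html):
    """Combine both checks into a single report dictionary."""
    return {
        "cookies": cookie_findings(set_cookie_headers),
        "password_autocomplete": password_autocomplete_findings(html),
    }


if __name__ == "__main__":
    for section, items in audit(SAMPLE_SET_COOKIE, SAMPLE_HTML).items():
        print(section, "->", items)
```

Each finding names the cookie or field at fault, which is the level of detail a remediation ticket needs; the counts quoted in the complaint are simply the length of such lists aggregated over every page and response the scanner visited.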
What Risks Exist?
The lawsuit against Wal-Mart puts the risk to businesses in harsh relief. While there are certainly reputational costs, as occurred with the massive Target breach, the lawsuit against Wal-Mart also highlights that there are high financial costs for companies doing business in California. The CCPA permits individuals to sue for $100 to $750 per person if their information is compromised and the business failed to maintain reasonable security measures. For Wal-Mart, this means that a potential class of two million Californians could result in $200 million to $1.5 billion in damages. While this would scale down for smaller businesses, even a business subject to the CCPA with 50,000 consumers would face damages ranging from $5 million to $37.5 million.
How Can Other Businesses Avoid Similar Lawsuits?
The solution for other businesses is a murky one that can be roughly categorized in two areas:
Engage in “reasonable” security measures.
This can be difficult because "reasonable security measures" has never been defined within the CCPA, and thus it may be interpreted as a sliding scale, as seems permissible under the Attorney General's guidelines regarding the different authentication measures needed for different kinds of personal information. However, general rules will apply (e.g., implementing firewalls, partnering with IT services for basic security, avoiding "scams," and engaging in safe computing).
One of the most basic and essential measures that can be taken is training employees to avoid phishing and social engineering efforts. Social engineering has been shown to be among the easiest ways an attacker can cause massive damage to a business, and it was the cause of the Twitter hack of high-profile verified accounts on July 15, 2020, as well as various other infamous "hacks" such as the hack of the Democratic National Committee in 2016, the Target data breach in 2013, the Yahoo account breach in 2013, and the 2014 Sony Pictures hack. All of these incidents occurred due to phishing or spear phishing attempts against the respective entities, compromising accounts with extensive access to sensitive information.
While this may be difficult to manage consistently, it emphasizes that social engineering can result in massive damage to entities. Using the Target breach as an example, that breach resulted in an $18.5 million settlement. Furthermore, Yahoo's breach resulted in a settlement of $117.5 million. Notably, both of these occurred before the CCPA became law. This is crucial to train against because, unlike "brute force" methods of hacking where an attacker attempts to crack passwords or forcibly obtain access, the users themselves are the source of the vulnerability. Additionally, businesses' use of assessment and security auditing tools like those used by the plaintiff may help remediate risks and address concerns proactively.
Review privacy policies.
Why Conscious Steps Now Are So Important
While these efforts may seem daunting, the hardest part is taking the first step forward. While there is admittedly not much guidance within the law yet, staying informed and taking proactive steps to improve security is key. For example, implementing readily available training on avoiding social engineering schemes will help bolster efforts to show reasonable security, even if a company cannot afford assessment or auditing tools.
An important aspect to remember is that a business should be prepared to respond after a hack occurs. California and other states have statutes dictating how businesses must respond to consumers after becoming aware of a breach where personal information is compromised, or believed to have been compromised.