Hopes that privacy regulators and litigants would grant a reprieve to businesses during the COVID-19 pandemic may prove ill-founded. On July 21, 2020, the New York Department of Financial Services announced its first enforcement action under its cybersecurity regulation, just as reports of California Attorney General (AG) enforcement-related inquiries began under the California Consumer Privacy Act (CCPA). To make matters worse, since January 1, plaintiffs have brought more than 50 class action lawsuits based, in part, on the CCPA.
This trend will only continue, and many in-house litigators who have never dealt with privacy before are destined to become privacy experts before too long. The best strategy to cope with this fast-emerging reality is two-fold.
First, reason back from litigation and enforcement, incorporating the key lessons from these worst-case outcomes into proactive policies and procedures.
Second, consider developing or updating an overall digital strategy, not only to accommodate US cyber and privacy developments, but global developments as well. The recent decision out of the European Union, Schrems II, was seismic in significance, severely curtailing the ability to transfer personal data from the EU to the US and other countries.
The California Consumer Privacy Act
The California AG has resisted calls to delay enforcement of the CCPA, which took effect on January 1, 2020, putting a premium on ensuring your business is CCPA compliant. The Act established sweeping regulation of any business that collects, or determines the processing of, personal information of California residents, does business in California, and meets at least one of three thresholds: (a) annual gross revenues of $25 million; (b) use of the personal information of 50,000 California residents, households, or devices; or (c) derivation of 50% or more of its annual revenue from selling the personal information of California residents.
The CCPA requires increased transparency from businesses and grants four new privacy rights to California consumers: (1) the right to know what personal information is collected, used, shared, or sold, both as to the categories and specific pieces of personal information; (2) the right to delete personal information held by businesses, and by extension, those businesses’ service providers; (3) the right to opt-out of the sale of personal information; and (4) the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA. Businesses subject to the CCPA must provide notice to consumers at or before data collection and create procedures to respond to consumer requests to opt-out of sharing personal information.
Those businesses that fail to declare that they do not sell personal information, or, if they do, fail to provide a clear and conspicuous opt-out link, as well as those companies which do not provide a workable webform to accept access or deletion requests, may soon find themselves in the crosshairs of the California AG.
The California AG became authorized to begin enforcement of the CCPA on July 1, 2020. At a panel hosted by the International Association of Privacy Professionals, a representative of the California AG stated that on July 1, 2020, the AG sent an initial wave of notice letters to companies believed to be in violation of the CCPA. These initial letters, according to the AG’s representative, focused on online-only businesses, with an emphasis on violations of the CCPA’s rules governing the sale of personal information. These businesses had 30 days from the notice letters to cure their noticed violations before the AG could bring an enforcement action against them.
Private rights under the CCPA
While the threat from regulators is substantial, the threat from litigators may be existential.
The CCPA provides a private right of action to institute a civil action against a business whose failure to implement and maintain reasonable security procedures resulted in the unauthorized access and exfiltration, theft, or disclosure of the consumer’s nonencrypted and nonredacted personal information, under Cal. Civ. Code § 1798.150. “Personal information” is defined more narrowly in this context than in other CCPA provisions, and applies only to an individual’s name, together with an identifying data element, such as a Social Security number, driver’s license number, or medical information. Under this right of action, a plaintiff may seek injunctive or declaratory relief, actual damages, or statutory damages in an amount not less than $100 and not greater than $750 per consumer, per incident.
Emerging trends of early CCPA litigation
The first wave of private lawsuits filed under the CCPA reveals several already emerging trends in how plaintiffs will vindicate their newly protected rights. At the broadest level, CCPA lawsuits tend to be brought as class actions and tend to be filed in federal courts. Few complaints are limited to claims based on the CCPA; many suits leverage the CCPA to make other, factually related claims, such as unjust enrichment, breach of contract, negligence, misappropriation of confidential information, invasion of privacy, unlawful and unfair business practices, and unfair competition.
While the CCPA’s private right of action is theoretically limited and gives rise to suit only where there has been an “unauthorized access and exfiltration, theft, or disclosure” as a result of the business’s violation of the duty to “implement and maintain reasonable security procedures and practices,” the plaintiffs’ bar has been creative and taken a broad view of the term “unauthorized disclosure.” Complaints have not been factually limited to circumstances where there has been a data breach or theft. Instead, many complaints have alleged that sharing a consumer’s personal information with third parties without the consumer’s authorization is an “unauthorized disclosure.”
Additionally, while the CCPA’s private right of action does not extend to failure to provide adequate privacy disclosures, the plaintiffs’ bar has nevertheless brought suits alleging just that. For instance, over half the cases implicating the CCPA involve allegations of a failure to implement and maintain reasonable security procedures and practices, and half of these cases allege violations of the obligation to comply with adequate privacy disclosures—failures to provide adequate advance notice or provide adequate notice of disclosure opt-out rights. Three cases allege that collecting, using, storing, and disclosing personal information of minors without parental consent is a CCPA violation. How federal judges will address these claims (and how prone such claims will be to defense motions to dismiss) remains to be seen.
The New York Department of Financial Services’ first enforcement action
The New York Department of Financial Services (NYDFS) has also recently begun to enforce its groundbreaking Cybersecurity Regulations (23 NYCRR 500). These regulations, released in four phases between 2018 and 2019, cover all entities operating under or required to operate under NYDFS licensure, registration, or charter, or which are otherwise NYDFS-regulated (as well as unregulated third-party service providers to regulated entities, by extension). The regulations impose strict cybersecurity rules on the covered entities, including the implementation of a detailed cybersecurity plan, the designation of a Chief Information Security Officer, the enactment of a comprehensive cybersecurity policy, and the initiation and maintenance of an ongoing reporting system for cybersecurity events.
Though the final phase of the NYDFS Cybersecurity Regulation went into effect on March 1, 2019, the NYDFS has only just brought its first cyber enforcement action, against First American Title Insurance Company, on July 21, 2020. According to the NYDFS, First American Title Insurance Company failed to safeguard mortgage documents, including bank account numbers. The NYDFS alleges that the flaw in First American’s data storage system was first introduced during a May 2014 update. First American has stated that it strongly disagrees with the enforcement action and contends that only a limited number of documents were at risk, none of them belonging to New York consumers.
Cybersecurity compliance on a global scale
Enforcement concerns extend well beyond the United States. There is every reason to expect an onslaught of European privacy actions to enforce the Schrems II decision, which invalidated the Privacy Shield and called into question the continuing viability of the other mechanism under the GDPR to transfer personal data from the EU/UK to the US.[1]
Key to avoiding and surviving these actions will be determining which personal data streams (be it employee data, customer data, etc.) must transit across borders, documenting the extent to which surveillance authorities impact those streams, and implementing any supplementary measures to protect that data in transit (e.g. encryption).
Considerations moving forward
Amidst the unyielding volatility around privacy and cybersecurity, and the increasing penalties for noncompliance, companies have an opportunity to approach their data handling as a strategic matter.
As part of that holistic strategy, companies may want to consider:
Ultimately, proactivity may be more involved at the beginning, but proactivity is far less involved and expensive than continuing to react, defend and adjust to the ever-changing world of cyber and privacy.
[1] Max Schrems v. Data Protection Commissioner, Case No. C-311/18, CJEU ruling (July 16, 2020). See also Michael Bahar, Sarah E. Paul, Mary Jane Wilson-Bilik, The Seismic Shift of Schrems II and What You Can Still Do to Transfer Personal Data to the US from the EU, Eversheds Sutherland Legal Alerts (7/28/20), https://us.eversheds-sutherland.com/mobile/NewsCommentary/Legal-Alerts/234317/The-seismic-shift-of-Schrems-ll-and-what-you-can-still-do-to-transfer-personal-data-to-the-US-from-the-EU.