It has been a year for the record books for data privacy litigation (and we are only into Q2; who knows what Q3 and Q4 will bring!). CPW has been tracking significant developments in this area of the law—including with regard to the California Consumer Privacy Act (“CCPA”). While the statute has been in effect for a little over a year, it has already become a battleground for plaintiffs seeking to assert statutory claims against defendants for failing to maintain reasonable security procedures (even if the only harm plaintiffs allegedly suffered is speculative risk of future injury). In fact, the flood of litigation under the CCPA was cited this week as a reason for the Florida legislature to consider dropping a private right of action from a data privacy bill under consideration.
The underlying reasons for this trend are clear. First, the number of data breaches continues to rise. Current estimates place the number of cyberattacks occurring in Q1 in the U.S. at ~320. This is a slight uptick from Q1 2020. Most significantly, however, the number of individuals in the U.S. whose information was disclosed in a data event in 2021 is up 500%. Second, the CCPA is an attractive option for plaintiffs who claim they were “harmed” by the disclosure of their personal information, as the statute purportedly provides for significant liquidated statutory damages (even in the absence of proof of identity theft, fraudulent charges on accounts, and the like—although how that actually shakes out in litigation is far from settled).
We are going to dig into what this all means and where things may be headed. But first, let’s go back to the basics for any CCPA newbies out there.
A quarter into 2021, our review confirms that the slew of lawsuits filed under the CCPA remains concentrated in the area of data events. But there should be no surprise there. Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied). Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).
So what do most of the CCPA cases filed in 2021 look like? Good question.
Over one third of the CCPA litigations filed thus far are related to the account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards issued through Bank of America. In case you missed it, a number of individuals had the balances on their EDD debit cards wiped out (without any prior notice or security alert). On January 14, 2021, the first class-action lawsuit related to this event was filed against Bank of America, claiming the bank did not do enough to stop the scammers. Since then, over 13 other similar lawsuits have been filed, which may be consolidated down the road.
In these litigations, plaintiffs raise claims under the CCPA concerning Bank of America’s alleged “failure to secure” private account information. To put it differently, Bank of America allegedly breached its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of individuals’ personal information, including by “issuing EDD debit cards to plaintiff and class members with magnetic stripes but without EMV chip technology.” Most of the filed complaints allege that the lack of chip technology enabled scammers to access the funds on the debit cards, resulting in accounts being frozen and many individuals being left without payments for weeks (and some to date).
Bank of America is not the only institution that has been a victim of recent cyber theft. Accellion’s File Transfer Appliance was also recently compromised, resulting in a number of CCPA class action lawsuits filed this year relating to—you guessed it—its alleged failure to maintain reasonable security procedures. As alleged in one of the complaints:
Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information
Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70.
Another major data breach this year that has involved a large number of CCPA suits relates to Automatic Funds Transfer Services, Inc. (“AFTS”). On February 17, 2021, the California Department of Motor Vehicles announced that AFTS had been the subject of a “security breach” and ransomware attack that may have compromised “the last 20 months of California vehicle registration records that contains the names, addresses, license plate numbers and vehicles identification numbers” of California drivers. Not surprisingly to those in the consumer privacy space, this resulted in numerous class action lawsuits being filed under the CCPA. In those litigations, plaintiffs allege “AFTS violated the CCPA by subjecting Class Members’ PI to unauthorized access and exfiltration, theft, or disclosure as a result of AFTS’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.” Atachbarian v. Automatic Funds Transfer Services, Inc., Case No. 2:21-cv-02645, Dkt. #1 at ¶61.
And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA. For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e., without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers. The lawsuits follow the FTC’s investigation into related concerns. Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim. See, e.g., Tesha Gamino v. Flo Health Inc., Case No. 5:21-cv-00198-JWH-SHK, Dkt. #1. This is something we have noticed in a handful of other lawsuits filed this year: listing the CCPA without asserting a direct cause of action under the statute.
So there you have it. A quarter into 2021, CCPA cases continue to fill the docket and occupy our attention. Stay tuned while we continue to break the latest developments for you. It is going to be a wild 2021, but CPW will be there.