Update from LitLand: A Review of Data Breach Litigation Risk

LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlight any past, current, and future cases about which you should know.

Welcome to LitLand! In recognition of the fact that the Privacy Oracle was born from demand to track developments such as California’s passage of the CCPA, it seemed only appropriate that our first LitLand feature pay homage to our humble beginnings.

The California legislature earlier this month advanced A.B. 561, an amendment that would expand the private right of action under the Consumer Privacy Act. As it stands, the CCPA limits the private right of action to breaches in which “a consumer’s nonencrypted or nonredacted personal information is subjected to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to maintain reasonable security procedures to institute a civil action for various damages.” If the amendment passes, consumers would have a private right of action for any violation of their rights under the CCPA. This includes the failure of a business to provide required disclosures on its website or honor a deletion or access request. Statutory damages continue to be set at not less than $100 and not greater than $750 per incident or actual damages per violation, whichever is greater, even when plaintiffs do not show harm from the violation. In many cases, including security breaches, each consumer affected would be considered one violation, and 3-figure damages could easily become 7- and 8- figure damages.

Even if defeated, the private right of action provision that is currently in the statute arguably lowers the procedural bar for plaintiffs who have historically faced standing hurdles by making failure to notify regarding a breach a “harm” that would confer standing. A look at the largest consumer data breach class actions implicating California residents in recent years (as reported in the California Office of the Attorney General (“California AG”) 2016 Data Breach Report) provides some insight into the scope of the risk that companies doing business in California will face as of next January:

1. Anthem
   Nationwide Consumer Settlement: $115 Million
   Potential CCPA Statutory Fine: $1.4B – $7.8B
   Anthem suffered a cyberattack in 2015 that resulted in the exposure of 78.8 million consumer records, including their names, addresses, Social Security numbers, dates of birth, and employment histories. 10.4 million California residents were affected.
2. Target
   Nationwide Consumer Settlement: $10 Million
   Potential CCPA Statutory Fine: $750M – $5.6B
   During the holidays in 2013, hackers accessed Target’s point-of-sale reader using credentials stolen from a third-party vendor. The breach exposed the credit and debit cards of approximately 40 million shoppers who had visited Target stores. 7.5 million California residents were affected.
3. LivingSocial
   Nationwide Consumer Settlement: $4.5 Million
   Potential CCPA Statutory Fine: $750M – $5.6B
   The personal information of more than 50 million people, including names, email addresses, encrypted passwords, and some users’ dates of birth were compromised in a cyberattack on LivingSocial in 2013. 7.5 million California residents were affected.
4. UCLA Health
   Nationwide Consumer Settlement: $7.5 Million
   Potential CCPA Statutory Fine: $450M – $3.4B
   In 2014, hackers breached the hospital’s networks, resulting in the unauthorized access of the personal health information of 4.5 million California residents.
5. PNI Digital Media (Costco/RiteAid/CVS)
   Nationwide Consumer Settlement: $250 per person
   Potential CCPA Statutory Fine: $280M – $2.1B
   The company was targeted in a cyberattack between 2014 and 2015, where payments processed online by Costco, CVS, or Rite Aid were affected. The personally identifiable information and credit cards of 2.8 million California residents were affected.
6. T-Mobile USA, Inc. (Experian)
   Nationwide Consumer Settlement: $22 Million
   Potential CCPA Statutory Fine: $210M – $1.6B
   Fifteen million T-Mobile customers were potentially affected when credit check bureau Experian was hacked in 2015, exposing the customers’ names, addresses, dates of birth, social security numbers, and driver’s license numbers. Over two million California residents may have been affected.