Update From LitLand: Early CCPA Suits Posit Various Interpretations of Law

LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlight any past, current, and future cases about which you should know.

In the current environment, it might be easy to forget that just last year spectators were predicting a different type of pandemic for 2020—numerous lawsuits that would be unleashed by the California Consumer Privacy Act’s (CCPA) private right of action. Four months after the law’s effective date, a trickle of cases has been filed.

Fuentes v. Sunshine Behavioral

Fuentes, a Pennsylvania resident, sued Sunshine Behavioral Health Group LLC, a drug and alcohol rehabilitation center, for a data breach that occurred in September 2019. Fuentes had been a patient at the center from January 2019 to February 2019 and alleged that his personal medical data, along with that of approximately 3,500 other patients, was exposed and exfiltrated because “a cloudbased system used to store certain patient records [] was inadvertently set-up in such a manner that permitted the records to be made available on the Internet.”

Notably, Fuentes did not allege that his time at the center was sufficient to establish California residency, nor did he address the fact that while the defendant notified affected individuals of the breach in January 2020, after the CCPA took effect, the breach itself occurred before the CCPA the law was in effect.

Llamas v. TrueFire, LLC

Plaintiff alleged that defendants, which are Florida companies offering online guitar lessons, violated the CCPA when they failed to secure their websites from malware. According to the complaint, from August 2019 until January 2020, hackers using malware scraped plaintiffs’ personal information from the defendants’ websites, capturing credit card information, names, and contact information.

Llamas also alleged that in October 2019 the FBI had issued a warning about the type of hacking to which the defendants were subject and advised companies to take certain protective measures, which defendants did not do. The case was filed on April 14, 2020.

Lopez v. Tandem

Plaintiff alleged that Tandem Diabetes Care, Inc., a medical device manufacturer, suffered a data breach on January 17, 2020, resulting in the exposure and exfiltration of the medical information of over 140,000 patients. The breached data included the name, contact information, Social Security number, and information related to the products and treatments that individual patients used. Lopez, who had purchased an insulin pump from the company in December 2019, learned about the breach when Tandem issued a press release in March 2020.

Presumably to establish a legally cognizable injury, Lopez claimed that he subsequently discovered that an insurance policy that does not belong to him was associated with his Tandem account, that he worries about fraudulent insurance claims being made with his information, and that he spent over one hour ensuring that he does “not become victimized.” To support his claim that Tandem’s security measures were inadequate, Lopez pointed to a general warning about cybersecurity issued by the FBI to the healthcare industry in August 2014 and general American Medical Association guidance about protecting patient medical information.

Key Takeaways for Businesses

While the facts of each lawsuit vary, they all suffer from one or more of the following issues that may prove fatal to recovery and offer learning opportunities for potential defendants:

• First, establishing standing remains an issue in privacy cases, notwithstanding Sec. 1798.150’s establishiment of a private right of action. The timing of a number of the suits raises questions about whether the plaintiffs whose personal information was subject to an alleged breach satisfied the statutory requirement that all consumers seeking anything other than actual pecuniary damages provide “a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated,” and an opportunity to cure prior to filing a lawsuit.
  
  As a workaround, these plaintiffs assert that the complaint provides notice and reserve the right to seek statutory damages if the defendant fails to cure. A court might find a CCPA complaint premature if the statutory language is read to strictly require a notice and then the passage of 30 days before the filing of any lawsuit.
• Second, in several cases, the named plaintiff hails from a state other than California. This may subject the CCPA to criticism for extraterritorial reach, and non-state residents will have to show why they should be considered a consumer under the CCPA.
• Third, a few cases do not specifically allege any acts that indicate defendants failed to appropriately “implement and maintain reasonable security procedures” to protect personal information. Rather, they rely on the occurrence of a breach as sufficient proof that security measures were insufficient. This lack of specificity could serve as the basis for a motion to dismiss.

Finally, in each of these lawsuits, the CCPA claims are tacked on to a long list of other causes of action. If courts dismiss the CCPA claims early, we may have to wait longer still for the first case clarifying ambiguities in the law.