[BreachExchange] California May Lower the Standing Threshold in Data Breach Litigation

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 11 20:33:21 EDT 2018 

https://www.natlawreview.com/article/california-may-lower-
standing-threshold-data-breach-litigation


A key issue for any business facing class action litigation in response to
a data breach is whether the plaintiffs, particularly consumers, will have
standing to sue. Standing to sue in a data breach class action suit,
largely turns on whether plaintiffs establish that they have suffered an
“injury-in-fact” resulting from the data breach. Plaintiffs in data breach
class actions are often not able to demonstrate that they have suffered
financial or other actual damages resulting from a breach of their personal
information. Instead, plaintiffs will allege that a heightened “risk of
future harm” such as identity theft or fraudulent charges is enough to
establish an “injury-in-fact”.

Federal circuits court over the past few years have struggled with the
question whether plaintiffs in a data breach class action can establish
standing if they only allege a heightened “risk of future harm”.  For
example, the 3rd, 6th, 7th, 10th and 11th circuits have generally found
standing, while the 1st, 2nd, 4th, 5th, 8th and 9th circuits have generally
found no standing where a plaintiff only alleges a heightened “risk of
future harm”. This circuit court split is in large part to due to lack of
clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v.
Robins which held that even if a statute has been violated, plaintiffs must
demonstrate that an “injury-in-fact” has occurred that is both concrete and
particularized, but which failed to clarify whether a “risk of future harm”
qualifies as such an injury.

California Senate Tackles Issue of Standing in Data Breach Class Action
Suits

While businesses await the U.S. Supreme Court to address this issue, it
looks like the California legislature may take matters into its own hands.
Senator Bill Dodd (D.) recently introduced a bill, S.B. 1121 Personal
Information (an amendment to the California Customer Records Act) that
would allow consumers to sue a business in response to a data breach
without any showing of harm at all. The California Senate recently passed
the bill in a vote of 22-13, after accepting an amendment from the Assembly
to create a safe harbor for businesses that protect consumer’s personal
data. The bill now moves to the California Assembly that must vote on the
bill by August 31st. If the bill passes the Assembly, Governor Jerry Brown
will have 30 days to sign or veto the bill.

Key Aspects of the S.B. 1121 Personal Information Include:

- Each consumer could recover damages in an amount of not less than $200
and not greater than $1,000 per incident or for actual damages, whichever
sum is greater.
- Defines “breach” as “unauthorized access, use, modification, or
disclosure of personal information.”
- Consumers would have up to 4 years to sue for violation of the California
Customer Records Act if their personal information was breached.
- The current California Customer Records narrowly defines “customer” as an
individual who provides personal information to a business for the purpose
of purchasing or leasing a product or obtaining a service from the
business. This bill would instead make those provisions applicable to
consumers and consumer records, and define “consumer” for purposes of those
provisions broadly to include any natural person.
- A safe harbor for businesses that have implemented and maintained
reasonable security procedures and practices appropriate to the nature of
the information.

Response to Senator Dodd’s Bill

 S.B. 1121 Personal Information if passed would substantially lower (if not
eliminate) the standing threshold in data breach consumer class action
lawsuits. While consumer groups including the Consumer Attorneys of
California, the California Public Interest Research Group, and others have
come out in support, business organizations are, strongly opposed to the
bill. Opposition includes a coalition of over 70 groups (and growing)
including the

Senator Dodd in his introduction of S.B. 1121 stressed the importance of
providing consumers a measure to sue following a data breach of their
personal information, however Senator Dodd has said he is open to
amendments of the bill to prevent “a mecca for lawsuits when no harm has
been done”.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180711/36f11cbb/attachment.html>

More information about the BreachExchange mailing list