In many of the settlement agreements and stipulated orders in the FTC’s recently released 2019 Privacy and Data Security Update, the FTC repeatedly imposed a set of uniform mandates for businesses to implement following a data breach. Businesses subject to the new California Consumer Privacy Act may be able to use this mandate to mitigate heightened class-wide data breach litigation risk.
In that report, the FTC claimed “a record year for enforcement actions aimed at protecting consumer privacy and data security.”
CCPA Notice and Cure Provision
The CCPA allows consumers to bring an action for statutory damages in the event of a data breach due to a business’s failure to implement reasonable security procedures. Before seeking these statutory damages, the consumer must provide 30 days’ written notice identifying the specific CCPA violation (i.e., the business’s failure to implement reasonable security procedures).
If the business cures the noticed violation and provides the consumer a written statement indicating that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.
The CCPA does not define “cure,” but businesses may be able to look to California’s Consumers Legal Remedies Act (CLRA) for guidance. The CLRA regulates unfair and deceptive practices related to the sale or lease of goods and services but prohibits damages under the act when “an appropriate correction, repair, replacement, or other remedy is given.”
Under the CCPA, the “correction, repair, replacement, or other remedy” arguably ties to the business’s security procedures, as the failure to maintain such procedures is what triggers the CCPA’s private right of action. Thus, the “cure” in the event of a data breach may be an appropriate correction or repair to a business’s security procedures.
To continue reading the article, please visit Bloomberg Law.