In many of the settlement agreements and stipulated orders in the FTC’s recently released 2019 Privacy and Data Security Update, the FTC repeatedly imposed a set of uniform mandates for businesses to implement following a data breach. Businesses subject to the new California Consumer Privacy Act may be able to use this mandate to mitigate heightened class-wide data breach litigation risk.

In that report, the FTC claimed “a record year for enforcement actions aimed at protecting consumer privacy and data security.”

CCPA Notice and Cure Provision

The CCPA allows consumers to bring an action for statutory damages in the event of a data breach due to a business’s failure to implement reasonable security procedures. Before seeking these statutory damages, the consumer must provide a 30-days’ written notice identifying the specific CCPA violation (i.e., the business’s failure to implement reasonable security procedures).

If the business cures the noticed violation and provides the consumer a written statement indicating that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.

The CCPA does not define “cure,” but businesses may be able to look to California’s Consumers Legal Remedies Act (CLRA) for guidance. The CLRA regulates unfair and deceptive practices related to the sale or lease of goods and services but prohibits damages under the act when “an appropriate correction, repair, replacement, or other remedy is given.”

Under the CCPA, the “correction, repair, replacement, or other remedy” arguably ties to the business’s security procedures, as the failure to maintain such procedures is what triggers the CCPA’s private right of action. Thus, the “cure” in the event of a data breach may be an appropriate correction or repair to a business’s security procedures.

To continue reading the article, please visit Bloomberg Law.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Photo of Paul Kim Paul Kim

Paul is an associate attorney in the firm’s Consumer Financial Services and Cybersecurity, Information Governance and Privacy practice groups. Paul’s practice focuses on representing corporations in the financial services industry in both state and federal litigation and class actions lawsuits. Paul also counsels…

Paul is an associate attorney in the firm’s Consumer Financial Services and Cybersecurity, Information Governance and Privacy practice groups. Paul’s practice focuses on representing corporations in the financial services industry in both state and federal litigation and class actions lawsuits. Paul also counsels clients in various compliance and regulatory matters.