May 26, 2020

Litigation Case Claims Violation of CCPA Under Statutory Private Right of Action

One of the most significant consumer rights offered by the new California Consumer Privacy Act (CCPA) is what we call the “private right of action” afforded by the law. A private right of action under a law basically means that if someone violates the law and a person is damaged, the person can assert a specific claim against the offender by citing the specific law. If the person damaged can prove that s/he was damaged and that the damage was caused by the one who violated the law, that person can potentially get past a Motion to Dismiss.

It is significant that CCPA provides a private right of action, and there has been much speculation about whether the CCPA will open the floodgates of litigation.

One of the first cases that specifically alleges a violation of CCPA was filed on March 10, 2020 in California federal court against Sunshine Behavioral Health Group, LLC (Sunshine). The suit alleges that Sunshine, a drug and alcohol rehabilitation facility, violated CCPA when it suffered a data breach in September of 2019 and did not have appropriate security measures in place. The Plaintiff, a resident of Pennsylvania, alleges that following the data breach (which affected 3,500 patients’ protected health information), someone tried to open a credit card account in his name and that he has received magazine subscriptions he did not order.

The plaintiff is attempting to represent a class of individuals affected by the data breach, and is seeking an order requiring Sunshine to implement “reasonable” security measures. It is unknown whether the plaintiff provided 30 days’ notice to Sunshine to implement security measures before the suit was filed, which is required under CCPA.

Nonetheless, we predict that there will be many more suits alleging a private right of action following a data breach under CCPA, and this case is a good reminder of the CCPA statutory requirement for companies to have appropriate security measures in place to protect personal information in its possession relating to California residents.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...