Private Right of Action vs. Statutory Damages. Which Has More Impact?
The CCPA, California’s new omnibus data privacy bill, includes a provision for statutory damages in suits against data-holding companies, but the CCPA only allows the state AG and a limited group to sue for these damages under the law.
A recently tabled proposed New York omnibus privacy act does not contain statutory damages but does allow a private right of action so that anyone who feels legally aggrieved could sue the data-careless companies.
Either/both of these legal features will change the way data exposure cases are tried in the United States, but which would have more impact?
At first, I thought that the California grant of statutory damages to data subjects whose information was stolen or otherwise exposed would create the most enormous wave in the waters of cybersecurity litigation. For the past fifteen years, the US plaintiff’s bar has pushed to make data incident lawsuits – where a business or other enterprise holding the information about individuals is attacked and loses containment of that information – as profitable as asbestos litigation. They have filed enormous class actions alleging that companies are not taking their data security seriously enough, and that failure caused the data of each member of the class to be exposed to bad people who would use the captured information to commit identity theft.
These cases almost never see a courtroom. Either they settle because the defendant business is worried about the reputation damage of an ongoing case questioning the defendant’s competence and commitment to customer safety, or they are dismissed by the court at an early stage, usually because the judge determines that, as a matter of law and pleading, the plaintiff class is unable to demonstrate damages from the exposure of data. If the loss is credit card data, for instance, nearly everyone’s credit cards these days come with a promise that, if fraudulent purchases are made, the cardholder is not responsible to pay for the fraud. Class members are issued new cards and life moves on with minimal headache and no actual pecuniary losses for class members. The banks and card companies may have provable damages in these cases, but generally not the cardholders.
It is also difficult to make a connection between an instance of identity theft and, for example, a specific exposure of social security numbers. Unless the plaintiffs can show a distinct and clearly timed pattern of abuse of one set of information from multiple plaintiffs, they generally can’t connect the loss of data to a subsequent crime. It is just too easy to find people’s social security numbers on the dark web, or buy them from data aggregators.
So, with proving damages being a primary impediment to successful class actions against companies who lose consumer data, removing this requirement seems like the easiest way to open up the sluices to a flood of successful class actions based on breaches in information security. But the California law holds back the flood with strategic placement of barriers. For many potential violations of the Act, only the State Attorney General can sue the business. Even an aggressive AG determined to use this law to make an impact can only sustain a limited number of suits at any given time, and most AGs don’t sue unless they are almost certain to win, so new laws create uncertainties that naturally hold back state-initiated lawsuits. At the moment – many changes to CCPA are roiling up through the legislature – regular California citizens can only sue if their data was exposed, they provide notice of the exposure to the entity that exposed the data, and where that entity does not “cure the breach” in 30 days. This gives businesses time to head off private litigation, and another tool for judges who want to stop the suit in its tracks.
Restriction of the private right of action was instrumental to the passage of the CCPA in the first place. This is because the legislators understood the power of unrestricted lawsuits. This is why I now believe that, should New York pass its omnibus privacy law or should California pass an amendment to the CCPA proposed in February of this year by the state Attorney General, then the entire practice of privacy law in the US will be rocked to its core in the same way that GDPR affected consumer businesses in the EU.
With private rights of action under these expansive laws, not only will every lapse in security or clever phishing attack spawn a set of class action lawsuits dragging huge resources out of the unfortunate business hit, but also every foot fault and picky little action (or inaction) outside the scope of the omnibus privacy law will also garner its own collection of lawsuits. Plan to see class action suits in instances where companies comply with the privacy laws in 47 days rather than the prescribed 45 days. This would be similar to the plaintiff’s bar reaction to the passage of consumer lending laws in the states, where every failure to check a box on a form fomented a slew of essentially frivolous lawsuits.
On the positive side, a private right of action quickly demonstrates the limits of a statute and how it will be applied, reducing the natural uncertainty that businesses have when a new law is passed. For example, the states of Washington, Texas, and Illinois all have restrictive laws regarding the use of biometrics. Only Illinois has a private right of action. We know nothing about how the restrictions on the use of biometric data truly work in Washington or Texas, but multiple lawsuits have defined the boundaries of the Illinois statute and given businesses an understanding of what behavior is acceptable and what behavior violates the law.
The private cause of action can certainly be used to hold a company to its legal obligations. But as it is practiced in this country, the private right tends to over-correct before it reaches a sensible equilibrium. So strap in and buckle up for a bumpy ride when the first omnibus law presents us with a full private right of action.
And if any state passes BOTH a broad private right of action against companies that suffer data exposure from network hacks plus the availability of statutory damages for the same unfortunate circumstances, Katy bar the door — barbarians will be swarming the gates and the cost of fighting data exposure litigation will rise geometrically.