By Rudy E. Verner and Jacob Scarr
Now that the California Consumer Privacy Act (“CCPA”) is in effect, businesses face even more risks around data breaches. Much like other privacy laws, the CCPA provides for enforcement by the California Attorney General’s office, which is beefing up their staff with additional attorneys. However, the real risk to businesses is from the CCPA’s new private right of action. With the CCPA now in effect as of January 1, 2020, consumers will have the right to bring civil suits for statutory damages following data breaches that expose their personal information.
Under the law, consumers are entitled to recover up to $750 “per consumer per incident or actual damages, whichever is greater.” Even a data breach involving a relatively small number of consumers could result in a class action suit seeking a significant amount in statutorily-mandated damages. Although plaintiffs must provide the business 30-days notice and the opportunity to cure the violation, the statute is unclear what “cure” means or how it would be applied to data breaches.
This private right of action gives the CCPA’s requirement that businesses maintain “reasonable security procedures and practices” a lot more teeth than similar laws in other states. The very real risk of not only regulatory enforcement, but also a private right of action and related statutory damages following a data breach, make it even more imperative that companies assess their data security and privacy practices and ensure they conform to industry standards and best practices.
One of the best ways to demonstrate compliance with these requirements is through a written information security program, or “WISP.” WISPs have long been the standard for developing an organization’s data security practices, and for communicating them company wide. A WISP is one of the critical documents businesses should have in place to demonstrate compliance with “reasonable security practices and procedures” if a breach occurs.
However, WISPs are only the beginning. In addition to developing and maintaining written protocols, companies should update them regularly, keep their staff trained and up-to-date, and monitor adherence to their WISPs as well.
If you have any questions regarding WISPs or California’s new Consumer Privacy Act, or other privacy or data security matters, contact Rudy E. Verner or Jacob Scarr at BHGR Law at 303-402-1600.
 See Cal. Civ. Code § 1798.150(a)(1)(A).