A cure under the CCPA does not require Plaintiffs be put back in their original position.

On a motion to dismiss, Judge Denise Cote of the Southern District of New York, dismissed Plaintiffs’ CCPA cause of action.  In re Waste Mgmt. Data Breach Litig., No. 21cv6147 (DLC), 2022 U.S. Dist. LEXIS 32798, at *18-19 (S.D.N.Y. Feb. 24, 2022).

[T]he [complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege that Waste Management breached its “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Id.; see also Maag v. U.S. Bank, Nat’l Assoc., No. 21-cv-31m, 2021 WL 5605278, at *2 (S.D. Cal. Apr. 8, 2021). For similar reasons, the [complaint] does not plausibly allege that Waste Management failed to cure its alleged violations of the CCPA. The [complaint] alleges in conclusory terms that Waste Management has not changed its securities practices.  But the [complaint] contains no allegations regarding any notice of cure from Waste Management, and does not explain what violations need to be remedied.

The plaintiffs argue that Waste Management has failed to cure its alleged violations of the CCPA because the plaintiffs’ data are still out there, and can still be exploited to the plaintiffs’ detriment. But the CCPA does not require businesses that have experienced a data breach to place consumers in the same position they would have been absent a breach. It just requires them to remedy any “violation” of their “duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code §§ 1798(a)(1), 1798(b). The [complaint] does not plausibly allege that Waste Management has failed to do so. Accordingly, the CCPA claim must be dismissed.