On a motion to dismiss, Judge Cormac Carney in the Central District of California discusses whether plaintiff alleged sufficient facts to show that defendant lacked reasonable security procedures for a cause of action under the CCPA:

MKS first argues that Plaintiff’s CCPA claim must be dismissed because his “threadbare and conclusory” allegations “fail[ ] to allege any facts to support the notion that MKS’s security was deficient.” (Mot. at 9.) But in similar employer data breach situations, courts have held that plaintiffs plausibly alleged the defendant failed to maintain reasonable security procedures and practices when there were sufficient allegations that unauthorized parties were able to access the plaintiffs’ personal information. Kirsten v. California Pizza Kitchen, Inc., 2022 WL 16894503, at *3 (C.D. Cal. July 29, 2022), reconsideration denied, 2022 WL 16894880 (C.D. Cal. Sept. 8, 2022) (denying motion to dismiss CCPA claim, citing Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 924 (S.D. Cal. 2020) and Mehta v. Robinhood Fin. LLC, 2021 WL 6882377, at *8–9 (N.D. Cal. 2021)).
It appears that other courts have required a plaintiff to allege more. See, e.g., Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 57 (D. Ariz. 2021) (granting motion to dismiss with leave to amend when the plaintiff “did not allege sufficient facts to establish how or why Magellan’s systems were inadequate or unreasonable or how or why Magellan knew or should have known its systems were inadequate or unreasonable,” but instead contended that “because there was a breach, Magellan’s data security was inadequate”); In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, at *6 (S.D.N.Y. Feb. 24, 2022) (granting motion to dismiss when the plaintiff alleged “an unauthorized actor hacked into and stole the plaintiffs’ [personally identifiable information, “PII”] from Waste Management’s systems,” but did “not allege facts to explain what security measures Waste Management did or did not take”). But at the pleading stage, a plaintiff ordinarily will have few facts in his possession to allege precisely how a data breach occurred and how a defendant’s security procedures were inadequate to prevent the data breach. In this early phase, Plaintiff’s allegations regarding inadequate security procedures are sufficient to state a CCPA claim.
JOHN DOE v. MKS INSTRUMENTS, INC. et al., No. SACV2300868CJCKESX, 2023 WL 9421115, at *3 (C.D. Cal. Nov. 3, 2023).