Court of Appeal (Cal.) Finds that Customer Records Act Does Not Obligate Former Owners or Licensees of Computerized Data Containing PII to Notify California Residents of Data Breach

In People v. Ct. Ventures, Inc., No. G061093, 2023 WL 4673750, at *3–4 (Cal. Ct. App. July 21, 2023), the Court of Appeal in an unpublished decision limited the scope of the CRA to current owners/licensees of PII.

Civil Code section 1798.82 provides in relevant part: “(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California …. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Under the plain language of section 1798.82(a), after discovery or notification of a data security breach, the current owner or licensee of the data must provide prompt notice of the data security breach to California residents. Thus, the owner or licensee of the computerized data containing personal information who is obligated to provide notice under section 1798.82 is determined at the time of the discovery or notification of the data breach. Not only does this interpretation comport with the plain language of the statute, it also effectuates the purpose of the law, which is to provide disclosure in “the most expedient time possible and without unreasonable delay.” (§ 1798.82, subd. (a).) A person or business who owns or licenses the data at the time of the discovery or notification of the breach would have both access to consumer information, such as names and addresses, and assets to pay for the required disclosure. Appellant contends that the “discovery or notification” language only modifies the subsequent notice or disclosure to California residents, and not the phrase “owns or licenses.” Appellant thus argues that because CVI owned or licensed the data at the time of the breach, it is obligated to provide the required disclosure under section 1798.82(a). We disagree for several reasons. First, appellant’s interpretation ignores the statutory language. Although in many cases the current owner or licensee at the time of the breach will be the same as at the time the breach was discovered, that was not the case here. Section 1798.82(a) only mentions “discovery or notification of [a] breach.” There is no reference to the breach itself as triggering or limiting any disclosure obligation. Thus, there is no basis in the statutory language to expand the disclosure obligation beyond an owner or licensee at the time of the discovery or notification of a breach. Second, appellant’s interpretation can lead to absurd results. As appellant acknowledged, under its interpretation, an owner or licensee of the data at the time of a breach is obligated to provide notice, even if the owner or licensee no longer exists when the breach is discovered. It is easy to contemplate a situation where it would be impossible for a nonexistent corporation to provide notice, for example if it lacks access to consumer data or lacks paying assets. Because “[t]he law never requires impossibilities,” (Civ. Code, § 2531), appellant’s interpretation is suspect. Finally, interpreting the statute in the manner suggested by appellant is not required to effectuate the law’s purpose. As noted, our interpretation provides the prompt notice required by the statute. Although more persons or businesses would be obligated to notify California residents under appellant’s interpretation, the additional obligation to disclose a security breach finds no support in the plain language of the statute. “We cannot ‘ignore the language employed by the Legislature merely because of a subjective evaluation that a differently worded statute would more effectively achieve the statutory goal.’ [Citation.]” (Faria v. San Jacinto Unified School District (1996) 50 Cal.App.4th 1939, 1945, fn. 2.) “If the Legislature meant to say something other than what it said, then it, not [the] court, should change the statute. The judicial function is to interpret the language of a statute, not to rewrite it.” (Id. at p.1947, fn. 4; see also California Fed. Savings & Loan Assn. v. City of Los Angeles (1995) 11 Cal.4th 342, 349 [“We may not, under the guise of construction, rewrite the law or give the words an effect different from the plain and direct import of the terms used.”].) In sum, respondents showed that they were entitled to summary judgment.