District Court (Az.) Allows CCPA Claim to Proceed; Finds Plaintiff’s Allegations Regarding the Absence of Reasonable Policies and Procedures to be Adequately Pleaded

In Felicia Durgan, et al., Plaintiffs, v. U-Haul Int’l Inc., Defendant., No. CV-22-01565-PHX-MTL, 2023 WL 7114622, at *6–7 (D. Ariz. Oct. 27, 2023), the Arizona district court allowed a CCPA claim to proceed past the pleadings stage.  The Court found that the Plaintiff had properly pleaded an absence of reasonable policies and procedures under the CCPA.

The CCPA provides a private right of action to consumers whose “personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of [a] business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a). To prevail on a CCPA claim, “a plaintiff must allege that his personal information was subject to ‘unauthorized…disclosure as a result of’ a business’s failure to implement and maintain reasonable security procedures and practices.” Gershfeld v. Teamviewer US, Inc., No. SACV 21-00058-CJC (ADSx), 2021 WL 3046775, at *2 (C.D. Cal. June 24, 2021), aff’d, No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (internal marks and citation omitted).  The Court previously found “sufficient the Complaint’s allegations that [Defendant] could have prevented the [d]ata [b]reach by encrypting Plaintiffs’ PII.” (Doc. 31 at 15-16.) Defendant contends that this was inappropriate as “the CCPA applies only to consumers ‘whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access.’ ” (Doc. 34 at 9 (quoting Cal. Civ. Code § 1798.150(a)(1).) Thus, Defendant argues that “the fact that the data at issue here was unencrypted is already a prerequisite to Plaintiffs’ claim; the failure to encrypt information cannot also serve as the alleged unreasonable security practice.” (Id. at 9-10.) Plaintiffs do not dispute Defendant’s interpretation of the statutory language but emphasize that the Court did not solely base its earlier decision upon Defendant’s failure to encrypt Plaintiffs’ PII. (Doc. 35 at 14-15.) The Court need not determine whether Defendant’s interpretation of the CCPA is correct because it finds that Plaintiffs allege a failure to implement reasonable security procedures, notwithstanding Defendant’s failure to encrypt the PII. Plaintiffs allege that Defendant should have “destroyed the data it no longer had a reasonable need to maintain or only stored data in an Internet-accessible environment when there was a reasonable need…to do so and with proper safeguards.” (Doc. 33 ¶ 57.) Additionally, Plaintiffs identify fourteen cybersecurity best-practices that Defendant should have followed but allegedly did not. (Id. ¶¶ 58-59.) These allegations are sufficient to plead a “violation of the duty to implement and maintain reasonable security procedures and practices” independent of Defendant’s failure to encrypt the PII. See Cal. Civ. Code § 1798.150(a).  Defendant also argues that Plaintiffs’ CCPA claim must be dismissed because they do not allege a sufficient causal connection between Defendant’s purported failure to implement reasonable security procedures and the hackers’ ability to exfiltrate the PII. (Doc. 34 at 10.) Not so. Plaintiffs allege that their PII was stolen by hackers employing a phishing scheme.4 (Doc. 33 ¶ 44.) Defendant’s alleged shortcomings directly relate to the hackers’ ability to successfully utilize such a scheme. For example, if Defendant had utilized adequate filtering software, the phishing emails would never have reached the employees’ inboxes. (Id. ¶ 44.) If Defendant’s employees had been adequately trained, the phishing emails, even if they reached the employees’ inboxes, would not have been successful. (Id. ¶ 40.) If Defendant had implemented multi-factor authentication, the hackers would not have been able to access Defendant’s systems even if the phishing emails had been successful. (Id. ¶ 42.) If Defendant had not stored the PII in an unencrypted form in an internet-accessible system, the hackers would not have been able to access or read it even if they had gained access to Defendant’s systems. (Id. ¶¶ 4, 42, 44.) Finally, if Defendant had destroyed the PII when it was no longer in use, much of the PII would not have been stolen regardless of how successful the hackers’ scheme was. (Id. ¶ 44.) Thus, the Court will not dismiss Plaintiffs’ CCPA claim.