CEB Prac. Guide § 10A.68 -- Private Right of Action for Data Breach

On a motion to dismiss, Judge Cormac Carney in the Central District of California discusses whether plaintiff alleged sufficient facts to show that defendant lacked reasonable security procedures for a cause of action under the CCPA: MKS first argues that Plaintiff's CCPA claim must be dismissed because his “threadbare and conclusory” allegations “fail[ ] to allege any facts to support… Read More

Judge Larry Alan Burns of the Northern District of California addressed four different arguments on a Motion to Dismiss a CCPA cause of action. Holding No. 1:  allegations that a business failed to utilize alleged industry technology was sufficient to plead a failure to implement and maintain reasonable security measures. [Defendant] argues that the CCPA doesn't impose a duty to… Read More

A District Court in Washington dismissed Plaintiffs' claim for statutory damages because they failed to give pre-suit notice under the CCPA.  The Court dismissed the request for statutory damages without prejudice meaning Plaintiffs can give notice (despite the pending action) and then seek to amend and add back in a request for statutory damages. Plaintiffs ... insist that they seek… Read More

Ruling on a motion to dismiss a claim for violation of the California Consumer Privacy Act, the Hon. Mary M. Rowland of the United States District Court in the North District of Illinois, held: Defendants argue that [Plaintiff] fails to allege a specific action Defendants took or failed to take that breached a duty under the CCPA to maintain "reasonable"… Read More

On August 11, 2022, the CFPB issued a circular on data security and the question "[c]an entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?"  The short answer is "yes." The CFPB highlights specific security measures to minimize risk. In line with the new… Read More

Ruling on Defendant's Motion to Dismiss (Aviva Kirsten v. Cal. Pizza Kitchen, Inc., No. 2:21-cv-09578-DOC-KES (C.D. Cal. July 29, 2022), Judge David O. Carter of the Central District of California held: Defendant argues that Plaintiffs’ CCPA claim fails because Plaintiffs provide no facts to maintain that Defendant failed to maintain reasonable security procedure and practices. Mot. at 20. However, Defendant… Read More

Judge David O. Carter, in the Central District of California, made the following findings on a motion to dismiss: the CCPA is not retroactive despite allegations of an ongoing pattern and practice; the CCPA does not include a private right of action for "§§ 1798.100(b), 110(c), and 115(d)"; the "disclosure of consumers’ non-anonymized data was not a result of a… Read More

On a motion to dismiss, Judge Denise Cote of the Southern District of New York, dismissed Plaintiffs' CCPA cause of action.  In re Waste Mgmt. Data Breach Litig., No. 21cv6147 (DLC), 2022 U.S. Dist. LEXIS 32798, at *18-19 (S.D.N.Y. Feb. 24, 2022). [T]he [complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege… Read More

Addressing what constitutes a cure under the current version of the CCPA, Judge Cote in the Southern District of New York, held that: the [Complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege that Waste Management breached its "duty to implement and maintain reasonable security procedures and practices appropriate to the nature… Read More

In Danfer-Klaben v. JPMorgan Chase Bank, N.A., No. SACV 21-262 PSG (JDEx), 2022 U.S. Dist. LEXIS 25553, at *16-17 (C.D. Cal. Jan. 24, 2022), Judge Gutierrez in the Central District of California held that: The CCPA provides relief to "any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access . . . or… Read More

On October 6, 2021, Governor Newsom signed several new bills into law: AB 1391 Adds section 1724 to the Civil Code and makes it unlawful for anyone to sell or sell access to data that was unlawfully obtained.  Similarly, it is unlawful for anyone to buy or use data that they know, or should know, was unlawfully obtained. AB 694 … Read More

In Walmart v. Gardiner, Judge Koh - again and for a final time - held that the CCPA was not retroactive. Plaintiff [] argues that the allegation that he discovered his PII for sale in 2019 is “clearly the result of scrivener’s error.” (Opp. at 2.) The Court’s previous Order put Plaintiff on notice that his CCPA claim could not… Read More

In Karter v. Epiq Systems, Inc., et al., Judge Carney denied Epiq's Motion to Dismiss the CCPA cause of action. For two reasons, the Court found that Plaintiff sufficiently alleged Epiq is a "business" under the CCPA and therefore, subject to the private right of action.  "First, Plaintiff alleges that in order to perform its services, which it performs pursuant to… Read More

In Gardiner v. Walmart Judge Koh held that the CCPA was not retroactive. The CCPA went into effect on January 1, 2020, and it does not contain an express retroactivity provision. See Cal. Civ. Code § 1798.198 (providing the CCPA “shall be operative January 1, 2020); see also Cal. Civ. Code § 3 (“[n]o part of [this Code] is retroactive, unless expressly so declared.”). Moreover,… Read More

On February 2, 2021, Judge Susan Van Keulen, in the Northern District of California, denied in part and granted in part Defendant's Motion to Dismiss.  Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Evaluating Article III standing based on Plaintiff's consent to Defendant's online privacy policy and terms of use, the Court held that: [i]f “the contract language… Read More

On January 28, 2021, Judge Alsup, in the Northern District of California, denied in part and granted in part Defendants' Motion to Dismiss.  Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Zoosk, a dating app, is a subsidiary of Spark.  Spark's principal place of business is in Berlin.  Spark filed a 12(b)(2) motion challenging the Court's personal… Read More

The CCPA went live on January 1, 2020, creating a cause of action and potential liability of between $100 to $750 per person for a data breach deriving from a business' failure to maintain reasonable policies and procedures.  Unfortunately, the CCPA does not define the term "reasonable".  While compliance lawyers and consultants properly have been advising their clients to shore… Read More