CCPA: Potential consumer litigation risk

A U.S. law firm has recognized that consumers who file lawsuits for data breaches resulting from security negligence must give 30 days' notice of their intentions. This rule applies to data breaches that occur due to the failure to implement “reasonable security procedures”.

If the violation is rectified within the 30 days, written correspondence must be sent to the complainant stating that no further violations will occur. However, any further violations can potentially make businesses liable for statutory damages.

American consumers can bring legal action if their unencrypted data is breached as a result of:

  • failure of a business to implement and maintain ‘reasonable security procedures’, provided that

  • the consumer gives 30 days' written notice before filing, to allow the business time to resolve the violation.

If the violation is successfully resolved, the business must inform the consumer of the resolution in a written statement. They must also state that no further violations will occur.

However, if the security violation does recur, the consumer can take action to enforce the statement. They could claim statutory damages for each breach that post-dates the written statement, and any other subsequent CCPA violations.

Peter Borner