Starting January 2020, financial institutions will need to keep their data security procedures in check as California’s new consumer protection act goes into effect.
The legislation gives California consumers the “private right of action,” or the ability to sue companies, if their personal information is the subject of a data breach resulting from a business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
What do “reasonable security procedures” look like and what are the consequences of failing to keep up such standards? AFE spoke with Scott Hyman, a lawyer and data protection officer at Orange Country, Calif.-based law firm Severson & Werson, to find out. Below are two issues lenders should know about the California Consumer Privacy Act.
What “reasonable” means
The CCPA will require businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” which relates to the kind of data businesses may have, Hyman explained. “If a lender has very sensitive information about consumers,” such as Social Security Numbers or financial information, “one could argue that language would require higher levels of security procedures,” he said.
The first requirement is having policies and procedures in place, Hyman stated. After that, “we have some guidelines that we have seen from the way the [Federal Trade Commission] has looked at reasonableness, the way that the courts have treated reasonable policies and procedures in other California data protection statutes,” he said, noting that it can often depend on what the industry standard is.
In fact, a cybersecurity breach can still happen, Hyman said, notwithstanding the fact that you have reasonable security procedures adapted to avoid the breach. “Case law has demonstrated that the mere fact of the breach itself doesn’t mean that your procedures were unreasonable,” he said.
The CCPA requires the California Attorney General to issue guidelines to interpret the legislation. “We don’t know if the AG will do that before the CCPA becomes effective Jan. 1,” Hyman said.
Liability on a per-victim basis
The potential liability for failing to implement and maintain reasonable cybersecurity practices and procedures “is staggering,” Hyman said. Businesses nailed by the CCPA can expect to pay from $100 to $750 per data breach victim, and class actions are permitted. “The plaintiff’s class action bar are calling this ‘the new TCPA,’” he added.
In addition to the private right of action, individuals don’t have to prove compensable damage or loss resulting from the hypothetical data breach, as has been the case in previous data breach litigation predating the CCPA, Hyman said.
“The thing that courts struggled with in regards to consumer breach litigation was the absence of damages – whether someone whose data was the subject of a hypothetical data breach had suffered any compensable loss,” he said. “The CCPA changes that because it has this statutory provision that does not require proof of actual damages.”