On February 26, 2019, the Daily Journal hosted its annual Cyber Forum in Beverly Hills, California.  The event, entitled “A California Perspective from the Epicenter of Data Security and Privacy,” focused primarily on the California Consumer Privacy Act of 2018 (CCPA) and federal law enforcement’s approach to data breach investigations.

The panel members discussing the CCPA expressed concern about preparing to comply with the Act when there is less than a year before it goes into effect and the Act is still undergoing changes.  One panel member explained that it is uncertain whether the 12-month look-back requirement of the CCPA should be calculated based on the July 1, 2020 date that the California Attorney General can begin bringing enforcement actions, or the January 1, 2020 effective date of the Act.  The panel member, however, recommended that businesses take the conservative approach and assume that the 12-month look-back requirement should be calculated from the CCPA’s January 1, 2020 effective date.

In addition, the panel members felt that the statutory damages of up to $7,500 per violation for enforcement actions and $750 per incident for private actions are very high, and could expose companies to billions of dollars in damages because of the extent of data breaches.  One panel member explained that lawsuits involving data breaches typically settle for as little as $1.50 per violation, and the high statutory damages will drive up the cost of settlements and exposure to an unreasonable amount.

The panel was also skeptical regarding the private right of action under the CCPA for data breaches.  The provision stating that businesses could be subject to private claims if they fail to “maintain reasonable security procedures and practices” is vague because the phrase is not defined and is not tied to a specific industry standard.  The panel members explained that companies that implement strong security procedures can still be subject to data breaches because some vulnerabilities are not apparent until after the incident.  This creates an opportunity for the plaintiffs’ bar to file class action lawsuits every time there is a data breach because security issues can be identified after the fact, and plaintiffs’ attorneys can argue that companies did not do enough to protect consumers’ data.

Lastly, the keynote panel provided an insightful view on law enforcement’s approach to cyber attacks and data breaches.  Specifically, the speakers made it clear that federal law enforcement agencies view companies subject to data breaches as victims, instead of culprits that need to be investigated for ancillary issues, such as securities violations, non-compliance with civil statutes, or tax issues.  The panel members further said it is important to get law enforcement involved at the outset of a data breach so that IT professionals do not inadvertently destroy evidence while trying to remedy the harm caused by the cybersecurity incident.

In sum, the 2019 Cyber Forum provided an insightful view on the CCPA and law enforcement’s views on data breaches.