In a recent blog, we discussed the laws that enable individuals affected by data breaches to receive compensation.
There are three main methods to do this. The first is to use laws that allow private rights of action. The second is to use laws that require breaches to be reported. The third is to use the tort of negligence and get around the Spokeo case with an identification of concrete harm.
Plaintiff lawyers use these methods because they work. Cybersecurity lawsuits in the U.S. have increased exponentially in the past two years and show no signs of stopping.
Here, I discuss two of the most important laws for the private right of action. The first is the CCPA (California Consumer Privacy Act). The second is the Illinois BIPA (Biometric Information Privacy Act). Both laws have private rights of action.
What is the private right of action?
A private right of action is an independent method of enforcing a government objective. The standard method would be for the government to use its police powers to enforce a law.
In some areas, this is fairly straightforward. For example, if someone is murdered, the police work to bring the perpetrator to justice. They appear to be up to the job. Murder rates in the U.S. are 7.5 per 100,000, substantially less than automobile deaths, which are 12.4 deaths per 100,000 people.
Still, over the past 40 years, authorities have not been able to solve 185,000 murders. Does this mean that the victims or their relatives do not have any redress?
No, restitutions are available through the common law courts. The only problem is that the punishment can only be monetary – and this is often not paid. O.J. Simpson was acquitted of the murder of Ron Goldman in a criminal trial, but he lost the civil wrongful death trial.
Goldman’s family was awarded $33.5 million, but has received only a fraction of this. Nevertheless, there was at least some redress.
In contrast, until very recently, most victims of a cybersecurity breach in the U.S. had no redress. With the passage of the CCPA and the BIPA, plaintiff lawyers have a vehicle for class action lawsuits.
The CCPA’s private right of action is rather odd. The statute is supposed to be about privacy, but the private right of action is for a cybersecurity breach. Section 1798.150 specifically grants a private right of action with statutory damages of $100 per incident to any consumer who was the victim of a security breach.
While $100 may not sound like much, it is “concrete and particularized.” The prohibition in Spokeo does not apply and the lawsuit can go forward.
Like the CCPA, the BIPA also grants a private right of action. If you hold biometric information without getting the subject’s permission, you can be fined $1,000. Most of the lawsuits that establish jurisdiction through either the CCPA or the BIPA complain of a cybersecurity breach.
This can be very destructive to businesses. For example, last year, two class action lawsuits were filed against T-Mobile in the U.S. District Court for the Western District of Washington, accusing the telecommunications company of violating the CCPA.
Two plaintiffs from California alleged that T-Mobile USA lost millions of records containing personal information. By citing the CCPA, the plaintiffs could take advantage of the statute’s private right of action.
To date, there have been approximately 171 lawsuits filed citing the CCPA, which has been in effect for only two years.
Cases relying on the BIPA are also exploding. In 2020, there were at least 54 court rulings referencing the Act, which is more than double the count in 2019.
These cases have yielded impressive results. Facebook settled for $650 million and TikTok settled for $92 million in actions brought by their respective users based on facial recognition technology.
In early 2021, Walmart settled for $10 million in a lawsuit under the BIPA based on employees’ use of a palm scanner when checking out and returning cash register drawers. This case was interesting because Walmart stopped the practice in 2018 and deleted the data.
Avoiding lawsuits
To avoid lawsuits under the CCPA or the BIPA, or other private rights of action, it is essential that organizations know what type of data they possess and what they do with it.
At IT Governance USA, we are familiar with data protection and regulatory challenges. One of the first steps to compliance is to create an inventory of all the information your organization holds, and to perform a risk assessment of how it is used and stored.
Inventories and risk assessments are also important for building a zero-trust environment, which is crucial for creating a robust cybersecurity defense.
As time goes on, there will be more data breaches followed by more laws as legislatures struggle to prevent damage. But the real damage from poor cybersecurity will always be to the organization, regardless of what the lawyers do.
Subscribe to our Weekly Round-up to get the latest cybersecurity news and tips delivered straight to your inbox.