Data breaches are inevitable, and no amount of security protocols can provide absolute assurance that consumer information is protected. With increasing threats of identity theft, who should be responsible for the majority of data breach risk, the consumer or the business? California lawmakers argue that the majority of that burden should fall on the business owner.
They incentivized stricter security measures by loosening the requirements needed to file a lawsuit in the case of a data breach. By lowering this bar, they have essentially shifted more liability to businesses. Prop 24’s amendments go into effect January 1st 2023, but have a look-back period starting on January 1st 2022. Whether or not businesses should bear the majority of risk, they will need to examine the parameters of these changes closely and update their data security to the most recent standards in order to prevent these lawsuits.
Prop 24’s Changes in the CPRA (California Privacy Rights Act)
The CPRA (California Privacy Rights Act) is an addendum to the historic California Consumer Privacy Act (CCPA). It is a series of amendments that:
- Allow consumers to limit access to sensitive data
- Stop businesses from keeping data beyond its use
- Triple the fine for violating children’s privacy rights
- Create a new agency with enforcement power
- Expand the definition of sensitive data to include email and password information in the list of items covered during a negligent data breach.
Since it is difficult for consumers to track identity theft to a specific data breach, this particular amendment expands the CCPA right of action to consumers that can’t prove a financial loss.
This particular change has two profound implications. First, it makes it much harder to agree on damages if there is no financial loss. As a result, statutory damages for violations range from $100 to $750 per record. Secondly, this incentivizes bad actors to exploit the system for profit.
Since many companies will not be able to keep up with increasing standards for security measures, they will need to update their SaaS agreement indemnification clauses to account for this type of dispute.
Consumer Actions under the CCPA and the CPRA
Consumer actions hinge on a company’s failure to protect their personal information from a breach. CPRA (Prop 24) broadens what is considered personal information.
The most critical amendments to the CCPA are just two or three letters. The CCPA previously required that information be either nonencrypted or nonredacted to qualify under the Act. Lawmakers used the word “or” instead of “and” when adding email and password to the list. This has significant implications for what data qualifies and for how a company is deemed to have failed to protect it.
If one were to read the qualification before the amendment, the only data that would qualify would be anything that could reveal someone’s identity or any personal data lacking encryption. Now email and password information neither need to be encrypted nor reveal someone’s identity to qualify. This amendment means that anonymous throwaway emails are included. This critical two-letter word significantly broadens the scope of liability in data breach lawsuits.
The second change to the law slightly limits the scope of liability by changing the “or” between “nonencrypted OR nonredacted” to “nonencrypted AND nonredacted.” This change means any data other than email and password needs to both lack encryption and reveal a person’s identity to qualify.
If the data in a breach meets the two combined conditions, or the personal information includes someone’s email and password, the breach would additionally need to be the result of a company not implementing and maintaining reasonable security procedures and practices. While previous administrations have interpreted “reasonable” in one manner, there’s no guarantee that will hold in the future.
What Constitutes Reasonable Security Procedures and Practices Against Data Breaches?
The AG established the baseline by using the 20 data security controls published by the Center for Internet Security. Any agreement with a SaaS company should warrant compliance with these controls as a minimum standard.
While these guidelines may not protect you, or your vendors, in the future, failing to meet the reasonable standards enumerated by the state’s AG in 2014 and 2016 would likely hurt any defense you might make in case of a violation.
Managing Privacy Standards in SaaS Agreements
Security is often a point of negotiation when striking a SaaS agreement with third-party vendors. Businesses don’t want to accept the risk if a vendor’s security isn’t up to par. Yet most SaaS agreements don’t go far enough to protect the business. For example, companies can neglect to specify who is responsible for notifying customers of a breach. Identifying each party’s data security obligations is critical to establishing who will be accountable in the case of a lawsuit.
When there is a breach of consumer data, the effects can last for years. According to UISM and the Ponemon Institute’s research, the average cost of a data breach in 2020 was $3.86 million. This cost includes the time and direct costs of dealing with a breach, regulatory fines, potential lost opportunity costs from customer churn and negative publicity, and a data breach lawsuit.
Expect More Legal Challenges and Data Breach Lawsuits
Regardless of the steps that businesses take to protect themselves from security breaches, lawsuits, and regulatory fines, Prop 24 vastly increases the likelihood that additional data breach lawsuits will occur.
More than 50 lawsuits had already been filed by July – just six months into the CCPA – covering data breaches, noncompliance with the CCPA, and violations of California’s Unfair Competition Law (UCL). Because of the potential monetary awards, most of these actions come in the form of class-action lawsuits.
The increase in class-action suits is due to the CCPA’s provision for statutory damages rather than actual damages. The CPRA, or Prop 24, could further increase the number of class-action lawsuits.
Increasing security isn’t enough
Since encryption may not be enough to protect this information from a breach, companies need to update indemnification clauses for these types of scenarios. The new amendments provide a wide range from $100 to $7,500 per record in applicable damages. Establishing an agreed-upon damage amount in the indemnification clause will help protect against costly class-action suits. A full understanding of the rapidly evolving security standards and legal precedent is critical to making these updates to your SaaS agreements.
We can make these changes for you.
Take advantage of our free consultation to see how we can help your business prepare for legislation changes like Prop 24.