Author: Chaisson, Brendan

"The world's most valuable resource is no longer oil, but data." (1)


    American consumers often receive emails from companies with whom they have transacted. (2) Among the seemingly endless stream of coupons and brand announcements, consumers may encounter a message that takes on a more serious tone: a company--entrusted with customers' Personally Identifiable Information ("PII")--has failed to adequately protect that information from hackers and cyber-criminals. (3)

    On September 7, 2017, this message became an unfortunate reality for roughly 44% of Americans as Equifax, a credit reporting company, suffered a cyberattack so large that the company was compelled to notify citizens of the data breach. (4) The breach--likely orchestrated by high-ranking members of the Chinese military--compromised 145 million Americans' PII. (5) While no evidence existed that the hackers had misused consumers' personal information at the time consumers were notified, many Americans were left with the same question after their private information was compromised: what now? (6) In fact, consumers nationwide have increasingly asked this question as large-scale data breaches continue to infect the consumer marketplace. (7) In Equifax's case, the answer to this question relied on--as it often has in mass data breaches--the statutorily-prescribed enforcement powers of the Federal Trade Commission ("FTC"), a government agency designed to protect consumers nationwide against deceptive and unfair business practices. (8) Using its broad authority under Section 5 of the FTC Act, the FTC filed a complaint in federal district court seeking an injunction against Equifax, which ultimately resulted in the largest settlement for a data breach in United States history. (9) In total, the parties settled for $650 million, with $300 million reserved for a "Consumer Fund" to settle the multidistrict litigation brought on behalf of the individuals affected by the breach. (10) While this judicial resolution was an ostensible success, consumers were still faced with a different set of challenges, which included increasing credit monitoring to police their exposed PII and finding an effective way to actually collect damages from Equifax. (11) As it turned out, the FTC settlement did not account for such a large number of consumers seeking cash compensation, which meant that the amount set aside in the "Consumer Fund" was grossly underestimated; thus, a deadline was given to consumers to either file more paperwork to receive their payout or opt for a non-cash settlement. (12)

    The Equifax settlement is illustrative of a common theme in data breach litigation: while government regulations may cause businesses to enhance their cybersecurity regimes, the consumer-plaintiffs harmed by data breaches face significant impediments in attempting to redress their injuries through judicial process. (13) Enabling consumer access to federal courts has become a weighty concern in the context of data breaches, with no current consensus regarding how the courts or legislature should address the issue. (14) The California legislature, however, has adopted a seemingly common-sense method to confer standing to individual consumers affected by data breaches. (15) With the passage of the California Consumer Privacy Act ("CCPA") (16), California residents now have a private right of action against certain businesses if their "nonencrypted and nonredacted information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices...." (17)

    This Note will focus on the implementation of the CCPA and its inevitable effect on data breach class actions nationwide. (18) With California residents' claims being distinguished from the other subclasses in multidistrict litigation, it is likely that those suffering from the same data breaches will be received with stark distinctions in federal courts. (19) A brief analysis of prior data breach class actions across different circuits will further illustrate the burden that class action plaintiffs outside of California must overcome to recover damages. (20) Throughout this Note, this author will analyze the current state of data breach class actions involving both class plaintiffs and the government (FTC). (21) This Note will then forecast the outcome of conflicts arising out of favored CCPA class treatment, ultimately leading to the conclusion that a comprehensive, federal scheme of privacy legislation is necessary to provide all American consumers the same rights to recover monetary damages in data breach class actions. (22)


    The collection of consumer data has rapidly become one of the most pressing privacy issues in our legal system. (23) The proliferation of the digital world has far outpaced the government's responses to how businesses must handle consumer data, and there is still little to no comprehensive regulatory scheme in place. (24) In 2006, without a federal privacy law, "the FTC created the Division of Privacy and Identity Protection ("DPIP") to protect consumer data." (25) Since adopting this leadership role, the FTC has brought enforcement actions against companies "using its general authority under section 5 of the FTC Act ... [which] prohibits 'unfair or deceptive acts or practices in or affecting commerce.'" (26) As demonstrated in Equifax's case, this practice may be effective in ensuring corporate compliance, but it fails to adequately redress individual consumer injuries stemming from data breaches. (27) Similarly, consumer class actions involving data breaches have increasingly been thwarted by federal judges at both the motion to dismiss and class certification stages of litigation. (28)

    Still, from both a compliance and individual rights standpoint, global privacy law entered a new age in 2018 when the European Union adopted the General Data Protection Regulation ("GDPR") as the first attempt to create a strict, regulatory scheme that enumerates and protects consumers' rights to their personal data shared with companies. (29) The GDPR "declares the 'right to protection of personal data' to be a fundamental right held by all natural persons." (30) In its ninety-nine articles, the GDPR sets out consumers' rights and the corresponding obligations of companies "controlling" their personal information. (31) Under the GDPR, consumers are provided with eight rights, with perhaps the most prominent being the right to be informed--that is, a company must tell individuals "what data is being collected, how it's being used, how long it will be kept and whether it will be shared with any third parties." (32) Further, individuals protected by the GDPR maintain the "right to be forgotten," which allows them to request that companies erase their personal data in certain circumstances. (33) The GDPR's enactment put many American companies conducting business in Europe on notice and forced businesses to update their internal cybersecurity regimes to avoid hefty fines for non-compliance. (34)

    1. The California Consumer Privacy Act (CCPA)

      Proposed as a ballot initiative in 2018, the California Consumer Privacy Act sought to address the problem of the United States' lackluster data privacy policies and drew from our European counterparts in the adoption of a comprehensive set of regulations similar to the GDPR. (35) The national impact of this legislation is noteworthy as California is the most populous state in the nation, which means that California citizens likely comprise a large portion of the plaintiffs suffering from unauthorized disclosure and use of their PII in large-scale breaches. (36) To combat this harm, the CCPA draws from the GDPR by providing "California consumers with eight new privacy rights and [imposing] eight corresponding as well as three independent obligations on businesses processing California consumers' [PII]." (37) The CCPA, however, goes beyond the GDPR in some respects as well. (38)

      In addressing the unique, American issue of standing in federal courts for data breach class actions, the CCPA provides California residents with a statutory right to damages if they are subject to "an unauthorized access, exfiltration, theft, or disclosure as a result of the business' failure to implement and maintain reasonable security procedures and practices." (39) Under this right, California consumers may: (1) recover damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater; (2) seek injunctive or declaratory relief; and/or (3) obtain any other relief the court deems proper. (40) This fast track to the courtroom comes with some caveats, however, as "[p]rior to initiating any action, a consumer must give the business 30 days' written notice identifying the specific CCPA provisions that have been or are being violated." (41) Still, this provision adds to a Californian plaintiff's arsenal in federal court because, if a business is notified and does not properly redress the injuries suffered, a plaintiff's future risk of harm will only increase without remedial measures. (42) Thus, the CCPA's private right of action has properly set the stage for a new era of data breach jurisprudence with federal courts at the forefront of the debate over who may join CCPA subclasses in court. (43)

    2. Nationwide Data Breach Class Actions

      Prior to the CCPA's enactment, the Ninth Circuit, in which California lies, pioneered a new, plaintiff-friendly era of standing in data breach class actions. (44) For standing purposes, the Ninth Circuit, along with the Seventh Circuit, set the legal standard for "injury in fact" as the increased risk of future harm stemming from consumers' compromised PII--a decidedly low threshold compared to other federal circuit courts, and perhaps even the Supreme Court of the United States...
