
Data Breach Litigation In California is Evolving

A class action underway in California is instructive for businesses of all sizes in showing how plaintiff's lawyers are starting to think about claims under California's privacy law and related laws.

The California Pizza Kitchen chain suffered a breach in the fall, which exposed personal data including Social Security numbers for thousands of employees. A group of affected employees has reached an apparent settlement, but some believe the proposed settlement doesn't go far enough to protect them. 

Among other things, the objectors think the class should hold out for statutory damages for CPK's alleged failure to use "reasonable" security measures. These damages are set at a fixed dollar amount and do not require plaintiffs to prove that they suffered any actual harm -- only that the defendant failed to act reasonably in preventing the attack. CPK, like the vast majority of companies in the US, is not governed by any law that prescribes a defined standard of reasonable protection for personal information. In other words, whether a hacked company's defenses were "reasonable" will always be a question for trial. In this case, the plaintiffs' lawyers are using known security benchmarks -- notably, the NIST Cybersecurity Framework -- to establish a reasonableness standard and to argue that CPK failed to meet it. In addition, plaintiffs' counsel are advancing arguments under a host of other theories, including state unfair practices law and breach of contract.

Why It Matters

The proliferation of privacy laws -- and the absence of actual industry requirements for cybersecurity -- means that most US companies are on their own to figure out what is a "reasonable" way to protect the information they hold. A third-party benchmark like the NIST framework or a third-party certification program is one way to obtain some guidance on what is reasonable and to establish a paper trail showing that reasonable efforts were made. Being able to show that you used reasonable efforts to secure personal information, and that your efforts compare favorably to a known standard, could be very useful in minimizing exposure under a law like California's, which allows for high damages while offering few standards to benchmark against.

The former employees who filed the suits have claimed to have seen unauthorized credit card charges and a substantial increase in spam communications since the cyberattack. The former pizza chain workers have claimed that the eatery left its network vulnerable to hackers before the attack by not following best practices, including installing up-to-date software and following the cybersecurity guidelines set by the U.S. Department of Commerce's National Institute of Standards and Technology.
