When the California Consumer Privacy Act (“CCPA”) takes effect in January 2020, California will become the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages of between $100-$750 per incident, even in the absence of any actual harm.  The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories.  A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held.  The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit. To help our clients get ready for the CCPA, Bryan Cave Leighton Paisner is issuing a series of data security articles to empower organizations to focus on breach readiness.

Understanding the Nature and Scope of Data Security Events, Incidents, and Breaches

It has been several years since data breaches first emerged as the lead news story.  In 2016, then attorney general Kamala Harris published the California Data Breach Report to provide a comprehensive analysis of reported data breaches from 2012 to 2015.  During that four-year time period, nearly 50 million records of Californians had been breached, the majority resulting from security failures.  Despite increasing security and technology advancements, companies are still grappling with how to stay ahead of hackers and when