Palm Trees

Encryption’s Impact on Potential Liability Under CCPA

(This article is brought to you courtesy of the International Association of Privacy Professional (IAPP) and first appeared in The Privacy Advisor, IAPP’s original content publication for privacy professionals).

In the last decade, California has suffered twice as many data breaches as any other state, with roughly 1,493 breaches affecting nearly 5.6 billion records. For an organization that handles the data of California consumers, adopting a robust security system is prudent.

Encrypting consumer data is one strategy that an organization can adopt as part of a comprehensive information security and privacy program. Encryption benefits consumers by rendering compromised data unreadable, so that even if encrypted data is disclosed, the risk of harm to an individual, such as identity theft or physical safety, is significantly limited. Where California’s privacy laws apply to an organization, encrypting customer data will provide immunity from the private right of action under the California Consumer Privacy Act and limit obligations of notification in the event of a data breach under California’s data breach notification law.

How will encrypting data benefit your organization in California?

Under CCPA, California consumers are provided a private right of action, which permits them to file civil suits against businesses for certain types of data breaches and potentially recover either statutory damages of up to $750 or actual damages, whichever is greater. In class-action litigation involving millions of consumers, these damages can add up quickly. Compared to the EU General Data Protection Regulation, which allows for fines of up to 4% of global turnover, damages under the CCPA do not have a similar liability cap. As a result, a business’s damages under the CCPA could conceivably dwarf the fines permitted by the GDPR.

As mentioned above, this private right of action only applies to certain types of data breaches. First, the breach must consist of a California resident’s first name (or first initial) and last name in combination with one of the following: Social Security number, some unique identification number issued on a government document that is commonly used to verify an individual’s identity, account number or credit or debit card number in combination with any required security code, medical information, health insurance information, or unique biometric data used to authenticate an individual. Collectively, all these categories are referred to as “covered personal information.”

Even if covered personal information is compromised, the private right of action under the CCPA only applies to breaches of nonencrypted or nonredacted covered personal information resulting from a business’s failure to implement and maintain reasonable security procedures and practices. In determining reasonableness, the attorney general may look to the 20 security controls promulgated by the Center for Internet Security, which the California Department of Justice identified in 2016 as establishing the minimum controls required to show a reasonable security system. These controls recommend encryption. Thus, for an organization seeking to limit liability under the CCPA, encrypting covered personal information of California consumers is a very effective way to do so.

Moreover, under California’s data breach notification law, an organization that does business in California and maintains personal information of California residents may be required to notify the residents if they have been affected by a data breach. However, if the compromised personal information is encrypted, it falls outside the scope of the data breach notification law and the obligation to notify is not triggered. Though the definitions of personal information are not identical under the CCPA and California’s data breach notification law, there is a significant amount of overlap.

Like the CCPA, California’s data breach notification law also provides consumers with a right of private action if they have been injured by a violation of the law. Unlike the CCPA, though, the data breach notification law does not provide statutory damages. As a result, if an organization encrypts the personal information it maintains on California consumers, it can avoid the obligation to notify consumers of a data breach and it reduces the likelihood of civil actions.

CCPA in action

On Feb. 3, a California consumer filed a class-action suit, arising from a data breach, against high-end children’s clothing retailer Hanna Anderson and Salesforce, a software-as-a-service company specializing in customer relationship management. The claim alleges, among other things, a violation of the CCPA and states that consumers’ unencrypted and unredacted personal information, including financial information, was compromised by a breach. The complaint alleges the information accessed by the hackers was for sale on the dark web. Had the personal information stored been encrypted, the plaintiff’s chances at recovering any damages under the CCPA would be significantly limited as their claims would not be covered by the CCPA’s private right of action. Moreover, any harm to consumers would have been limited or eliminated due to the hacker’s conceived inability to decrypt the data.

If your organization handles covered personal information, encrypting it would be a smart decision. Not only does it help mitigate the risks of harm consumers face in the event of a security incident, but it shields your company from liability under the CCPA’s private right of action.

Photo by Ev on Unsplash

About the Author

Soliman Hatef, CIPP/US
Research Editor at Santa Clara Law Review
Soliman Hatef is a J.D. candidate at Santa Clara University School of Law, where he is a research editor for the Santa Clara Law Review and a candidate for the Privacy Law Certificate. While in law school, Soliman served as a legal intern for various tech companies. Soliman holds a B.A. in Political Science from the University of California San Diego.