SB 1121, which is making its way through the California Legislature, would allow businesses to be sued for data breaches even when no one was actually injured. This includes being sued for failing to implement and maintain reasonable security procedures as well as for failing to properly notify affected individuals of a breach of their personal information. Opponents of this bill are calling it a “job killer”.
Think there is enough litigation in California? Well, California could soon surpass its own record of being the most litigious state in the history of the world by opening the floodgates to more lawsuits in the aftermath of a data breach. Introduced on February 13, 2018, SB 1121 is currently moving through the California Senate and generating an uproar among business leaders. If enacted, SB 1121 would empower anyone “whose personal information has been or is reasonably believed to have been breached” to file a civil lawsuit against a business on whose watch the personal information was breached, whether or not the person suffered any actual harm or monetary loss.
Specifically, under SB 1121, an individual who believes they were a victim of a data breach can assert a claim against the business responsible for the breach for any violation of the California statute that requires the business to (a) implement and maintain “reasonable” security measures to protect personal information from falling into the wrong hands, and (b) disclose a data breach to all California residents whose unencrypted personal information fell into the wrong hands. Existing law contains a more concrete injury requirement that limits claims to only those who were injured by a violation of the statute. In contrast, SB 1121 appears to lower the threshold so anyone whose personal information has been leaked, whether or not they actually suffered any injury as a result of the leak, can file a lawsuit even for technical violations of the statute. SB 1121 also expands the statute of limitations for claims under this statute to four years.
It is no surprise that a coalition of business and industry groups have banded together to advocate against SB 1121, calling it a “Job Killer.” Among the voices in opposition are the California Chamber of Commerce, at least ten other local chambers of commerce, California Bankers Association, California Hospital Association, California Retailers Association, and various technology advocacy groups and trade organizations. These groups argue that SB 1121 would drastically expand the civil liability of businesses without much added benefit to consumers, and that consumer class action attorneys stand to benefit greatly if this bill is enacted into law.
SB 1121 would impose a minimum of $200 in damages per consumer without requiring any proof of consumer injury. This would turn even a small data breach in which no one was actually injured or where the disclosed information was actually recovered and there was no risk of identity theft resulting from the breach into a potential class action lawsuit.
Although this bill has a long way to go in the Legislature before getting to the Governor’s desk, the prospect of such a bill being enacted should be of concern to all businesses and employers in California. If your business has not recently undergone a computer security assessment, now is the time to plan this in your budget for the remainder of 2018. As data breaches occur at a more frequent rate, it may just be a matter of time when you find yourself having to call a Fisher Phillips attorney at 7pm on a Friday asking whether a leak of information qualifies as a data breach under the statute and having to quickly respond to a data breach. Employers are wise to see the introduction of SB 1121 as an opportunity to stay ahead of the data breach trend and focus on prevention and compliance.