A Pennsylvania resident (“Plaintiff”) has filed a class action complaint (the “Complaint”) in the United States District Court for the Central District of California against Sunshine Behavioral Health Group LLC (“Sunshine Behavioral”), which operates drug and alcohol addiction rehabilitation centers. The Complaint alleges, among other things, violations of the California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.) (“CCPA”) in connection with a September 2019 data breach. The Complaint alleges that Sunshine Behavioral violated the CCPA by exposing class members’ personal and health information because of a failure to “implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.” Plaintiff seeks injunctive relief enjoining further violation of the CCPA, as well as potential “actual, punitive, and statutory damages[.]” The Complaint further alleges that, although Sunshine Behavioral was made aware of the data breach in September 2019, it did not notify affected individuals or the California Attorney General of the breach until January 21, 2020.
The CCPA offers a limited private right of action to consumers “whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure” resulting from a failure to implement reasonable security measures. Except for an action seeking only actual pecuniary damages, however, a plaintiff may seek statutory damages only after giving the defendant written notice of the purported violation and allowing 30 days to cure it.
The CCPA does not define what constitutes “reasonable security procedures and practices,” but direction may be gleaned from regulatory guidance (such as from the U.S. Department of Health and Human Services with respect to HIPAA), enforcement actions, and statements from standards-setting bodies. In the context of the California Customer Records Act (Cal. Civ. Code § 1798.80, et seq.), which also requires businesses to maintain reasonable security, California has already weighed in on what constitutes reasonableness. In 2016, Attorney General Kamala Harris cited the Center for Internet Security’s twenty Critical Security Controls (“CIS Controls”), stating that “[t]he failure to implement all the [CIS] Controls that apply to an organization’s environment constitutes a lack of reasonable security.” Although this guidance predates enactment of the CCPA, courts and regulators may treat the CIS Controls as a benchmark of reasonableness when determining liability for alleged CCPA violations.
In this instance, the breach of patient data purportedly resulted from a misconfiguration of Sunshine Behavioral’s cloud storage space on Amazon Web Services. Whether Plaintiff succeeds on the CCPA cause of action may turn on whether that misconfiguration was unreasonable under the CIS Controls or under whatever other rubric for reasonable security the court adopts. Whether the exposed data was “nonencrypted” for purposes of the private right of action is a practical question as well: server-side encryption at rest on cloud storage is decrypted transparently for any principal the storage permissions allow to read, so a storage location that is readable by the public serves plaintext regardless of whether it is encrypted on disk. The Complaint may also suffer from other infirmities, such as failure to give the 30-day pre-suit notice before seeking statutory damages, or because the breach of Plaintiff’s data occurred before the CCPA’s effective date. This litigation (and other newly filed CCPA litigation) should help set the standard for CCPA litigation in the future.
Companies should take this and similar litigation as a warning to ensure reasonable security now. The foundation of any reasonable security program is a comprehensive, legally compliant, and defensible risk assessment. Should you need any help or have any questions on responding to CCPA litigation or on thorough and protective security risk assessments, please contact Venable.