
InfoBytes Blog

Financial Services Law Insights and Observations

District Court: Cloud computing company must face class action CCPA claims in data breach suit

Courts, CCPA, Privacy/Cyber Risk & Data Security, Data Breach, Class Action, State Issues


On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that the data breach was a result of the company’s “deficient security program” and contended that the company “failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.” They further claimed, among other things, that the company’s narrow internal investigation did not address the full scope of the ransomware attack (in which it was eventually revealed that Social Security numbers and other sensitive personal data were compromised) and that plaintiffs were not provided timely and adequate notice of the data breach.

The court found that the plaintiffs failed to adequately plead their claims for violations of consumer protection laws in New Jersey, Pennsylvania, and South Carolina, but allowed certain claims to proceed, including plaintiffs’ allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to implement and maintain reasonable security procedures. The CCPA, which became effective January 1, 2020 (covered by a Buckley Special Alert), provides for a limited private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” The company countered, however, that it is not a “business” regulated under the CCPA.

The court disagreed, writing that “the plain text of the statute is instructive” and that the plaintiffs had adequately alleged that the company qualified as a “business” under the statute because it (i) uses consumers’ personal data to provide, develop, improve, and test its services; (ii) “develops software solutions to process its customers’ patrons’ personal information”; (iii) has annual gross revenues of more than $25 million; and (iv) is allegedly registered as a “data broker” in California under a law that “provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” The court also rejected the company’s contention that because it qualifies as a “service provider” under the CCPA it is not a “business.” The court further allowed claims under New York General Business Law Section 349 to proceed, finding the plaintiffs had sufficiently alleged that the company had misrepresented its security measures and the scope of the breach and had prevented consumers from protecting their data. The court also allowed the plaintiffs to seek declaratory and injunctive relief under Florida’s Deceptive and Unfair Trade Practices Act.