Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

District Court: Company must face CCPA class action after ransomware attack

Courts Privacy/Cyber Risk & Data Security CCPA State Issues California Class Action

Courts

Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”

As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”