On March 10, a putative class action complaint was filed by Hector Fuentes in the U.S. District Court of California against Sunshine Behavioral Group, LLC (Sunshine) in connection with a September 2019 data breach that resulted in the exposure and exfiltration of the sensitive personal and medical data of approximately 3,500 patients. Among other claims, Mr. Fuentes alleges a violation of the California Consumer Protection Act (CCPA).
Notably, the CCPA’s private right of action only allows individuals to bring suit if their personal information is compromised “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”
Having an up-to-date security program and incident response plan can help your company prepare a strong defense to claims like Mr. Fuentes’.
Sunshine operates drug and alcohol rehabilitation facilities in several states, including California. On September 4, 2019, Sunshine learned it had suffered a data breach exposing numerous types of personal and medical information (including credit card numbers, Social Security numbers, medical information, and insurance information).
This personal and medical information was viewable online, and then exfiltrated (taken without authorization). According to the complaint, although Sunshine learned of the data breach on September 4, 2019, it did not notify those persons affected by the breach or regulators until on or about January 21, 2020.
Moreover, according to the California Attorney General, the data breach began on March 1, 2017.
The complaint and the CCPA
Mr. Fuentes, individually and on behalf of the class, alleges several causes of action, including traditional common law claims, as well as several California state law claims. In particular, the complaint alleges a violation of the CCPA, and specifically Cal. Civ. Code Section 1798.150(a):
(a) (1) Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
Of note, Mr. Fuentes specifically alleges, consistent with Cal. Civ. Code Section 1798.150(b), that plaintiff's counsel served Sunshine with notice of the alleged CCPA violations prior to filing the complaint.
Alleged harm and standing
Mr. Fuentes is alleging that he and the putative class members have suffered several different types of harm as a result of the breach. The allegations include almost every type of theoretical and concrete harm that could befall an individual affected by a data breach, including general allegations of theoretical harm such as being placed at an increased risk of identity theft, and more concrete allegations like out-of-pocket costs incurred for things like credit monitoring.
The damages alleged by an individual in a data breach lawsuit are crucial because they affect the individual’s ability to prove standing. A class representative in a class action must demonstrate actual injury, as opposed to potential or theoretical damages.
In recent years, the issue of whether an individual affected by a data breach has suffered an “injury-in-fact” sufficient to entitle the individual to bring suit in federal court has been hotly contested all over the country. For instance, if an individual’s data has been accessed in a breach, but his identity is not stolen or otherwise affected, has he suffered harm? The case law interpreting the CCPA’s private right of action will almost certainly generate more cases analyzing the contours of the standing requirement as it relates to the fallout from a data breach.
Likewise, the court’s determination in this case of whether individual issues (for example, the need to determine data breach damages for each particular class member) outweigh those issues common to all members of the class will be closely scrutinized.
Adams and Reese’s previous alerts on the CCPA provide more detail on the data privacy rights established by the act, as well as additional potential action items for covered entities.
Our Privacy, Cybersecurity and Data Management team will continue to share the latest developments and provide insights on the CCPA.