The California Chamber of Commerce and a large coalition are working to stop a job killer proposal that will subject businesses and nonprofits to massive liability for data breaches, even if no consumer was injured and no data was actually extracted during a breach.
SB 1121 (Dodd; D-Napa) passed the Assembly Judiciary Committee on Tuesday, despite strong opposition pointing out that the drastic increase in liability would fail to provide any corresponding benefit to California consumers. The only beneficiaries would be consumer class action attorneys.
Recent amendments to SB 1121 fail to address major concerns of opponents and include confusing language that will prompt even more litigation, the CalChamber and coalition pointed out in a letter to the committee.
More Civil Liability/Penalties
SB 1121’s expansion of civil liability will be costly for businesses and nonprofit groups.
The bill imposes a minimum of $200 and a maximum of $1,000 in damages per person, per incident—without requiring any proof of consumer injury. Such damage awards would be enough to put companies out of business.
For example, a small business with just 1,000 customers that suffers a data breach will face civil liability of up to
$1 million just in statutory damages.
Moreover, SB 1121 explicitly makes these new penalties cumulative to penalties that already exist in current law. If adopted, this will create a complicated overlay of state, federal, and potential new fines that will make the entity breached liable multiple times over for the same incident.
For example, the November privacy ballot initiative, if passed, would impose $1,000 in statutory damages per person, per incident of data breach. If the ballot initiative passes and SB 1121 is adopted, the small business referenced above with 1,000 customers will face civil liability for at least $2 million just in statutory damages if it suffers a data breach.
SB 1121 also vastly expands the scope of who can sue companies for data breaches. Under current law, a California customer who has been injured by a data breach can bring a lawsuit to recover.
In addition to removing the injury requirement, SB 1121 creates a new, private right of action for any consumer whose data has been breached. Even non-California residents will be able to sue the state’s businesses and nonprofits.
SB 1121 will cause “shakedown” data breach lawsuits as businesses and nonprofits faced with the risk of such massive damages are leveraged into immediate settlement—regardless of the strength of their defense.
The bill is an attempt to bypass the will of the voters, who approved Proposition 64 in 2004 by an 18-point margin. Proposition 64 limits private lawsuits against businesses under the state’s Unfair Competition Law (UCL) to individuals who have actually been injured.
Businesses and nonprofits already have significant incentives to prevent data breaches, which already result in private and public lawsuits, as well as enforcement actions.
Current law requires companies to immediately report a data breach to California consumers—even if no harm has been detected. (Many states require a showing of harm to trigger their data breach reporting requirement.)
Once reported, news of a data breach results in damage to a company’s relationship with its customers, as well as its brand and its reputation. It also opens a company up to UCL lawsuits by customers who can allege injury.
Moreover, if a data breach involves more than 500 California consumers, businesses and nonprofits must report the breach immediately to California’s Attorney General. This means the reporting businesses and nonprofits may be subjected to a civil enforcement action brought by the Attorney General or another government enforcement agency.
Finally, current law already requires businesses that have been breached to provide free identity theft and mitigation measures, like credit reporting services, to their customers for at least one year.
The June 19 vote in Assembly Judiciary was 6-3:
Ayes: M. Stone (D-Scotts Valley), Chiu (D-San Francisco), Gonzalez Fletcher (D-San Diego), Holden (D-Pasadena), Kalra (D-San Jose), Reyes (D-Grand Terrace).
Noes: Cunningham (R-Templeton), Kiley (R-Granite Bay), Maienschein (R-San Diego).
No vote recorded: Chau (D-Monterey Park).
SB 1121 will be considered next by the Assembly Privacy and Consumer Protection Committee.
The CalChamber is asking members to contact their Assembly representatives and members of Assembly Privacy and Consumer Protection to urge them to oppose SB 1121.