California Considering Lowering Bar For Data Breach Lawsuits

Victims of data breaches could sue companies without showing they were harmed under a bill advancing in the California Legislature.

The Assembly has three months to consider S.B. 1121 bill and send it to Gov. Jerry Brown (D). Senators passed the measure 22-13 after the bill author, Bill Dodd (D), accepted amendments from the Assembly to create a safe harbor for businesses that protect consumer data.

“It is important that we put in reasonable protections for businesses so that they’re not going to be subject willy-nilly to lawsuits out there that are essentially fishing expeditions,” state Sen. Ben Allen (D) said during debate on the Senate floor.

Dodd’s bill was inspired in part by the 2017 Equifax data breach. A measure to give consumers similar standing to sue for data breaches is expected to qualify for the November statewide ballot.

Ballot Measure, Too

Both S.B. 1121 and the California Consumer Privacy Act would lower the threshold for consumer lawsuits.

Consumers would have four years to sue for violation of the California Customer Records Act if their name, Social Security number, driver’s license number or financial account information is breached. Companies that hold breached data would be liable for $200 to $1,000 per violation for not protecting consumer information or notifying consumers, Dodd said.

Individuals currently must be customers to sue a company for damages and must show they were harmed by a breach.

“The Equifax breach demonstrated that consumers cannot always be defined as customers,” Dodd said.

‘Mecca for Lawsuits’

Dodd said he is open to changing the bill “to make sure this doesn’t become a mecca for lawsuits when no harm has been done.”

The California Public Interest Research Group, the Consumer Attorneys of California, and several other consumer groups and labor unions support the legislation. It faces stiff opposition from a coalition of about 70 business groups including TechNet, CompTIA, the Internet Association, and the California Chamber of Commerce.

Another bill inspired by the Equifax breach is on the legislative agenda. A.B. 1859 by Assemblyman Ed Chau (D) would make consumer credit reporting agencies liable if they ignore to address a known system vulnerability that causes a data breach involving personal consumer information.

The bill passed the Assembly 57-15 on May 31 and awaits action in the Senate.

Both bills must pass by Aug. 31 to reach the governor’s desk.

Alternatives Possible

Lawmakers are waiting for the secretary of state to announce if the California Consumer Privacy Act has qualified for the November ballot. Supporters submitted more than enough signatures to place the measure before voters.

The measure would allow consumers to demand companies disclose what information it collects on individuals, and would allow consumers to tell businesses not to sell their personal information to a third party. It also would bar companies from discriminating against consumers who ask that their personal information remain private.

The bills on deck could emerge as alternatives to the ballot measure in the next few weeks. Under state law, the Legislature must hold a hearing on qualified ballot measures and can propose alternatives if it wants to withdraw a measure from the ballot.

Don’t Hold Your Breath

Alastair Mactaggart, chairman of the privacy act campaign, told Bloomberg Law he would consider withdrawing the ballot initiative by the June 28 deadline “if lawmakers come up with a measure that does all or most of what we think is important.”

“I’m not holding my breath,” he said.

A political action committee opposed to the ballot measure has support from Microsoft Corp., Uber Technologies Inc., Alphabet Inc.’s Google, Comcast Corp., and AT&T Inc.

“We believe the California measure could have unintended consequences for both businesses and consumers and that there is a better way to give consumers the privacy rights they deserve,” a Microsoft spokesman said in an emailed statement.

The Alliance of Automobile Manufacturers Inc., Association of National Advertisers Inc., and Data Marketing Association also have donated to the opposition effort, according to campaign filings.

“We are prepared to run a strong campaign against the ballot measure,” spokesman Steve Maviglio told Bloomberg Law.

Mactaggart, president of residential developer Emerald Fund Inc., has contributed the bulk of the campaign contributions on the favorable side, according to campaign filings.

(Updates with Microsoft statement.)

With assistance from Daniel R. Stoller

To contact the reporter on this story: Laura Mahoney in Sacramento, Calif. at lmahoney@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com