Beginning on Jan. 1, 2020, companies that collect personal information of California residents need to be prepared to prevent and defend against potentially catastrophic litigation if such personal information becomes compromised. Specifically, under the California Consumer Protection Act (CCPA), any California consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or for actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

Cal. Civ. Code 1798.150(a)(1). When some security incidents involve the disclosure of personal information of millions of individuals, the potential statutory damages in class litigation can be catastrophic.

The CCPA provides one potential savior for some businesses: a cure opportunity before a plaintiff may bring a civil action for statutory damages. Specifically, prior to initiating any action against a business for statutory damages on an individual or classwide basis, a consumer must provide the business with 30 days’ written notice identifying the specific provisions of the CCPA the consumer alleges have been or are being violated. Cal. Civ. Code 1798.150(b). In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and no further violations will occur, no action for individual or classwide statutory damages may be initiated against the business. Businesses must be careful, however, because they may be subject to additional statutory damages if they breach the express written cure statement.

Furthermore, the statutory language specifies that a business can cure if a cure is possible. In many security incidents, by the time the business even realizes that there has been a compromise, there is no ability to undo it, so this cure provision may ultimately be of limited application. Nevertheless, the notice is a pre-suit requirement, so plaintiffs will have to comply if they want to seek statutory damages. Importantly, no pre-suit notice is required if the consumer initiates an action solely for actual pecuniary damages or for injunctive or declaratory relief.