The law firm of Bryan Cave has done some interesting analysis.
On January 1, 2020, California became the first U.S. state to allow a breach victim to sue a company that was breached without having to prove they were damaged. The breach alone is proof of damage. The amount any one person can sue for is small – between $100 and $750 – but multiply that by any reasonable number of victims – say 10,000, which by today’s standards is a small breach – and now you are talking real money. In this example, between a million and 7.5 million dollars.
So what did Bryan Cave’s analysis show?
Of the 84 breaches reported to the CA AG so far this year, 27 have resulted in litigation. There have been 34 actions filed referencing the CCPA.
Of course a lot of this is garbage.
Some of the suits were filed for breaches that happened before the CCPA went into effect. Some were filed before the 30-day cure period expired (although it is hard to cure a breach, the law says ya gotta let ’em try).
Some were filed for non-breach related CCPA violations. Note: the law does not allow for private rights of action in these cases.
Some of this could be attorneys practicing. Or testing the courts to see if they have read the law or want to create a law of their own. This part will pass.
Still, 30% of the breaches reported to the AG have resulted in some form of legal action. This is up from 4-6 percent in previous years.
So what does this mean for a company with customers in California?
It means the economics of cyber security is changing, and changing rather rapidly. This is, in my opinion, exactly what the framers of the ballot initiative (Alastair Mactaggart) that forced AB 375 to be passed into law wanted.
Whether you agree with Alastair or not, you need to recognize that the economics of cybersecurity for companies that have customers in the world’s 5th or 6th largest economy has changed.
Likely it will continue to change.
Will insurance companies, understanding that their risk profile has changed, start demanding better security if you want insurance? Don’t know, but they understand math. Either better security, higher premiums or no insurance.
Will banks start demanding better security for companies who want loans? Certainly bad security increases loan risk.
Will investors start demanding better security for companies that they invest in? Some already have.
So what does this mean for companies?
Consider the new economics. Then consider your security profile. Finally, consider what would happen if you were breached.
Credit: Bryan Cave