On March 6, 2018, the state of California filed a lawsuit seeking civil penalties against credit reporting agency Experian Data Corporation and others. This case has important implications for companies that collect or store consumers’ personal identifying information (“PII”), including possible exposure to hefty fines at the hands of state and local government entities for failure to comply with breach notification laws.
California filed suit against Experian, Court Ventures, Inc. (“CVI”), and U.S. Infosearch.com, LLC (“USI”) (collectively, the “Defendants”), alleging that the Defendants failed to notify victims that their PII was stolen in a large-scale data breach. This lawsuit comes on the heels of another suit that California filed against Equifax in September 2017 under a similar theory following the data breach that company experienced.
CVI and USI aggregate and sell access to consumers’ PII. According to the Complaint, CVI and USI entered a Data Sharing Agreement and pooled their aggregated consumer PII. This provided paying customers with access to a larger database of PII (the “Database”). In March 2012, Experian allegedly acquired CVI and became a party to the Data Sharing Agreement.
In July 2010, Heiu Minh Ngo allegedly posed as a private investigator and purchased access to the Database. Ngo then sold access to Database information to criminals via two illicit websites. As many as 30M consumers’ PII may have been compromised. According to media reports, criminals stole $65M by filing fraudulent tax returns using PII obtained via Ngo’s illicit websites.
California’s Basis for its Suit
California has sued the Defendants under California’s unfair competition and breach notification laws. The breach notification law provides:
A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person…. Cal. Civ. Code § 1798.82(a)
The statute requires that disclosure “shall be made in the most expedient time possible and without unreasonable delay.” Id.
The Complaint alleges the Defendants have yet to notify affected persons of the data theft. The Complaint seeks penalties of up to $2,500 per violation, plus an additional $2,500 for each affected person who is elderly or disabled. With an estimated 3.6M affected Californians, this sum could exceed $9B.
There are four important takeaways from this case.
– Companies’ exposure from data breaches could increasingly stem from fines and penalties imposed by state and local government entities.
– California’s UCL and breach notice provisions could become an increasingly popular tool for California government entities eager to crack down on privacy or cybersecurity violations. In fact, a separate suit against Equifax filed in September 2017 seeks to hold Equifax responsible for penalties under the UCL for its alleged six-week delay (and other deficiencies) in providing notification of the breach to victims.
– Security vulnerabilities are not necessarily the product of a technical deficiency. Indeed, the Complaint alleges that consumers’ PII in this instance was compromised not through any technical vulnerability, but rather through a failure to properly vet Ngo and recognize his large-scale criminal operation.
– Liability for companies could result from agreements reached with third parties or other companies during the course of mergers and acquisitions. Here, Experian acquired CVI and, thereby became party to the Data Sharing Agreement. This acquisition, and Experian’s later part in the Data Sharing Agreement, were key vulnerabilities exposing it to potential liability. Companies would, therefore, be wise to properly vet all agreements with third parties to prevent vulnerabilities that can result from unknown entities’ ability to gain access to the PII they collect.
The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Fields Howell or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the reader’s state, country or other appropriate licensing jurisdiction.