Data breaches have become a lot more dangerous in California.  Joining the dubious ranks of Minted Inc., Zoom, TikTok, and Salesforce.com, Wal-Mart is the latest target of a CCPA-related class action lawsuit due to a data breach.  This has now exposed Wal-Mart to a maximum of $750.00 in damages to each and every consumer within the class action. With Wal-Mart's comparative size, massive reach, and approximately thirty nine million persons residing in California, this creates a scenario where Wal-Mart may easily face a billion-dollar class action.  So what happened to create this lawsuit? What risks do other businesses face for a failure to take appropriate actions? How can businesses avoid suffering the same fate and ending up in litigation?

What Happened?

On July 10, 2020, Lavarious Gardiner filed a class action lawsuit against Wal-Mart, for the following claims: violation of the CCPA's security provision, negligence with reference to the California Customer Records Act (a law which, before the CCPA, had encouraged businesses to take reasonable steps to secure personal information and inform consumers when their information was compromised), unfair business practices, explicit breach of contract arising from the privacy policy, and implicit breach of contract. Furthermore, this lawsuit was not borne from a singular incident, so much as it has been from Wal-Mart's past incidents, as the plaintiff alleges two million Wal-Mart accounts are up for sale on the dark web, as well as an evaluation of Wal-Mart's systems performed by Open Web Application Security Project Zed Attack Proxy (OWASP ZAP).  The plaintiff outlines the following vulnerabilities:

1. The exposure of private IP addresses disclosed in the public website code;
2. 44 instances of password autocomplete, allowing cookies to be accessed by a personal computer (permitting pre-existing malware to manipulate and access cookie data);
3. Over 100,000 instances where hackers could insert malicious Javascript;
4. Over 93,000 instances of an exploit permitting cookies to be accessed through unencrypted connections; and
5. Over 8,000 instances where the Wal-Mart website was allegedly vulnerable in a way that would allow the hacker to steal account information through interactive areas.

The plaintiff also utilized other vulnerability assessment tools, including the Nessus tool used by government agencies, to identify 13 additional issues which would be considered automatic failures.

What Risks Exist?

The lawsuit against Wal-Mart puts the risk to businesses in a harsh relief.  While there are certainly reputational costs, as had occurred with the massive Target breach, the lawsuit against Wal-Mart also highlights that there are high financial costs for companies doing business in California.  The CCPA permits individuals to sue for $100 to $750 per person if their information is compromised and the business failed to maintain reasonable security measures.  For Wal-Mart, this means that a potential class of two million Californians could result in $200 million to $1.5 billion in damages.  While this would scale down for smaller businesses, even a business subject to the CCPA with 50,000 consumers would face damages ranging from $5 million to $37.5 million.

How Can Other Businesses Avoid Similar Lawsuits?

The solution for other businesses is a murky one that can be roughly categorized in two areas:

This can be difficult as "reasonable security measures" has never been defined within the CCPA, and thus, it may interpreted as a sliding scale, as it seems permissible based on the Attorney General's guidelines regarding the different authentication measures needed for different kinds of personal information.  However, general rules will apply (i.e.: implementing firewalls, partnering with IT services for basic security, avoiding "scams," and engaging in safe computing).

One of the most basic and essential measures that can be taken is training employees to avoid phishing or social engineering efforts.  Social engineering hacking has been shown to be among the easiest ways a hacker can create massive damage to a business, and social engineering has been the cause for the Twitter hack of high-profile verified accounts on July 15, 2020, as well as various other infamous "hacks" such as the hack of the Democratic National Committee in 2016, the Target data breach in 2013, the Yahoo account breach in 2013, and the 2014 Sony Pictures hack.  All of these incidents occurred due to phishing or spear phishing attempts through the respective entities, compromising accounts with extensive access to sensitive information.

While this may be difficult to consistently manage, it emphasizes that social engineering hacking can result in massive damage to entities.  Using the Target breach as an example, the Target breach resulted in an $18.5 million settlement.  Furthermore, Yahoo's breach resulted in a settlement of $117.5 million.  Notably, both of these occurred before the CCPA became law.  This is crucial to train against, as unlike "brute force" methods of hacking where a hacker attempts to crack passwords or forcibly obtain access, the users are the source of the vulnerability.  Additionally, businesses’ use of assessment and security auditing tools like those used by the plaintiff may help remediate risks, and address concerns proactively.

This can also be challenging, as privacy policies require careful drafting and review between those drafting the privacy policy and those managing the security efforts.  While the privacy policy is generally seen as an ancillary document, it has led to actions against other large entities, such as Facebook's $5 billion penalty from FTC when Facebook failed to adequately inform consumers about how to control their personal information, and Facebook's inability to abide by its statements regarding privacy.  Careful and deliberate phrasing of the privacy policy may not curtail all legal actions against a business, especially as it may give rise to accusations that a business has failed to engage in reasonable security measures, even if the privacy policy states that it does.  However it is still important in setting expectations, letting consumers know that they are, at least partially, responsible for some of their own online security.

Why Conscious Steps Now Are So Important

While these efforts may seem momentous, the hardest part is taking the first step forward.  While there is admittedly not much guidance within the law yet, staying informed, and taking proactive measures to better security measures is key.  For example, implementing readily-available training regarding avoidance of social engineering hacking schemes will help bolster efforts to show reasonable security, even if a company cannot afford the use of assessment or auditing tools.

Putting some attention into the privacy policy itself will also aid businesses in becoming more aware of the limits of their ability to protect information, and the business's responsibility to abide by the terms of its own privacy policy.  Furthermore, the careful formulation of a privacy policy is important to avoid the impression of a contractual obligation by the business to protect and secure the consumer's data.  Instead, the privacy policy should set reasonable expectations with the consumer, potentially addressing any contractual arguments while acknowledging that a data breach can and may occur, no matter the security system in place.

An important aspect to remember is that a business should be prepared to respond after a hack occurs.  California, as well as other states, have statutes dictating how businesses need to respond to consumers after becoming aware of a breach where personal information is compromised, or believed to have been compromised.