State Laws fail to keep up with the billowing cloud

The Daily Journal

June 17, 2014 – Brian Kabateck and Shant Karnikian wrote a column published in the Daily Journal on July 17, 2014 about the growth in cloud storage, the resulting risk of identity theft and how consumer protection laws have not been keeping up. The column mentions, in particular, the Target data breach this past December, which resulted in more than 50 class action lawsuits, and the fact that statutory damages are not available to any of the plaintiffs in those cases.

“The likelihood of success for negligence-based data breach class actions, like the ones brought by victims of the Target data breach, is doubtful at best,” the authors note. “No other form of legal recourse is readily available to consumers in California either, as consumer protection laws do not provide for statutory damages.”

Ironically, according to Kabateck and Karnikian, California had been a pioneer in security breach laws, passing Senate Bill 1386 in 2002, which requires entities to disclose to residents whenever their encrypted data is exposed. The law, however, remains toothless compared to other confidentiality legislation, giving corporations and financial institutions little incentive to protect consumer data and prevent breaches in the first place.

The authors cite, among other laws, the Confidentiality of Medical Information Act (CMIA), which requires medical providers to keep their patients’ medical information confidential and allows patients affected by breaches to seek statutory damages of $1,000 per violation, without having to allege injury.

“Consumer protection laws mirroring the protections and recourse offered by the CMIA can bring the state’s once trailblazing security breach statutes up to date with the increasing risks of identity theft and other ramifications stemming from storing consumer data in the cloud,” they wrote.