In response, in part, to the Equifax data breach, the California Legislature is considering Senate Bill 1121. This bill proposes to change existing California law and make it possible for a business to be sued for a data breach even if no one was actually injured by it. The bill would thus eliminate the proof-of-injury requirement under current California law.
Under SB 1121, any individual who believes they were a victim of a data breach can assert a claim against the business allegedly responsible for any violation of the California statute requiring the business to (a) implement and maintain “reasonable” security measures to protect personal information from falling into the wrong hands, and (b) disclose a data breach to all California residents whose unencrypted personal information fell into the wrong hands.
SB 1121 imposes a minimum penalty of $200 per incident and a maximum penalty of $1,000 per incident—quite shockingly—without requiring any proof of injury to any consumers. Use of the term “consumer” also can be read to expand the scope of the bill to include almost anyone in California (and even beyond). One obvious legal repercussion of the bill is a flurry of high-cost class action lawsuits.
Opposition to the bill has been described by Sen. Bill Dodd—the bill’s author—as “pretty fierce.” Those opposed to the bill include the California Bankers Association, the California Cable and Telecommunications Association, the California Hospital Association, the California Retailers Association, the Personal Insurance Federation of California, and the Securities Industry and Financial Markets Association.
While this bill has not yet reached the Governor’s desk, companies doing business in California should monitor this bill closely as it imposes disproportionately severe penalties with low thresholds of proof.