An Internet advertising agency that specializes in lead generation for law firms failed to properly secure databases that included the records of about 150,000 individuals. The ad agency, X Social Media, utilizes campaigns on Facebook that target potential plaintiffs for personal injury cases, medical malpractice lawsuits, and mass tort claims. Since the Facebook ads that X Social Media uses to generate these leads are designed to collect and store medical information along with contact details, the database records themselves likely trigger many state breach notification statutes that list “medical information” as “personally identifiable information” — including California’s.
Lately, a lot of the discussion around privacy and advertising has focused on how California’s new privacy law is going to impact programmatic advertising. Easily forgotten, however, is that the CCPA includes a private right of action for data breach.
The private right of action, as it stands now, allows a consumer to bring a civil action against a company that fails in its duty to implement and maintain reasonable security which leads to the unauthorized disclosure of the consumer’s nonencrypted or nonredacted personal information. The statute provides for damages of “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” While the CCPA private right of action is limited to a narrower definition of “personal information” than the rest of the law, this definition does include medical information linked to an identified person, among other data points. It doesn’t take complex math to predict X Social Media’s potential exposure if this incident happened next year.
This is a clear example of how the CCPA, in the near future, could turn a very bad situation into a crippling one. Once CCPA takes effect, companies have to consider the risks associated with CCPA’s private right of action and statutory damages.