Do Data Privacy Laws Go Far Enough?

Information privacy laws balance the interests of large corporations that use valuable data for various purposes and individuals who have a right to safety and security. The number of data breaches in 2021 increased significantly, which indicates that stronger laws might be necessary. In response, lawmakers in states like Illinois and California have approved tougher data breach laws. 

Politicians must balance the interests of separate parties, but a New York commercial litigation attorney has their client’s best interest in mind. We understand your personal information needs and how unnerving it is when this data falls into the wrong hands. We’re also committed to protecting your safety in other areas. Regardless of the injury, we work hard to obtain the compensation you need and deserve.

Breaking Down California’s Model Data Privacy Laws

The California Consumer Privacy Act (CCPA) is widely regarded as the broadest data privacy law in the country. A similar privacy law in Illinois is a close second. Originally, the CCPA was exclusively a consumer information protection act, but a 2023 amendment extended the protections to certain human resources information.

However, a subsequent amendment took the CCPA in the opposite direction. This amendment extended certain protections, exemptions, and loopholes that allow businesses to avoid compliance. These exemptions included additional data security requirements, as well as disclosures regarding the categories of personal information they collected about employees and job applicants, and the purpose of collection.

Other legal provisions are equally business-friendly. For example, even after it takes effect, the CPRA still allows companies to monitor employee computer activity, although employees do receive some additional rights regarding that data. 

These rights include the right to access, delete, or opt out of the sale of their personal information, including data collected by employee monitoring software. Employers that collect employee computer activity data must develop systems that allow the deletion of this data at the request of their employees. Their employees will also be granted the right to know where, when, and why their employers are using their personally identifiable data. 

The bottom line is that, even under the amended CCPA, California employers must notify employees, contractors, and job applicants of the personal information that they collect and how they use it. 

As for damages, this employee data also falls within the purview of the CCPA, specifically the private right of action for data breaches resulting from the failure to implement reasonable security measures. Under the CCPA, the potential damages for such data breaches can be based on statutory damages of $100 to $750 per consumer per security breach or actual damages (whichever is more).

Many data breaches affect millions of people. These damages add up quickly. Because of the private right of action, a New York commercial litigation attorney is able to obtain them in court. Victims need not wait for government bureaucrats to do something.

Most observers expect additional such legislation not only in the Golden State but in other jurisdictions as well.

What Causes Data Breaches?

In one way or another, corporate negligence has caused almost all data breaches nationwide.

Large financial and medical companies invest millions of dollars into robust, nearly impenetrable security systems. So, unless such a company has a lax device policy (more on that below), personal information should be safe.

Smaller companies don’t have that kind of money, or at least don’t want to invest it in data security. Normally, these companies don’t see themselves as targets. These companies assume that hackers are thieves who want valuable information.

Credit cards and Social Security numbers obviously have immense value. But other information, such as phone numbers and email addresses, is almost as valuable.

New York commercial litigation attorneys also deal with lax device policies. Some companies have liberal BYOD (bring your own device) policies. Employee negligence, like leaving a thumb drive on a desk, could also be a source of a data breach. Similarly, many companies allow employees to connect to unsecured WiFi networks, which are easy to hack.

Physical Safety Duty

Companies have a duty to protect online information. They also have a duty to protect the physical safety of customers and employees.

A data privacy duty of care usually depends on the nature of the business and the information. The negligent security duty of care usually depends on:

  • Type of business,
  • Location of the business,
  • Prior similar incidents at that location,
  • Area’s reputation as a “high crime” area, and
  • Prior similar incidents in the neighborhood.

Data privacy breaches give someone else an opportunity to cause injury, which means the property owner is liable for damages.

Compensation in a negligent security injury case usually includes money for economic losses, such as medical bills, and noneconomic losses, such as pain and suffering.

All injury victims need and deserve financial compensation. For a free consultation with an experienced personal injury attorney in New York, contact Napoli Shkolnik.