Certified Information Privacy Professional – United States (CIPP/US) — Question 48
John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John’s personal information in their possession has been stolen, including his full name and social security number. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information.
Which of the following answers most accurately reflects John’s ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?
Answer options
- A. John has no right to sue the corporation because the CCPA does not address any data breach rights.
- B. John cannot sue the corporation for the data breach because only the state’s Attorney General has authority to file suit under the CCPA.
- C. John can sue the corporation for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.
- D. John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm.
Correct answer: D
Explanation
The correct answer is D because the CCPA allows individuals to sue for damages caused by data breaches, including statutory damages in specific situations, regardless of financial harm. Options A and B are incorrect because they misinterpret the rights the CCPA provides regarding data breaches. Option C is also incorrect because it limits John's ability to seek statutory damages, which the CCPA permits.