CIPP-US Exam QuestionsBrowse all questions from this exam
Go to Exam

CIPP-US Exam - Question 105

John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John’s personal information in their possession has been stolen, including his full name and social security numb. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information.

Which of the following answers most accurately reflects John’s ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?

Show Answer
Correct Answer: CD

John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm. The California Consumer Privacy Act (CCPA) provides consumers with a private right of action and allows them to recover actual damages or statutory damages of between $100 and $750 per incident. This is provided that the data breach involved unauthorized access, exfiltration, theft, or disclosure of personal information due to the business's failure to implement and maintain reasonable security procedures.

Discussion

4 comments
Sign in to comment
[Removed]Option: D
Apr 28, 2023

The answer is D. CCPA includes statutory damages of $100 and $750 per incident, irrespective of actual damages.

RomeoktonOption: D
Feb 2, 2024

Agree with the rest that D is the correct one.

AmbulocetusOption: D
Aug 20, 2023

The right answer is D, but C makes more practical sense because it's better for John to immediately sue for actual damages. If he sues for statutory damages, he would have to give the business an opportunity to cure and, if they cured, he couldn't bring a claim for statutory damages. He doesn't have that same obligation if suing for actual damages. California Code, Civil Code Section 1798.150(a)(1))

BhimeshOption: D
Apr 12, 2024

The CCPA provides consumers with a private right of action and is the first U.S. statute to expressly allow consumers to recover statutory damages as a result of data security incidents. The CCPA provides consumers with special remedies for data breaches, including statutory damages of between $100 and $750 per incident, actual damages, or other remedies the court deems appropriate To be entitled to these remedies, the breach must consist of (1) “an unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information resulting from (2) the business’s failure to “implement and maintain reasonable security procedures and practices.” These remedies do not apply to personal information that has been “encrypted or redacted. “

Bhimesh
Apr 12, 2024

These remedies also only apply to a certain subset of the most sensitive personal information under the CCPA (such as Social Security number), and are not available for all categories of personal information.