Under the California Consumer Privacy Act (“CCPA”), effective January 1, 2020, California consumers  will have a private right of action if their unencrypted or unredacted personal information is the subject of a data breach that results from a business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”  Victimized consumers may recover damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.  To calculate statutory damages, courts will look at the seriousness of the violations, the number of violations, the length of time over which violations occurred, the willfulness of the business’s conduct, and the business’s assets, liabilities, and net worth.  Before filing suit for statutory damages, a consumer must notify the business of the alleged wrongdoing and provide the business 30 days to cure.  If a cure is possible and completed, the business must provide the consumer with written confirmation of the cure and a statement that no further violations will occur. If these requirements are met, the consumer may not file a lawsuit (individually or on a class-wide basis) for statutory damages, unless and until future violations occur.  No notice and opportunity to cure is required prior to filing an action for actual pecuniary damages. 
While the CCPA does not provide guidance on what must be done to cure, two California statutory schemes with “cure” provisions may provide guidance to courts: the Consumer Legal Remedies Act (“CLRA”) and the Rosenthal Fair Debt Collection Practices Act (the “Rosenthal Act”)—both of which provide defendants a right to cure a purported violation of the statute. The CLRA, for example, provides two frameworks from which the CCPA might draw: the adequacy of the pre-suit notice and whether the business cured the violation.
The CLRA provides that “(a) [t]hirty days or more prior to the commencement of an action for damages  pursuant to this title, the consumer shall do the following: (1) [n]otify the person alleged to have employed or committed methods, acts, or practices declared unlawful by Section 1770 of the particular alleged violations of Section 1770[;] (2) [d]emand that the person correct, repair, replace, or otherwise rectify the goods or services alleged to be in violation of Section 1770”.  There has been significant litigation in California regarding the adequacy of pre-suit notice under the CLRA. A pre-suit letter that fails to identify the particular § 1770 violations that the plaintiff alleges fails to comply with the CLRA and, consequently, prohibits a suit for damages.  The court found that strict application of the requirement was necessary in order to achieve this goal.  The same should be true with the CCPA: strict application of the notice requirement, not substantial compliance, should be necessary to put a business on notice.
Similarly, a pre-suit notice under the CCPA should be considered inadequate where it gives notice only of the data breach without alleging and providing any factual basis as to why the data breach was caused by a business’s failure to implement and maintain reasonable policies and procedures, since a plaintiff must plead and prove both elements under the CLRA. A pre-suit notice must state why the business failed to “implement and maintain reasonable security procedures and practices” and why that failure caused the data breach. The plaintiff’s bar will undoubtedly argue that such notice is not reasonable or even possible given consumers’ lack of insight into the business’s practices and procedures. Nonetheless, liability only results if the data breach is the result of a business’s failure to “implement and maintain reasonable security procedures and practices.” Therefore, if a business is to cure or, in the parlance of the CCPA, to provide the plaintiff with written confirmation of the cure, the business must be advised where its failure lies.
A business’s efforts to cure under the CLRA generally have been met by California courts with some hostility. Despite businesses’ attempts to cure a CLRA violation during the 30-day period, consumers repeatedly sue anyway. Such filings have led to lengthy and contentious litigation over whether the business cured the violation to the satisfaction of the consumer’s counsel, whether other claims existed besides the cause of action requiring the 30-day notice, whether the business imposed conditions on the cure that the reviewing court found unacceptable, or whether the claims filed despite the cure (aka tender) did or did not arise under the CLRA.
In Benson v. S. Cal. Auto Sales, Inc., 239 Cal. App. 4th 1198 (2015), for example, the Court of Appeal denied a purchaser’s request for $182,273 in attorneys’ fees and costs after the purchaser rejected the seller’s pre-litigation tender. The Court of Appeal applied “a hybrid standard [of review] to evaluate whether the circumstances identified in the statute as criteria for an award exist [and] . . . whether substantial evidence supports the exercise of the court’s discretion.” The Court of Appeal rejected Benson’s contention that the dual requirements of a mutual release and giving up non-CLRA claims rendered the seller’s cure inadequate. The Court of Appeal found no error in the trial court’s conclusion that the non-CLRA claims added no value to Benson’s CLRA claim and found that requiring a mutual release was both routine and wise. 
The Ninth Circuit Court of Appeals, however, distinguished the Benson case in Gonzales v. CarMax Auto Superstores, L.L.C., 845 F.3d 916 (9th Cir. 2017). There, the Court of Appeals granted summary judgment to Gonzales on his CLRA claim, and held that the dealer’s tender did not protect the dealer against an attorneys’ fees award because Gonzales did not seek damages under the CLRA. The Court of Appeals remanded the case for the district court “to determine in the first instance whether Gonzales qualifies as a prevailing plaintiff.” Unfortunately, the case was settled and dismissed, so there will be no answer on remand.
Benson and Gonzales leave unanswered whether a trial court should focus in the first instance on the CLRA claim or the non-CLRA claim when both are pleaded and a Benson-style tender is made. Gonzales, despite outward appearances, did not bridge the gap left by Benson, which had “declined to ‘address the requirements for an attorney fee award based on a request for injunctive relief.’ ” Instead, Gonzales only muddied the waters further by remanding the case to determine whether the purchaser prevailed in the first instance. And courts critical of Benson have distinguished it on the basis that Benson applies no hard-and-fast rule, but instead merely reflects well-settled rules of appellate procedure giving deference to trial courts’ discretionary decisions.
The cure provision in the Rosenthal Act may provide an additional source of guidance for businesses attempting to rely on the CCPA’s 30-day cure provision. The Rosenthal Act provides that a debt collector shall have no civil liability if “within 15 days either after discovering the violation which is able to be cured, or after the receipt of a written notice of such violation, the debt collector notifies the debtor of the violation, and makes whatever adjustments or corrections are necessary to cure the violation with respect to the debtor.”  Two notable differences appear, however, between the Rosenthal Act’s and CCPA’s respective cure provisions. First, unlike the CCPA (and CLRA), the Rosenthal Act’s cure provision is not a pre-suit notice requirement.  Second, “whether” a violation can be cured under each statute’s language differs. The Rosenthal Act permits a defendant to cure where the violation is “able to be cured.”  Accordingly, decisions interpreting this provision have focused on whether the violation can be cured and return a debtor to the position she was in before the violation.  The CCPA’s cure provision differs, stating that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation,” and provides the consumer with confirmation of such cure and assurance that such a breach will not occur in the future, then “no action for individual statutory damages or class-wide statutory damages may be” filed. 
While decisions focusing on the Rosenthal Act’s “able to be cured” requirement would, arguably, seek to return the debtor to the position the debtor was in before the violation, the same limitation would not necessarily be true under the CCPA’s “if possible” cure provision. First, of course, the language of the statutes differs. Second, but more importantly, a business suffering a data breach cannot undo a data breach, turn back time, or return the proverbial genie to the bottle. But still, the CCPA’s right to cure must have meaning, and courts cannot ignore express statutory language as mere surplusage. Thus, arguably, the opportunity to cure under the CCPA cannot apply to curing a data breach that itself cannot be cured but, instead, must apply to curing the business’s failure to implement and maintain reasonable security procedures and practices that caused the breach. This is true because a data breach itself is not actionable without being caused by a business’s failure to implement and maintain reasonable security procedures and practices.
The California legislature has substantial experience in providing businesses with a right to cure in other statutory schemes. The legislature provided a right to cure to a business suffering a data breach,  despite knowing that the business’s customers who have no damages cannot be returned to their same pre-breach position. That is why the legislature prohibited businesses from avoiding liability by curing for those customers who suffer actual damages.  Taken as a whole, the notice requirement and opportunity to cure were intentional and must be given meaning consistent with the purpose of the statute. 
So, what can a business that suffered a data breach do to “cure”? At a minimum, a business must cure its failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” After all, to effectuate a cure, a business must provide written confirmation to the consumer of the cure and include a statement that no further violations will occur. But a business responding to a pre-suit CCPA notice must also critically examine the notice and its specificity. For example, does the notice merely state that a data breach occurred? Or does the notice contain specifics about the purported failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” that caused the data breach? Benson and its progeny, and jurisprudence under the Rosenthal Act’s cure provision, suggest both judicial hostility and a narrow interpretation of cure provisions and that businesses that cure are likely to be sued anyway.