Cynthia J. Larose and Natalie Prescott of Mintz discuss a lawsuit previously noted on this site: Fuentes v. Sunshine Behavioral Health Group, LLC. The lawsuit followed a data leak of PHI due to a misconfiguration of a database. The leak was first reported by DataBreaches.net who had alerted the entity to their leak.
I’m going to jump to one section of their legal analysis, because it stopped me cold:
Will This Claim Survive?
Despite being the first, we do not see this CCPA class claim being long-lasting, for many reasons. First and foremost, Mr. Fuentes is currently the only named plaintiff, and he is not a California resident. While some commentators and law firms have already written about the Fuentes complaint, no one seems have picked up on the critical fact that this particular CCPA claim is a three-legged stool, with one missing leg. There are three potentially fatal defects with respect to (1) standing, (2) notice, and (3) timeliness.
Most fundamentally, the CCPA does not protect non-California residents.
I had totally missed that consideration when I blogged about the case. Read their full commentary on Mintz’s Insight Center.