In Karter v. Epiq Systems, Inc., et al., Judge Carney denied Epiq’s Motion to Dismiss the CCPA cause of action.
For two reasons, the Court found that Plaintiff sufficiently alleged Epiq is a “business” under the CCPA and therefore, subject to the private right of action. “First, Plaintiff alleges that in order to perform its services, which it performs pursuant to contracts with other entities, Epiq collects consumers’ personal information from consumers. (Id. ¶¶ 23–24, 28.) This is an activity for a business, not a service provider, which receives personal information from the business. Compare Cal. Civ. Code § 1798.140(c)(1) with Cal. Civ. Code § 1798.140(v).” Second, Plaintiff plausibly alleged that Epiq (alone or jointly) determines the purpose and means of processing personal information.
Additionally, the Court found that “[t]here is no question that Plaintiff has alleged that his personal information was exfiltrated in a nonencrypted and nonredacted form” as is required to plead a private right of action. This finding was made despite Epiq’s arguments that the type of ransomware used in this attack undermines the plausibility of Plaintiff’s allegation.