author photo
By Bruce Sussman
Wed | Feb 12, 2020 | 9:04 AM PST

If you need more proof that privacy and security are inextricably linked, then check out the first lawsuit filed citing the California Consumer Privacy Act.

It follows a company's data breach announcement which came just two weeks after the CCPA took effect on January 1, 2020.

Who got sued in first CCPA lawsuit?

Cyberlaw attorney Antonia Dumas of XPAN Law Group just posted the details:

"The complaint alleges that both Hanna Andersson and Salesforce failed to properly safeguard customers' sensitive data and failed to detect the breach (and subsequent sale of information on the dark web). Further, the complaint alleges that even once customers' data was taken, Hanna did not sufficiently provide accurate notice of the details of the data breach."

Hanna Andersson is a children's apparel retailer, and it uses Salesforce for its cloud-based e-commerce payments on the company website. 

What led to the first CCPA lawsuit?

The data breach came to light during the heart of the 2019 holiday shopping season. But breach discovery did not come from the IT or cybersecurity teams, or even the vendor involved. Instead, it came from a police agency. 

Hanna Andersson's data breach announcement explains:

"On December 5, 2019, law enforcement informed Hanna
Andersson that credit cards used on its website were available for purchase on a dark web site.

Hanna Andersson immediately launched an investigation. The investigation has confirmed that Hanna Andersson's third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process."

The data breach occurred from September 16, 2019, to November 11, 2019, and may have affected "tens of thousands" of people, including more than 10,000 California residents. 

[Read: Hanna Andersson data breach announcement letter]

What are the specifics of the first CCPA lawsuit?

According to XPAN Law Group, the specific allegations in the case claim Hanna Andersson and Salesforce were negligent regarding the following:

  • Exercising reasonable care in processing (i.e., obtaining, retaining, securing, safeguarding, deleting) and protecting the PII of the potential class in their possession;
  • Using reasonable and adequate security procedures that are compliant with industry-standard practices;

[RELATED: How Are Courts and Counsel Defining Reasonable Security?]

  • Implementing processes to "quickly detect a data breach and timely act on warnings about data breaches," including prompt and accurate notification of the data breach.  

And the lawsuit also takes a shot at Hanna Andersson's breach notice:

"First, they allege that Hanna's notification given to the affected consumers was not until a month after the discovery of customer's PII from law enforcement. Second, they allege that Hanna's notification that was provided did not provide detailed information (only stated unauthorized access) and provided far less information than the notification provided to the Attorneys General."

And the lawsuit also points out that Salesforce did not issue any kind of breach notification itself.

How high could costs go in first CCPA related lawsuit?

While we wait to see what happens in this case, and others to follow, we at least know a couple of things. For starters, we know this:

"It is no longer a myth that consumers and data subjects will take advantage of these new rights in California," says Antonia Dumas of XPAN Law Group.

New law, new litigation.

And Dumas says we also know what this new law allows for damages. It sounds expensive:

"Under the CCPA, CA residents could seek up to $750 per affected class member, per violation. For large data collectors with a large amount of data subjects that are CA residents, damages could mean millions of dollars. This may not be the 4% global income as under the GDPR, but it could still be a big number."

If this case has your attention and you're wondering how to approach the rapidly evolving cybersecurity and privacy landscape, you are not alone.

Listen to The SecureWorld Sessions podcast for ideas on where to start and how to proceed:
Check out the XPAN Law Group post here on this CCPA related case.

Read the lawsuit yourself: Barnes v. Hanna Andersson, LLC 

Comments