Hurry Up and Don’t Wait: First Class Action Citing CCPA Seeks $1 Million in Damages

If your company has taken the “wait and see” approach to California Consumer Privacy Act (CCPA) compliance, it seems you won’t be waiting much longer. Plaintiffs filed a class action lawsuit against high-end children’s clothing retailer Hanna Andersson, LLC and its e-commerce partner Salesforce.com, Inc. in the Northern District of California on February 3, seeking statutory damages for violations of the recently enacted (and maddeningly ambiguous) privacy law. Our Ice Miller Data Security and Privacy team provides below a summary of the complaint and four key implications for our clients.

The Complaint: What Happened?

On January 15, 2020, Hanna Andersson notified customers and state Attorneys General about a widespread data breach that occurred from September 16, 2019 to November 11, 2019.[1] The complaint alleges that hackers “scraped” as many as 10,000 customers’ personal information—including name, address, and full credit card information—from Salesforce’s Commerce Cloud platform and then posted the information for sale on the dark web for as much as $15 per piece of information. Although Hanna Andersson’s notice to customers indicated that the scraping malware was removed on November 11, 2019, the complaint alleges that Hanna Andersson made materially different admissions in its more-detailed notice to the Attorneys General. In that notice, Hanna Andersson allegedly indicated it was not aware of the breach until December 5, 2019, when the FBI informed Hanna Andersson that credit cards used on its website were available for purchase on the dark web.[2] That raises a timing conundrum: if Hanna Andersson were first notified of the breach by the FBI on December 5, 2019, how did it remove the malware three weeks earlier?

Although the plaintiffs cite the CCPA in the complaint—namely, that the defendants did not use reasonable security procedures and practices and did not disclose the breach in a timely and accurate manner—they do not expressly allege a cause of action for any CCPA violations. They do, however, “reserve the right to amend [the] Complaint . . . to seek damages and relief under [the CCPA].”[3] The reservation of rights may relate to the fact that the CCPA’s notice-and-cure period has not yet lapsed. The CCPA requires 30 days’ notice and an opportunity to cure before a class action may be filed, and it bars the lawsuit if the company cures the breach within that time. If the Defendants do not cure, however, they could face statutory damages of $100 to $750 per violation. In a case with 10,000 affected California residents, as alleged here, that could mean $1M in statutory damages, at minimum.

What Does This Mean For Your Company?

The lawsuit highlights four implications for your company:
 
  1. Companies must be able to demonstrate that reasonable security measures are both implemented and monitored.
An important defense to an action brought under the CCPA is the safe harbor for a defendant implementing “reasonable security procedures.” Where a defendant can demonstrate such procedures, it can overcome the fact of a data security incident and prevail on a CCPA claim. Plaintiffs allege that while Salesforce touts the secure nature of its Platform as a Service (PaaS) system on its website, both Salesforce and Hanna Andersson failed to discover a significant breach for almost three months. While a failure to discover a significant breach for three months would not, by itself, be determinative of unreasonable security procedures, this allegation underscores the importance of combining technical and administrative safeguards to comply with the CCPA’s reasonable security requirement. Even the “strongest” technical safeguards can be ineffective if they are not monitored and updated. Furthermore, even though the CCPA does not define reasonable security and permits companies some discretion when tailoring their reasonable security measures to the type and amount of data they collect, nearly all industry guidance on the subject states that monitoring your security measures is just as important as implementing them. We recommend clients conduct this analysis now to evaluate their security procedures and implement improvements where needed and appropriate for their companies, rather than waiting for a data security incident to hit and scrambling to put together a defensible position. Guidance from California suggests that a framework like the Center for Internet Security Top 20 Critical Security Controls, or another framework, can be leveraged to put together this analysis.
 
  2. Companies must heed warnings from law enforcement and industry experts.
In the Complaint, the plaintiffs allege that the FBI warned companies like Hanna Andersson and Salesforce about the specific type of e-skimming that took place on Salesforce’s platform. The FBI released Oregon FBI Tech Tuesday: Building a Digital Defense Against E-Skimming on October 22, 2019, two months before Hanna Andersson realized it had been breached, and the release listed specific steps businesses and agencies could take to protect themselves from e-skimming. The Complaint alleges Hanna Andersson and Salesforce ignored this warning.
 
  3. Companies must have a plan in place for responding within the 30-day cure period.
One of the few reassuring provisions in the CCPA is the requirement that consumers give companies 30 days to cure reasonable security failures before the consumer can commence a lawsuit. It is essential that your company’s incident response plan designate who will be tasked with curing, or attempting to cure, the security failure that gave rise to the consumers’ lawsuit. As part of the curing process, it may be worthwhile to include notices of the security incident to consumers and to state Attorneys General among the steps you take to cure the security failure.
 
  4. Companies should be careful to draft customer notices that include material and accurate information.
The plaintiffs in this case have latched on to what appear to be discrepancies between the notifications sent to the regulatory bodies and those sent to customers. We can expect the plaintiffs to argue that Hanna Andersson was being deceptive in leaving out key information, or in providing inconsistent timelines to regulators and to consumers. While we do not yet know why these decisions were made – and there could very well be a logical explanation – the optics are not favorable. Carefully drafting and reconciling these notices is highly recommended, as is review from a litigator who can spot arguments that make defending data breach litigation more challenging.
 
Feel free to contact Ice Miller’s Data Security and Privacy team to assist you with your company’s CCPA compliance and litigation questions. For more information, contact Reena Bajowala, Mason Clark, or another member of our Data Security and Privacy team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] Complaint at 2, Barnes v. Hanna Andersson, LLC, N.D. Cal., Case No. 20-cv-00812.
[2] Complaint at 8.
[3] Complaint at 24.