In the first-of-its-kind privacy lawsuit, Hanna Andersson and Salesforce.com have been accused of violating the California Consumer Privacy Act (“CCPA”). (Barnes v. Hanna Andersson, LLC, N.D. Cal., No. 20-cv-00812.) This case is unique because the CCPA just became operative on January 1st, but the complaint relates to an alleged breach that occurred in 2019.

According to the complaint, around September 15, 2019 the Salesforce e-commerce platform used by Hanna for online purchases was infected with malware. The malware allegedly allowed hackers the ability to “scrape” (i.e., obtain) customer information and credit card numbers during the purchase process. Hanna supposedly became aware of the breach and by November 11, 2019 it had removed the malware. Unfortunately, Hanna was informed by law enforcement on December 5th that hackers had already posted customer credit card information for purchase on the dark web.

Based on this data breach, Hanna sent a “Notification of Security Incident” letter on January 15, 2020 to potentially affected California customers warning them that their names, shipping address, billing address, payment card number, CVV code, and credit card expiration date may be available for sale on the dark web. According to the complaint, over 10,000 California residents affected by this breach received the notification letter. Based on these allegations, the complaint requests class action status, injunctive and declaratory relief, free credit monitoring, statutory damages, punitive damages, disgorgement, restitution, and attorneys’ fees and costs.

Interestingly, the Plaintiff did not bring an action solely based on the newly operative CCPA statute. Instead, the complaint also alleges that the Defendants violated California’s Unfair Competition Law (Cal. Bus. and Prof. Code §17200) based on unlawful actions that were in violation of the CCPA. Specifically, the complaint alleges the Plaintiffs engaged in unlawful business practices by:

  1. Failing to establish reasonable security practices and procedures to adequately protect and store California resident’s personally identifiable information (“PII”) in violation of the CCPA.
  2. Failing to disclose the data breach to the affected California residents in a timely and accurate manner also in violation of the CCPA.

For private right of actions, the CCPA statutory damages can range between $100 and $750 per violation for each affected resident. Because the complaint alleges that 10,000 California residents were affected, the Defendants could face a statutory damage award ranging between $1,000,000 and $7,500,000.

While this is likely just the first in many yet-to-come privacy lawsuits, this case should be closely watched as it will hopefully answer many unknown aspects of the CCPA. For instance, to receive statutory damages under the CCPA it will have to be shown that Defendants did not have “reasonable security procedures and practices” in place. But there is no current guidance as to what is considered “reasonable” under the CCPA. Also, the CCPA provides a 30-day “cure” period thereby barring statutory damage recovery. Based on the alleged facts, it is yet to be seen if Hanna’s action successfully and timely cured the alleged breach thereby barring statutory recovery.

We will continue to monitor this case and provide updates as issues pertaining to the CCPA are addressed.