CPW readers are already familiar with the California Consumer Privacy Act (“CCPA”) which took effect this year. Well, buckle your seatbelts and . . . . bolster your internal security practices as the first settlement under the CCPA has been announced and the area in which it has the greatest impact has nothing to do with the monetary relief provided to the class.
Last month the high-end children’s clothing retailer Hanna Andersson agreed to pay $400,000 and implement new security measures as part of a class action settlement arising from litigation brought in the wake of a widespread data breach. The lawsuit stems from a security incident where hackers accessed Hanna Andersson’s (“Hanna”) third-party e-commerce platform and gained access to customers’ personal information (“PII”). The breach affected the PII (including names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates) of over 200,000 customers who made online purchases using the Hanna website between September 16 and November 11, 2019. The hackers then exfiltrated and used this information to make fraudulent purchases using Hanna’s customers’ credit cards. Hanna notified its customers of the breach on January 15, 2020.
In the resulting litigation, Plaintiffs’ amended putative class action complaint alleged a variety of claims under state statutory and common law theories. This included following causes of actions: (i) negligence; (ii) declaratory relief; (iii) violation of the California Unfair Competition Law, Business & Professions Code § 17200, et seq.; (iv) violation of the California Consumer Privacy Act ; and (iv) violation of the Virginia Personal Information Breach Notification Act, Va. Code Ann. § 18.2–186.6, et seq. Plaintiffs sought equitable and monetary relief on behalf of all individuals whose PII was compromised in the data breach. The case made waves when it was filed as it was among the first to cite a violation of the California Consumer Privacy Act (“CPPA”).
The settlement announced last month creates a settlement fund of $400,000 for the approximately 200,273 class members (amounting to a $2 payment to class members). Class members who participate in the settlement and file a claim will receive up to $5,000 in relief (although most will be entitled to $500). These amounts are subject to proration if there are insufficient funds to pay these amounts based on the number of class members who ultimately file a claim.
Considering the CCPA provides for statutory damages ranging from $100-$750 dollars, at first blush this amount seems to be on the low side. However, bear in mind that the $2/class member is more than double the value per class member of other recent data breach settlements. Additionally, in the context of this litigation, Hanna (as many businesses) is experiencing COVID related disruptions and the breach at issue was not covered by insurance. Moreover, because the breach preceded enactment of the CCPA, there was an argument the CCPA statutory damages provision was not even applicable to this case.
As part of the Settlement, Hanna additionally committed to:
- Conduct a risk assessment of the Hanna data assets and environment consistent with the NIST Risk Management Framework;
- Enable multi-factor authentication for all cloud services accounts;
- Implement alerting processes for the establishment of new cloud services accounts;
- Hire additional technical personnel;
- Complete PCI Attestation of Compliance (AOC) in conjunction with a PCI-certified Qualified Security Assessor (QSA);
- Conduct phishing and penetration testing of the Hanna enterprise environment and enterprise user base;
- Deploy additional intrusion detection and prevention, malware and anti- virus, and monitoring applications within the Hanna environment;
- Implement regular review of the logs of Hanna’s ecommerce platforms; and
- Hire a Director of Cyber Security.
These additional security measures will benefit the class members as well as future customers. Of course, these additional security measures will also increase cybersecurity and compliance costs for Hanna.
A video conference hearing in the case is scheduled for December 22, 2020. Assuming approval is granted, the settlement in this case will provide a benchmark for future litigants bringing claims under the CCPA. This is particularly so in regards to the comprehensive security precautions outlined (which are becoming common in data privacy litigations more broadly).