As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA).
Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA.
The complaint alleges a familiar story – in the latter part of 2019, hackers compromised the retailer’s website with malware enabling the hackers to scrape names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates of thousands of the retailer’s customers. Hanna Andersson notified affected persons of the breach on January 15, 2020, and the complaint was filed on February 3, 2020.
Whether the complaint alleges sufficient harm for the case to proceed will be for the court to determine, but under the CCPA that may not be necessary. The new California law authorizes a private cause of action against covered businesses if a failure to implement reasonable safeguards to protect personal information results in a data breach.
If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.
To bring an action for statutory damages under the CCPA, consumers must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” It does not appear an opportunity to cure was provided in this case. Also, the breach reportedly occurred in 2019, before the CCPA became effective (January 1, 2020).
Regardless of the outcome of this case, which is certainly one we will be watching, it should serve as an important reminder for businesses to ensure they have reasonable safeguards in place to protect personal information. Under California law, “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
But the meaning of “reasonable safeguards” is not entirely clear in California. One place to look is the California Data Breach Report (Report) issued by former California Attorney General Kamala D. Harris in February 2016. According to the Report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.
It is not clear that adherence to those controls will provide a sufficient basis to defend a business from an action under the CCPA relating to a data breach. But those controls might be a good place to start. It is also important to understand how those safeguards should be applied.
As data breaches continue to plague businesses across the US, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense that companies have.