This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Civil Litigation

Mar. 24, 2020

CCPA lawsuit’s underway, despite July 1 enforcement date

The California attorney general’s office is still fine-tuning regulations implementing the California Consumer Privacy Act and enforcement won’t begin until July 1, but the first lawsuit invoking the CCPA is underway.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH

Class action plaintiffs filed a complaint alleging that personal information collected by children's retailer Hanna Andersson, LLC during online purchases between Sept. 16, 2019, and Nov. 11, 2019, was stolen and posted for sale on the dark web. Barnes v. Hanna Andersson, LLC, 20-cv-00812 (N.D. Cal.). Hackers were able to "scrape" data entered by as many as 10,000 California customers and thousands of customers in other states allegedly because the Salesforce.com ecommerce platform used by Hanna Andersson was infected with malware. The stolen information included customers' billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates.

The Hanna Andersson hack seems to be just the kind of scenario for which the CCPA is supposed to provide a remedy. If an inattentive company fails to secure customers' personal data and it is stolen, consumers have a private right of action to seek statutory damages rather than the uphill battle of trying to prove actual damages. Under the CCPA, consumers can seek damages of between $100 and $750 per incident, depending on the severity of the defendant's misconduct. Cal. Civ. Code Section 1798.150(a)(1)(A), (a)(2).

Curiously, the facts presented in the Hanna Andersson lawsuit don't fit neatly within the CCPA. For starters, the alleged hack occurred entirely in 2019, prior to the effective date of CCPA. There's no discussion in the complaint that any of the plaintiffs provided the required notice to Hanna Andersson or Salesforce.com of the alleged violation of CCPA or a demand to cure within 30 days. Cal. Civ. Code Section 1798.150(b). The complaint notes that both Hanna Andersson and Salesforce.com state that they encrypt customers' personal data, but it doesn't address whether the data was encrypted at the time it was hacked. This is important because consumers' rights to pursue damages under the CCPA arise only if "nonencrypted and nonredacted" personal information is stolen, disclosed or accessed without authorization. Cal. Civ. Code Section 1798.150(a)(1).

The way in which the lawsuit invokes the CCPA is odd. Rather than directly alleging a violation of the CCPA (perhaps because its provisions weren't in effect at the time of the hack), the complaint alleges causes of action for negligence; declaratory relief; and violations of the California Unfair Competition Law. Cal. Bus. and Prof. Code Section 17200. The complaint wraps in duties set forth in the CCPA as elements of the other causes of action. For example, the negligence claim is based, in part, on the alleged failure of the defendants to take reasonable steps to safeguard customers' personal information as required by Section 1798.81.5(b) of the CCPA. The complaint also alleges the defendants were negligent because they knew or should have known that their security was not sufficient because scraping hacks were on the rise in 2019 and the FBI noted in an Oct. 22, 2019 "Tech Tuesday" warning to retailers that accept credit card payments online that cyber criminals may be able to inject malicious code onto a website that enables them to collect customers' personal data.

Similarly, the complaint alleges that defendants violated the Unfair Competition Law due to "sub-standard security practices and procedures" and thereby failed to employ reasonable methods of safeguarding customers' personal information as required by CCPA Section 1798.81.5(b). In addition, the defendants allegedly violated Section 1798.82 of the CCPA by failing to disclose the data breach to customers in a timely, accurate manner.

While it is troubling any time a company fails to protect customers' personal data, the alleged conduct of the defendants in this case is orders of magnitude less egregious than other data breaches. Take Equifax, for example, which failed to remedy a known software security problem for which a patch existed. It failed to detect the illegal downloads of 143 million consumers' personal data that went on for months because the tool that was supposed to audit network traffic for evidence of malicious activity had expired -- 10 months earlier. Wired magazine reported at the time that the user portal used by the hackers to access Equifax's computers had the absurdly amateurish credentials of "admin/admin". Equifax did not disclose the breach for 76 days, and during that time, Equifax's former Chief Information Officer and a software product development manager dumped Equifax stock and were later convicted of insider trading.

It isn't as though there is a shortage of data breaches to choose from. In 2019, more than 250 data breaches were reported to the California attorney general's office under the less restrictive rules in effect prior to the CCPA. Since Jan. 1, when the CCPA took effect, four data breaches have been reported to the California attorney general's office by Foundation Medicine, New Heights Ventures, Woods & Woods, LLC and True Fire, LLC. The breach at Woods and Woods, an Indiana law firm with California clients, involved a ransomware attack during which highly sensitive data including clients' name, address, date of birth, social security number, medical information, bank account, and bank routing numbers were stolen. There are likely more data breaches that haven't been reported since there is often a lag between the breach and reporting.

The Hanna Andersson lawsuit likely won't shed much light on interpretations of the CCPA since the complaint doesn't directly allege a violation of the statute and the facts don't clearly fall within the statute. But the next lawsuit that does directly seek damages under the CCPA can't be far behind. 
