In 2019, Hanna Andersson, a children’s apparel store, suffered a data breach while using a Salesforce e-commerce platform. As a result of the breach, customers filed a class action lawsuit, alleging customer data was stolen and asking that both Hanna Andersson and Salesforce be held liable under the California Consumer Protection Act (CCPA).

Background

Barnes v. Hanna Andersson and Salesforce (4:20-cv-00812-DMR) was one of the first cases filed under the newly effective CCPA, and it has garnered much attention from privacy experts and attorneys alike. According to the complaint, the data breach allegedly occurred from September 16, 2019, to November 11, 2019, during which time hackers collected sensitive consumer information, such as customer names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates. On December 5, 2019, law enforcement found this information on the dark web and alerted Hanna Andersson, which then investigated the incident and confirmed that Salesforce’s platform was “infected with malware.” Hanna Andersson reported this breach to customers and the California attorney general on January 15, 2020.

Plaintiffs allege that the breach was caused by Hanna Andersson’s and Salesforce’s “negligent and/or careless acts and omissions and failure to protect customer’s data … [and failure] to detect the breach.” Plaintiffs further allege that, as a result of the breach, Hanna Andersson’s customers “face a lifetime risk of identity theft.”

Moreover, Bernadette Barnes, the named plaintiff in the case, alleges that she now experiences anxiety as a result of time spent reviewing the “account compromised by the breach, contacting her credit card company, exploring credit monitoring options, and self-monitoring her accounts.” Barnes also claims to now feel hesitation about shopping on other online websites.

Settlement

In December 2020, the court preliminarily approved the class action settlement filed by the plaintiffs. This settlement included both monetary and non-monetary requirements. First, a $400,000 settlement fund that will provide cash payments of up to $500 per class member, with expense awards of up to $5,000 available to class members with extraordinary circumstances, such as rampant identity theft. The actual payment to the average class member is not ascertainable now since it will vary depending on the ultimate size of the class, however it is expected to be approximately $38 per class member. Second, the settlement requires Hanna Andersson to improve its cybersecurity through, but not limited to, the following measures: hiring a director of cybersecurity, implementing multi-factor authentication for cloud services accounts, and conducting a risk assessment consistent with the NIST Risk Management Framework.

Takeaway

At this point, it’s unclear whether these requirements should be viewed as setting an industry standard for compliance or for setting minimum practices. For example, multi-factor authentication has long been considered an industry standard and an order for its implementation seems more like an indictment of Hanna Andersson’s practices than the creation of a new and more robust standard. Additionally, it is noteworthy that the court ordered Hanna Andersson to hire a director of cybersecurity and not a chief information security officer (CISO). While at first glance these seem like simple differences in title, a CISO is an executive-level position that typically plays an enterprise-wide role in developing and implementing privacy and cybersecurity policies, while also responding to any incidents that may occur. Many consider a CISO role that reports directly to the CEO to be an industry best-practice. In comparison, a director of cybersecurity is not an executive-level position, rather it is a role that may often report to a CISO or be siloed within an Information Technology department. Typically, the director of cybersecurity has less authority and power to shape policies enterprise-wide.

Regardless, this settlement will set the stage for any upcoming CCPA-related privacy and cybersecurity disputes. Furthermore, this settlement will provide insight into who may be sued under CCPA, specifically whether third-party processors may be brought into litigation going forward. In light of this decision, businesses should compare their privacy and cybersecurity practices to the settlement requirements, while bearing in mind that these represent the minimum for compliance, not necessarily the industry standard.

Continue to look for further updates and alerts from Bradley on state privacy rights and obligations.