Hanna Andersson and Salesforce Receive Preliminary Approval for Settlement of CCPA-Based Class Action Litigation

Bradley Arant Boult Cummings LLP
Contact

Bradley Arant Boult Cummings LLP

In 2019, Hanna Andersson, a children’s apparel store, suffered a data breach while using a Salesforce e-commerce platform. As a result of the breach, customers filed a class action lawsuit, alleging customer data was stolen and asking that both Hanna Andersson and Salesforce be held liable under the California Consumer Protection Act (CCPA).

Background

Barnes v. Hanna Andersson and Salesforce (4:20-cv-00812-DMR) was one of the first cases filed under the newly effective CCPA, and it has garnered much attention from privacy experts and attorneys alike. According to the complaint, the data breach allegedly occurred from September 16, 2019, to November 11, 2019, during which time hackers collected sensitive consumer information, such as customer names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates. On December 5, 2019, law enforcement found this information on the dark web and alerted Hanna Andersson, which then investigated the incident and confirmed that Salesforce’s platform was “infected with malware.” Hanna Andersson reported this breach to customers and the California attorney general on January 15, 2020.

Plaintiffs allege that the breach was caused by Hanna Andersson’s and Salesforce’s “negligent and/or careless acts and omissions and failure to protect customer’s data … [and failure] to detect the breach.” Plaintiffs further allege that, as a result of the breach, Hanna Andersson’s customers “face a lifetime risk of identity theft.”

Moreover, Bernadette Barnes, the named plaintiff in the case, alleges that she now experiences anxiety as a result of time spent reviewing the “account compromised by the breach, contacting her credit card company, exploring credit monitoring options, and self-monitoring her accounts.” Barnes also claims to now feel hesitation about shopping on other online websites.

Settlement

In December 2020, the court preliminarily approved the class action settlement filed by the plaintiffs. This settlement included both monetary and non-monetary requirements. First, a $400,000 settlement fund that will provide cash payments of up to $500 per class member, with expense awards of up to $5,000 available to class members with extraordinary circumstances, such as rampant identity theft. The actual payment to the average class member is not ascertainable now since it will vary depending on the ultimate size of the class, however it is expected to be approximately $38 per class member. Second, the settlement requires Hanna Andersson to improve its cybersecurity through, but not limited to, the following measures: hiring a director of cybersecurity, implementing multi-factor authentication for cloud services accounts, and conducting a risk assessment consistent with the NIST Risk Management Framework.

Takeaway

At this point, it’s unclear whether these requirements should be viewed as setting an industry standard for compliance or for setting minimum practices. For example, multi-factor authentication has long been considered an industry standard and an order for its implementation seems more like an indictment of Hanna Andersson’s practices than the creation of a new and more robust standard. Additionally, it is noteworthy that the court ordered Hanna Andersson to hire a director of cybersecurity and not a chief information security officer (CISO). While at first glance these seem like simple differences in title, a CISO is an executive-level position that typically plays an enterprise-wide role in developing and implementing privacy and cybersecurity policies, while also responding to any incidents that may occur. Many consider a CISO role that reports directly to the CEO to be an industry best-practice. In comparison, a director of cybersecurity is not an executive-level position, rather it is a role that may often report to a CISO or be siloed within an Information Technology department. Typically, the director of cybersecurity has less authority and power to shape policies enterprise-wide.

Regardless, this settlement will set the stage for any upcoming CCPA-related privacy and cybersecurity disputes. Furthermore, this settlement will provide insight into who may be sued under CCPA, specifically whether third-party processors may be brought into litigation going forward. In light of this decision, businesses should compare their privacy and cybersecurity practices to the settlement requirements, while bearing in mind that these represent the minimum for compliance, not necessarily the industry standard.

Continue to look for further updates and alerts from Bradley on state privacy rights and obligations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising

Written by:

Bradley Arant Boult Cummings LLP
Contact
more
less

Bradley Arant Boult Cummings LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.