What’s in Store for Future CCPA Settlements After the Hanna Andersson Class Action

Locke Lord LLP

Locke Lord LLP

The first class action alleging a violation under the California Consumer Privacy Act ("CCPA"), which was filed against ‎Hanna Andersson, LLC has now been resolved for $400,000 subject to court approval. The settlement amounts to ‎‎$2 per settlement class member and anticipates a payout of $38 per average valid claim. While the claims are ‎premised on a cyber incident that occurred prior to the enactment of the CCPA, how the court handles the monetary ‎component of the settlement may help provide some guidance for future CCPA litigants.‎

Factual and Procedural Background ‎

Hanna, a high-end children's clothing retailer, notified customers and state Attorneys General on or ‎about January 15, 2020 that it had experienced a breach whereby hackers accessed customers' ‎personal identifying information ("PII") through its third-party e-commerce platform. The notice ‎advised that a cyberattack allegedly occurred between September 16 and November 11, 2019 and ‎affected thousands of Hanna customers. Specifically, Plaintiffs allege that hackers obtained all the PII ‎needed in order to make fraudulent purchases (e.g. names, billing and shipping addresses, payment ‎card type and numbers, security (CW) codes, and expiration dates) and that law enforcement officials ‎found stolen information for sale on the dark web.‎

Shortly after Hanna notified affected individuals, plaintiff Bernadette Barnes filed a class action ‎against Hanna in the United States District Court for the Northern District of California. See Barnes ‎v. Hanna Andersson, LLC, et al., Case No. 3:20-cv-00812-EMC. A complaint filed by Krista Gill and ‎Doug Sumerfield (collectively with Bernadette Barnes, "Plaintiffs") on March 30, 2020 was combined ‎with the Barnes action and led to the Consolidated Amended Class Action Complaint (the ‎‎"Complaint") filed on June 3, 2020. ‎

The Complaint asserted five causes of action: (1) negligence, (2) declaratory relief, (3) violation of the California Unfair ‎Competition Law, Cal. Bus. & Prof. Code § 17200, et seq., (4) violation of the CCPA, Cal. Civ. Code § 1798.100, et ‎seq., and (5) violation of the Virginia Personal Information Breach Notification Act, Va. Code Ann. § 18.2-186.6, et ‎seq. Plaintiffs sought equitable and monetary relief on behalf of all persons whose PII were compromised as a result ‎of Hanna's purported failure to adequately protect PII, warn users of inadequate security practices, and monitor ‎Hanna's website and ecommerce platform for security vulnerabilities and incidents.‎

Settlement Terms

The parties reached a settlement in principle on June 19, 2020 and, after months of negotiations ‎regarding the specific terms, Plaintiffs filed an Unopposed Motion for Preliminary Approval of ‎Class Action Settlement (the “Motion”) on November 19, 2020. The settlement provided the ‎following relevant provisions:‎

  • The proposed nationwide settlement class will contain any individual who made ‎purchases from the Hanna website between September 16 and November 11, 2019, which ‎is approximately 200,273 individuals.‎
  • Hanna will create a settlement fund in the amount of $400,000, which will be the ‎exclusive source of payment to settlement class members, costs of claims administration, ‎payments to any claims referee, attorney fees and expenses, and class representative ‎service awards.‎
  • Hanna will make business practice changes, including but not limited to conducting risk ‎assessments consistent with the NIST Risk Management Framework; enabling multi-‎factor authentication for all cloud services accounts; hiring additional technical personnel, ‎conducting phishing and penetration testing; deploying additional intrusion detection and ‎prevention, malware and anti-virus, and monitoring applications within the Hanna ‎environment; and hiring a Director of Cyber Security.‎

Noteworthy Takeaways From The Settlement

Plaintiffs contend that the monetary terms of the settlement are “extraordinary.”  See Motion, p. ‎‎17. However, the proposed $400,000 settlement fund will only result in an average award of $38 ‎to settlement class members who file valid claims. While Plaintiffs note that a settlement class ‎member may receive up to $500 for a basic settlement award or up to $5,000 in extraordinary ‎cases, it appears that most settlement class members will receive markedly less than the $100 to ‎‎$750 prescribed by the CCPA. Id., p. 19.  ‎

There are at least two reasons why the Hanna settlement may be significantly lower than those ‎predicted in other CCPA class actions. First, the subject data breach arose before the CCPA ‎became effective. Thus, it is questionable whether the CCPA damages calculation is even ‎applicable. Plaintiffs do not address this issue in the Motion, though, and instead simply argue ‎that they have a strong claim. Second, the COVID-19 pandemic has adversely affected a ‎number of business, including retailers like Hanna. Id., p. 16. As a result, and as there is no ‎insurance coverage for any of the claims in the Complaint, Plaintiffs claim that there is a ‎legitimate risk that the defendants would be judgment-proof. Id.  ‎

The settlement also provides for substantive business practice changes on the part of Hanna, ‎which will benefit all settlement class members, regardless of whether they submit a claim, or not.  ‎These additional security precautions will undoubtedly result in additional costs to Hanna going forward.

The court will conduct a hearing on the Motion on December 23, 2020. We will continue to ‎monitor this settlement, as well as all other privacy and cyber class actions brought under the ‎CCPA, and will provide future client updates regarding these topics.‎

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.