The first class action alleging a violation under the California Consumer Privacy Act ("CCPA"), which was filed against Hanna Andersson, LLC, has now been resolved for $400,000, subject to court approval. The settlement amounts to $2 per settlement class member and anticipates a payout of $38 per average valid claim. While the claims are premised on a cyber incident that occurred prior to the enactment of the CCPA, how the court handles the monetary component of the settlement may help provide some guidance for future CCPA litigants.
Factual and Procedural Background
Hanna, a high-end children's clothing retailer, notified customers and state Attorneys General on or about January 15, 2020 that it had experienced a breach whereby hackers accessed customers' personal identifying information ("PII") through its third-party e-commerce platform. The notice advised that a cyberattack allegedly occurred between September 16 and November 11, 2019 and affected thousands of Hanna customers. Specifically, Plaintiffs allege that hackers obtained all the PII needed in order to make fraudulent purchases (e.g., names, billing and shipping addresses, payment card type and numbers, security (CVV) codes, and expiration dates) and that law enforcement officials found stolen information for sale on the dark web.
Shortly after Hanna notified affected individuals, plaintiff Bernadette Barnes filed a class action against Hanna in the United States District Court for the Northern District of California. See Barnes v. Hanna Andersson, LLC, et al., Case No. 3:20-cv-00812-EMC. A complaint filed by Krista Gill and Doug Sumerfield (collectively with Bernadette Barnes, "Plaintiffs") on March 30, 2020 was combined with the Barnes action and led to the Consolidated Amended Class Action Complaint (the "Complaint") filed on June 3, 2020.
The Complaint asserted five causes of action: (1) negligence, (2) declaratory relief, (3) violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq., (4) violation of the CCPA, Cal. Civ. Code § 1798.100, et seq., and (5) violation of the Virginia Personal Information Breach Notification Act, Va. Code Ann. § 18.2-186.6, et seq. Plaintiffs sought equitable and monetary relief on behalf of all persons whose PII was compromised as a result of Hanna's purported failure to adequately protect PII, warn users of inadequate security practices, and monitor Hanna's website and e-commerce platform for security vulnerabilities and incidents.
The parties reached a settlement in principle on June 19, 2020 and, after months of negotiations regarding the specific terms, Plaintiffs filed an Unopposed Motion for Preliminary Approval of Class Action Settlement (the “Motion”) on November 19, 2020. The settlement provided the following relevant provisions:
- The proposed nationwide settlement class will contain any individual who made purchases from the Hanna website between September 16 and November 11, 2019, which is approximately 200,273 individuals.
- Hanna will create a settlement fund in the amount of $400,000, which will be the exclusive source of payment to settlement class members, costs of claims administration, payments to any claims referee, attorney fees and expenses, and class representative service awards.
- Hanna will make business practice changes, including but not limited to conducting risk assessments consistent with the NIST Risk Management Framework; enabling multi-factor authentication for all cloud services accounts; hiring additional technical personnel; conducting phishing and penetration testing; deploying additional intrusion detection and prevention, malware and anti-virus, and monitoring applications within the Hanna environment; and hiring a Director of Cyber Security.
Noteworthy Takeaways From The Settlement
Plaintiffs contend that the monetary terms of the settlement are “extraordinary.” See Motion, p. 17. However, the proposed $400,000 settlement fund will only result in an average award of $38 to settlement class members who file valid claims. While Plaintiffs note that a settlement class member may receive up to $500 for a basic settlement award or up to $5,000 in extraordinary cases, it appears that most settlement class members will receive markedly less than the $100 to $750 prescribed by the CCPA. Id., p. 19.
There are at least two reasons why the Hanna settlement may be significantly lower than those predicted in other CCPA class actions. First, the subject data breach arose before the CCPA became effective. Thus, it is questionable whether the CCPA damages calculation is even applicable. Plaintiffs do not address this issue in the Motion, though, and instead simply argue that they have a strong claim. Second, the COVID-19 pandemic has adversely affected a number of businesses, including retailers like Hanna. Id., p. 16. As a result, and as there is no insurance coverage for any of the claims in the Complaint, Plaintiffs claim that there is a legitimate risk that the defendants would be judgment-proof. Id.
The settlement also provides for substantive business practice changes on the part of Hanna, which will benefit all settlement class members, regardless of whether or not they submit a claim. These additional security precautions will undoubtedly result in additional costs to Hanna going forward.
The court will conduct a hearing on the Motion on December 23, 2020. We will continue to monitor this settlement, as well as all other privacy and cyber class actions brought under the CCPA, and will provide future client updates regarding these topics.