For those of us waiting to see how the CCPA's statutory damage provision would impact the value of data breach class actions, the wait continues.
Three of the first consumer class actions alleging CCPA violations for a failure to implement and maintain reasonable security procedures and practices were filed in February and March of last year against Hanna Andersson and Salesforce.com, following Hanna Andersson's announcement that it suffered a data breach involving customer payment card information. The cases were ultimately consolidated in the U.S. District Court for the Northern District of California (Case No. 20-cv-00812), and recently the parties filed a request for preliminary approval of the proposed settlement.
The breach impacted more than 200,000 customers, but the proposed settlement—if approved—seems not to reflect the CCPA's statutory damage provision of $100 to $750 per consumer per incident.
The defendants agreed to establish a $400,000 settlement fund for the class, with class members having the option of claiming a payment of $500 if they have experienced no fraudulent charges on their accounts, or a payment of $5,000 if they have suffered fraudulent charges. The amount paid to claimants may increase or decrease pro rata, depending on the total number of claims, though the increased amount cannot exceed $1,000 or $10,000, respectively.
Class notice, estimated to cost approximately $46,000, will also be paid out of the settlement fund. Any funds that remain following the claims period will be paid to a cy pres recipient.
As part of the settlement, the defendants also agreed to improve their data security, but much of what is proposed is vague and likely underway regardless of civil litigation, including agreeing to conduct regular risk assessments, implement multifactor authentication for all cloud service accounts, hire additional technical personnel, conduct regular phishing and penetration testing, and hire a director of cyber security. Finally, the defendants agree as part of the settlement not to oppose a fee and cost application of up to $120,000.
A settlement averaging less than $2 per class member is likely not what Alastair Mactaggart envisioned when he first campaigned to put what ultimately became the CCPA on the ballot in 2018. Plaintiffs attempt to justify the size of the settlement fund by estimating a claims rate of 3 percent, but there were likely other avenues available to provide class members with relief. Indeed, the preliminary approval papers reveal that defendants have a contact email for every class member because each made an online purchase with Hanna Andersson.
The attorneys' fees and costs recovery is also not likely what the plaintiffs' bar imagined upon passage of the CCPA. While the anticipated recovery of $120,000 in fees is far from insubstantial given that the case never progressed beyond the pleading stage, counsel claims to have incurred more than twice that amount based on the time and costs invested in the case, which seems likely given that multiple firms were involved.
The preliminary approval papers give some indication of the difficulties plaintiffs faced moving forward, which likely resulted in settlement terms that fall below defendants' costs to litigate further. Plaintiffs point to challenges that data breach plaintiffs often face satisfying Article III standing and pleading factual allegations showing injury-in-fact, but this has been true of every data breach case filed in federal court. Ultimately, these challenges have become more difficult over time, and the CCPA will likely further this trend.
The composition of the class may have impacted negotiations. It may be that California residents simply did not account for a significant portion of the 200,000 consumers, limiting the impact of the CCPA's statutory damage provision.
In addition, Hanna Andersson's terms and conditions, which include an arbitration provision and class action waiver, also likely impacted the value of the settlement.
The preliminary approval papers say as much, and while plaintiffs in CCPA cases are likely to argue that California Civil Code sections 1798.150(b)¹ and 1798.192² foreclose arbitration provisions and class action waivers, the U.S. Supreme Court has repeatedly turned back California's attempts to limit arbitration. Federal courts interpreting this authority therefore seem likely to reject any argument that arbitration limits "any right to a remedy."
Finally, it is possible that information exchanged between the parties showed that Hanna Andersson and Salesforce had robust security procedures and practices but suffered a data breach anyway. Ultimately, without access to the forensic reports it is impossible to know if the plaintiffs could show that Hanna Andersson and Salesforce failed to maintain reasonable security procedures and practices to safeguard customers' personal information.
Ultimately, the CCPA claim did not seem to greatly impact the settlement in this case. Indeed, the Hanna Andersson settlement looks a lot like the settlements in other data breach class actions. To the extent this settlement provides guidance moving forward relating to the valuation of CCPA claims, that guidance favors the defendants. At least for now, the value of data breach cases has not increased.
1 Permits private rights of action on a classwide basis.
2 Renders void and unenforceable "any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this title, including but not limited to any right to a remedy or means of enforcement."