Even though California’s landmark privacy law only took effect on Jan. 1, it is already being cited in data breach lawsuits.
Salesforce.com and Hanna Andersson—a children’s clothing company—are facing data breach allegations in one of the first class-action lawsuits to directly involve the CCPA.
According to the complaint filed in the U.S. District Court for the Northern District of California (Barnes v. Hanna Andersson, LLC, N.D. Cal., No. 20-cv-00812), Salesforce and Hanna Andersson failed to protect user data, safeguard their platforms, or warn customers of the cybersecurity risk. Plaintiff Bernadette Barnes claims these failures violated state laws, including the California Consumer Privacy Act.
What We Know About the Hanna Andersson Data Breach
Barnes, a California resident, brought her class action complaint to the U.S. District Court after Hanna Andersson announced on Jan. 15 that hackers had harvested customer names, payment card numbers, and other personal information. The complaint alleges that the stolen data, which was later found for sale on the dark web, had been hosted by Salesforce on its e-commerce platform. It further alleges that the e-commerce platform was infected with malware, and that this infection is what led to the data breach.
It is now up to the court to weigh in on whether Hanna Andersson and Salesforce violated the CCPA.
Implications for Businesses Covered Under the CCPA
Barnes v. Hanna Andersson highlights a few issues that every organization doing business in California should pay attention to.
1. Cyber Risk and Legal Risk Are Tightly Linked
For organizations that collect or process the personal data of California residents, the risk of facing a lawsuit after a data breach has risen. Mitigating cyber risk (and, indirectly, legal risk) should be a priority for every firm covered under the CCPA.
However, our own research found that as of Dec. 1, 2019, 91% of covered organizations reported that they had not yet completed all of their CCPA-related workstreams.
Unlike typical state consumer protection laws, the CCPA includes a private right of action that lets consumers sue when a breach of their non-encrypted, non-redacted personal information results from a business's failure to maintain reasonable security procedures. Consumers can recover statutory damages of $100 to $750 per consumer, per incident (or actual damages, whichever is greater), and a plaintiff does not need to prove financial harm to collect the statutory amount.
For large data collectors, the exposure can be significant. For instance, a breach that exposes the records of 10,000 customers could cost a data collector up to $7.5 million in statutory damages alone (10,000 consumers at $750 each), before legal fees and any separate enforcement penalties.
Earlier reports that the CCPA would not be enforced until July 1, six months after it went into effect, refer only to enforcement actions brought by the California Attorney General. The private right of action was available to consumers from Jan. 1, and Barnes v. Hanna Andersson shows that plaintiffs are already using it. Now is the time to make information security a priority within your organization. Even if you already have solid data protection policies and processes in place, audit what you have and verify, on a continuous basis, that those measures are actually operating effectively to protect the information of California residents.
2. The Need for Damage Control
At a time when cyber threats evolve so quickly, there is no bullet-proof way to eliminate the possibility of cyber attacks and data loss entirely.
Organizations therefore need a damage-control plan in case they do become the defendant in a CCPA lawsuit.
Because the CCPA's private right of action turns on whether the business maintained "reasonable security procedures and practices," minimizing potential damages means being able to show that your organization takes data protection and consumer privacy seriously. This involves keeping a detailed record of your infosec and data privacy policies, regularly conducting internal compliance activities and audits, and making sure all of that evidence is easily accessible to authorized parties when it is needed.
Final Thoughts on the Salesforce Data Breach Lawsuit
This is just the beginning of what will be a long list of CCPA-related lawsuits. And while the cost of becoming CCPA-compliant may be steep, the cost of non-compliance will be steeper still.
To keep track of your compliance activities and evidence files in a streamlined way, dedicated compliance software such as Hyperproof can help.