2020 is Here and Data Subjects Are Ready To Execute Their Rights Under the CCPA

By Antonia M. Dumas, Esq., Associate at XPAN Law Group, LLC 

It has begun – consumers (data subjects) are looking at the California Consumer Privacy Act (“CCPA”) as one of the channels to file suit against companies for failure to meet data privacy and security requirements. (A full copy of the CCPA can be found here: Title 1.81.5. California Consumer Privacy Act of 2018, Section 1798.100, et seq.).

It is no longer a myth that consumers/data subjects will take advantage of these new rights in California … and this will apply to other jurisdictions that are establishing data subject rights under the emerging laws across the US. You could say that we foresaw a case like this, seeking the same types of proactive and protective measures, in our blog post closing out 2019. We anticipated that 2020 would be a year where we would see more proactive data security and privacy requirements for companies, as well as courts continuing to grapple with the challenges of cybersecurity and data privacy lawsuits. This CA lawsuit will set the stage for data privacy and security related lawsuits going forward, just as CA set the stage for the development of data privacy laws across the country. 

First Lawsuit to Cite CCPA: Barnes v. Hanna Andersson, LLC 

There has been buzz around the CCPA, which just took effect January 1, 2020. It only took about a month for the CCPA to make an appearance in a lawsuit filed by a data subject on behalf of a class (Barnes v. Hanna Andersson, LLC) executing their rights under the CCPA, among other regulations. The action was filed in the Northern District of California (the federal court in Oakland) and proposes to certify a class of approximately 10,000 other data subjects against the children’s clothing company, Hanna Andersson, LLC (“Hanna”), and its third-party cloud-based service provider for ecommerce (i.e., payments), Salesforce.Com, Inc. (“Salesforce”). The complaint alleges that both Hanna and Salesforce failed to properly safeguard customers’ sensitive data and failed to detect the breach (and the subsequent sale of the information on the dark web). Further, the complaint alleges that even once customers’ data was taken, Hanna did not provide sufficiently accurate notice of the details of the data breach. 

The lawsuit asserts claims for negligence, for a declaratory judgment regarding violation of various legal duties, and for violations of CA’s Unfair Competition Law (Cal. Bus. & Prof. Code Section 17200, et seq.). Under these claims, the complaint cites the CCPA specifically in two key sections: the allegations of negligence and the allegations of unlawful practices under CA’s Code. 

Under the claim of negligence, the complaint cites the CCPA as the source of one of the many legal duties owed to the potential class members. Under the claim of unlawful practices under CA’s Code, the complaint cites the CCPA in alleging that Defendants failed to take reasonable methods of safeguarding data and failed to disclose the data breach in a timely and accurate manner (citing Cal. Civ. Code Sec. 1798.81.5 and 1798.82). Separately (but relatedly), under the claim of unfair business practices under CA’s Code, the Plaintiff and potential class members allege that the Defendants engaged in unfair acts and practices in failing to protect the PII and failing to take proper actions following the data breach.  

Failure To Protect PII

On January 15, 2020, the high-end children’s apparel company announced that hackers had obtained personal information of its customers through e-skimming/scraping (i.e., malicious code placed on an e-commerce credit card processing or checkout page that copies payment data as customers enter it). The personal information included personally identifiable information (“PII”) such as customer names, credit card numbers, security codes, card expiration dates, and other personal information. The data breach occurred from September 16, 2019 to November 11, 2019 and may have affected “tens of thousands” of people, including more than 10,000 CA residents. 

The data obtained from the e-skimming of the website was actually found for sale on the dark web by law enforcement (after warnings about e-skimming had previously been circulated). It was law enforcement that shed light on the fact that a data breach had occurred; the breach appears to have gone undetected and unknown by both Hanna and Salesforce. It was the Salesforce platform that was infected with the malware that allowed the e-skimming and the unauthorized disclosure of PII. Once again, this is a data breach stemming from a third-party source/relationship, joining the long list of other famous breaches that started with Target and has included other top brands like Best Buy, Sears, Kmart, Delta, etc. (See our previous blog about third-party relationships as insider threats).  

As detailed above, the Plaintiff and potential class members allege negligence and violations of legal and contractual duties under California’s unfair competition law, the CCPA, and other laws and industry standards. They allege that Hanna and Salesforce owed a duty to the consumers to “exercise reasonable care in obtaining, using, and protecting their PII from unauthorized third parties.” 

Further, the complaint alleges negligence for breach of a list of legal duties owed to class members, citing various laws. The list of legal duties includes the following: 

  1. Exercising reasonable care in processing (i.e., obtaining, retaining, securing, safeguarding, deleting) and protecting the PII of the potential class in their possession;
  2. “Using reasonable and adequate security procedures that are compliant with industry-standard practices”; and  
  3. Implementing processes to “quickly detect a data breach and timely act on warnings about data breaches,” including prompt and accurate notification of the data breach. 

In addition to the above, the Plaintiff and potential class members allege that the CCPA requires Defendants to take reasonable steps, including utilizing reasonable methods to safeguard and protect the PII of class members who are CA residents (Cal. Civ. Code §1798.81.5). Further, the complaint relies on guidance from the Federal Trade Commission (FTC), alleging that Hanna and Salesforce had a duty to use reasonable data security measures under Section 5 of the FTC Act, 15 U.S.C. § 45(a). It states that this duty “prohibits ‘unfair . . . practices in or affecting commerce,’ including, as interpreted and enforced by the FTC, the unfair practices of failing to use reasonable measures to protect PII…”. 

Failure to Accurately Report Breach 

The Plaintiff and potential class members also allege that Hanna’s notification of the breach was not timely, accurate, or complete. First, they allege that Hanna did not notify the affected consumers until about a month after law enforcement informed it that customers’ PII was for sale. Second, they allege that the notification Hanna did provide lacked detail (it stated only that there had been unauthorized access) and contained far less information than the notification provided to the Attorneys General. The notification to the Attorneys General appears to have stated that information from credit cards used on the website was available for purchase on the dark web, that an investigation had confirmed the source to be malware on the Salesforce platform, and that steps had been taken to re-secure the platform and increase security. Further, Salesforce did not provide any notification or acknowledgement of the breach. 

Companies Are Keeping a Close Eye On This Case

Companies are watching because the CCPA is a new avenue through which consumers can actually seek damages for data security and privacy breaches, similar to rights under other consumer protection laws. 

For relief, the complaint seeks a declaratory judgment regarding violations of the CCPA, free credit monitoring, damages, punitive damages, etc. And even though the CCPA is only one of the various laws brought into this lawsuit, it will be important to see how the court addresses the claims that rely on it. 

It is important to clarify that the complaint itself does not plead a stand-alone cause of action under the CCPA and does not currently seek statutory damages or fines under it (probably because the enforcement date is not until July 1, 2020), but it does reserve the right to amend later to seek such damages and relief. However, in connection with the exposure of PII and the sale of data on the dark web, the complaint seeks a declaratory judgment that: 

  1. The existing security measures do not comply with contractual obligations and duties of care (including under the CCPA) to provide reasonable security procedures and practices to protect the PII of customers; and 
  2. The defendants must implement and maintain certain reasonable security measures. 

The request for a declaratory judgment includes a laundry list of reasonable security measures, many of which we see under the CCPA, other data privacy regulations, and many of the FTC’s settlement orders. These include: 

  1. Conducting external and internal audits/penetration tests; 
  2. Conducting external security audits and setting internal automated security monitoring; 
  3. Managing new and modified procedures through audits, testing, and training;
  4. Implementing access and user controls (e.g., segmentation, firewalls, access controls, etc.); 
  5. Conducting regular database scans and checks; 
  6. Continuous training and education to identify a breach and executing a breach response plan; 
  7. Providing free credit monitoring for the class for 10 years; and 
  8. “Meaningfully” educating users about the threats they face as a result of the breach and the loss of PII to third parties, and the steps users must take to protect themselves. 

Under the CCPA’s private right of action, CA residents could seek statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. For large data collectors with many data subjects who are CA residents, damages could mean millions of dollars. This may not be the 4% of global annual turnover available under the GDPR, but it could still be a big number. 

Key Takeaways While You Wait 

While you wait for this first data subject case to provide some guidance – do not wait! That is, do not wait to implement proper data privacy and security measures, establish policies and procedures and actively train your employees on such measures and detecting data breaches. And especially, do not wait to start conducting due diligence and risk management on your third-party vendors and service providers as they are often the weakest link and largest liability. And a last FYI – if you use a third-party service provider to process credit card payments, beware of a completely different set of standards and requirements under the Payment Card Industry Data Security Standard (PCI DSS). But this is a discussion for another time/post. Just remember, luck favors the prepared! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.