CCPA referred to for first time in Hanna Andersson Data Breach Lawsuit

A lawsuit filed Monday by California resident Bernadette Barnes against online retailer Hanna Andersson and its e-commerce platform Salesforce is among the first of legal cases to cite the California Consumer Privacy Act (CCPA) in judgment sought. The CCPA came into effect January 1, but the California Attorney General is giving everybody until July 1 for companies to become compliant before violations and fines will be given. 

California is the first U.S. state to bring a large scale data privacy and regulation law into effect, but there are many other states following such as Nevada, New York, Vermont, South Carolina, and more. All of these states along with lots of advertising companies will be closely paying attention to the case, comparing and contrasting their companies compliance and security policies.

The lawsuit details: According to Complianceweek, the case is a class action on behalf of all California individuals whose personally identifiable information (PII) could have been compromised during the period of the breach from Sept. 16, 2019, through Nov. 11, 2019. Hanna Andersson revealed the breach to customers by letter from the CEO on Jan. 15. That same day, Hanna Andersson’s counsel sent a letter to state attorneys general also warning of the breach. In both letters Hanna Andersson revealed information taken in the breach such as customer names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates. The lawsuit states that only in the letter to the attorney generals did they reveal that the information taken was already up for sale on the dark web though. 

Barnes v Hanna Andersson LLC. is seeing if Hanna Andersson or Salesforce violated CCPA terms by “failing to maintain reasonable security procedures and practices appropriate to the nature of the PII.” The lawsuit estimates more than 10,000 California residents might have been affected during the exposed period. The CCPA allows for recovery of damages of up to $750 per consumer per incident! That is a lot of money that Hanna Andersson could end up being fined for along with possibly having to provide free credit monitoring and security. This is definitely a legal case to pay attention to because this will be a clear indication of how strict CCPA laws and regulations will be.