The only certainties in life used to be death and taxes. In 2020, it would be safe to add California Consumer Privacy Act (CCPA) class actions to that "distinguished" list. On February 3, Barnes v. Hanna Andersson, LLC, N.D. Cal., Case No. 20-cv-00812, was filed in the Northern District of California, setting in motion the certainty that CCPA class actions are on their way, if not already here.* Filed on behalf of all California residents, the Barnes complaint alleges that between September and November 2019, clothing retailer Hanna Andersson and Salesforce, its online payment services provider, failed to properly safeguard the personally identifiable information (PII) of its customers after hackers stole customers' private information and posted it to the dark web for sale.
What You Need to Know
- Under the CCPA, a data breach is any unauthorized access, theft or disclosure of a consumer's non-encrypted and non-redacted personal information that results from a company's failure to implement and maintain "reasonable" security procedures and practices. Here, the complaint alleges that the defendants failed to maintain reasonable security procedures and practices in order to protect the consumers' PII.
- Although the CCPA is largely viewed as a new law related to California consumers' privacy rights (and the placement of subsequent obligations on companies doing business in California), the CCPA includes potentially draconian damages for a data breach permitted by unreasonable cybersecurity. Under the new law, an individual need not show any actual harm caused by a data breach, yet he/she may seek statutory fines of up to $750 per incident per individual in the event of a breach. Plaintiffs estimate that at least 10,000 California residents could have been affected by this breach, thereby exposing defendants to up to $7.5 million in damages if proven true.
- There exists a duty to monitor and ensure that third-party organizations are properly safeguarding a company's data. During the course of the investigation into the breach, it was discovered that the Salesforce ecommerce platform was infected with malware which allowed the hackers to steal consumers' PII from Hanna Andersson's website.
- The CCPA went into effect on January 1, 2020, yet enforcement by the California Attorney General is not allowed until July 2020. However, no such delay is required for private litigation under the data breach portion of the CCPA. Interestingly, although the complaint alleges that the data breach occurred in 2019, the court could still choose to apply the CCPA; that has yet to be determined.
While Barnes may be the first class action lawsuit to mention violation of the CCPA, it certainly will not be the last. In fact, numerous class action lawsuits have been filed in the new year which either mention the CCPA or utilize CCPA-like language to style particular claims. As such, it is evident that the Plaintiffs' bar sees the CCPA as a potential source of extensive class action litigation. Expect to see an ongoing deluge of class action litigation in California under the data breach portions of the CCPA. In addition, although the Barnes plaintiffs may not be able to invoke the CCPA due to the data breach occurring in 2019 (before the CCPA took effect), Barnes serves as a stark reminder that implementing and maintaining reasonable data security is vital to defend a business against CCPA claims. Newmeyer Dillion can help companies analyze their cyber risk profile, and provide access to experienced forensic teams which can ensure reasonable security exists in your organization.
*While Barnes does not yet expressly state a cause of action under the CCPA, relying upon violations of the California Unfair Competition Law in its place, we anticipate that an amendment will soon be filed to include a CCPA claim.
Daniel Schneider is a Partner in Newmeyer Dillion's Privacy & Data Security group. Focused on advocating on behalf of clients when cyber threats inevitably happen, Dan also advises on best practices to help protect the company and mitigate future concerns. Dan can be reached at firstname.lastname@example.org.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at email@example.com.
About Newmeyer Dillion
For 35 years, Newmeyer Dillion has delivered creative and outstanding legal solutions and trial results that achieve client objectives in diverse industries. With over 70 attorneys working as a cohesive team to represent clients in all aspects of business, employment, real estate, environmental/land use, privacy & data security and insurance law, Newmeyer Dillion delivers holistic and integrated legal services tailored to propel each client's success and bottom line. Headquartered in Newport Beach, California, with offices in Walnut Creek, California and Las Vegas, Nevada, Newmeyer Dillion attorneys are recognized by The Best Lawyers in America©, and Super Lawyers as top tier and some of the best lawyers in California and Nevada, and have been given Martindale-Hubbell Peer Review's AV Preeminent® highest rating. For additional information, call 949.854.7000 or visit www.newmeyerdillion.com.