It was only a matter of time, but we now have our first lawsuit that references California’s new consumer data protection act, the California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020. The CCPA permits each consumer that can establish a violation of certain provisions of the CCPA to seek damages of up to $750, or actual damages, whichever is greater. As the CCPA hangs over businesses like a Sword of Damocles, it remains to be seen whether it will have a measurable effect on the defense and prosecution of data breach lawsuits and resulting settlements.
On Feb. 3, 2020, the complaint in Barnes v. Hanna Andersson, LLC et al. (N.D. Cal., No. 20-cv-00812) was filed in the United States District Court, Northern District of California, San Francisco Division, against children’s clothing company Hanna Andersson, LLC and Salesforce.com, Inc. (collectively “defendants”). The complaint alleges, among other things, negligence arising out of a data breach resulting in the loss of customers’ names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates.
The complaint is notable because it alleges that the defendants failed to adequately protect user data as required by the CCPA, specifically Cal. Civ. Code Section 1798.81.5, and that the defendants failed to safeguard their platforms or provide cybersecurity warnings. The CCPA provides that businesses “shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” While the complaint seeks a declaratory judgment that the defendants’ existing security measures do not comply with their duties of care to provide reasonable security procedures, the complaint does not yet seek statutory damages under the CCPA. However, the plaintiff reserves the right to amend the complaint to seek such damages.
The CCPA provides that in the event of a data breach, “any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action…” and permits consumers to seek damages of no less than $100 and up to $750 per consumer per incident, or actual damages, whichever is greater. If the plaintiff can establish that the defendants’ security procedures and practices were not reasonable, the plaintiff will likely amend the complaint to seek statutory fines. Whether CCPA statutory damages are ever awarded in the case remains to be seen, but the potential availability of such damages will likely factor into the plaintiff’s settlement negotiations.