Is the CCPA Tsunami Beginning?

The first swell of what is expected to be an eventual tsunami of data privacy lawsuits has been spotted off the California shore. While not an actual wave yet, a lawsuit filed on Monday, February 3, 2020, has caught the attention of data privacy experts and in-house counsel around the world.

This swell on the horizon is caused by a legal complaint that cites the California Consumer Privacy Act (CCPA). The litigation is one of the first class-action lawsuits to involve the CCPA directly. In this case, the plaintiff, Bernadette Barnes, accuses Hanna Andersson, LLC and, Inc. of failing to protect user data, safeguard platforms, or provide cybersecurity warnings.

The complaint alleges that Personally Identifiable Information (PII) provided to Hanna Andersson was hacked and was found for sale on the dark web. It further alleges that Salesforce hosted this data on its e-commerce platform and that the platform was infected with malware, which is what led to the data breach.

Ms. Barnes alleges that the stolen information includes:

  • Name
  • Address
  • Telephone number
  • Email address
  • Full credit card number with expiration date and security code

Enacted in 2018, the CCPA establishes consumer rights relating to their personal information. It went into effect on January 1, 2020. The Hanna Andersson breach occurred between September and November of 2019. The complaint asks the court to determine “Whether Defendants violated California’s Consumer Privacy Act by failing to maintain reasonable security procedures and practices appropriate to the nature of PII.” Still, it is not expected that penalties will be assessed for violating this law because the alleged violation occurred before the law took effect. 

The CCPA goes beyond establishing greater measures to protect California consumers; it grants them new rights. These new rights include:

  • The right to know what personal information is collected
  • The right to delete personal information
  • The right to opt out of the sale of their personal information
  • The right to non-discrimination of terms or price when exercising privacy rights under the CCPA

Data privacy experts believe the first cases involving the CCPA are particularly important. Litigation is the method by which the finer points of how a law will be enforced are determined. By establishing case law, the scope of reasonable penalties is approximated for future lawsuits.

When asked to comment about this case, Chris Olson, CEO of The Media Trust, said, “The response to the CCPA breach filing will be telling for two primary reasons. First, regulations are better understood when prosecuted as the nuances and compliance attempts are formally reviewed and judged–exactly what is needed with some of the unclear portions of CCPA. Second, companies pay attention when a law is enforced. In addition, Hanna Andersson suffered an e-skimming attack–aka ‘Magecart’–a totally preventable situation had they been monitoring their digital assets for compromised or unknown code.”

According to California Attorney General Xavier Becerra’s website, the Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020. It has been widely reported that non-compliance with CCPA rules can bring fines up to $7,500 per record. However, that lofty penalty is expected to be reserved for only the most intentional and egregious violations.

While calling this first CCPA lawsuit the swell before the tsunami of similar legal action may, indeed, be hyperbole, CISOs and Risk Managers have every reason to be concerned. Most experts agree that not only will there be a flood of similar CCPA filings, but similar laws are expected to crop up in other states across the U.S.