California Consumer Protection Act – first class-action lawsuit settled

First CCCP lawsuit settled, ImageQuest

If you do business with customers living in California – be aware. The state’s new data privacy law is already spawning class-action suits over data breaches.

Hanna Andersson, a Portland, Ore.-based retailer of premium children’s clothing, became the first company to settle such a suit brought under the California Consumer Protection Act (CCPA.)

Interestingly, the November 2020 settlement covers a data breach the retailer suffered during the fall of 2019 before CCPA took effect. Nevertheless, the retailer agreed to a $400,000 settlement and will improve its cybersecurity measures for an unspecified additional cost.

None of the loss was covered by insurance, according to several accounts in legal journals.

Early versions of the lawsuit, Barnes v. Hanna Andersson, also included Salesforce as a defendant. The suit said the retailer used Salesforce’s e-commerce software, and Westlaw reported the Salesforce platform “was infected by malware that may have scraped customers’ information.”

Reports on the settlement make no mention of Salesforce. A November Westlaw report says, “Salesforce doesn’t appear to be contributing to the settlement fund.”

According to the National Law Review, hackers stole data on customers who bought from the Hanna Andersson e-commerce platform between Sept. 16 and Nov. 11 in 2019. The hackers stole “names, shipping and billing addresses, payment card numbers, CVV codes, and (card) expiration dates” belonging to more than 200,000 people buying from Hanna Andersson.

The hackers then used the stolen card information to make fraudulent purchases. The stolen data also was posted for sale on the Dark Web. Hanna Andersson notified customers of the breach on Jan. 15, 2020.

Among the cybersecurity improvements the retailer agreed to make are:

  • Conduct a Risk Assessment of its data assets and environment following the NIST framework
  • Enable multifactor authentication for all cloud services accounts
  • Conduct phishing and penetration testing of the retailer’s enterprise environment and enterprise user base
  • Deploy additional intrusion detection and prevention, anti-malware, and anti-virus monitoring applications within its data environment
  • Implement regular review of the logs of its e-commerce platforms
  • Hire a Director of Cyber Security.

The retailer must also complete a PCI Attestation of Compliance, likely to continue to accept credit cards – and stay in business.

If you are concerned about whether your cyber-measures will protect you from a devastating breach – and the lawsuits that follow – contact us to set up an initial exploratory chat with our experts.

Scroll to Top