[BreachExchange] Salesforce.com and Hanna Andersson Data Breach Lawsuit Among the First to Cite the CCPA
Destry Winant
destry at riskbasedsecurity.com
Thu Feb 6 10:20:34 EST 2020
https://securityboulevard.com/2020/02/salesforce-com-and-hanna-andersson-data-breach-lawsuit-among-the-first-to-cite-the-ccpa/
Even though California's landmark privacy law only took effect on Jan. 1, it is already being cited in data breach lawsuits.
Salesforce.com and Hanna Andersson—a children’s clothing company—are
facing data breach allegations in one of the first class action
lawsuits to directly involve the CCPA.
According to the complaint filed in the U.S. District Court for the
Northern District of California (Barnes v. Hanna Andersson, LLC, N.D.
Cal., No. 20-cv-00812), Salesforce and Hanna Andersson failed to
protect user data, safeguard their platforms, and provide cybersecurity
warnings. Plaintiff Bernadette Barnes claims these failures violated
state laws including the California Consumer Privacy Act.
What We Know About the Hanna Andersson Data Breach
Barnes, the plaintiff and a California resident, brought her class
action complaint to the U.S. District Court after Hanna Andersson
announced on Jan. 15 that hackers had scraped customer names, payment
card numbers, and other personal information. The complaint alleges
that the hacked data, which was found for sale on the dark web, was
hosted by Salesforce on its e-commerce platform. It also alleges that
the e-commerce platform was infected with malware, which is what led
to the data breach.
It is now up to the court to weigh in on whether Hanna Andersson and
Salesforce violated the CCPA.
Implications for Businesses Covered Under the CCPA
Barnes v. Hanna Andersson highlights a few issues that every
organization doing business in California should pay attention to.
1. Cyber Risk and Legal Risk Are Tightly Linked
For organizations that collect or process the personal data of
California residents, the risk of facing lawsuits for data breaches
has just gone up. Mitigating cyber risk (and, indirectly, legal risk)
should be a priority for all firms covered under the CCPA.
However, our own research found that as of Dec. 1, 2019, 91% of
covered organizations noted that they had yet to complete all the
CCPA-related workstreams.
Compared to typical state consumer protection laws, the CCPA includes
a private right of action that makes it easier for consumers to seek
damages for weak data-security protections—up to $750 per consumer,
per incident after a breach.
For large data collectors that violate the CCPA, the costs from
damages can be significant. For instance, a data breach that exposes
the record of 10,000 customers could cost a data collector up to $7.5
Million.
Earlier reports noted that the California Attorney General would not
begin enforcing the CCPA until July 1, six months after it went into
effect. Barnes v. Hanna Andersson shows that private plaintiffs are not
waiting: the law's private right of action is already being invoked in
court. Now is the time to make information security a priority within
your organization. Even if you already have solid data protection
policies and processes in place, audit what you have and verify, on a
continuous basis, that those measures are actually operating as
intended to protect the information of California residents.
2. The Need for Damage Control
Cyber threats evolve quickly, and no set of controls can completely
eliminate the possibility of a successful attack and data loss.
Organizations need to have a plan for damage control in case they do
become the defendant in a CCPA lawsuit.
To minimize potential damages, you’ll need to build a solid case that
your organization takes data protection and consumer privacy
seriously. This will involve keeping a detailed record of your infosec
and data privacy policies, regularly conducting internal compliance
activities and audits, and making sure all records are easily
accessible for authorized parties.
Conclusion
This is just the beginning of what will be a long list of CCPA-related
lawsuits. And while the cost of becoming CCPA-compliant may be steep,
the cost of non-compliance will be much steeper.