[BreachExchange] Hanna Andersson, Salesforce ink deal to settle CCPA data breach class action

[Destry Winant]

https://today.westlaw.com/Document/I715743302b7e11ebb26bd3086ac74fc7/View/FullText.html?transitionType=SearchItem&contextData=(sc.Default)

(Reuters) - Hanna Andersson LLC and Salesforce.com Inc have reached a
proposed agreement with plaintiffs to resolve class claims related to
a 2019 data breach, according to a motion for preliminary approval of
the settlement.
The litigation, composed of two consolidated cases against the
children's apparel retailer and cloud technology services provider,
was one of the early cases alleging a violation of the California
Consumer Privacy Act, which took effect Jan. 1. Hanna has agreed to
pay $400,000 and take corrective measures to resolve the claims,
according to the unopposed motion filed Thursday in San Francisco
federal court.
Salesforce doesn't appear to be contributing to the settlement fund.
An attorney for the plaintiffs, who are represented by Morgan &
Morgan, the Arnold Law Firm, and Wolf Haldenstein Adler Freeman & Herz
didn't immediately respond to a request for comment on the proposed
settlement. Nor did an attorney from Perkins Coie for Hanna Andersson
or an attorney from Morrison & Foerster for Salesforce.
The litigation stems from Hanna Andersson's notification to customers
and state attorneys general in January that an unauthorized third
party had accessed information on its website for purchases made in a
two-month period in 2019, potentially exposing customers' names,
billing and payment card information, according to the complaint. The
notice to the states disclosed that credit card information was
available on the dark web and that a Salesforce commerce platform used
by Hanna was infected by malware that may have scraped customers'
information.
The consolidated complaint included claims for negligence, declaratory
judgment, violations of the California privacy and unfair competition
laws, and violation of Virginia's breach notification law.
The proposed settlement class contains more than 200,000 individuals
who made purchases from Hanna's website during the time period in
2019.
"In light of the risks and uncertainties presented by data breach
litigation, the $400,000 Settlement Fund achieved for the
approximately 200,273 member Class in this case is an extraordinary
result," the plaintiffs' lawyers wrote in the filing.
Hanna has agreed to make changes to its business practices as they
relate to its e-commerce platform, including conducting a risk
assessment of its data assets, enabling multi-factor authentication
for cloud services accounts, deploying intrusion protection and
monitoring applications and hiring a cybersecurity director, according
to the proposed settlement.
The plaintiffs' lawyers said in the filing they will separately seek
$120,000 in attorneys fees.
The parties had initially reached a settlement "in principle" over the
summer and had asked U.S. District Judge Edward Chen to stay the case
pending its finalization.
Litigation under the California Consumer Privacy Act is still new and
many of the cases filed so far - including those that bring direct
causes of action and others that use the law as predicate for other
claims - are in early stages, as the law has been in effect less than
a year.
The privacy law currently provides a limited private right of action
for individuals to sue in certain data breach situations. That right
will be expanded under the California Privacy Rights Act, a ballot
measure that California voters passed earlier this month.
The case is In Re: Hanna Andersson and Salesforce.com Data Breach
Litigation, U.S. District Court for the Northern District of San
Francisco, 3:20-cv-00812-EMC.
For the plaintiffs: John Yanchunis of Morgan & Morgan Complex
Litigation Group, M. Anderson Berry of Arnold Law Firm, and Rachele
Byrd of Wolf Haldenstein Adler Freeman & Herz
For Hanna Andersson: Todd Hinnen of Perkins Coie
For Salesforce: Tiffany Cheung of Morrison & Foerster