CCPA Compliance: What We Learned from the First Lawsuit Settled
January 20, 2021
When the California Consumer Privacy Act passed in 2018, one of the key enforcement mechanisms in the law was the private right of action available to consumers after a data breach. Many predicted a rush of litigation as the law went into effect on January 1st, 2020. The plaintiffs’ bar has delivered, bringing a number of class action lawsuits against companies that have suffered a data breach. And yet, we hadn’t seen resolution of any of these class action cases—until recently.
In the first settlement of its kind, children’s clothing retailer Hanna Andersson settled a California Consumer Privacy Act class action case in November 2020. However, the monetary awards are far less than what many predicted would come out of CCPA litigation. So what lessons can we take away from this settlement that may prove insightful for future litigation and CCPA compliance?
Background on the Breach of Hanna Andersson
In September 2019, high-end children’s clothing retailer Hanna Andersson was the target of a data breach. Cybercriminals hacked Hanna’s third-party ecommerce platform, powered by Salesforce.
The attack successfully compromised personally identifiable information (PII) of tens of thousands of Hanna customers and bad actors sold that PII on the dark web.
Neither Hanna nor Salesforce was aware of the attacks as they were happening, which spanned about three months. Law enforcement found the information on the dark web and notified Hanna of the attack.
Hanna notified its customer base in January 2020, about a month after the data breach was discovered and the same month that CCPA went into effect.
Two complaints that named Hanna and Salesforce were consolidated into a class action, filed on June 3rd, 2020. The complaint alleged negligence for failure to “adequately protect its users’ PII … warn users of its inadequate information security practices, and … effectively monitor Hanna’s website and ecommerce platform for security vulnerabilities and incidents.”
The parties reached a settlement in November 2020 at a cost of $400,000. The settlement fund applies to all persons who made purchases on the Hanna website during the period from September 2019 to November 2019, when the data breach occurred.
The settlement fund of $400,000 is set aside for more than 200,000 people, an average of only $2 per affected consumer. It’s worth noting that the anticipated average settlement for valid claims is expected to be $38 per class member, and it is reported that awards are capped at $500 per individual. Exceptional circumstances, though, could warrant settlements up to $5,000 per class member.
An Extraordinary Settlement
The plaintiffs cite the settlement as “extraordinary,” saying, “In light of the risks and uncertainties presented by data breach litigation, the $400,000 Settlement Fund achieved for the approximately 200,273 member Class in this case is an extraordinary result.”
Indeed, the circumstances are interesting. Plaintiffs even pointed out the fact that “this is an especially complex class in an especially risky arena. Historically, data breach cases face substantial hurdles in surviving even the pleading stage.”
The plaintiffs are accurate in these statements, as most data breach litigation to date has not survived a motion to dismiss due to standing issues, namely that the class members are unable to show actual damages suffered and thus have no standing to bring the claims.
But the CCPA was expected to change this dynamic due to the statutory damages built into the law.
This settlement in the Hanna Andersson case, however, is not as large as many predicted a CCPA class action would produce. At an average of $2 per consumer, the settlement is a far cry from the $100–$750 range of statutory damages granted under CCPA.
This should be fantastic news for any company subject to CCPA and concerned about consumer class action litigation after a data breach. However, there are many reasons why this settlement may be depressed compared to expectations.
A Data Breach, CCPA Compliance, and the Lessons Learned
Here are four key takeaways that may prove this settlement to be an aberration.
1. A Nationwide Settlement
Remember that CCPA makes it clear that it only applies to California consumers:
Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.
However, the complaint sought relief for “all individuals whose PII was compromised in the data breach announced by [Hanna] on January 15, 2020.” In the end, the plaintiffs got what they wanted: the settlement awarded nationwide customers who may have been impacted by the data breach.
This is something we’ve been bracing for with CCPA litigation, and expect that this could continue under California’s new privacy law, CPRA, in 2023.
In this instance, the class represented was national, likely lowering the average-per-consumer settlement figure below the $100–$750 that California consumers could have potentially been awarded.
2. The Timing of Breach
CCPA went into effect in January 2020—the same month that Hanna alerted the state attorney general of the data breach. But the data breach occurred in 2019 before CCPA’s January start date. This factor was not discussed in the Hanna case.
Litigation experts previously pointed out that CCPA does not explicitly state that it applies retroactively and that it would be unlikely that the courts would interpret it that way. Because the case settled, the court did not have the opportunity to interpret the law; the parties came to a resolution on their own.
This could set the stage for other lawsuits applying CCPA retroactively; however, that prospect seems small as we get farther away from the initial enforcement date. When CPRA becomes the new standard in 2023, it is explicit: the law will apply to data collected starting in 2022.
The timing of the breach relative to CCPA taking effect could be another mitigating factor in why the settlement is not as large as expected.
3. Impact of COVID-19
Remember that the CCPA allows consumers to “recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
But there are a number of factors that could have mitigated this for Hanna, including the nationwide nature of the class, the timing issue mentioned above, and others. It seems the parties involved understood that Hanna may not have been able to weather the storm if the settlement had been larger.
From the settlement filing:
Hanna’s business has been significantly affected by the COVID-19 global health crisis, which, together with the lack of insurance coverage for Plaintiffs’ claims, creates a real risk that any judgment Plaintiffs obtained against Hanna would be difficult, if not impossible, to collect upon.
It also doesn’t appear that Salesforce is on the hook for the actual settlement, which the plaintiffs noted, leaving Hanna to fund the awards. This further proves the point that you can outsource a business function but not your cyber liability.
4. Business Practices
Finally, as part of the settlement, Hanna agreed to adopt a number of business practices related to cyber risk management. That included the following:
- Conducting a risk assessment of Hanna’s data assets and environment consistent with the NIST Risk Management Framework
- Enabling multi-factor authentication for all cloud services accounts
- Implementing alerting processes for the establishment of new cloud services accounts
- Hiring additional technical personnel
- Completing a PCI Attestation of Compliance (AoC) in conjunction with a PCI-certified qualified security assessor (QSA)
- Conducting phishing and penetration testing of Hanna’s enterprise environment and enterprise user base
- Deploying additional intrusion detection and prevention, malware and antivirus, and monitoring applications within the Hanna environment
- Implementing regular review of the logs of Hanna’s e-commerce platforms
- Hiring a director of cyber security
These steps are instructive for businesses that want to mitigate their CCPA liability and are looking for specific areas of cybersecurity in which to invest.
Expectations for Breach Litigation Moving Forward
While the monetary award in this settlement is lower than expected, there are a number of reasons, discussed above, why this settlement may not foreshadow the outcome for all companies facing data breach litigation. Thankfully, cyber liability insurance provides coverage for this type of litigation, including the defense costs and any settlement.
This is also just the first settlement under a CCPA class action lawsuit – although certainly not the last. If anything, the fact that this case moved to a settlement so quickly is indicative of the future of data breach litigation. Gone are the days of cases being dismissed at the pleading stage due to standing. Companies are right to expect the ultimate cost of data breaches to increase as a result.