CCPA cited in Hanna Andersson/Salesforce breach lawsuit

The lawsuit, Barnes v. Hanna Andersson, LLC, was brought by plaintiff and California resident Bernadette Barnes in response to a recently acknowledged data breach at Hanna Andersson, a seller of high-end children’s apparel. The complaint, filed in the U.S. District Court for the Northern District of California, seeks to establish a class action on behalf of all California individuals whose personably identifiable information (PII) might have been compromised during the period of the breach.

The CCPA took effect Jan. 1, though it is not meant to be enforced until after July 1 as the California Attorney General’s Office wanted to give companies time to get in compliance with the landmark privacy law. California is the first U.S. state to bring such a law into effect, so how the CCPA’s involvement in this case is interpreted is sure to garner attention from American companies looking to understand their vulnerabilities under the legislation.

The lawsuit states Hanna Andersson revealed the breach to customers via a letter from the CEO on Jan. 15. That same day, Hanna Andersson’s counsel sent a letter to state attorneys general also warning of the breach.

According to the lawsuit, the content of these letters differed vastly, with the note to customers acknowledging the breach and what information was involved while the note to the states revealed the PII was for sale on the dark web. In the letter to the states, Hanna Andersson said it received a tip from law enforcement on Dec. 5, 2019, about the dark web threat, and following a subsequent investigation, it confirmed malware on its e-commerce platform, Salesforce Commerce Cloud, was to blame.

In both letters, Hanna Andersson said the time range the data was vulnerable was from Sept. 16, 2019, through Nov. 11, 2019. Among the PII compromised in the breach was customer names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates.

“This PII was compromised due to Hanna’s and Salesforce’s negligent and/or careless acts and omissions and the failure to protect customers’ data,” the lawsuit states. “In addition to their failure to prevent the breach, Hanna and Salesforce failed to detect the breach for almost three months.”

The lawsuit raises red flags: How was the malware removed in November when Hanna Andersson wasn’t made aware of the breach until December? Why hasn’t Salesforce yet acknowledged the breach? It also notes Hanna Andersson shared a job posting on LinkedIn in November for a “Director of Cyber Security” around the same time the malware was said to be removed.

The lawsuit estimates more than 10,000 California residents might have been affected during the breach period, meaning millions of dollars might be at stake given the CCPA allows for recovery of damages of up to $750 per consumer per incident. It seeks to determine whether Hanna Andersson and Salesforce violated the CCPA by “failing to maintain reasonable security procedures and practices appropriate to the nature of the PII.”

If the lawsuit is regarded as a class action, it seeks for Hanna Andersson and Salesforce to provide credit monitoring services to all those affected. An award of compensatory, statutory, and punitive damages is also requested in an amount to be determined. The lawsuit seeks a trial by jury.