What is believed to be the first monetary settlement for a lawsuit related to the California Consumer Privacy Act (CCPA) has been filed in a federal court in California.
Children’s clothing retailer Hanna Andersson has agreed to pay $400,000 to settle a data breach class-action lawsuit that was among the first to cite the CCPA in its judgment sought. Another company named in the lawsuit—cloud technology provider Salesforce—does not appear to be contributing to the settlement.
The lawsuit, filed in February in the U.S. District Court for the Northern District of California, claimed Hanna Andersson and Salesforce violated the CCPA by losing customers’ personally identifiable information (PII) during a 2019 data breach. Hackers gained access to the PII, including credit card data, through Hanna Andersson’s third-party e-commerce platform operated by Salesforce, according to the lawsuit. The hackers used the stolen data to make purchases on Hanna Andersson’s website for two months before the breach was discovered, the lawsuit said. The stolen PII was also sold on the dark web.
According to the settlement, noted in a Nov. 19 court filing, more than 200,000 U.S.-based customers who made purchases from the Hanna Andersson website from Sept. 16 to Nov. 11, 2019, are eligible to receive compensation in the agreement.
The original lawsuit estimated 10,000 California-based customers might have been affected during the breach period. The CCPA only applies to California-based consumers; consumers from other states would have had to discuss their options with their states’ Attorney General. The CCPA provides the means for consumers who have had their PII stolen or compromised to sue for compensation; in other states, the AG’s office would have to sue businesses on consumers’ behalf.
Settlement class members will be eligible to receive between $500 and $5,000, depending on their circumstances, the lawsuit said.
“Plaintiffs strongly believe the settlement is fair, reasonable and adequate and that the court should grant it preliminary approval and notice distributed to class members,” wrote attorneys for the class-action plaintiffs in the settlement agreement. “The settlement provides quick relief for class members, including compensation for the alleged unauthorized dissemination of their PII.”
In the settlement, Hanna Andersson also agreed to take steps to prevent future data breaches, including by conducting a risk assessment of its data assets; enabling multi-factor authentication for all cloud services accounts; hiring a new director of cyber-security and additional technical personnel; conducting phishing and penetration testing; and deploying additional intrusion detection and prevention, malware and antivirus, and monitoring applications.
Other companies that have been hit with CCPA-related lawsuits include data brokerage firm ZoomInfo, which was sued by its competitor, Bombora. Class-action lawsuits by consumers alleging companies mishandled their personal data were filed against Zoom and Houseparty, while a CCPA-related lawsuit against TikTok alleged the Chinese company mishandled the data of the minor.
The most high-profile CCPA-related lawsuit thus far was one filed against Walmart in July alleging the mishandling of personal data.
Although the California Attorney General’s office began enforcing the CCPA as of July 1, it has yet to publicly announce an enforcement action. The AG’s office has sent notices of CCPA noncompliance to companies it believes are violating the CCPA but provides companies with time to fix the issues before filing a lawsuit.
On Nov. 3, California voters approved the California Privacy Rights Act (CPRA), which will replace the CCPA in 2023. The CPRA ladles additional responsibilities onto businesses for how they should handle private data, like prohibiting companies from sharing sensitive information about customers’ health, finances, race, ethnicity, and precise location; tripling fines for violations related to children’s data; and putting new limits on how companies can collect, share, and sell customers’ personal data. On several of these fronts, data privacy experts say the CPRA lines up better with the EU’s General Data Protection Regulation than the CCPA does now.
The CPRA also establishes an enforcement agency to take over for the AG’s office. That agency, the California Privacy Protection Agency, could launch as soon as July 2021.
None of the three law firms representing the Hanna Andersson customers, nor attorneys representing Hanna Andersson and Salesforce, responded to Compliance Week’s requests for comment.