October 22, 2020

Volume X, Number 296

Advertisement

October 22, 2020

Subscribe to Latest Legal News and Analysis

October 21, 2020

Subscribe to Latest Legal News and Analysis

October 20, 2020

Subscribe to Latest Legal News and Analysis

October 19, 2020

Subscribe to Latest Legal News and Analysis

CCPA Data Breach Class Action Litigation Begins

As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA – Cal. Civ. Code § 1798.100, et seq.

The complaint alleges a familiar story – in the latter part of 2019, hackers compromised the retailer’s website with malware enabling the hackers to scrape names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates of thousands of the retailer’s customers. Hanna Andersson notified affected persons of the breach on January 15, 2020, and the complaint was filed on February 3, 2020.

Whether the complaint alleges sufficient harm for the case to proceed will be for the court to determine, but under the CCPA that may not be necessary.  The new California law authorizes a private cause of action against covered businesses if a failure to implement reasonable safeguards to protect personal information results in a data breach. Cal. Civ. Code § 1798.150. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

To bring an action for statutory damages under the CCPA, consumers must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” It does not appear an opportunity to cure was provided in this case. Also, the breach reportedly occurred in 2019, before the CCPA became effective (January 1, 2020).

Regardless of the outcome of this case, certainly one we will be watching, it should serve as an important reminder for businesses to ensure they have reasonable safeguards in place to protect personal information. Under California law,

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b).

But, the meaning of “reasonable safeguards” is not entirely clear in California.  One place to look is in the California Data Breach Report (Report) former California Attorney General, Kamala D. Harris, issued in February, 2016. According to the Report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

It is not clear that adherence to those controls will provide a sufficient basis to defend a business from an action under the CCPA relating to a data breach. But, those controls might be a good place to start. It also is important to understand how those safeguards should be applied.

First, the CCPA’s private right of action for data breaches applies with respect to personal information of consumers and employees, applicants, officers, etc. Personal information of consumers and employees often resides on different systems, subject to access by different users, and collected, processed, and stored by different third party service providers. Thus, it is important to think broadly when safeguarding personal information that could trigger a class action under this section.

Second, “personal information” for purposes of the “reasonable safeguards” requirement is much narrower than the general definition of personal information for CCPA purposes. Specifically, the private right of action under Cal. Civ. Code § 1798.150 extend only to personal information, “as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5.” This means:

(A)  An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense.

 

Jackson Lewis P.C. © 2020National Law Review, Volume X, Number 37
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies, including the Equal Employment Opportunity Commission, the Office for Civil Rights (OCR), the New Jersey Division of Civil Rights, and the New Jersey Department of Labor. His practice also focuses on advice/counseling employers regarding daily workplace issues.

Mr. Gavejian represents companies with respect to inquiries from the HHS/OCR, state attorneys general, and other agencies alleging wrongful disclosure of personal/protected information. Mr. Gavejian negotiates vendor agreements and other data privacy and security agreements, including business associate agreements. His work in the area of privacy and data security includes counseling and coaching clients through the process of investigating and responding to breaches of the personally identifiable information (PII) or protected health information (PHI) they maintain about consumers, customers, employees, patients, and others, while also assisting clients in implementing policies, practices, and procedures to prevent future data incidents.

Mr. Gavejian’s litigation experience, coupled with his privacy practice, provides him with a unique view of many workplace issues and the impact privacy, data security, and social media may play in actual or threatened lawsuits.

Mr. Gavejian regularly provides training to both executives and employees and regularly speaks on current privacy, data security, monitoring, recording, BYOD/COPE, biometrics (BIPA), social media, TCPA, and information management issues. His views on these topics have been discussed in multiple publications, including the Washington Post, Chicago Tribune, San Francisco Chronicle (SFGATE), National Law Review, Bloomberg BNA, Inc.com, @Law Magazine, Risk and Insurance Magazine, LXBN TV, Business Insurance Magazine, and HR.BLR.com.

Mr. Gavejian is the Co-Chair of Jackson Lewis’ Hispanic Attorney Resource Group, a group committed to increasing the firm’s visibility among Hispanic-American and other minority attorneys, as well as mentoring the firm's attorneys to assist in their training and development. Mr. Gavejian also previously served on the National Leadership Committee of the Hispanic National Bar Association (HNBA) and regularly volunteers his time for pro bono matters.

Prior to joining Jackson Lewis, Mr. Gavejian served as a judicial law clerk for the Honorable Richard J. Donohue on the Superior Court of New Jersey, Bergen County.

(973) 538-6890
Advertisement
Advertisement