February 8, 2023

Volume XIII, Number 39


February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

First CCPA Settlement Reached in Hanna Andersson Case

CPW readers are already familiar with the California Consumer Privacy Act (“CCPA”) which took effect this year.  Well, buckle your seatbelts and . . . . bolster your internal security practices as the first settlement under the CCPA has been announced and the area in which it has the greatest impact has nothing to do with the monetary relief provided to the class.

Last month the high-end children’s clothing retailer Hanna Andersson agreed to pay $400,000 and implement new security measures as part of a class action settlement arising from litigation brought in the wake of a widespread data breach.  The lawsuit stems from a security incident where hackers accessed Hanna Andersson’s (“Hanna”) third-party e-commerce platform and gained access to customers’ personal information (“PII”).  The breach affected the PII (including names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates) of over 200,000 customers who made online purchases using the Hanna website between September 16 and November 11, 2019.  The hackers then exfiltrated and used this information to make fraudulent purchases using Hanna’s customers’ credit cards.  Hanna notified its customers of the breach on January 15, 2020.

In the resulting litigation, Plaintiffs’ amended putative class action complaint alleged a variety of claims under state statutory and common law theories.  This included following causes of actions: (i) negligence; (ii) declaratory relief; (iii) violation of the California Unfair Competition Law, Business & Professions Code § 17200, et seq.; (iv) violation of the California Consumer Privacy Act ; and (iv) violation of the Virginia Personal Information Breach Notification Act, Va. Code Ann. § 18.2–186.6, et seq.  Plaintiffs sought equitable and monetary relief on behalf of all individuals whose PII was compromised in the data breach.  The case made waves when it was filed as it was among the first to cite a violation of the California Consumer Privacy Act (“CPPA”).

The settlement announced last month creates a settlement fund of $400,000 for the approximately 200,273 class members (amounting to a $2 payment to class members).  Class members who participate in the settlement and file a claim will receive up to $5,000 in relief (although most will be entitled to $500).  These amounts are subject to proration if there are insufficient funds to pay these amounts based on the number of class members who ultimately file a claim.

Considering the CCPA provides for statutory damages ranging from $100-$750 dollars, at first blush this amount seems to be on the low side.  However, bear in mind that the $2/class member is more than double the value per class member of other recent data breach settlements.  Additionally, in the context of this litigation, Hanna (as many businesses) is experiencing COVID related disruptions and the breach at issue was not covered by insurance.  Moreover, because the breach preceded enactment of the CCPA, there was an argument the CCPA statutory damages provision was not even applicable to this case.

As part of the Settlement, Hanna additionally committed to:

  • Conduct a risk assessment of the Hanna data assets and environment
    consistent with the NIST Risk Management Framework;
  • Enable multi-factor authentication for all cloud services accounts;
  • Implement alerting processes for the establishment of new cloud services
  • Hire additional technical personnel;
  • Complete PCI Attestation of Compliance (AOC) in conjunction with a
    PCI-certified Qualified Security Assessor (QSA);
  • Conduct phishing and penetration testing of the Hanna enterprise
    environment and enterprise user base;
  • Deploy additional intrusion detection and prevention, malware and anti-
    virus, and monitoring applications within the Hanna environment;
  • Implement regular review of the logs of Hanna’s ecommerce platforms;
  • Hire a Director of Cyber Security.

These additional security measures will benefit the class members as well as future customers.  Of course, these additional security measures will also increase cybersecurity and compliance costs for Hanna.

A video conference hearing in the case is scheduled for December 22, 2020.  Assuming approval is granted, the settlement in this case will provide a benchmark for future litigants bringing claims under the CCPA.  This is particularly so in regards to the comprehensive security precautions outlined (which are becoming common in data privacy litigations more broadly).

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 350

About this Author

Raisa Dyadkina Intellectual Property Attorney Squire Patton Boggs San Francisco, CA

Raisa Dyadkina is an associate in the Intellectual Property & Technology Practice and advises on trademark matters and on a broad range of commercial contracts.

Raisa has prior experience in intellectual property enforcement, anti-counterfeiting, and brand protection for copyright, trademark, and right of publicity matters. Prior to joining the firm, she worked at the world’s largest live entertainment company, where she executed a brand protection and enforcement strategy for over 100 musical artists.

Raisa graduated law school with a faculty-awarded Excellence in...

Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...