The companies Salesforce.com, Inc. and Hanna Andersson, LLC are on the receiving end of a novel lawsuit, which appears to be the very first data breach class action ever filed with alleged violations of the California Consumer Privacy Act (“CCPA”). The case is styled as Barnes v. Hanna Andersson, LLC , N.D. Cal., Case No. 20-cv-00812.
In this putative class action, which was just filed against these two companies on February 3, 2020 in the Northern District of California, the plaintiffs allege four causes of action for negligence; declaratory relief; and violations of the California Unfair Competition Law (“UCL”), Business and Professions Code § 17200. The plaintiffs claim that Salesforce, a cloud-based software company, and Hanna Anderson, a high-end children’s clothing retailer, failed to protect their data, to provide adequate cybersecurity warnings, and to safeguard their platforms from intruders.
The Barnes complaint comes in the wake of a recent announcement—only a few weeks earlier—that hackers “scraped” the retailer’s customers’ names, addresses, and credit card information from Hanna Anderson’s website. Salesforce was allegedly responsible for hosting this data on its e-commerce platform, which was “infected with malware” and, as a result, became susceptible to the breach. The hackers then posted this information up for sale on the dark web, leading to identity-theft and other privacy concerns. Plaintiffs also claim that the retailer unreasonably delayed its announcement of the breach; and that the breach affected residents of every state, potentially including over 10,000 California residents. Plaintiffs seek, inter alia, injunctive and declaratory relief, free credit monitoring, statutory damages, punitive damages, disgorgement and restitution, and attorneys’ fees and costs.
In an interesting twist, the Barnes complaint, however, does not allege an express cause of action for a violation of the CCPA. Rather the Barnes plaintiffs predicate their UCL § 17200 causes of action, in part, on alleged violations of the CCPA. This is a creative procedural mechanism that allows plaintiffs to buttress their privacy claims, as well as to rebut any challenges with respect to standing, namely, that they did not suffer an injury-in-fact that is “concrete and particularized”—as required by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 578 U.S. ___ (2016).
In their two UCL causes of action for “unlawful” and “unfair” business practices, Plaintiffs thus expressly rely on the newly implemented CCPA standards. First, they claim that “Defendants engaged in unlawful acts and practices . . . by establishing the sub-standard security practices and procedures” and by storing personal information “in an unsecure electronic environment in violation of” the CCPA. Second, they assert that Defendants acted unlawfully “by failing to disclose the data breach to California Class members in a timely and accurate manner, contrary to the duties imposed by” the CCPA. Notably, plaintiffs “reserve the right to amend this Complaint . . . to seek damages and relief under” the CCPA.
To further boost their standing, Plaintiffs also allege that their personal information has now lost its value or has been diminished in value; that they lost (and the hackers gained) at least $15 in stolen-data-compensation per person; that they incurred “lost opportunity costs” and certain out-of-pocket expenses; and that they were deprived of their rights under the CCPA and the UCL. Plaintiffs bring this lawsuit (1) on behalf of the nationwide class and (2) on behalf of the California Class of consumers whose data was compromised as a result of the breach.
Currently, the CCPA provides for a limited private right of action for data breaches, with damages between $100 and $750 per violation, per consumer. If the Barnes complaint is later amended to successfully assert an actual CCPA cause of action, the defendants would face a minimum of $1,000,000 in CCPA statutory damages.
On the surface, the Barnes case seems to be a perfect pilot case for raising a CCPA cause of action. The CCPA, however, contains some ambiguities, which may have played a role in the notable absence of this claim from the Barnes complaint. First, the CCPA protects only California consumers’ “nonencrypted and nonredacted personal information . . . subject to an unauthorized access.” See Cal. Civ. Code § 1798.100(a)(1). Second, it requires a 30-day notice and an opportunity to cure before a CCPA class action may be filed and prohibits the lawsuit if the company successfully and promptly cures the breach. See Cal. Civ. Code § 1798.100(b).
What this means in practical terms remains to be seen. These requirements contain several ambiguities, such as (1) whether the plaintiffs have standing in cases where their stolen data was encrypted, but the hackers managed to bypass encryption and (2) whether the defendant’s removal of the malware amounts to a sufficient “cure,” which bars a subsequent class action.
Companies should closely watch the progression of this lawsuit. Barnes may pave the way for other privacy class actions, especially if the district court issues any consumer-friendly rulings, interprets the CCPA, or rules on any of the unresolved issues, such as the ones raised in this post.