October 26, 2020

Volume X, Number 300


October 23, 2020


A New CCPA Data Breach Lawsuit Is “Minted”

Online stationery and craft company Minted Inc. has been hit with a CCPA class action lawsuit, stemming from a massive data breach the company disclosed in late May.  The proposed class action lawsuit, filed in a California federal court, claims that Minted Inc. failed to implement “reasonable security measures” and to properly encrypt certain personal information. See Atkinson v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal. June 11, 2020).  As a result, the hackers allegedly accessed the company’s database that contained customers’ names and login credentials, including unredacted and unencrypted account information.  Some 73.2 million records were allegedly stolen and included passwords, names, and other information.

The Minted Inc. lawsuit is predicated on the California Consumer Privacy Act.  It also asserts other causes of action, such as California’s Unfair Competition Law, negligence, breach of contract, and breach of implied contract.  The putative class seeks compensatory damages, punitive damages, and penalties.  The plaintiffs asked the court to certify two classes:  (1) a California class predicated on the CCPA and the UCL and (2) a nationwide class, which includes those consumers to whom the CCPA and the UCL do not apply.

As a reminder, the CCPA applies to many companies doing business in California, if they meet certain thresholds, which we previously discussed here.  If a company subject to the CCPA fails to implement “reasonable security measures,” and a data breach subsequently results, the victims of the data breach who are California residents can file a class action and seek significant statutory penalties, ranging from $100 to $750 for every single violation.  In a breach involving 73.2 million records, these penalties quickly escalate to “bet the company” damages, if a large percentage of the putative class plaintiffs reside in California and can claim CCPA penalties.  Additionally, the California Attorney General can seek even higher penalties through a regulatory enforcement action, although it is presently unclear how the AG intends to enforce the CCPA, and the draft regulations only became final late last month, as we discussed here.

“Reasonable security” is a particularly thorny topic and one that has not been defined in the CCPA, or by the courts to any degree.  We discussed the “reasonable security” threshold in a recent webinar with recommendations as to how to develop a reasonable, sustainable, and defensible information security program.

The CCPA is gaining significant traction in California.  We previously reported here on the very first CCPA class action complaint, which was filed earlier this year: Fuentes v. Sunshine Behavioral Health Group, LLC, Case No. 8:20-cv-00487 (C.D. Cal. March 10, 2020).  Like the Minted Inc. lawsuit, it stemmed from a data breach, which allegedly exposed highly sensitive personal and medical information of thousands of patients.  We also wrote here about the first-of-its-kind California class action, Barnes v. Hanna Andersson, LLC, which relied on the CCPA to form a basis for a claim under another California statute but did not expressly assert a CCPA cause of action.  We anticipate a steady increase in the number of CCPA data breach class actions that will be filed this year.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

National Law Review, Volume X, Number 169



About this Author

Natalie Prescott
Practice Group Associate

Natalie’s practice focuses on a wide range of litigation matters.

Prior to joining the firm, Natalie worked as the co-founder and trial lawyer for a boutique litigation firm that focuses on state and federal litigation. She also spent many years as a litigation associate at one of the world’s largest law firms, where she received extensive consumer litigation, trial, and appellate experience.

Previously, Natalie served as a judicial law clerk for the Honorable Roger T. Benitez of the United States District Court of the...

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-demand media commentator and speaker on privacy and cybersecurity issues.

Cynthia is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E).

She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions. She is also a key contributor to MintzEdge, an online resource for entrepreneurs that includes useful tools and information for starting and growing a company.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

During law school, she was editor-in-chief of the Probate Law Journal.