• by Wendy Davis  @wendyndavis, February 5, 2020

Technology company Salesforce and children's clothing retailer Hanna Andersson violated California's new privacy law by failing to use reasonable data security measures, a California resident alleges in a class-action complaint filed against the companies this week.

The lawsuit, brought by Sacramento resident Bernadette Barnes, appears to mark the first time that a company has faced a civil lawsuit alleging violations of the California Consumer Privacy Act.

That law is largely known for privacy provisions that allow consumers to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale. But the measure also includes data security provisions, including ones that authorize private lawsuits over data breaches caused by lax security.

Barnes' complaint includes other, more traditional claims -- including that Salesforce and the clothing store were negligent.

The dispute stems from a data breach that occurred last year and may have affected “tens of thousands” of people, including more than 10,000 California residents, according to Barnes' complaint.

Barnes says the store notified customers in January about the data breach, which allegedly resulted in hackers obtaining personally identifiable information from Hanna Andersson's customers -- including their names, addresses, credit card numbers, security codes and card expiration dates.

“Hanna’s customers face a lifetime risk of identity theft,” Barnes alleges.

She adds that the data “was compromised due to Hanna’s and Salesforce’s negligent and/or careless acts and omissions.”

When Hanna Andersson CEO Mike Edwards notified customers about the data breach, he told them the company would offer one year of credit monitoring, identity theft recovery services, and a million-dollar insurance reimbursement policy, CyberScoop reported last month.