• by Ray Schultz , Columnist, February 10, 2020

It didn’t take long for lawyers to use CCPA as a cudgel against companies, sort of.

A class-action suit was filed last week against Salesforce and its client, children’s apparel seller Hanna Andersson, alleging a data breach. It cites CCPA but does not invoke it as law.  

That’s appropriate because the breach took place last year, before CCPA was implemented. And there may be issues pertaining to class standing and other legal intricacies.  

Still, this is a harbinger of what brands can expect in the days to come.

The complaint, filed with the U.S. District Court for the Northern District of California,, San Francisco division, charges that personally identifiable information (PII) on Hanna Andersson customers was found on the dark web.

It adds that “that Hanna Andersson’s third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers.”

The incident has affected around 10,000 California residents, and for the purposes of this suit, such a resident claims to have been victimized: Bernadette Barnes of Sacramento.

On Oct. 14, 2019, Barnes purchased five items online for a total cost of $119.59, the complaint states. To complete the action, Barnes entered “her PII: name, billing and shipping addresses, payment card type and full number, CVV code, credit card expiration date, and email address,” it adds.

That same day, Barnes received an email confirmation of the transaction. On Jan. 15, like other customers, Barnes got a notice from Hanna CEO Mike Edwards about the breach that occurred between September 2016 and Nov. 11, 2019.

“We have taken steps to re-secure the online purchasing platform on our website and to further harden it against compromise,” Edwards writes. “In addition, we have retained forensic experts to investigate the incident and are cooperating with law enforcement and the payment card brands.”

In addition, the firm is offering MyIDCare identity theft protection services through ID Experts, including 12 months of credit and CyberScan monitoring and a $1,000,000 insurance reimbursement policy, Edwards continues.

Despite those benefits, Barnes is coping with anxiety and “time spent reviewing the account compromised by the breach, contacting her credit card company, exploring credit monitoring options, and self-monitoring her accounts,” her complaint states.

Data breaches have resulted in some hefty settlements, and are much in the news. For example, the story broke on Monday that Equifax, which suffered a massive breach, was the victim of Chinese military hackers.

Bloomberg Law writes that if the Barnes suit were amended to assert a cause of action under CCPA, “the defendants would face a minimum of $1,000,000 in CCPA statutory damages.”

But it may not come to that.The CCPA requires “a 30-day notice and an opportunity to cure before a CCPA class action may be filed and prohibits the lawsuit if the company successfully and promptly cures the breach,” Bloomberg Law continues.

Salesforce has not responded to a request for comment at deadline.