• by Wendy Davis  @wendyndavis, July 13, 2020

Tech company Salesforce and children's clothing retailer Hanna Andersson have agreed “in principle” to settle a class-action lawsuit over a 2019 data breach, court papers reveal.

Settlement terms are expected to be finalized before the end of August, according to documents filed earlier this month with U.S. District Court Judge Edward Chen in San Francisco.

If granted approval by Chen, the deal will resolve one of the first lawsuits in California to allege a violation of the state's new Consumer Privacy Act.

The lawsuit stemmed from a data breach that occurred last year and may have affected more than 10,000 California residents, according to an amended complaint brought in June by Sacramento resident Bernadette Barnes and Alexandria, Virginia residents Krista Gill and Doug Sumerfield.

They alleged that the store notified customers in January about the data breach, which allegedly resulted in hackers obtaining personally identifiable information -- including customers' names, addresses, credit card numbers, security codes and card expiration dates.

“In addition to their failure to prevent the breach, Hanna and Salesforce failed to detect the breach for almost three months,” the complaint alleged. “Months after it started, law enforcement found the stolen information on the dark web and warned Hanna on December 5, 2019. Hanna then investigated the breach, confirmed that Salesforce Commerce Cloud’s ecommerce platform was 'infected with malware,' and confirmed that the PII entered by customers into the platform during the purchase process was 'scraped.'”

Among other claims, the customers allege that the companies violated the California Consumer Privacy Act.

That law -- which went into effect in January -- is largely known for privacy provisions that allow consumers to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale. But the measure also includes data security provisions, including ones that authorize private lawsuits over certain data breaches.

Hackers store the information last year, before California's new privacy law took effect. But the amended complaint sought to hold the companies responsible for violating the law on the theory that hackers “further disclosed” customers' personal information after January 1 of this year.

When Hanna Andersson CEO Mike Edwards notified customers about the data breach, he said the company would offer one year of credit monitoring, identity theft recovery services, and a million-dollar insurance reimbursement policy, CyberScoop reported earlier this year.