February 11, 2020

California Consumer Privacy Act sees early action

In one of the first lawsuits to invoke the California Consumer Privacy Act, a consumer in California has filed a class action complaint against Hanna Andersson, LLC (HA) and Salesforce.com Inc., following HA’s January 15, 2020 announcement of a widespread data breach.  HA is primarily a children’s clothing retailer.  Salesforce is named as a defendant because the breach, purportedly brought to HA;s attention by law enforcement, involved online purchases.  Salesforce provides customer relationship management technology to HA, linking online purchasers to its websites and using the purchasers’ payment and personal information to finalize transactions. According to the complaint, filed on February 3, 2020, HA does not require online customers to agree to Terms of Use.

According to the complaint, hackers took HA customers’ names, billing and shipping addresses, payment card numbers, CVV codes and card expiration dates.  The plaintiffs allege that their personally identifiable information (PII) was later found for sale on the dark web.

The suit has been filed in US District Court for the Northern District of California, San Francisco Division.  The plaintiffs seek redress under the California Unfair Competition Law as well as the CCPA, alleging in support of the foregoing sub-standard security practice, inadequate protection of, and failure to take reasonable measures to safeguard and securely store the plaintiffs’ PII.

Complaint | Incident announcement