CCPA’s Statutory Damages Push More Breach Litigation to the Golden State

Published: Feb. 19, 2020

Updated: Jun. 13, 2023

We had long predicted that the CCPA’s introduction of statutory damages associated with certain data breaches would make California a popular venue for data breach class action lawsuits. Sure enough, litigants are now raising such claims in Barnes v. Hanna Andersson, a data breach litigation against children’s apparel company Hanna Andersson (“Hanna”) and its vendor, Salesforce. 

The case arose from a data breach that plaintiffs allege involved theft of payment card numbers and other financial information sufficient to enable the hackers to make fraudulent purchases and steal the identities of those affected. Plaintiffs contend such stolen information also made its way to the dark web, creating a “lifetime risk of identity theft” for the affected individuals. Plaintiffs allege that Hanna and Salesforce negligently and/or carelessly failed to protect customer data, whether by preventing the breach or by promptly detecting it. Plaintiffs contend that the breach went undetected for months, and was only discovered when law enforcement notified Hanna that it had discovered such financial information on the dark web.

As in other data breach lawsuits, Plaintiff identifies as injuries to the class members (1) lost or diminished value of personal information; (2) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, fraud, or misuse of personal information; and (3) lost opportunity costs in spending time to mitigate consequences of the breach. But Plaintiff also alleges that class members were deprived of rights possessed under the CCPA.

The Complaint contains multiple allegations intended to establish that defendants failed to implement reasonable security under the CCPA. For example, Plaintiff pointed to (1) the length of time the data was vulnerable to unauthorized access; (2) Hanna’s posting of a job opening for a “Director of Cyber Security”; (3) warnings from the FBI regarding e-skimming attacks; and (4) well-publicized and widespread attacks on other e-commerce retailers that should have given defendants notice of the risk.

Only time will tell whether Plaintiff can establish that the defendants failed to implement reasonable security. But the case likely marks the beginning of a new trend in data breach litigation, with more fulsome allegations of unreasonable security practices. Given the statutory damages available under the CCPA, which arguably obviate the need to allege injury to survive a motion to dismiss, California will be a hotbed for such litigation. Courts will need to assess a number of novel issues, including whether circumstantial allegations (e.g., the existence of similar attacks) suffice to state a claim for failure to maintain reasonable security, whether the CCPA’s statutory damages are available for breaches occurring before the CCPA’s effective date, and how the CCPA’s 30-day cure period affects the claims, if at all.