Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

And So It Begins: The First CCPA Class Action

By Jeffrey L. Poston, Nathanial J. Wood, Paul M. Rosen, Kristin Madigan, Gabriel M. Ramsey & Kayvan M. Ghaffari on March 24, 2020
Email this postTweet this postLike this postShare this post on LinkedIn

 

California businesses have been nervously waiting for the first class action asserting a violation of California’s now-infamous California Consumer Privacy Act (CCPA).

The wait is now over.

The CCPA, a consumer privacy law that Crowell & Moring has analyzed and written about at length provides California consumers with a private right of action when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a). The CCPA’s private right of action allows plaintiffs to collect statutory damages—per breach, which can quickly add up—without proof of actual damage from the unauthorized access. The law broadly applies to any for-profit business doing business in California that collects, shares, or sells California consumers’ personal data, and: (1) has annual gross revenues in excess of $25 million; (2) possesses the personal information of 50,000 or more consumers, households, or devices; or (3) earns more than half of its annual revenue from selling consumers’ personal information.

On March 9, 2020, plaintiffs in a putative data-breach class action filed an amended complaint against Hanna Andersson and Salesforce, its e-commerce platform, alleging a claim for violation of the CCPA. The amended complaint alleges hackers scraped personally identifiable information (PII) from Andersson’s and Salesforce’s platform from September 16, 2019, to November 11, 2019, and used that information to steal the customers’ identities and make fraudulent purchases. According to the amended complaint, neither Andersson nor Salesforce uncovered this breach; instead, law enforcement agents notified both of the breach on December 5, 2019. The amended complaint further alleges that Andersson failed to protect consumers’ data because it did not have an executive in charge of cybersecurity, based on the fact that, after the malware was discovered and removed from the platform, Andersson posted a job opening for a “Director of Cyber Security,” who would be “responsible for safeguarding all systems end points and network infrastructure from all forms of intrusion.” The putative class plaintiffs seek between $100 and $750 for each California resident affected by the alleged breach, along with injunctive relief and attorneys’ fees and costs.

The amended complaint presents a host of novel issues that courts will grapple with as the CCPA makes its way through the judiciary, including:

  • Whether a class action can be based on a data breach that occurred before the CCPA went into effect;
  • Whether the failure of a businesses to have a cybersecurity lead at the time of the alleged breach is relevant to a liability finding;
  • How courts will interpret what is “reasonable” in safeguarding PII; and
  • How will courts interpret the “cure” requirement under CCPA to mitigate liability.

This suit is an important test case for how courts will interpret the CCPA for both the plaintiff’s bar and for businesses. Crowell & Moring will continue monitoring and providing updates to this case, as well as to Attorney General Xavier Becerra’s continued modifications to the proposed regulations implementing the CCPA.

Other Crowell & Moring CCPA alerts can be found here.

Photo of Jeffrey L. Poston Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years…

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Read more about Jeffrey L. PostonEmail
Show more Show less
Photo of Nathanial J. Wood Nathanial J. Wood

Nathanial Wood is a partner in Crowell & Moring’s Litigation Group in the firm’s Los Angeles office. His practice focuses on the litigation of complex commercial matters, including privacy and cybersecurity and class actions. Nathanial has substantial experience representing clients at all phases…

Nathanial Wood is a partner in Crowell & Moring’s Litigation Group in the firm’s Los Angeles office. His practice focuses on the litigation of complex commercial matters, including privacy and cybersecurity and class actions. Nathanial has substantial experience representing clients at all phases of the litigation process, from pre-litigation counseling through trial and appeals.

Read more about Nathanial J. WoodEmail
Show more Show less
Photo of Paul M. Rosen Paul M. Rosen
Read more about Paul M. RosenEmail
Photo of Kristin Madigan Kristin Madigan
Read more about Kristin MadiganEmail
Photo of Gabriel M. Ramsey Gabriel M. Ramsey
Read more about Gabriel M. RamseyEmail
Photo of Kayvan M. Ghaffari Kayvan M. Ghaffari
Read more about Kayvan M. GhaffariEmail
  • Posted in:
    Corporate & Commercial, Featured Posts
  • Blog:
    Retail & Consumer Products Law Observer
  • Organization:
    Crowell & Moring LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • The FTI Award Journal
  • International Dispute Resolution
  • China Law Update Blog
  • Law of The Ledger
  • Antitrust Law Blog
Copyright © 2022, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo