On February 3, 2020, Bernadette Barnes, a private resident of California (on behalf of herself and others similarly situated), brought the first data breach suit citing CCPA ever.  The suit named Hanna Andersson (company specializing in high end children’s apparel) and Salesforce.com (cloud technology service as a software (“SaaS”) company) as defendants, and brought claims of negligence, declaratory relief, and violation of the California Unfair Competition Law in connection with the widespread data breach that Hanna Andersson notified customers and state Attorneys General about on January 15, 2020, whereby hackers obtained access to (via Salesforce’s Commerce Cloud platform) and scraped customers’ personal information including names, addresses, payment card numbers, CVV codes, and expiration dates, and then made the information available for sale on the dark web. 

The citations to the CCPA were in Plaintiff’s negligence and state unfair competition law claims.

The negligence claim cited to both the CCPA and Section 5 of the FTC Act to establish Defendants’’ duty of care.  Specifically, CCPA requires that companies take reasonable steps and employ reasonable methods of safeguarding personally-identifiable information (Cal. Civ. Code Sec. 1798.81.5), and Section 5 of the FTC Act prohibits “unfair…practices in or affecting commerce” (15 U.S.C. Sec. 45(a)), which the FTC has enforced as including unfair practices of failing to use reasonable measures to protect personally identifiable information.

The state unfair competition claim alleged violation of Cal. Bus. & Prof. Code Sec. 17200 by engaging in unlawful acts and practices under the CCPA, specifically (1) “by establishing the sub-standard security practices and procedures described herein; by soliciting and collecting Plaintiffs’’ and California Class members’ PII with knowledge that the information would not be adequately protected; and by storing Plaintiffs’ and California Class members’ PII in an unsecure electronic environment in violation of Cal. Civ. Code Sec. 1798.81.5”; and (2) by failing to disclose the data breach to California class members in a timely and accurate manner, contrary to the duties imposed by Cal. Civ. Code 1798.82.  

The final paragraph of the complaint contained a reservation of plaintiffs’ rights to amend the Complaint to seek damages and relief under Cal. Civ. Code Sec. 1798.100 (which provides California residents with the right to seek up to $750 per consumer, per incident, for security breach incidents). 

This Complaint is noteworthy because it is the first to cite CCPA.  However, as it appears that the security breach at issue occurred in 2019 – not 2020 (CCPA went into effect on January 1, 2020) – it’s unclear how big of a role the citations to CCPA will play in the case (or that the final paragraph’s reservation would be upheld).  But additional cases like this one – based on breaches that have occurred since CCPA’s effective date – will undoubtedly follow. 

Of note, while the CCPA went into effect on January 1, 2020, and the private right of action (related to security breaches) became available on that date, the California attorney general will not begin enforcing CCPA until July 1, 2020.