SORRY, THIS MAY BE THE LONGEST ALERT I HAVE EVER WRITTEN BUT THERE ARE A LOT OF IMPORTANT NUANCES FOR ANY BUSINESS WITH CUSTOMERS IN CALIFORNIA.
This case is likely to get confusing, but this is only the first of many to come.
First, the facts –
This week a lawsuit was filed against Hanna Anderson AND Salesforce saying Salesforce and Hanna Anderson failed to protect user data, safeguard platforms or provide cybersecurity warnings.
The complaint asks the judge to determine whether the companies violated the new California Consumer Privacy Act; it does claim outright that they violated California’s Unfair Competition Law and were negligent.
The complaint does not YET ask for money, but it reserves the right to amend the complaint.
Why this complaint and a number of others not yet filed are going to be interesting is because of the effective date of CCPA – January 1, 2020.
Since this breach happened last year and was discovered last year, both events occurred before CCPA went into effect.
BUT, Hanna Anderson did not notify customers until mid January this year – after CCPA went into effect.
This is likely why they threw the kitchen sink into the lawsuit.
Guaranteed there are going to be many more like this for a while.
One point of view is that the breach happened and was discovered before CCPA came into effect, but the other point of view is that consumers were not notified until after CCPA came into effect, so they had no knowledge of the event until after CCPA came into effect.
Note that this is an edge case. Time will sort this out.
What about cases where the breach happened pre-CCPA but the breach discovery happened post-CCPA? By my reading, the law doesn’t clarify the situation, but there is probably a lot of legal precedent that will guide the courts.
Eventually, new breaches will be post-CCPA, but think about Marriott. They didn’t discover the breach for four years. Other breaches went undiscovered for ten years. That is why this ruling will be important.
From the lawyer’s standpoint, this is not the BIGGEST lawsuit around by any stretch, but still 10,000 x CCPA’s maximum statutory damage claim of $750 is $7.5 million. If it is 20,000, the claim could be for $15 million.
It seems that the strategy is to get the court to rule on whether CCPA applies and if it does then they amend the claim asking for millions.
If it does apply then this becomes the very first, ever, CCPA breach case.
Remember that CCPA does not require that you show that you have been damaged, so Hanna Anderson’s offer of credit monitoring, credit repair and a million dollar insurance reimbursement policy is good PR. Nothing more. Historically, when companies were breached they offered these services because they could then claim that customers were not harmed, since the company was making them whole. BUT, CCPA does not require people to show that they were harmed, so this strategy does not help Hanna Anderson.
There is a defense under CCPA – that the company was breached in spite of reasonable cybersecurity protections being in place. Of course, reasonable is not defined, although Kamala Harris did take a stab at it in 2016 when she was the California AG. Her opinion does not carry the force of law; it merely indicates what strategy she might take if she were to sue someone.
The “reasonable” term in security and privacy laws drives me crazy. In fact, New York just removed that term from their law. It does, however, generate large fees for lawyers and experts alike.
So let’s see what we know about their “reasonableness”. Remember this is all from media reports, so who knows if it is accurate or tells the whole story, but here goes anyway:
So there is really more that we do not know than we do know, but this is the beginning of a new era – post CCPA.
All of this depends on whether the trial court (and all of the appeals) says that CCPA applies or not.
Information for this post came from Security Week, Bloomberg Law, and Media Post.