Salesforce On The Breach: Consumers Fight Back After Their Data Was Sold On The Dark Web
- Regulatory & Compliance
The class action counts were for negligence, declaratory relief, and violations of the California Unfair Competition Law (UCL). The complaint alleges that both companies failed to protect private data, failed to detect the data breach, employed inadequate security practices, and did not warn consumers about those deficient practices. Curiously, there is no separate count for violations of the California Consumer Privacy Act (CCPA). However, the class action partially bases its UCL claim on violations of CCPA-imposed security standards and on inadequate notice practices. One reason the plaintiffs may have left out an explicit CCPA cause of action is that the CCPA is a new law whose ambiguities are still the subject of ongoing debate. It will be interesting to see whether the class later amends the complaint to plead expressly under the CCPA, and how such a claim would hold up in court.
How are the Companies Responding to the Salesforce Data Breach?
After law enforcement notified Hanna Andersson of the breach, the company investigated and alerted all potentially affected consumers as well as the state Attorneys General. Hanna Andersson indicated that it was taking steps to remedy the breach and tighten its security measures. These measures included re-securing and hardening the purchasing platform, expanding the use of multi-factor authentication, enhancing system monitoring, hiring forensic experts to assist with the investigation, and offering identity theft protection services to consumers. The letter to the Attorney General also stated that the malware was removed on Nov. 11, but did not provide further details about the removal process. Hanna Andersson is also looking for a new director of cybersecurity. All of this suggests that sufficient security safeguards were not in place at the time of the attack.
According to the class action complaint, Salesforce never sent out an independent notice of the breach and has not released a "vulnerabilities and exposure" report. Neither company has commented on the class action lawsuit to date.
The Data Protection School of Hard Knocks
In a digital age filled with bad actors constantly looking for security flaws to exploit, the case of Salesforce and Hanna Andersson highlights the global problem of companies failing to implement sufficient security safeguards. Scraping and skimming of payment data from online purchases is an ongoing epidemic. The FBI even issued a warning describing ways that businesses can protect themselves from these attacks; its suggestions included keeping anti-malware software up to date, segregating network systems, and holding employee education seminars. Warnings from national law enforcement agencies illustrate that heightened fears about consumer data vulnerabilities are not unfounded. Consumers should be able to make online purchases with ease, and businesses need to take steps to protect those transactions and limit the potential for a breach.
The pace at which new privacy and data protection laws are appearing around the world reflects this escalating concern. Severe consequences can follow when a company fails to have meaningful security protocols in place. In this case, the failure to implement stronger security measures resulted in a successful data breach that could put consumers at lifetime risk of identity theft and purchase fraud, since much of the stolen data is already on the dark web. Prior to the breach, both companies' websites stated that the e-commerce platform employed strong security measures. This breach illustrates that the security measures and monitoring practices were not strong enough. Organizations offering products for sale to consumers should use this as a teaching moment and review their current security practices. Updating and monitoring security systems as part of a strong information governance plan is more crucial than ever to limit breach exposure.
If your organization is interested in proactive or reactive data breach response: Epiq Data Breach Response.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.