California continues to lead on data privacy protection. Since the adoption of the California Consumer Privacy Act (CCPA), cracking down on data breaches and promoting consumer privacy has remained a priority in the state. Recently, a California resident filed a federal class action lawsuit against Salesforce, the cloud-based e-commerce platform, and Hanna Andersson, which is a children’s clothing company. From Sept. 16 through Nov. 11, 2019, Salesforce experienced a data breach due to a malware infiltration on their network. Through the malware, hackers were able to access purchases that Hanna Andersson customers made. Salesforce was under contract with the Hanna Andersson to handle their customers’ personal and payment information when they engaged in a sale. The breach put a significant chunk of consumer data at risk, including credit card information and personal identifiers. The hackers scraped data from about ten thousand consumers nationwide and sold it to criminals on the dark web. Law enforcement was the first entity to discover the breach in Dec. 2019, nearly 3 months after the attack started.

 

The class action counts were for negligence, declaratory relief, and violations under the California Unfair Competition Law (UCL). The complaint claims that both companies failed to protect private data, failed to detect the data breach, employed inadequate security practices, and did not warn consumers about their deficient practices. Curiously, there is no separate count for violations of the California Consumer Privacy Act (CCPA). However, the class action partially based their UCL claim on violations of CCPA-imposed security standards and inadequate notice practices. One reason the class action might have left out an explicit CCPA cause of action is that the CCPA is experiencing on-going concerns about ambiguities in the new law. It will be interesting to see if the class later amends the claim to expressly plead under the CCPA and how that plea would hold up in court.

How are the Companies Responding to the Salesforce Data Breach?

After law enforcement notified Hanna Andersson of the breach, the company investigated and alerted all potentially affected consumers as well as the state Attorney Generals. Hanna Andersson indicated that it was taking steps to remedy the breach and tighten security measures. Some of these measures included re-securing and hardening security efforts on the purchasing platform, increasing the use of multi-factor authentication, enhanced system monitoring, hiring forensic experts to assist with the investigation, and offering theft protection services to consumers. The Attorney General’s letter also stated that the malware was removed on Nov. 11, but did not provide further details about the removal process. Hanna Andersson is also looking for a new director of cybersecurity. All of this suggests that there were not sufficient security safeguards in place during the cyberattack.

According to the class action complaint, Salesforce never sent out an independent notice of the breach and has not released a “vulnerabilities and exposure” report. Both companies have not commented on the class action lawsuit to date.

The Data Protection School of Hard Knocks

In a digital age filled with bad actors constantly looking for security flaws to exploit, the case of Salesforce and Hanna Andersson highlights the global problem of companies failing to implement sufficient security safeguards. Scraping and skimming from online purchases is an ongoing epidemic. The FBI even issued a warning providing ways that businesses can protect themselves from these attacks. Suggestions included using updated anti-malware software, segregating network systems, and hosting employee education seminars. Warning from national law enforcement agencies illustrate that the heightened fears about consumer data vulnerabilities are not unfounded. Consumers should be able to make online purchases with ease and businesses need to take steps to protect these transactions and limit breach potential.

The rates of new privacy and data laws that have been popping up around the world are due to this escalating concern. Obviously, severe consequences can follow when a company fails to have significant security protocols in place. In this case, the failure to implement stronger security measures resulted in a successful data breach that could put consumers at a lifetime risk for identity theft and purchase fraud since much of the stolen data is already on the dark web. Prior to the breach, both company websites noted that the e-commerce platform employed strong security measures. However, this breach illustrates that the security measures and monitoring practices were not strong enough. Organizations offering products for sale to consumers should use this as a teaching moment and review their current security practices. Updating and monitoring security systems to maintain a strong information governance plan is more crucial than ever to limit breach exposure.

If your organization is interested in proactive or reactive data breach response: Epiq Data Breach Response.