Lessons from the First Case Alleging CCPA Violations

The record amount of data being processed across increasing touchpoints has led to many governments implementing a series of regulatory frameworks that dictate how data may be used and shared. Of these regulations, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Payment Card Industry Data Security Standard (PCI DSS) are among the most frequently cited. Brazil has a similar set of regulations (LGPD) going into effect in 2021 (pushed out from August 2020 due to worldwide events). The EU’s GDPR, which is approaching its second anniversary, focuses on protecting European citizen data and thus far, there have been almost 300 citations associated with GDPR violations. CCPA, however, is a more recent introduction, and the original bill, which intended to protect consumers’ privacy, was passed by the California State Legislature in June 2018, signed into law in October 2019 and became effective on January 1, 2020.

Influenced by the perceived success of the EU’s GDPR, the CCPA hands Californian consumers new rights pertaining to their personal information and the way their data is collected, proliferated and stored. Under these new regulations, customers have the right to request insight into how companies use their personal data. Even though the CCPA is a state statute, exclusive to the state of California, the Golden State’s strategic economic importance as an American financial hub renders numerous companies answerable to the stricter data protection rules enshrined in the CCPA.

Currently, failure to comply with the CCPA can result in significant sanctions, with statutory damages between $100 and 750 per record breached. California courts can, however, increase penalties, depending on the breach. Sanctions can reach $7,500 for intentional violations and $2,500 for unintentional violations. While we have yet to see a fine handed out under these stipulations, there are other detrimental implications associated with regulatory incompliance, such as negative press coverage and loss of consumer trust. As a matter of fact, reputational damage alone can be the most devastating and financially impactful effect for noncompliant businesses.

Why should you be concerned with CCPA?

Despite its relatively recent introduction to the regulatory landscape, the CCPA has already been cited in its first case. The first-class action lawsuit alleging data breaches under the CCPA was filed by California resident Bernadette Barnes in Barnes v. Hanna Andersson LLP and Salesforce.com, Inc at the San Francisco division of the United States District Court.

Barnes alleges, on behalf of herself and others affected by the breach, that high-end children’s clothing online retailer Hanna Andersson and its San Franciscan cloud-based e-commerce platform Salesforce failed to adequately protect user data, therefore violating the CCPA.

Attorneys argue that Hanna Andersson left customers’ personal information vulnerable to access by unlicensed individuals, whereas Salesforce failed to detect the data breach for almost three months.

The court heard that, during the breach – which occurred between September 16 and November 11, 2019 – hackers stole personal information from an estimated 10,000 Hanna Andersson customers. This breached data included names, addresses and credit card information such as card CVV codes, expiration dates and card numbers. In court, it was argued that the plaintiffs suffered extensively due to this breach, which diminished the value of their personally identifiable information (PII), which remains available for abuse on the dark web; incurred them with extensive costs associated with identify theft; and deprived them of the rights they possess under the California Unfair Competition Law and CCPA. This novel punitive class-action case saw plaintiffs rely on the new CCPA regulations, claiming the defendants employed unlawful business and substandard security practices.

This lawsuit reveals several things. First, clear precedents have yet to be established in regard to claims being covered by CCPA. This is to be expected, given that this is the first lawsuit to cite CCPA since its effective date of January 1, 2020, and those clear precedents will come sooner rather than later. To that point, we can expect more lawsuits moving forward to cite the CCPA, and many – if not all of these – will probably refer to situations that occurred after the CCPA effective date. Most importantly, though, is the not-so-subtle takeaway businesses should glean from this situation: Data privacy and security are not rights to ignore, but to address head on through robust, data-centric security protections and regulatory-compliant processes for gathering, handling and storing personal data appropriately, as opposed to relying solely on perimeter defenses and intrusion detection techniques.

Securing Data and Ensuring Compliance

Threats to personal data are constantly evolving, so businesses must continually adapt their data security strategies in order to comply with new data protection regulations – especially with the advent of landmark data protection legislation intended to ensure that organizations are held accountable for the way that they use and process personal consumer data.

While there is no surefire way to completely ensure that your data will be preserved, there are tools that can be deployed top improve security posture. As we know, compliance does not equate to security, regardless of how many regulations you are trying to conform to. Instead, regulations should be seen as a roadmap on the journey to cybersecurity. In fact, there are tools that can be used to keep information accountable to regulation and useless to unauthorized actors.

When it comes to securing PII, CCPA regulation states that the use of pseudonymization is acceptable to preserve data from unauthorized access. Likewise, data tokenization is an incredibly useful tool when considering regulatory compliance. This is when sensitive information, such as names and financial information, is substituted with a “token” or a non-sensitive alternative. This means that if Salesforce and Hanna Andersson had deployed tokenization, they would not have been subjected to a lengthy legal battle, as the information would be entirely useless to the hackers.

Tokenized data can still be analyzed for comprehensive insight without breaching CCPA. Indeed, tokenized data, in the context of the CCPA, is not considered as “personal information” so long as it has been “de-identified.” The fact that tokenized information affords additional regulatory compliance means that it is an incredibly useful tool for achieving CCPA compliance. Also, if done properly, data tokenization can be used to secure information in accordance with PCI DSS.

As personal data becomes more valuable, this information will become targeted more frequently by criminals. Sensitive personal data can be sold on the dark web, but threat actors can also use that information for other purposes, such as extortion and plain old vindictive maliciousness. Complying with CCPA is a step toward protecting consumer data, but more needs to be done to achieve total data security through a combination of tools and processes.