Salesforce, Hanna Andersson among first companies to face lawsuit citing California's new privacy law

Cloud-based software company Salesforce and a high-end children's clothing retailer are among the first companies facing a data-breach lawsuit in federal court under California's landmark privacy law, which took effect Jan. 1.

Salesforce and Hanna Andersson failed to protect user data, safeguard platforms or provide cybersecurity warnings, violating the California Consumer Privacy Act, California resident Bernadette Barnes alleges in a complaint filed yesterday in federal court in San Francisco.

Companies and their lawyers have been expecting a wave of litigation under the CCPA, which includes a private right of action that lets consumers sue for damages following a data breach if companies had inadequate security practices. California residents can seek up to $750 per consumer, per incident, under the CCPA after a breach for weak data-security protections.

Barnes is seeking to represent individuals whose personal information was compromised in a breach that occurred between last Sept. 16 and Nov. 11. According to Barnes' complaint, hackers "scraped" Hanna Andersson customers' names from its website by infecting it with malware, and stole customers' addresses and credit card information.

But Andersson, whose e-commerce platform is hosted by Salesforce, waited until Jan. 15 to notify customers and state attorneys general about the widespread data breach, plaintiff said. In the meantime, customer information  already has been found on the dark web, plaintiffs allege.

"Defendants knew or should have known that its computer systems and data security practices were inadequate to safeguard California Class members' PII and that the risk of a data breach or theft was highly likely," Barnes said.

Barnes is seeking credit monitoring, an order enjoining the defendants from engaging in the alleged wrongful conduct, disgorgement, and compensatory, statutory, and punitive damages, "in an amount to be determined," she said.

While Barnes is not seeking fines under the CCPA, she said she reserves the right to amend her complaint to add a potential California class to seek damages under the law's data-breach provisions.