In retailing it’s usually a good thing when you’re the first to do something. Except when it’s a lawsuit. And except when you’re the first retailer to get rung up under the new California Consumer Privacy Act (CCPA).
Although the law has only been in effect since Jan. 1, the first class-action lawsuit alleging data breaches under the CCPA was filed on Feb. 5. The plaintiffs are customers of children’s clothing company Hanna Andersson and Salesforce.com. The lawsuit was brought after Hanna Andersson announced on Jan. 15 that hackers stole customer names, credit card numbers and other personal information. The data was later found for sale on the dark web. Salesforce is part of the complaint because it hosted the Hanna Andersson eCommerce site. The complaint accuses Salesforce of allowing the site to be infected with malware, which is the prime suspect for the data breach.
Neither Salesforce nor Hanna Andersson has commented or responded as yet to the complaint.
The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018. The California law is more specific and more punitive for breaches. The CCPA is intended to give consumers control over their personal information online. Under the law, consumers have the right to know what personal information companies are collecting about them, along with the right to block sale of that information and access to it if it has been collected. Consumers also have the right to ask companies about any and all data collected on them, and companies have to share that information when requested. If their requests are not accommodated, consumers can file suit.
In addition to the first lawsuit filed, companies in California are confronting the new reality of the CCPA. According to TechCrunch, i360, an advertising and data company, no longer asks for full Social Security numbers, opting instead for the last four digits. Verizon has asked its customers to upload their driver’s license or state ID to verify their identity. Comcast asks for the same, and adds an additional requirement asking customers for a selfie before it will turn over customer data.
In some ways the Hanna Andersson/Salesforce complaint is not a surprise. Security Boulevard research shows that as of Dec. 1, 2019, 91 percent of organizations covered under the law had not yet completed all the CCPA-related workstreams. The potential punishments for non-compliance are steep. In the wake of a data breach, consumers can seek damages for weak data-security protections — up to $750 per consumer, per incident. A data breach that exposes the records of 10,000 customers could potentially cost a firm up to $7.5 million. Although there had been reports that the CCPA would not be enforced until July 1, prosecutors have ignored that.
“This is just the beginning of what will be a long list of CCPA-related lawsuits,” according to a Security Boulevard blog by Jingcong Zhao. “And while the cost of becoming CCPA-compliant may be steep, the cost of non-compliance will be much steeper.”
Hackers aren’t making compliance any easier. Reports have now surfaced about skimmers (hidden devices designed to steal credit card information) becoming more powerful online. Last week the first arrests were announced for eSkimming. Interpol, which helps coordinate police agencies in 194 countries, said in late January that it had arrested three people from Indonesia who allegedly compromised hundreds of online shopping websites. It said the suspects stole payment card details and personal data such as names, addresses and phone numbers.