The first class action alleging a violation under the California Consumer Privacy Act ("CCPA"), which was filed against ‎Hanna Andersson, LLC has now been resolved for $400,000 subject to court approval. The settlement amounts to ‎‎$2 per settlement class member and anticipates a payout of $38 per average valid claim. While the claims are ‎premised on a cyber incident that occurred prior to the enactment of the CCPA, how the court handles the monetary ‎component of the settlement may help provide some guidance for future CCPA litigants.‎

Factual and Procedural Background ‎

Hanna, a high-end children's clothing retailer, notified customers and state Attorneys General on or ‎about January 15, 2020 that it had experienced a breach whereby hackers accessed customers' ‎personal identifying information ("PII") through its third-party e-commerce platform. The notice ‎advised that a cyberattack allegedly occurred between September 16 and November 11, 2019 and ‎affected thousands of Hanna customers. Specifically, Plaintiffs allege that hackers obtained all the PII ‎needed in order to make fraudulent purchases (e.g. names, billing and shipping addresses, payment ‎card type and numbers, security (CW) codes, and expiration dates) and that law enforcement officials ‎found stolen information for sale on the dark web.‎

Shortly after Hanna notified affected individuals, plaintiff Bernadette Barnes filed a class action ‎against Hanna in the United States District Court for the Northern District of California. See Barnes ‎v. Hanna Andersson, LLC, et al., Case No. 3:20-cv-00812-EMC. A complaint filed by Krista Gill and ‎Doug Sumerfield (collectively with Bernadette Barnes, "Plaintiffs") on March 30, 2020 was combined ‎with the Barnes action and led to the Consolidated Amended Class Action Complaint (the ‎‎"Complaint") filed on June 3, 2020. ‎

The Complaint asserted five causes of action: (1) negligence, (2) declaratory relief, (3) violation of the California Unfair ‎Competition Law, Cal. Bus. & Prof. Code § 17200, et seq., (4) violation of the CCPA, Cal. Civ. Code § 1798.100, et ‎seq., and (5) violation of the Virginia Personal Information Breach Notification Act, Va. Code Ann. § 18.2-186.6, et ‎seq. Plaintiffs sought equitable and monetary relief on behalf of all persons whose PII were compromised as a result ‎of Hanna's purported failure to adequately protect PII, warn users of inadequate security practices, and monitor ‎Hanna's website and ecommerce platform for security vulnerabilities and incidents.‎

Settlement Terms

The parties reached a settlement in principle on June 19, 2020 and, after months of negotiations ‎regarding the specific terms, Plaintiffs filed an Unopposed Motion for Preliminary Approval of ‎Class Action Settlement (the “Motion”) on November 19, 2020. The settlement provided the ‎following relevant provisions:‎

• The proposed nationwide settlement class will contain any individual who made ‎purchases from the Hanna website between September 16 and November 11, 2019, which ‎is approximately 200,273 individuals.‎
• Hanna will create a settlement fund in the amount of $400,000, which will be the ‎exclusive source of payment to settlement class members, costs of claims administration, ‎payments to any claims referee, attorney fees and expenses, and class representative ‎service awards.‎
• Hanna will make business practice changes, including but not limited to conducting risk ‎assessments consistent with the NIST Risk Management Framework; enabling multi-‎factor authentication for all cloud services accounts; hiring additional technical personnel, ‎conducting phishing and penetration testing; deploying additional intrusion detection and ‎prevention, malware and anti-virus, and monitoring applications within the Hanna ‎environment; and hiring a Director of Cyber Security.‎

Noteworthy Takeaways From The Settlement

Plaintiffs contend that the monetary terms of the settlement are “extraordinary.”  See Motion, p. ‎‎17. However, the proposed $400,000 settlement fund will only result in an average award of $38 ‎to settlement class members who file valid claims. While Plaintiffs note that a settlement class ‎member may receive up to $500 for a basic settlement award or up to $5,000 in extraordinary ‎cases, it appears that most settlement class members will receive markedly less than the $100 to ‎‎$750 prescribed by the CCPA. Id., p. 19.  ‎

There are at least two reasons why the Hanna settlement may be significantly lower than those ‎predicted in other CCPA class actions. First, the subject data breach arose before the CCPA ‎became effective. Thus, it is questionable whether the CCPA damages calculation is even ‎applicable. Plaintiffs do not address this issue in the Motion, though, and instead simply argue ‎that they have a strong claim. Second, the COVID-19 pandemic has adversely affected a ‎number of business, including retailers like Hanna. Id., p. 16. As a result, and as there is no ‎insurance coverage for any of the claims in the Complaint, Plaintiffs claim that there is a ‎legitimate risk that the defendants would be judgment-proof. Id.  ‎

The settlement also provides for substantive business practice changes on the part of Hanna, ‎which will benefit all settlement class members, regardless of whether they submit a claim, or not.  ‎These additional security precautions will undoubtedly result in additional costs to Hanna going forward.

The court will conduct a hearing on the Motion on December 23, 2020. We will continue to ‎monitor this settlement, as well as all other privacy and cyber class actions brought under the ‎CCPA, and will provide future client updates regarding these topics.‎