We anticipated a lot of lawsuits would be filed under California’s new law, the California Consumer Privacy Act (CCPA), as it imposes a data security duty on organizations. But will any of the complaints filed withstand early motions to dismiss? The CCPA requires complainants to give the organization 30 days to “cure” a violation and to provide assurance that it will not occur again. Can a plaintiff claim that because their data was stolen and sold on the dark web, there is no cure available and the case should just proceed?
A potential class action lawsuit was filed in federal court this week. This one involves a hack by the threat actors known as ShinyHunters. On May 6, a post on a popular forum announced that data from a number of companies hacked in January was now up for sale. The threat actors also listed the sale themselves on a dark web marketplace, with a price tag of $2500. As of today, there have been no sales of Minted data on that one marketplace, but of course, that doesn’t rule out private sales or sales negotiated on Jabber, etc.
Minted, Inc. allegedly first learned that they had been hacked when ZDNet reported that a bunch of companies allegedly had their data hacked and listed for sale by Shiny Hunters.
The plaintiffs in the proposed class action lawsuit filed in San Francisco federal court this week are Melissa Atkinson and Katie Renvall. The complaint claims violations of the California Consumer Privacy Act § 1798.150, violation of California’s Unfair
Competition Law, Cal. Bus. & Prof. Code § 17200, et seq., negligence, breach of contract, and breach of implied contract.
According to the complaint, the breach compromised the consumers’ name, email address, “hashed” or “salted” password, and “where available, telephone number, billing address, and shipping address(es).”
Minted’s notification about the breach can be found here. It says, in relevant part:
The information involved includes customers’ names and login credentials to their Minted accounts, consisting of their email address and password. The passwords were hashed and salted and not in plain text. Telephone number, billing address, shipping address(es), and, for fewer than one percent of affected customers, date of birth, also may have been impacted.
Based on our investigation to date, we have no reason to believe that the following information was affected: payment or credit card information, customer address book information, or photos or personalized information that customers added to Minted designs.
The lawsuit makes some interesting claims in that it seems to be trying to establish encryption as necessary and anything less as not constituting reasonable security. Citing a post from last year by Steve Tuow on IAPP, the complaint claims:
Minted has failed to maintain reasonable security controls and systems appropriate for the nature of the PII it maintains as required by the CCPA and other common and statutory laws. Hashed and “salted” passwords are not necessarily encrypted. According to one blogger for the International Association for Privacy Professionals, “encryption is a security strategy …[that] protects your organization from scenarios like a devastating breach where, if the adversary were to gain access to your servers, the data stored would be of no use to them, unless they have the encryption key. It’s an all-or-nothing security posture: You either get the see the data unencrypted, or you don’t.” “[O]rganizations should encrypt their data on a disk as a required security measure. But they must not stop there. In fact, the CCPA is clear that they should go further.” Id.
The complaint also alleges that Minted failed to maintain proper measures to detect hacking and intrusion. Since Minted acknowledged that they did not know that they had been hacked and had data exfiltrated in January until a reporter published something about it in May, how will they defend against that claim if it comes to that point? And if it’s not considered reasonable and necessary already, when will it become industry standard that all entities collecting and storing more than X individuals’ personal information should have a means to detect large file transfers/exfiltration by sftp that are anomalies from their usual network traffic? Or should there be some other standard or best practice that we will hold entities to?
Not surprisingly, the complaint does not allege that either of the named plaintiffs have experienced any concrete injury like identity theft or fraud. It’s all about what may happen and the time they will have to spend forever, etc. etc. etc. But the fact that the plaintiffs claim there is no cure makes me wonder whether all future complaints will try that same tack. Some of us had been discussing this exact issue at the Privacy&Security Forum last month. What’s a “cure” in a confirmed breach if identity information is involved and will not change over the individual’s lifetime? And how can an entity really provide assurance that a similar or identical breach won’t happen again? Will pinky swearing suffice?
I think the CCPA litigation — to the extent that complaints survive initial challenges — may get us more into what is considered “reasonable” security — at least in California.
DataBreaches.net has been unable to reach Minted via email so far, but has reached out to the firm via Twitter to try to get contact information. If I can get a statement from the firm about the lawsuit, this post will be updated with it.
Update: The company responded by stating that it does not comment on any potential pending litigation.