The popular online stationary and craft marketplace Minted Inc. has been sued in a class action under California’s new consumer privacy law, which allows for thousand-dollar per violation penalties, for allegedly mismanaging customer’s’ personal information following a massive data breach revealed last month.
According to the complaint, filed Thursday in the U.S. District Court for Northern District of California, hackers going by the name Shiny Hunters stole 73.2 million records containing personally identifying information from 11 companies, Minted among them.
On May 6, 2020, Shiny Hunters attempted to sell the data on the dark web. Minted was allegedly unaware of the breach until notified by a public report on May 15. It wasn’t until May 28 that Minted notified customers via email, according to the complaint.
Would-be class plaintiffs Melissa Atkinson and Katie Renvall allege that Minted failed to invest in appropriate data security systems, notwithstanding reporting around $150 million in revenue in 2019.
Minted told customers that the data leaked included unredacted and unencrypted names, logon email addresses, and hashed passwords. According to the complaint, it told customers no payment or credit card information was stolen but hasn’t explained how it reached that conclusion, and they say the data could be used to figure out how to access other sensitive accounts.
The lawsuit makes claims under both federal and California state law, including the California Consumer Privacy Act enacted in January.
The CCPA applies to businesses with gross annual revenues in excess of $25 million, businesses sharing the data of more than 50,000 customers, or businesses that derive 50% or more of their revenues from the sale of protected personal data, which for purposes of the law is defined broadly.
It requires companies to disclose their data collection and sharing practices and to provide consumers with the right to delete their personal information. It also requires businesses to give consumers the opportunity to opt-out of the sale of their data and prohibits the sale of personal information for consumers under the age of 16 altogether.
Businesses that run afoul of the law face penalties of $2,500 for each unintentional violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided when enforced by the state attorney general’s office. Penalties sought under a private right of action range from $100 to $750 per violation.
Causes of Action: For the California class, the California Consumer Privacy Act and California’s Unfair Competition Law. For the nationwide class, negligence, breach of contract, and breach of implied contract.
Relief: Compensatory and punitive damages; statutory or civil penalties.
Potential Class Size: The lawsuit seeks certification of nationwide and California classes comprised of all individuals whose personally identifiable information was compromised in the breach.
Response: Minted didn’t immediately respond to a request for comment.
Attorneys: Moginrubin LLP and Schack Law Firm.
The case is Atkinson v. Minted, Inc., N.D. Cal., No. 3:20-cv-03869, 6/11/20.