According to reports, an April 23 breach into the databases of multi-level marketing company Arbonne International exposed personally identifiable information for some 3,500 California residents. While such occurrences are sadly not all that shocking these days, this breach will likely be one of the first tests for the California Consumer Privacy Act (CCPA), which protects “consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”
One aspect that will likely garner close attention will be the size of the penalties issued under the CCPA and what they could mean for Arbonne’s future. Intentional violations of the California Consumer Privacy Act can bring civil penalties of up to $7500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California. The maximum fine for other violations is $2500 per violation.
Almost half of a four-page information sheet from Arbonne describing the hack makes multiple references to the California statute, and how the company is adhering to the requirements of Cal. Civ. Code 1798.82 (h)(2).
Arbonne disclosed that on April 23 it discovered a “data table containing limited personal information may have been accessible to [an] unauthorized actor.” The company provided preliminary notification to the impacted 3,527 California individuals, among others not mentioned in the announcement. By May 22, the California residents received additional written details about what happened and how their passwords may have been compromised. Other compromised information included user name and address.
California consumers whose information had been exposed are being offer free credit monitoring and protections against identity theft, both as required by the statute. Arbonne reported the incident to the FBI and relevant regulators, and is continuing the investigation.