Salesforce.com, Inc. and children’s clothing company Hanna Andersson are facing a federal court lawsuit that is among the first to cite the new California Consumer Data Privacy Act that went into effect in January.
The complaint, which stems from a 2019 customer data breach, alleges that Salesforce and Hanna Andersson failed to protect user data, safeguard platforms, or provide cybersecurity warnings.
Hanna Andersson was informed by law enforcement on December 5, 2019 that “credit cards used on its website were available for purchase on a dark web site.” An investigation confirmed that Hanna Andersson’s third-party e-commerce platform, Salesforce Commerce Cloud, was infected with Magecart malware that may have scraped customers’ information when they entered the platform to purchase products.
In the era of digital transformation and e-commerce, this story is a reminder of the pitfalls of relying on critical third-party infrastructure, in this case Salesforce Commerce Cloud. These solutions have enabled countless small retailers like Hanna Andersson to reach a much larger market by making e-commerce sales both fast and affordable. This is partly what has helped make Salesforce a $165BN-market-cap company (Bloomberg). Few companies are better embodiments of digital transformation and the cloud.
But we are reminded almost weekly of the security risks to companies that rely upon third-party cloud providers and managed service providers to function. As third-party providers go, so go their customers.
The trilemma facing companies in this era—choosing between growth, cost, and security when they can only have two—is a difficult one to navigate for any company, especially relatively smaller retailers that understandably see the opportunity afforded by transitioning to the cloud. The growth and cost factors are also much better understood by most management teams in a financial context. However, for a retailer like Hanna Andersson, the most valuable asset it possesses is customer financial data. The second most valuable asset it possesses is customer behavioral data—being able to improve personalization that can lower customer acquisition costs and improve inventory management, knowing what customers want, as well as when and where they want it.
Companies now have a legal liability to protect this data, and the obligation for doing so is shared with cloud providers like Salesforce. When deciding how data is stored and organized, and what controls are in place to lower the risk of it being stolen, management teams should consider the value of the assets being protected alongside the growth and cost factors.
Similar to GDPR, an indirect consequence of the California Consumer Data Privacy Act will be transparency around breaches when they do occur. This will increasingly prompt discussions amongst management teams and boards around the vulnerabilities that exist, especially in critical infrastructure like cloud providers, as well as what measures and systems to put in place to manage the downside financial risk.