Mareesa Nicosia, Jessy Edwards | August 19, 2022

Category: Data Breach


Update:

  • A settlement has been reached between online retail giant cbdMD Inc. and customers who claim the company’s negligence resulted in two data breaches of its website in spring 2020.
  • On Aug. 15, a North Carolina federal judge approved the $300,000 settlement in the class action lawsuit brought by customers who purchased cannabidiol products from cbdMD Inc. and who claimed the breach caused their personal and financial information to fall into the possession of malicious actors. 
  • The settlement, which was approved by U.S. District Judge Robert J. Conrad Jr., allows class members to receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest and up to $80 in costs for obtaining credit monitoring and identity theft protection.
  • It is estimated about 44,000 consumers had their private information exposed in the data breach. 

(Oct. 13, 2020)

Customers who purchased cannabidiol products from the online retail giant cbdMD Inc. claim the company’s negligence resulted in two data breaches of its website this spring, causing customers’ personal and financial information to fall into the possession of malicious actors. 

Sensitive information — including customers’ credit card numbers, email addresses, billing addresses and bank account numbers — was obtained by hackers and is likely for sale on the dark web, putting customers at a “substantially increased risk of financial fraud,” the class action lawsuit claims. 

Plaintiffs Michael Warshawsky of Florida and Michael Steinhauser of California are among thousands of customers affected by the data breaches that occurred between late March and mid-May of this year, according to the class action lawsuit.

In late September, cbdMD, the parent company of CBD Industries LLC, notified the U.S. Securities and Exchange Commission (SEC) and attorneys general in California, Maine, New Hampshire and Vermont, among other states, as well as the affected customers, of the data breaches. That notice triggered plaintiffs to file suit on behalf of themselves and the entire affected Class.  

The Charlotte, North Carolina-based company was founded in 2015; it manufactures and distributes hemp-based products including cannabidiol oils used for pain relief and general health for both humans and animals. All members of the proposed Class used cbdMD’s e-commerce platform to make purchases, according to the class action lawsuit.

In Warshawsky’s case, a $67.48 debit card purchase from the CBD site on April 27 led to a fraudulent transfer of $1,369 from his checking account a month later.

To perpetrate the fraud, an unauthorized third party used the same debit card number Warshawsky had used on the cbdMD website. The fraudster used a mobile phone app to transfer the funds from Warshawsky’s checking account to an account set up by the hacker in Warshawsky’s name, the lawsuit alleges.

Similarly, in Steinhauser’s case, his $65.68 debit card purchase from the site on April 25 led to a fraudulent charge of $452.54 at a Best Buy store in another city about two and a half months later.

In both cases, the men spent time and energy tracking and resolving the fraudulent charges with their respective banks — time they otherwise would have spent working or enjoying leisure activities, according to the class action lawsuit.

They both continue to be greatly concerned about credit card theft and financial fraud in the future, given that their personal and financial information may still be available to cyber criminals, the class action lawsuit alleges. 


Adding insult to injury, the plaintiffs note, not long after the data breaches occurred, the company’s revenue rose during the summer of 2020 as a result of “a significant shift in online sales as an overall percentage of net sales,” according to the lawsuit.

The publicly traded company claims to have estimated annual revenue of more than $25 million.

Plaintiffs accuse cbdMD of negligence and failure to protect their data, lambasting the company for allowing hackers to repeatedly penetrate its networks and steal customers’ financial and personal information.  

Especially given that these sorts of web-scraping hacks have been “surging” since 2016, the company knew or should have known about the importance of maintaining secure systems, and it knew or should have known that its security practices did not adequately safeguard plaintiffs’ information, the class action lawsuit alleges.

Indeed, these types of data breaches are so common that the Federal Bureau of Investigation (FBI) issued a warning to companies about them in October 2019, according to the class action lawsuit, and advised companies of specific steps they should take to properly protect e-commerce systems from cyber criminals.

But cbdMD “apparently did not take this advice,” the class action lawsuit alleges, claiming the company did not use “reasonable security procedures and practices appropriate to the nature of the sensitive information they were collecting.”

In addition to failing to prevent the data breaches in the first place, the company also failed to detect the breaches for almost six months, according to the class action lawsuit.

What’s more, when cbdMD did finally discover the breaches, it allegedly informed shareholders days before it informed the affected consumers, “depriving their customers of precious time to put a stop to financial fraud as soon as possible,” the plaintiffs contend. 

The company’s conduct amounts to negligence and violates federal and state statutes, the lawsuit claims.

The plaintiffs are demanding a jury trial as well as a declaratory judgment that the company’s existing security measures do not comply with its “explicit or implicit contractual obligations to provide reasonable security procedures and practices appropriate to the nature of the information to protect customers’ personal information.” 

In addition, plaintiffs are demanding an order that the company comply with those obligations by “implementing and maintaining reasonable security measures,” including purchasing credit monitoring services for the plaintiffs for 10 years. 

Have you purchased any products from cbdMD? Are you worried your data may have been compromised? Let us know in the comments.

The plaintiffs are represented by Jean Martin, John A. Yanchunis and Ryan J. McGee of Morgan & Morgan Complex Litigation Group, and M. Anderson Berry and Leslie Guillon of Clayeo C. Arnold, A Professional Law Corp. 

The cbdMD Data Breach Class Action Lawsuit is Michael Warshawsky, et al. v. cbdMD Inc., et al., Case No. 3:20-cv-00562, in the U.S. District Court for the Western District of North Carolina, Charlotte Division. 


26 thoughts on Hemp company cbdMD settles data breach class action

  1. Erica says:

    Please add me

  2. Ashley Bowen says:

    put me down

  3. Charmaine Lane says:

    add me

  4. Michelle Bennett says:

    Add me
