nuna data breach

Can Californians Get Compensation for the Nuna Baby Essentials Data Breach?

On January 21, 2022, Nuna Baby Essentials reported that it found unauthorized malicious computer code on its website. Based on this code, it believes Credit or debit card information used by consumers on Nuna’s website may have been compromised, including consumers’:

  • Credit or debit card #
  • Expiration date
  • CCV/CVV code
  • Billing address
  • Shipping address

This leak potentially affects 21,779 consumers who used Nuna’s website between March 26, 2020 and April 7, 2021.

The full text of the Nuna Baby Essentials Notice of Data Breach can be found here.

Special California Data Breach Laws Protect You

nuna baby essentials data breachCalifornia has laws that specifically protect your personal information.

  • The California Customer Records Act requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information.
  • In 2018, California passed the California Consumer Privacy Act (CCPA). This law contains many protections for personal information of California residents.

If certain types of personal information, like credit card numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

I received a Data Breach Notice from Nuna Baby. What should I do now?

Nuna Baby suggests steps to take to protect your personal data, and is offering affected consumers a one-year membership in Experian’s IdentityWorksSM.

Be aware that the Data Breach Notice says consumers have to enroll to take advantage of this offer, and there is an enrollment deadline for the Experian membership of April 30, 2022 to do so.

If I follow the steps in the Nuna Baby Data Breach Notice, will that prevent my personal information from being sold on the dark web?

“Dark web” monitoring can sometimes tell you if your information is being offered for sale to cyber thieves but cannot actually prevent the sale of that information.

Experian’s IdentityWorks does provide for dark web monitoring. Unfortunately, if you are the victim of a data breach you will still need to be on the lookout. You must remain ever watchful for unapproved credit card charges, identify theft, tax fraud and other illegal uses of your personal information.

As Electronic Personal Data Doesn’t Degrade, One Year Of Identity Theft Services Offered by Nuna Baby May Not Be Enough

Identity theft is on the upswing. In 2018 approximately 23 million people in the United States reported that they had been victims of identity theft within the previous year.[1] By 2021, there were over 50 million personal records compromised nationwide; with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.

Cyber crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information according to Privacy Affairs Dark Web Index of 2021). Certain critical types of personal information – like social security numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Law enforcement is often unable to break the sophisticated encryption hiding these unlawful activities. The FBI’s Internet Crime Compliance Center received almost 800,000 complaints in 2020. This leaves identity theft victims to repair their misused credit scores, health insurance, and social security numbers.

Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.

Businesses Should Be Held Accountable For Data Breaches

Many businesses amass huge troves of personal data about consumers and keep that data indefinitely for future profits. When companies use this strategy, keeping your personal information secure from cyber criminals is their responsibility.  When you trust businesses with data that can be used to identify you, they owe you an obligation to use good privacy and security practices to keep your data safe.

Whether you surf the internet, shop online, or use social media, you leave an electronic trail of personal information that is often scooped up and retained by businesses to boost future sales and increase engagement with their websites.

This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[2] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[3]

You Have Important Legal Rights Under California’s CCPA

The CCPA also provides consumers other important rights.  These include:

  • The right to see a copy of the personal data a business has collected about you, free of charge.
  • The right to find out why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
  • The right to have your personal information deleted from any business that collected it directly from you.
  • The right to find out if your data is being sold.
  • The right to opt-out of the sale of your data without being discriminated against.

When businesses decide to collect and keep personal data about California customers or visitors to their websites, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.



[1] Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.

[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[3] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).