Minted, the online marketplace that had 5 million of its users' records sold online last month, is now being hit with a class action lawsuit under California's new privacy law that alleges the service failed to implement reasonable security measures to protect customers’ PII or prevent and detect unauthorized access to the data.

The site, which allows customers to place use orders for art, holiday cards, and wedding invitations using community-created graphic designs, acknowledged May 28 that earlier that month, on May 6, hackers were able to breach the company’s user account database.

It was on that same day the hacking group, Shiny Hunters, advertised having the stolen data - five million user accounts, for sale at $2,500 - on an underground forum. Minted wound up being only one of a handful of companies implicated in the sale; the group advertised having 73.2 million records in total that day, containing personally identifying information from 11 companies.

The company, in a breach notification posted to its site, said the stolen information included customer names and login credentials, specifically email addresses and hashed and salted passwords. Additional information, including telephone numbers, billing addresses, shipping addresses, and birth dates, may have also been impacted.

In the lawsuit, two plaintiffs, Melissa Atkinson and Katie Renvall, are alleging the company, despite making $150 million in revenue last year, never adequately invested in security to protect personally identifiable information, in addition to prevent and detect unauthorized access to the data. Having a solution in place could have prevented hackers from breaking into Minted’s systems and stealing customer data, the lawsuit suggests.

The company had a duty, the suit - available here via Bloomberg - alleges, to discover the breach and notify customers their PII had been compromised. Instead, it lingered online where it floated around the dark web for nine days until the company discovered it - and another 13 days until the company publicly disclosed the incident.

In the suit, the plaintiffs break down guidelines, put forth by the Federal Trade Commission, that entities should follow to protect PII and reduce the likeliness of data breaches. Organizations should encrypt sensitive data, identify and understand network vulnerabilities, pay attention to web application security, use an intrusion detection system, monitor incoming traffic, and develop a plan to respond to a data breach if one occurs.

The fact that Minted says it didn't realize there had been a breach until it was publicly reported "indicates that it does not use an adequare intrusion detection system... does not sufficiently monitor incoming traffic for suspicious activity... does not properly monitorfor the transmission of large amounts of data from the system... and does not maintain an appropriate plan to respond effectively to a data breach in the event one occurs," the suit claims.

The complaint alleges negligence, breach of contract, and breach of implied contract - but also two violations of California law, the newly enacted California Consumer Privacy Act and the state's Unfair Competition Law.

The CCPA of course, applies to businesses with gross annual revenues in excess of $25 million, businesses sharing the data of more than 50,000 customers, or businesses that derive 50% or more of their revenues from the sale of protected personal data – meaning it’s likely Minted satisfies at least the first two conditions of the law.

Under the CCPA, companies can be fined $2,500 to $7,500 per violation. The plaintiffs reportedly plan to amend their complaint to seek actual damages and statutory damages of $750 per customer record - the maximum penalty under a private right of action as permitted by the CCPA - subject to the data breach, on behalf of the class.