(Reuters) - Hanna Andersson LLC and Salesforce.com Inc have reached a proposed agreement with plaintiffs to resolve class claims related to a 2019 data breach, according to a motion for preliminary approval of the settlement.

The litigation, composed of two consolidated cases against the children's apparel retailer and cloud technology services provider, was one of the early cases alleging a violation of the California Consumer Privacy Act, which took effect Jan. 1. Hanna has agreed to pay $400,000 and take corrective measures to resolve the claims, according to the unopposed motion filed Thursday in San Francisco federal court.

Salesforce doesn't appear to be contributing to the settlement fund.

An attorney for the plaintiffs, who are represented by Morgan & Morgan, the Arnold Law Firm, and Wolf Haldenstein Adler Freeman & Herz didn't immediately respond to a request for comment on the proposed settlement. Nor did an attorney from Perkins Coie for Hanna Andersson or an attorney from Morrison & Foerster for Salesforce.

The litigation stems from Hanna Andersson's notification to customers and state attorneys general in January that an unauthorized third party had accessed information on its website for purchases made in a two-month period in 2019, potentially exposing customers' names, billing and payment card information, according to the complaint. The notice to the states disclosed that credit card information was available on the dark web and that a Salesforce commerce platform used by Hanna was infected by malware that may have scraped customers' information.

The consolidated complaint included claims for negligence, declaratory judgment, violations of the California privacy and unfair competition laws, and violation of Virginia's breach notification law.

The proposed settlement class contains more than 200,000 individuals who made purchases from Hanna's website during the time period in 2019.

"In light of the risks and uncertainties presented by data breach litigation, the $400,000 Settlement Fund achieved for the approximately 200,273 member Class in this case is an extraordinary result," the plaintiffs' lawyers wrote in the filing.

Hanna has agreed to make changes to its business practices as they relate to its e-commerce platform, including conducting a risk assessment of its data assets, enabling multi-factor authentication for cloud services accounts, deploying intrusion protection and monitoring applications and hiring a cybersecurity director, according to the proposed settlement.

The plaintiffs' lawyers said in the filing they will separately seek $120,000 in attorneys fees.

The parties had initially reached a settlement "in principle" over the summer and had asked U.S. District Judge Edward Chen to stay the case pending its finalization.

Litigation under the California Consumer Privacy Act is still new and many of the cases filed so far - including those that bring direct causes of action and others that use the law as predicate for other claims - are in early stages, as the law has been in effect less than a year.

The privacy law currently provides a limited private right of action for individuals to sue in certain data breach situations. That right will be expanded under the California Privacy Rights Act, a ballot measure that California voters passed earlier this month.

The case is In Re: Hanna Andersson and Salesforce.com Data Breach Litigation, U.S. District Court for the Northern District of San Francisco, 3:20-cv-00812-EMC.

For the plaintiffs: John Yanchunis of Morgan & Morgan Complex Litigation Group, M. Anderson Berry of Arnold Law Firm, and Rachele Byrd of Wolf Haldenstein Adler Freeman & Herz

For Hanna Andersson: Todd Hinnen of Perkins Coie

For Salesforce: Tiffany Cheung of Morrison & Foerster