June 27, 2022

Volume XII, Number 178


June 24, 2022

Subscribe to Latest Legal News and Analysis

Data Breach Litigation Without a Data Breach? Not So Fast Walmart Says…

The Lavarious Gardiner v. Walmart Inc. et al. case is anything but typical.

As a re-cap, back in July 2020, plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach which they never disclosed. As evidence of the breach, plaintiff presented claims that the personal information associated with his Walmart account had been discovered on the dark web and presented the results of security scans performed on Walmart’s website, which allegedly show certain vulnerabilities.

In other words, plaintiff filed suit on the suspicion that Walmart’s systems had been breached, which Walmart denies.

On December 12, Walmart filed a Motion to Dismiss all plaintiff’s claims, (which include, among others, a claim under the California Consumer Privacy Act (“CCPA”) and a claim under California Unfair Competition Law (‘UCL’)) arguing that plaintiff failed to state viable claims. In addition to the specific arguments discussed below for the CCPA and UCL claims, the motion presents several additional arguments, including the allegation that plaintiff “cannot make the requisite showing of cognizable harm.” 

Specifically with respect to the alleged CCPA violation, Walmart argues that plaintiff failed to allege when the breach occurred, which makes it impossible to determine if the CCPA even applies. The CCPA expressly provides that it is not operative until January 1, 2020, and it contains no express language establishing that it applies retroactively.[1] Walmart’s motion argues that the court should follow the precedent set by Judge Koh in In re Yahoo! Inc. Customer Data Sec. Breach Litig., which reached the conclusion that a claim under the recently amended California Customer Records Act (“CRA”) had to be dismissed where the plaintiffs failed to allege when the alleged violation occurred.[2]

The motion also urges the court to dismiss the UCL claim on the grounds (among others) that a UCL claim cannot be based on alleged violations of the CCPA. On its face, the CCPA states that “nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”[3] Furthermore, during negotiations for the passage and the amendment of CCPA two separate California Senate Judiciary Committee reports acknowledged CCPA eliminates the possibility of a private right of action outside the narrow claim related to data breaches.[4]

In sum, the resolution by the court of the motion to dismiss could shed light on two interesting questions related to CCPA litigation: (1) whether CCPA could be read to apply to data breaches that occurred before its effective day but were subsequently discovered; and (2) whether CCPA may allow for a private right of action outside of the narrow provision on data breaches.

As always, CPW will be there to discuss additional developments in this and other data privacy litigation cases.

Stay tuned.

[1] See, Cal. Civ.Code § 1798.198(a).

[2] 2017 WL 3727318, at *38 (N.D. Cal. Aug. 30, 2017) (“Because the CCAC does not allege when Defendants discovered the 2013 Breach, the Court cannot determine which version of the CRA was in effect at the time that Defendants allegedly violated the CRA . . .”)

[3] See, Cal. Civ. Code § 1798.150(c).

[4] See, Cal. Sen. Judiciary Committee Report on 2018 CA A.B. 375, June 26, 2018, p. 22. (acknowledging before the passage of CCPA’s Section 1798.150(c) that CCPA “eliminates the ability of consumers to bring claims for violations of the Act under statutes such as the [UCL]”) and Cal. Sen. Rules Committee Report on CA A.B. 1355, September 12, 2019, p. 6. (stating that section 1798.150 is the “only enforcement mechanism made available to consumers pursuant to the CCPA . . .” )

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 365

About this Author

Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Raisa Dyadkina Intellectual Property Attorney Squire Patton Boggs San Francisco, CA

Raisa Dyadkina is an associate in the Intellectual Property & Technology Practice and advises on trademark matters and on a broad range of commercial contracts.

Raisa has prior experience in intellectual property enforcement, anti-counterfeiting, and brand protection for copyright, trademark, and right of publicity matters. Prior to joining the firm, she worked at the world’s largest live entertainment company, where she executed a brand protection and enforcement strategy for over 100 musical artists.

Raisa graduated law school with a faculty-awarded Excellence in...