July 2, 2022

Volume XII, Number 183

Advertisement
Advertisement

July 01, 2022

Subscribe to Latest Legal News and Analysis

June 30, 2022

Subscribe to Latest Legal News and Analysis

June 29, 2022

Subscribe to Latest Legal News and Analysis

Federal Court Finds the California Consumer Privacy Act (CCPA) Does Not Apply Retroactively, Dismissing Claims Against Walmart Stemming from an Alleged Data Breach

A federal District Court in California recently dismissed a lawsuit against Walmart that arose from an alleged data breach. (Gardiner v. Walmart, Inc., 20-cv-04618-JSW (N.D. Cal., March 5, 2021). Among other things, the court determined that California’s Consumer Privacy Act (CCPA) does not apply retroactively, dismissing the CCPA claim because the plaintiff had not specified the date of the alleged breach.

According to the allegations of the complaint, the plaintiff had provided certain personal identifying information (PII) to Walmart, including credit card information, when he created an online account. Plaintiff claimed that Walmart has been targeted numerous times by individuals who have hacked its website and its customers’ computers, and that the hackers posted stolen account information—including his—on the dark web. As a result, plaintiff asserted that he and others faced an imminent threat of identity theft and fraud, had to spend time and resources to mitigate the effects of the data breach, and suffered economic damages. The complaint alleged violations of the CCPA and also California’s Unfair Competition Law, along with common law claims such as negligence and breach of contract.

Walmart, which disputed that there was any breach of its network, moved to dismiss the complaint. The court granted the motion. As to the CCPA claim, the court concluded that CCPA only applies to breaches occurring on or after January 1, 2020, and does not apply retroactively. Plaintiff therefore had to allege that Walmart’s purported violation of its duty to implement reasonable security procedures to prevent the breach occurred on or after that date. Because plaintiff did not allege a specific date of the alleged breach, he did not have a viable CCPA claim. The court held that the CCPA claim also failed because the complaint did not sufficiently allege disclosure of plaintiff’s PII, such as disclosure of his credit card number and security code.

In addition, the court dismissed all of plaintiff’s remaining claims for negligence, contract, and unfair competition on the grounds that plaintiff had failed to plead a cognizable injury. In doing so, the court found that, without factual allegations identifying what PII was stolen, plaintiff’s bare assertion that his PII had economic value was insufficient to support his claims. The court also determined, among other things, that conclusory allegations of an increased risk of identity theft were insufficient to establish injury. The decision may not end the litigation, however, as the court granted plaintiff leave to amend his complaint to cure the identified deficiencies. It remains to be seen if he will do so.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XI, Number 69
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jean Tomasco, Robinson Cole Law Firm, Hartford, Labor and Employment, Litigation Law Attorney
Counsel

Jean Tomasco's practice involves employer counseling and employment litigation, with an emphasis on the Employee Retirement Income Security Act (ERISA) and benefits litigation. She is a member of the firm’s Health + Benefits Litigation Team and its Labor, Employment, Benefits + Immigration Group.

Employee Benefits and Compensation Litigation

Jean has more than two decades of experience handling benefit claims litigation. She represents insurers, managed care organizations, and employers in benefit...

860-275-8323
Advertisement
Advertisement
Advertisement