Wal Mart Data Breach Litigation: Undisclosed Data Breach

Data Breach Litigation Without a Data Breach? Not So Fast Walmart Says…
Wednesday, December 30, 2020
The Lavarious Gardiner v. Walmart Inc. et al. case is anything but typical.

As a re-cap, back in July 2020, plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach which they never disclosed. As evidence of the breach, plaintiff presented claims that the personal information associated with his Walmart account had been discovered on the dark web and presented the results of security scans performed on Walmart’s website, which allegedly show certain vulnerabilities.

In other words, plaintiff filed suit on the suspicion that Walmart’s systems had been breached, which Walmart denies.

On December 12, Walmart filed a Motion to Dismiss all plaintiff’s claims, (which include, among others, a claim under the California Consumer Privacy Act (“CCPA”) and a claim under California Unfair Competition Law (‘UCL’)) arguing that plaintiff failed to state viable claims. In addition to the specific arguments discussed below for the CCPA and UCL claims, the motion presents several additional arguments, including the allegation that plaintiff “cannot make the requisite showing of cognizable harm.”

Specifically with respect to the alleged CCPA violation, Walmart argues that plaintiff failed to allege when the breach occurred, which makes it impossible to determine if the CCPA even applies. The CCPA expressly provides that it is not operative until January 1, 2020, and it contains no express language establishing that it applies retroactively.[1] Walmart’s motion argues that the court should follow the precedent set by Judge Koh in In re Yahoo! Inc. Customer Data Sec. Breach Litig., which reached the conclusion that a claim under the recently amended California Customer Records Act (“CRA”) had to be dismissed where the plaintiffs failed to allege when the alleged violation occurred.[2]

The motion also urges the court to dismiss the UCL claim on the grounds (among others) that a UCL claim cannot be based on alleged violations of the CCPA. On its face, the CCPA states that “nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”[3] Furthermore, during negotiations for the passage and the amendment of CCPA two separate California Senate Judiciary Committee reports acknowledged CCPA eliminates the possibility of a private right of action outside the narrow claim related to data breaches.[4]

In sum, the resolution by the court of the motion to dismiss could shed light on two interesting questions related to CCPA litigation: (1) whether CCPA could be read to apply to data breaches that occurred before its effective day but were subsequently discovered; and (2) whether CCPA may allow for a private right of action outside of the narrow provision on data breaches.

As always, CPW will be there to discuss additional developments in this and other data privacy litigation cases.