[BreachExchange] Data Breach Litigation Without a Data Breach? Not So Fast Walmart Says…

[Destry Winant]

https://www.natlawreview.com/article/data-breach-litigation-without-data-breach-not-so-fast-walmart-says

The Lavarious Gardiner v. Walmart Inc. et al. case is anything but typical.

As a re-cap, back in July 2020, plaintiff filed a class action
complaint against Walmart alleging that Walmart suffered a data breach
which they never disclosed. As evidence of the breach, plaintiff
presented claims that the personal information associated with his
Walmart account had been discovered on the dark web and presented the
results of security scans performed on Walmart’s website, which
allegedly show certain vulnerabilities.

In other words, plaintiff filed suit on the suspicion that Walmart’s
systems had been breached, which Walmart denies.

On December 12, Walmart filed a Motion to Dismiss all plaintiff’s
claims, (which include, among others, a claim under the California
Consumer Privacy Act (“CCPA”) and a claim under California Unfair
Competition Law (‘UCL’)) arguing that plaintiff failed to state viable
claims. In addition to the specific arguments discussed below for the
CCPA and UCL claims, the motion presents several additional arguments,
including the allegation that plaintiff “cannot make the requisite
showing of cognizable harm.”

Specifically with respect to the alleged CCPA violation, Walmart
argues that plaintiff failed to allege when the breach occurred, which
makes it impossible to determine if the CCPA even applies. The CCPA
expressly provides that it is not operative until January 1, 2020, and
it contains no express language establishing that it applies
retroactively.[1] Walmart’s motion argues that the court should follow
the precedent set by Judge Koh in In re Yahoo! Inc. Customer Data Sec.
Breach Litig., which reached the conclusion that a claim under the
recently amended California Customer Records Act (“CRA”) had to be
dismissed where the plaintiffs failed to allege when the alleged
violation occurred.[2]

The motion also urges the court to dismiss the UCL claim on the
grounds (among others) that a UCL claim cannot be based on alleged
violations of the CCPA. On its face, the CCPA states that “nothing in
this title shall be interpreted to serve as the basis for a private
right of action under any other law.”[3] Furthermore, during
negotiations for the passage and the amendment of CCPA two separate
California Senate Judiciary Committee reports acknowledged CCPA
eliminates the possibility of a private right of action outside the
narrow claim related to data breaches.[4]

In sum, the resolution by the court of the motion to dismiss could
shed light on two interesting questions related to CCPA litigation:
(1) whether CCPA could be read to apply to data breaches that occurred
before its effective day but were subsequently discovered; and (2)
whether CCPA may allow for a private right of action outside of the
narrow provision on data breaches.

As always, CPW will be there to discuss additional developments in
this and other data privacy litigation cases.

Stay tuned.