Litigants have been looking forward to guidance regarding the limits of data breach claims since the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. Now some of the questions are starting to be answered. In particular, the recent decision in Gardiner v. Walmart, Inc.1 provides some much-needed direction as to the specificity required to state a CCPA claim, and the types of damages that are recoverable for data breaches in California.
Lavarious Gardiner filed a putative class action against Walmart, Inc. on July 10, 2020 regarding a purported data breach. Gardiner alleged that unauthorized individuals accessed his personal identifying information (“PII”) on Walmart’s website. Although Walmart never disclosed the alleged breach (and maintains that no breach occurred), Gardiner claims that he discovered his PII on the “dark web” and was advised by “hackers” that the information came from his Walmart account. Gardiner also claimed that he detected several vulnerabilities on Walmart’s website using cybersecurity scan software.
Gardiner asserted statutory claims against Walmart including violation of the CCPA2 and violation of California’s Unfair Competition Law (the “UCL”).3 In addition, Gardiner asserted common law claims such as negligence and breach of contract.
In response, Walmart filed a motion to dismiss that was granted on March 5, 2021, albeit with leave to amend. While Gardiner has now amended the complaint, the ruling addresses several important issues relating to data breach class actions.
A threshold issue raised by Walmart was whether Gardiner sufficiently stated a CCPA claim despite failing to allege when the purported breach occurred. Gardiner argued that it is enough that his PII is still being sold on the dark web – regardless of when the breach occurred.
Importantly, the Court agreed with Walmart that a plaintiff must allege when the breach occurred. The Court clarified that, for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” Accordingly, the Court found that Gardiner must allege that the purported breach occurred on or after January 1, 2020 (the effective date of the CCPA), and failure to do so warrants dismissal.
Because the CCPA cannot be applied retroactively,4 when the underlying breach occurred is particularly important. Of course, even if there was no dispute that the breach occurred after the effective date of the CCPA, January 1, 2020, the timing of the breach is relevant in order to put the defendant on notice of the plaintiff’s claims and to allow for some initial analysis of the merits of the lawsuit.
Given the limited case law interpreting the CCPA, this specific finding may have a significant impact on future cases. In particular, it is likely to filter out some CCPA claims by requiring plaintiffs to specifically allege when the breach occurred.
Walmart also argued that Gardiner’s complaint did not sufficiently allege disclosure of actionable PII under the CCPA,5 necessitating dismissal. Specifically, Gardiner did not claim that the 3-digit passcode to his credit card was disclosed in the purported breach.
Gardiner countered that the three-digit passcode should be “read into” his claim because he generally alleged disclosure of his “Walmart account, and all of its data.” Gardiner argued that the inference was obvious because his account information would be useless to third parties without the access code.
The Court disagreed that it should assume that Gardiner’s account information and passcode were both disclosed in the purported breach, noting that while the “Court will draw reasonable inferences in Plaintiff’s favor [on a motion to dismiss], it cannot read missing allegations in the complaint.” Thus, this finding clarifies that a plaintiff must also sufficiently allege the type of PII that was disclosed in order to state a claim under the CCPA.
Walmart argued that Gardiner’s alternative claims (negligence, violation of the UCL, and breach of contract) must fail because he cannot allege a cognizable injury. Walmart emphasized that Gardiner did not allege that he incurred any fraudulent charges or suffered any identity theft. In addition, Walmart contended that mitigation efforts (such as cancelling the account and purchasing credit monitoring services) are not recoverable damages. Similarly, Walmart noted that major credit card issuers have a “zero-fraud-liability” policy, eliminating the risk of imminent future harm.
The Court agreed with Walmart that Gardiner failed to allege any actionable harm because his claim of future harm was too speculative and there was nothing to suggest that expenses for credit monitoring services were reasonable or necessary.
The Court did not reach the issue of whether the closure of the relevant account was fatal to Gardiner’s claims. However, if the Court later finds that canceling a compromised account forecloses future injury, it may have a dramatic effect on the ability of plaintiffs to claim damages for a data breach. Indeed, that is usually one of the first steps that is recommended to protect a person’s credit in the event of a breach.
The Gardiner v. Walmart decision provides valuable insight as to the parameters of CCPA claims, and other causes of action that are related thereto. The district court largely rejected Gardiner’s expansive view of the CCPA and his vague allegations regarding the purported data breach.