Litigants have been looking forward to guidance regarding the limits of data breach claims since the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. Now some of the questions are starting to be answered. In particular, the recent decision in Gardiner v. Walmart, Inc.¹ provides some much-needed direction as to the specificity required to state a CCPA claim, and the types of damages that are recoverable for data breaches in California.
Factual And Procedural Background.
Lavarious Gardiner filed a putative class action against Walmart, Inc. on July 10, 2020 regarding a purported data breach. Gardiner alleged that unauthorized individuals accessed his personal identifying information (“PII”) on Walmart’s website. Although Walmart never disclosed the alleged breach (and maintains that no breach occurred), Gardiner claims that he discovered his PII on the “dark web” and was advised by “hackers” that the information came from his Walmart account. Gardiner also claimed that he detected several vulnerabilities on Walmart’s website using cybersecurity scan software.
Gardiner asserted statutory claims against Walmart including violation of the CCPA² and violation of California’s Unfair Competition Law (the “UCL”).³ In addition, Gardiner asserted common law claims such as negligence and breach of contract.
In response, Walmart filed a motion to dismiss that was granted on March 5, 2021, albeit with leave to amend. While Gardiner has now amended the complaint, the ruling addresses several important issues relating to data breach class actions.
The Complaint Must State When The Alleged Breach Occurred.
A threshold issue raised by Walmart was whether Gardiner sufficiently stated a CCPA claim despite failing to allege when the purported breach occurred. Gardiner argued that it is enough that his PII is still being sold on the dark web – regardless of when the breach occurred.
Importantly, the Court agreed with Walmart that a plaintiff must allege when the breach occurred. The Court clarified that, for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” Accordingly, the Court found that Gardiner must allege that the purported breach occurred on or after January 1, 2020 (the effective date of the CCPA), and failure to do so warrants dismissal.
Because the CCPA cannot be applied retroactively,⁴ when the underlying breach occurred is particularly important. Of course, even if there was no dispute that the breach occurred after the effective date of the CCPA, January 1, 2020, the timing of the breach is relevant in order to put the defendant on notice of the plaintiff’s claims and to allow for some initial analysis of the merits of the lawsuit.
Given the limited case law interpreting the CCPA, this specific finding may have a significant impact on future cases. In particular, it is likely to filter out some CCPA claims by requiring plaintiffs to specifically allege when the breach occurred.
The Complaint Must Sufficiently Allege Disclosure of PII.
Walmart also argued that Gardiner’s complaint did not sufficiently allege disclosure of actionable PII under the CCPA,⁵ necessitating dismissal. Specifically, Gardiner did not claim that the 3-digit passcode to his credit card was disclosed in the purported breach.
Gardiner countered that the three-digit passcode should be “read into” his claim because he generally alleged disclosure of his “Walmart account, and all of its data.” Gardiner argued that the inference was obvious because his account information would be useless to third parties without the access code.
The Court disagreed that it should assume that Gardiner’s account information and passcode were both disclosed in the purported breach, noting that while the “Court will draw reasonable inferences in Plaintiff’s favor [on a motion to dismiss], it cannot read missing allegations in the complaint.” Thus, this finding clarifies that a plaintiff must also sufficiently allege the type of PII that was disclosed in order to state a claim under the CCPA.
Plaintiff’s Damages Arising From A Data Breach Must Not Be Speculative.
Walmart argued that Gardiner’s alternative claims (negligence, violation of the UCL, and breach of contract) must fail because he cannot allege a cognizable injury. Walmart emphasized that Gardiner did not allege that he incurred any fraudulent charges or suffered any identity theft. In addition, Walmart contended that mitigation efforts (such as cancelling the account and purchasing credit monitoring services) are not recoverable damages. Similarly, Walmart noted that major credit card issuers have a “zero-fraud-liability” policy, eliminating the risk of imminent future harm.
The Court agreed with Walmart that Gardiner failed to allege any actionable harm because his claim of future harm was too speculative and there was nothing to suggest that expenses for credit monitoring services were reasonable or necessary.
The Court did not reach the issue of whether the closure of the relevant account was fatal to Gardiner’s claims. However, if the Court later finds that canceling a compromised account forecloses future injury, it may have a dramatic effect on the ability of plaintiffs to claim damages for a data breach. Indeed, that is usually one of the first steps that is recommended to protect a person’s credit in the event of a breach.
Disclaimers Of Liability May Provide Additional Protection For Companies.
The Gardiner v. Walmart decision provides valuable insight as to the parameters of CCPA claims, and other causes of action that are related thereto. The district court largely rejected Gardiner’s expansive view of the CCPA and his vague allegations regarding the purported data breach.
Whether these changes are sufficient to avoid another motion to dismiss remains to be seen. Regardless of whether Walmart files an answer or another motion to dismiss, though, this decision provides litigants with useful information regarding the scope of data breach class action claims. We will continue to monitor this matter and provide future updates regarding other important decisions in this case.
1. Case No. 20-cv-04618-JSW (N.D. Cal.).
2. Cal. Civ. Code § 1798.150, et seq.
3. Cal. Bus. & Prof. Code § 17200, et seq.
4. McClung v. Emp’t Dev. Dep’t, 34 Cal. 4th 467, 475 (2004) (“Generally, statutes operate prospectively only.”).
5. The CCPA only provides for a private right of action for disclosure of account information if it is accompanied by the required security code, access code, or password that would permit access to the account.
6. Gardiner alleged that he suffered a monetary injury because “he did not receive the benefit of his bargain with Defendants, through which he agreed to pay for goods with the understanding that his payment information would be protected by Defendants.” (Compl. ¶¶ 94 and 118.)
7. Gardiner alleges that the “last order dates” of the stolen customer data on the dark web were in 2020, indicating that the breach took place in the same year. Gardiner also claims that some of the stolen credit/debit cards have expiration dates in 2024 and 2025, and since credit/debit cards usually expire within 3-5 years of being issued, there is “sound evidence” to demonstrate that the breach occurred after January 1, 2020. (Amended Compl. ¶¶ 71-2.) He also claims that the sale of his PII included the PIN or CVV numbers associated with his payment card, but that this information was being withheld from the dark web until a buyer made an acceptable offer. (Amended Compl. ¶ 19.)
8. In addition to credit monitoring and identity theft protection services, Gardiner claims he incurred postage costs and hired attorneys, accountants, and other specialists to assist with recovery/mitigation efforts. (Amended Compl. ¶ 50.)
9. Amended Compl. ¶¶ 129 and 132. Gardiner contended that these provisions were unenforceable in his opposition to the motion to dismiss, but he did not provide sufficient facts in his original complaint to support this argument.