As readers of CPW know, the Lavarious Gardiner v. Walmart Inc. et al. case is unusual.  Back in July 2020, Plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach which was never disclosed.  As evidence of the breach, Plaintiff presented claims that the personal information associated with his Walmart account had been discovered on the dark web and presented the results of security scans performed on Walmart’s website, which allegedly showed certain vulnerabilities.  In other words, Plaintiff filed suit on the supposition that Walmart’s systems had been breached, which Walmart denies.  Plaintiff’s complaint included a claim under the California Consumer Privacy Act (“CCPA”), in addition to other California privacy and consumer protection statutes.

CPW has previously covered Walmart’s Motion to Dismiss Plaintiff’s Complaint filed on December 12, 2020.  This post is an update now that Plaintiff and Walmart have both submitted additional briefing to the court regarding whether the case should proceed past the pleadings stage.

Walmart had argued that Plaintiff’s CCPA claim failed because the complaint did not allege when the purported breach occurred, which makes it impossible to determine if the CCPA even applies. [Note: The CCPA expressly provides that it is not operative until January 1, 2020, and it contains no express language establishing that it applies retroactively.]  In response to Walmart’s Motion, Plaintiff argued that the alleged data breach is ongoing and cannot identify specific dates that Walmart’s system was breached.  Additionally, Plaintiff asserted that his CCPA claim should survive dismissal because: (1) by pleading his data is presently for sale on the dark web, Plaintiff adequately plead information sufficient to invoke the CCPA and (2) Plaintiff additionally adequately pled loss of his “personal information” as defined in the statute.

In Walmart’s Reply, it first reiterated that the CCPA does not apply retroactively and Plaintiff must show that the alleged breach occurred after the CCPA was effective January 1, 2020.  Walmart then argued that Plaintiffs filed this lawsuit on the “mere suspicion” that Walmart’s network was breached but did not offer any concrete proof of the alleged breach.  Additionally, Walmart disputed Plaintiff’s contention that he was not required to allege a specific date that the data breach occurred.  As a result of these deficiencies, Walmart asserted that Plaintiff did not meet his burden in pleading sufficient information to show that the CCPA even applied to the litigation in the first place.

Even assuming the CCPA applies here, Walmart also argued that Plaintiff’s injuries are not cognizable; and thus, Plaintiff did not meet his burden in pleading damages and injury in his UCL, negligence, and contract claims merely because he cancelled the payment card(s) in question.  Responding to Plaintiff’s alleged injuries, Walmart claimed that Plaintiff’s information is not compensable, Plaintiff’s out of pocket expenses are self-inflicted, Plaintiff’s benefit of the bargain theory fails, and Plaintiff foreclosed any possible future risk of harm because he closed or modified his financial accounts as a result of the alleged breach.

A hearing is scheduled on the motion pending before the court for March 05, 2021.  CPW will be there to cover additional developments as they occur, particularly in regards to how the court rules on Plaintiff’s CCPA claim.  Stay tuned.