The timing of a cyber attack may matter in assessing legal liability: a federal judge in California has dismissed a potential privacy class action suit brought against Walmart under the California Consumer Privacy Act (CCPA). The plaintiffs plead ongoing damage and loss (their hacked information is available for sale on the dark web, they say). Their complaint, however, did not claim that the alleged hack of Walmart occurred after the effective date of the CCPA, which was 1/1/2020.

The case presents an interesting question: whether the attack date or the date of alleged damages is the salient one for attaching liability. The distinction is akin to a "claims made" versus "occurrence" clause relating to insurance coverage. For now, it appears that the attack date may matter more. As more states pass and consider their own privacy laws, however, this issue is one to watch.