This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| less than a minute read

Judge Tosses CCPA Class Action Suit Against Walmart Based on Attack Date, Despite Ongoing Damages

The timing of a cyber attack may matter in assessing legal liability: a federal judge in California has dismissed a potential privacy class action suit against Walmart under the California Consumer Privacy Act.  Plaintiffs plead currently occurring damage/loss (their hacked information is available for sale on the dark web, they say).  Their complaint, however, did not claim that the alleged hack of Walmart occurred after the effective date of the CCPA, which was 1/1/2020.

The case presents an interesting question: whether the attack date or the date of alleged damages is the salient one for attaching liability. The distinction is akin to a "claims made" versus "occurrence" clause relating to insurance coverage. For now, it appears that the attack date may matter more. As more states pass and consider their own privacy laws, however, this issue is one to watch.

U.S. District Judge Jeffrey White in Oakland on Friday granted Walmart's motion to toss the proposed class action, which alleges hackers made customers' accounts available for sale on the dark web after a purported breach. *** Judge White in the Friday decision found that portion of the CCPA doesn't apply retroactively, so the alleged breach can only be actionable if it happened after the law took effect. White, disagreeing with Gardiner's argument that the timing is sufficient because the data is currently for sale on the dark web, said the claim can't go forward without allegations showing Walmart's supposed violation occurred on or after Jan. 1, 2020.


insights, data security and privacy, hill_mitzi