fbpx

Early CCPA Litigation is Underway as Walmart Faces Class Action Lawsuit

Written by: Brett Lawrence, Esq. and Brock Wolf

Early last month, Walmart joined Minted Inc., Zoom, TikTok, and Salesforce.com to become the largest company targeted by a class action lawsuit following a data breach under the California Consumer Privacy Act (“CCPA”). On July 10, 2020, shortly after CCPA enforcement began on July 1, Lavarious Gardiner filed suit in the U.S. District Court for the Northern District of California.

In his complaint, Gardiner alleges that Walmart’s online platform has significant security flaws that allowed hackers to steal personal information (including names, addresses, and financial information) from “Consumers” (read: California residents) with online accounts with the retail giant. Gardiner also alleges that over two million accounts are for sale on the dark web and that Walmart failed to notify consumers that their data was at risk. The complaint does not specify when the data breach occurred.

The CCPA allows individuals to sue for statutory damages between $100 and $750 per consumer if (1) their information is stolen and (2) the business failed to maintain reasonable security procedures. Gardiner is suing on behalf of any California resident who had a Walmart account in the last four years. According to the complaint, this could create a class, “at least in the thousands.” Depending on the size of the class, damages could be massive.

Businesses can avoid similar lawsuits by engaging in “reasonable security procedures and practices” under the CCPA. Unfortunately, the term “reasonable security procedures” is not defined under CCPA. We will continue to monitor Gardiner v. Walmart Inc. to see how the court interprets this “reasonable security procedures” requirement.

Until then, and as a practical matter, businesses should take additional security measures to protect themselves from data breaches that could lead to potential claims. Companies should also review their privacy policies to set consumer expectations and provide CCPA required notifications