Gardiner v. Walmart Inc.

Data Breach Class Action

Northern District

Judge Jeffrey S. White

Defense Attorneys: Hunton Andrews Kurth Llp, Ann Marie Mortimer, Jason J. Kim, Jeff R. R. Nelson

Plaintiffs Attorneys: Wilshire Law Firm, Justin F. Marquez, Thiago M. Coelho, Robert J. Dart, Bobby B. Saadian

Ann Marie Mortimer

While surfing around on the dark web in 2019, plaintiff Lavarious Gardiner found his personal identifying information up for sale.

In a class action against Walmart Inc., Gardiner claimed there was a data breach of the retailer's computer network, in which hackers accessed the personal identifying information of approximately two million online customers.

But due to the dearth of evidence, the retroactive nature of the case, and the lack of compensable harm, U.S. District Judge Jeffrey S. White of Oakland dismissed all causes of action in July, including violations of the plaintiff-friendly California Consumer Privacy Act.

The case was an early, precedent-setting test of the CCPA's provision allowing California residents to bring private suits regarding data breaches. Gardiner v. Walmart Inc., 20-CV-04618 (N.D. Cal., filed July 10, 2020).

Alleging a data breach may no longer prove sufficient for a lawsuit, as leaked personal information does not necessarily entail financial injury, identity theft or other harm in need of remuneration.

Defense attorney Ann Marie Mortimer, a partner with Hunton Andrews Kurth LLP, called the CCPA the "new shiny toy of statutory claims," but also said that "this was a case about the dog that didn't bark because there was no data breach."

White's decision recognized the CCPA did not apply retroactively for claims prior to 2020.

Mortimer said that "the court went on to consider the allegations in the complaint ... and in so doing confirmed the developed case law that simply alleging a breach, particularly of what I'm going to call 'phonebook-type elements,' is not sufficient under the law to prove a compensable loss.

"For instance, if my name and phone number is revealed in a breach, how does that translate to an actual compensable harm? Okay, well, most courts would say it doesn't," she added.

Mortimer said it was a "factually idiosyncratic case" with "a judge who rigorously applied the plain text of the statute in the CCPA. ... As the track record matures, courts are more closely scrutinizing these allegations against the familiar litmus test of whether or not they're well-pled facts, and whether those facts fit the legal standard."

She also noted that "sophisticated and persistent adversaries" could often circumvent firewalls, despite the best security protections in place.

Plaintiff's attorney Justin F. Marquez of Wilshire Law Firm could not be reached for comment.

- Kathryn Stelmach Artuso

Jason J. Kim

Jeff R. R. Nelson