Walmart secures dismissal of California data breach lawsuit

  • Walmart disputed alleged breach occurred
  • Judge dismissed case with prejudice

(Reuters) - A California federal judge has tossed a proposed privacy class action against Walmart Inc over an alleged data breach, finding the customer who sued the retailer still has not adequately pleaded his claims.

U.S. District Judge Jeffrey White in Oakland on Wednesday closed the case for good. He had dismissed the lawsuit earlier this year but allowed the plaintiff to amend it.

The Walmart customer, San Francisco resident Lavarious Gardiner, had brought several claims related to an alleged data breach of the Bentonville, Arkansas-based retailer's website, including that hackers made customers' personal information, such as names, addresses and financial account data, available for sale on the dark web.

Walmart, in court filings, had disputed that there was a breach. Gardiner did not specify when the alleged breach occurred, only that the disclosure is "ongoing."

Walmart, represented by Hunton Andrews Kurth, said in a statement the company is pleased with the ruling and takes protecting customers' data seriously.

"We are not aware of our data security measures being compromised, and we disputed the plaintiff's allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information," a Walmart representative said.

A lawyer at Wilshire Law Firm, which represents Gardiner, didn't immediately respond to a request for comment.

Among other claims, Gardiner alleged a violation of the California Consumer Privacy Act (CCPA), which took effect on Jan. 1, 2020 with a provision allowing consumers to sue if certain personal data is subject to a breach due to a business' failure to implement reasonable security procedures.

White, in his previous dismissal order in March, found the CCPA provision doesn't apply retroactively, and the claim could only go forward with allegations showing the supposed violation occurred on or after the law's effective date.

In Wednesday's ruling, he pointed out that Gardiner alleges he found his personal data available for sale in 2019. The "logical conclusion," then, is that the alleged breach happened before January 2020, which White called "fatal" to the CCPA claim. The judge said the court wouldn't consider a declaration from Gardiner that attests he actually made the discovery in June 2020, rather than 2019.

Since the prior order put Gardiner on notice about what was needed for the claim to proceed, "it is not credible that this allegation, which is central to Plaintiff's CCPA claim, is the result of a typo or misunderstanding," he said.

The case is Gardiner v. Walmart Inc. et al, U.S. District Court for the Northern District of California, No. 4:20-cv-04618-JSW

For the plaintiff: Justin Marquez of the Wilshire Law Firm

For Walmart: Ann Marie Mortimer of Hunton Andrews Kurth

Sara Merken reports on privacy and data security, as well as the business of law, including legal innovation and key players in the legal services industry. Reach her at sara.merken@thomsonreuters.com