2021 CCPA Litigation Tracker

As of January 1, 2020, California became the first state to permit residents whose sensitive personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm. Further, the California Attorney General may bring a civil action against any entity violating the CCPA, seeking an injunction and civil penalties between $2,500 (for each violation) and $7,500 (for each intentional violation). As a result, we will continue to see a significant uptick in data breach class actions filed in California courts. BCLP’s Litigation Tracker will help you stay abreast of litigation trends and regulatory developments.

*Cases identified based upon public court filings and may not include cases filed in state courts that do not publicly post complaints, or cases that do not directly identify the CCPA in cover sheets.

**Please contact goli.mahdavi@bclplaw.com if you are aware of a case filing not identified within the litigation tracker, or for more information about a particular case.

Date Filed
May 17, 2021
Sector

Property Management

Case Number
34-2021-00300923
Court
Superior Court of Sacramento
Plantiff(s)
Archibeque, et al.
Allegation
Putative class action against a multifamily property management company. Defendant is alleged to have failed to protect the sensitive personal information (including but not limited to names, addresses, dates of birth, Social Security numbers, driver's license numbers or other government identification card numbers, passport numbers, tax identification numbers, financial account information, online credentials, digital signatures, and/or payment card information, and medical information) belonging to the residents of the properties managed by Defendant. On or about August 14, 2020, Defendant learned about an alleged data breach by an unauthorized actor who gained access to this personal information. Complaint alleges a violation of the CCPA § 1798.150: failure to implement and maintain reasonable security procedures sufficient to protect Plaintiff & California Class's sensitive personal information from unauthorized access and disclosure. Plaintiffs also bring various claims for negligence, breach of written contract, breach of implied contract, invasion of privacy, breach of confidence, violation of CA's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.) for both unfair and unlawful business practices, and violation of CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.)
Date Filed
June 21, 2021
Sector

Healthcare

Case Number
37-2021-00026758-CU-BT-CTL
Court
Superior Court of San Diego
Plantiff(s)
Thomas, et al.
Allegation
Putative class action against a healthcare provider. Defendant is alleged to have failed to use reasonable security measures to protect individuals' sensitive personal data, including names, social security numbers or other government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health information, and/or client identification numbers, and other protected health information and personally identifiable information. On or before December 3, 2020, Defendant is alleged to have became aware of the alleged data breach that resulted in unauthorized access to individuals' identifiable information. Complaint alleges a violation of the CCPA § 1798.100 et seq. Plaintiffs also bring various claims for negligence, intrusion upon seclusion/invasion of privacy, breach of express contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, violation of CA's Confidentiality of Medical Information Act (Cal. Civ. Code § 56, et seq.), and violation of CA's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.)
Date Filed
June 17, 2021
Sector

Healthcare

Case Number
37-2021-00026415-CU-BC-CTL
Court
Superior Court of San Diego
Plantiff(s)
Barlew, et al.
Allegation
Putative class action against a healthcare provider. Defendant is alleged to have failed to take adequate security measures (including adequate vetting of the Defendant's IT service provider) to protect individuals' personal and medical information (including names, social security numbers or other government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and/or client identification numbers) from unauthorized access. Defendants became aware of a data breach on or about April 12, 2021. Data breach is alleged to have occurred in late September 2020 and files obtained by an unauthorized third party between October 22, 2020 to December 3, 2020. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security measures sufficient to protect individuals' personal and medical information. Plaintiffs also bring various claims for negligence, negligence per se, breach of implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment, violations of CA's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.), violations of CA's Customer Records Act (Cal. Civ. Code §§ 1798.82, et seq.), and violations of CA's Confidentiality of Medical Information Act (Cal. Civ. Code § 56, et seq.)
Date Filed
January 25, 2021
Sector

Financial Services

Case Number
3:21-cv-01089-LAB-MSB (originally 3:21-cv-00572)
Court
USDC Southern District of California
Plantiff(s)
McClure, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer personal cardholder information associated with Employment Development Department ("EDD") debit accounts (including names or initials, account numbers, and any security codes, access codes, or passwords for financial accounts) resulting in unauthorized access to those accounts and theft. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to implement and maintain reasonable security measures (including issuing EDD debit cards without EMV debit chip technology) sufficient to securely store and transfer cardholders' personal information. Plaintiffs also bring various claims for violations of the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), violations of CA Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.), negligence, negligent performance of contract, negligent failure to warn, breach of contract, breach of contract (third-party beneficiaries), breach of implied contract, and breach of the implied covenant of good faith and fair dealing. Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
January 26, 2021
Sector

Financial Services

Case Number
3:21-cv-01088-LAB (originally 3:21-cv-00615)
Court
USDC Southern District of California
Plantiff(s)
Oosthuizen and Mathews, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to protect Plaintiffs' and class members Employment Development Department ("EDD") debit accounts and associated personal information (including but not limited to names and initials, account numbers, and any security codes, access codes, or passwords for financial accounts) from fraudulent access and theft by unauthorized parties. Complaint alleges a violation of the CCPA §§ 1798.100 et seq.: failure to implement and maintain reasonable security measures (including issuing EDD debit cards without EMV debit chip technology) sufficient to securely store and transfer cardholders' sensitive personal information. Plaintiffs also bring various claims for violations of CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.), violations of CA's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.), negligence and negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, breach of contract (third-party beneficiaries). Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
June 10, 2021
Sector

App-based parking service

Case Number
8:21-cv-01024-CJC-ADS
Court
USDC Central District of California
Plantiff(s)
Schaubach, et al.
Allegation
Putative class action against an app-based parking service. Defendant is alleged to have failed to protect customers' personally identifiable information including first and last names, email addresses, passwords, home addresses, telephone numbers, and license plate numbers. The data breach is alleged to have occurred when Defendants were hacked via a third-party software vulnerability on or about March 2021. Complaint alleges a violation of the CCPA § 1798.150: failure to implement and maintain reasonable security measures sufficient to protect customers' personal information. Plaintiffs also bring a claim for negligence.
Date Filed
June 04, 2021
Sector

Healthcare Technology

Case Number
2:21-cv-01004-KJM-AC
Court
USDC Eastern District of California
Plantiff(s)
Camacho, by and through her minor child T.C., et al.
Allegation
Putative class action against a healthcare technology company and specialty pharmacy benefits manager. Defendant is alleged to have failed to protect customers' personal health information and personal identifiable information, including first and last name, date of birth, and prescription information. On or about May 5, 2021, Plaintiff was notified of alleged data breach in which T.C.'s personal health information and personal identifiable information had been improperly accessed by unauthorized third parties. The alleged data breach occurred on February 6, 2021. Complaint alleges a violation of the CCPA §§ 1798.100 et seq: failure to exercise reasonable care and implement adequate security measures sufficient to protect the personal identifiable information and personal health information of the plaintiff's minor child and Class members. Plaintiffs also bring various claims for negligence (also incorporating the CCPA), negligence per se (also incorporating the CCPA), breach of confidence, breach of express contract, breach of implied contract, intrusion upon seclusion, CA's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.) (also incorporating the CCPA), CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.) and request for a declaratory judgment and injunctive relief.
Date Filed
May 25, 2021
Sector

Biometrics Technology

Case Number
2:21-cv-04360
Court
USDC Central District of California
Plantiff(s)
Vestrand, et al.
Allegation
Putative class action against a biometrics technology company. Defendant is alleged to have covertly collected biometric information of individuals using artificial intelligence algorithms that scan facial images from the internet. Defendant is alleged to have created a searchable biometric database using this collected biometric information. Defendant is further alleged to have allowed hackers or other unauthorized parties to obtain access to the biometric database containing the sensitive biometric data. Complaint alleges a violation of the CCPA § 1798.100(b): failure to inform Plaintiff and subclass as to what personal information would be collected and how the personal information would be used. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.) for unlawful and unfair business practices, incorporating CCPA § 1798.100(b), Commercial Misappropriation under Cal. Civ. Code § 3344(a) (also separately alleged), Invasion of Privacy under the CA Constitution (Art. I, § 1) (also separately alleged), and violation of CA's common law right of publicity (also separately alleged), unjust enrichment, and a request for declaratory judgment and injunction.
Date Filed
May 04, 2021
Sector

Hosted File Transfer Services

Case Number
5:21-cv-03322-SVK
Court
USDC Northern District of California
Plantiff(s)
Harbour and Wisnesky, et al.
Allegation
Putative class action against a file transfer service provider, health care insurance provider, and health care service provider. Defendants are alleged to have failed to protect the sensitive personal and health information (including but not limited to names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, bank account and routing information, and sensitive personal health information) of the health care insurance provider's members, resulting in unauthorized access by third parties. The data breach is alleged to have occurred between January 7, 2021 and January 25, 2021. Members were notified of the data breach on or about March 24, 2021. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: failure to implement and maintain reasonable security measures sufficient to protect Plaintiff consumers' information. Plaintiffs also bring various claims for negligence, negligence per se, breach of implied contract, violation of CA's Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56 et seq.), violation of CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.), violation of CA's Unfair Competition Law (incorporating the CCPA under the "unlawful" business practice prong, Cal. Bus. & Prof. Code §§ 17200, et seq.), invasion of privacy (intrusion upon seclusion), violation of the CA Constitution (Art. 1, § 1), and a request for declaratory relief.
Date Filed
May 04, 2021
Sector

Insurance

Case Number
3:21-cv-03295
Court
USDC Northern District of California
Plantiff(s)
Becker, et al.
Allegation
Putative class action against an insurance agency. Defendant is alleged to have failed to protect customer PII (names, social security numbers, dates of birth, insurance information, and other sensitive personal and health information) from unauthorized disclosure by a third party. Data breach is alleged to have occurred between March 6, 2020 and May 5, 2020. Plaintiffs bring various claims for negligence, breach of confidence, request for injunctive and declaratory relief, and violation of CA's Unfair Competition Law §§ 17200 et seq. ("unlawful" conduct based on alleged violation of the CCPA based on the failure to implement and maintain reasonable security measures sufficient to protect Plaintiffs' PII (Cal. Civ. Code §§ 1798.100, et seq.)).
Date Filed
April 23, 2021
Sector

Hosted File Transfer Services

Case Number
5:21-cv-02975
Court
USDC Northern District of California
Plantiff(s)
Doe, et al.
Allegation
Putative class action against a file transfer service provider and health care insurance provider. Defendants are alleged to have failed to protect sensitive personal and health information (including but not limited to names, home addresses, insurance ID numbers, social security numbers, health information, and medical history) of the health care insurance provider's members, resulting in access by unauthorized individuals. The data breach is alleged to have occurred on or about mid-December 2020 through January 2021. Members were notified of the data breach on or about March 24, 2021. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: failure to implement and maintain reasonable security procedures sufficient to prevent unauthorized access and disclosure of Plaintiffs' personal and health information. Plaintiffs also bring various claims for negligence, negligence per se, invasion of privacy, breach of confidence, and breach of contract.
Date Filed
April 20, 2021
Sector

Financial Services

Case Number
3:21-cv-01137-LAB-MSB (originally 2:21-cv-03385)
Court
USDC Southern District of California
Plantiff(s)
Smith and Yuan, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer cardholder PII (e.g. names, account or credit/debit card numbers and associated security codes), including issuing cards without EMV chip technology, resulting in unauthorized access, disclosure, and theft of PII and property. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: failure to take reasonable measures to adequately protect Plaintiffs' personal information. Plaintiffs also bring various claims for negligence, negligent failure to warn, violation of the Electronic Funds Transfer Act (15 USC § 1963 and 12 C.F.R. § 205.1, et seq.), breach of contract, and violation of CA's Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.). Transferred from USDC Central District of California to USDC Southern District of California.
Date Filed
April 13, 2021
Sector

Insurance

Case Number
2:21-cv-04441-AB (originally 21STCV13824)
Court
USDC Central District of California
Plantiff(s)
Lopez, et al.
Allegation
Putative class action against an insurance company. Defendant is alleged to have failed to protect customers' PII (names, addresses, driver's license numbers, payment card information) resulting in unauthorized access by a third party. The data breach is alleged to have occurred on December 26, 2020 and another unspecified date in December. Plaintiffs were notified of the data breach on March 16, 2021. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: Failure to implement and maintain reasonable security measures sufficient to protect customer's PII from unauthorized access. Plaintiffs also bring various claims for CA's Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), and breach of contract. Transferred from Superior Court of Los Angeles to USDC Central District of California.
Date Filed
April 06, 2021
Sector

Hosted File Transfer Services

Case Number
21CV379187
Court
Superior Court of Santa Clara
Plantiff(s)
Vunisa, et al.
Allegation
Putative class action against a file transfer service provider and health care insurance provider. Defendants are alleged to have failed to protect sensitive personal and health information of the health care insurance provider's members, resulting in access by unauthorized individuals. The data breach is alleged to have occurred on or about mid-December 2020 through January 2021. Complaint alleges a violation of the CCPA §§ 1798.100 et seq.: failure to implement and maintain reasonable security procedures sufficient to protect sensitive personal data from unauthorized access. Plaintiffs also bring various claims against one or more defendant(s) for violation of the CA Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56, et seq.), violation of the CA Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), invasion of privacy, breach of contract, breach of implied contract, and a request for declaratory relief.
Date Filed
March 26, 2021
Sector

Financial Services

Case Number
2:21-cv-02645
Court
USDC Central District of California
Plantiff(s)
Atachbarian, et al.
Allegation
Putative class action against a company that provides address verification services and payment processing. Defendant is alleged to have failed to protect plaintiffs' PII (names, addresses, license plate numbers, and vehicle identification numbers) from unauthorized disclosure and theft in a ransomware attack. The alleged data breach occurred on or about February 3 and 4, 2021. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security procedures sufficient to protect plaintiffs' PII. Plaintiffs also bring various claims for violations of the Driver's Privacy Protection Act (18 U.S.C. §§ 2721, et seq.), and invasion of privacy (CA Constitution, Art. 1, § 1).
Date Filed
March 25, 2021
Sector

Financial Services

Case Number
2:21-cv-02596
Court
USDC Central District of California
Plantiff(s)
Blain, et al.
Allegation
Putative class action against a company that provides address verification services and payment processing. Defendant is alleged to have failed to protect plaintiffs' PII (names, addresses, license plate numbers, and vehicle identification numbers) from unauthorized disclosure and theft in a ransomware attack. The alleged data breach occurred on or about February 3 and 4, 2021. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security procedures sufficient to protect plaintiffs' PII. Plaintiffs also bring various claims for violation of the Driver's Privacy Protection Act (18 U.S.C. §§ 2721, et seq.), invasion of privacy (CA Constitution, Art. 1, § 1), and negligence.
Date Filed
March 16, 2021
Sector

Financial Services

Case Number
34-2021-00296612-CU-BC-GDS
Court
Superior Court of Sacramento
Plantiff(s)
Rodriguez, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to adequately safeguard its customers' PII (including names, addresses, dates of birth, Social Security numbers, and financial account information) which allowed the unauthorized transfer of the PII by an employee to a third party. The alleged data breach was discovered by the bank on September 29, 2020 and affected customers were notified on November 19, 2020. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to maintain reasonable security procedures sufficient to protect the customers' PII. Plaintiffs also bring various claims for negligence, negligence per se, bailment, breach of implied contract, violation of CA's Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.), and violation of CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.).
Date Filed
March 11, 2021
Sector

Cloud based Technology

Case Number
5:21-cv-01708
Court
USDC Northern District of California
Plantiff(s)
Whittaker, et al.
Allegation
Putative class action against a cloud service provider. Defendant is alleged to have failed to properly maintain and store customer PII, resulting in unauthorized access to customer PII. Data breach(es) is/are alleged to have occurred during December 2020 and January 2021. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to implement and maintain sufficient security measures to protect the customers' PII. Plaintiffs also bring various claims for negligence, negligence per se, a third party beneficiary claim, violation of CA's Confidentiality of Medical Information Act (CA Civ. Code §§ 6, et seq.), CA's Unfair and Unlawful Business Practices (§§ 17200, et seq.), request for relief under the Declaratory Judgment Act (28 U.S.C. § 2201 et seq.)
Date Filed
March 01, 2021
Sector

Financial Services

Case Number
3:21-cv-01115-LAB (originally 3:21-cv-01466)
Court
USDC Southern District of California
Plantiff(s)
Smith and Karam, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store or transfer cardholder and account information to prevent unauthorized account use and disclosure of PII. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to maintain reasonable security measures sufficient to protect consumers' PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law, violation of Electronic Funds Transfer Act (15 U.S.C. § 1693, et seq.), negligence, negligent performance of contract, negligent failure to warn, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of contract (for third-party beneficiaries.) Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
February 19, 2021
Sector

Financial Services

Case Number
2:21-cv-01567
Court
USDC Central District of California
Plantiff(s)
Trevino, et al.
Allegation
Putative class action against a company that provides address verification services and payment processing. Defendant is alleged to have failed to protect plaintiffs' PII from unauthorized disclosure and theft in a ransomware attack. Data breach is alleged to have occurred in February 2021. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security measures to sufficiently protect plaintiffs' PII. Plaintiffs also bring various claims for violations of the Driver's Privacy Protection Act ("DPPA") (18 U.S.C. §§ 2721, et seq.), breach of contract (plaintiffs as intended third-party beneficiaries), and invasion of privacy and violation of the CA Constitution (Art. I, § 1).
Date Filed
February 26, 2021
Sector

Online Retail/Technology

Case Number
BCV-21-100436
Court
Superior Court of Kern
Plantiff(s)
Newman, et al.
Allegation
Putative class action against an online precious metals retailer. Defendant is alleged to have failed to implement and maintain reasonable online security measures sufficient to protect consumer's PII (including consumer's names, address, and payment card information) resulting in unauthorized access and disclosure. Data breach is alleged to have occurred between February 18, 2020 through July 17, 2020. Complaint alleges a violation of the CCPA § 1798.100: failure to implement and maintain reasonable security measures sufficient to protect consumers' PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law, §§ 17200 et seq., and breach of contract.
Date Filed
February 26, 2021
Sector

Cloud based Technology

Case Number
5:21-cv-01430-VKD
Court
USDC Northern District of California
Plantiff(s)
Price, et al.
Allegation
Putative class action against a cloud service provider. Defendant is alleged to have failed to properly secure and safeguard PII (including names, social security numbers, driver's license or state identification numbers, dates of birth, bank account numbers, and medical information) stored or shared on its file transfer service on the cloud. Data breach(es) is/are alleged to have occurred during December 2020 and January 2021. Defendant is further alleged to have failed to adequately warn customers of its inadequate security. Plaintiffs bring various claims for violation of CA's Unfair Competition Law §§ 17200 et seq. (including violation of the Confidentiality of Medical Information Act ("CMIA") (CA Civ. Code § 56, et seq.), violation of the Customer Records Act ("CRA") (CA Civ. Code §§ 1798.80, et seq.), violation of the CCPA (CA Civ. Code §§ 1798.100, et seq.), Section 5 of the Federal Trade Commission Act, and other state data security laws), and negligence.
Date Filed
February 18, 2021
Sector

Financial Services

Case Number
2:21-cv-00319-MCE-KJN
Court
USDC Eastern District of California
Plantiff(s)
Wiggins, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer cardholder PII (e.g. names, account or credit/debit card numbers and associated security codes), including issuing cards without EMV chip technology, resulting in unauthorized access, disclosure, and theft of PII and property. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security measures sufficient to protect plaintiffs' PII. Plaintiffs also bring various claims for violations of CA's Unfair Competition Law §§ 17200 et seq., violations of Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), negligence, and breach of contract.
Date Filed
February 02, 2021
Sector

Healthcare/Digital Services

Case Number
5:21-cv-00198-JWH-SHK
Court
USDC Central District of California
Plantiff(s)
Gamino, et al.
Allegation
Putative class action against a mobile application provider that tracks gynecological functions of the user. Defendant is alleged to have failed to safeguard consumers' private health information, and failed to disclose the collection and sale of consumers' personal information to third parties for commercial exploitation without the user's permission. Plaintiffs bring various claims, including invasion of privacy and violation of the CA Constitution (Art. 1, § 1), intrusion upon seclusion, violation of CA's Unfair Competition Law §§ 17200 et seq. ("unlawful" conduct based on alleged violation of the CCPA, et al.), negligent misrepresentation, unjust enrichment, violation of the Comprehensive Computer Data Access and Fraud Act ("CDAFA") under Cal. Penal Code § 502, and violation of the Federal Wiretap Act, 18 U.S.C. §§ 2510, et seq.
Date Filed
February 01, 2021
Sector

Healthcare/Medical Supplies

Case Number
2:21-cv-00946
Court
USDC Northern District of California
Plantiff(s)
Hashemi and Altes, et al.
Allegation
Putative class action against a hair clinic. Defendant is alleged to have failed to properly protect PII (names, social security numbers, financial account and/or payment card numbers, and driver's license numbers). Defendant is further alleged to have failed to adequately notify plaintiffs of the unauthorized disclosure of their PII. The data breach is alleged to have occurred on or about August 17, 2020 through September 24, 2020. Complaint alleges a violation of the CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for negligence, breach of confidence, and violation of CA's Unfair Competition Law § 17200 et seq.
Date Filed
February 01, 2021
Sector

Healthcare/Medical Supplies

Case Number
30-2021-01181929-CU-BC-CXC
Court
Superior Court of Orange
Plantiff(s)
Mullinix, Vela, Orozco, et al.
Allegation
Putative class action against a fertility clinic network. Defendant is alleged to have failed to protect patient PII (names, addresses, dates of birth, MPI numbers, and social security numbers) thereby allowing unauthorized third parties to gain access. Defendant is further alleged to have failed to adequately notify plaintiffs of the unauthorized access of their PII. The data breach is alleged to have occurred between August 12, 2020 and September 14, 2020. Complaint alleges a violation of the CCPA § 1798.150(a)(1): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for breach of express an/or implied contractual promise, breach of covenant of good faith and fair dealing, negligence per se, negligence, violation of CA's Unfair Competition Law § 17200 et seq., violation of CA's Consumer Legal Remedies Act § 1750 et seq., violation of the Maryland Consumer Protection Act (Md. Code Comm. Law § 13-301 et seq.), and violation of the Maryland Personal Information Protection Act (Md. Code Ann., § 14-3501 et seq.).
Date Filed
January 28, 2021
Sector

Financial Services

Case Number
3:21-cv-01087-LAB (originally 3:21-cv-00699-SK)
Court
USDC Southern District of California
Plantiff(s)
Wilson, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer cardholder PII, including issuing cards without EMV chip technology, resulting in unauthorized access, disclosure, and theft of PII and property. Complaint alleges a violation of the CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violations of CA's Unfair Competition Law, violations of Elecronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), negligence, negligent performance of contract, negligent failure to warn, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of contract (third-party beneficiaries.) Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
January 27, 2021
Sector

Payment Services

Case Number
3:21-cv-00641-JCS
Court
USDC Northern District of California
Plantiff(s)
Bitmouni, et al.
Allegation
Putative class action against company that provides online payment services for merchants. Defendant is alleged to have failed to properly secure PII (including names, contact details, social security numbers, and bank account information) from unauthorized access via one of its websites. Defendant is alleged to also have failed to provide sufficient notice to customers that their PII had been exposed. The data breach occurred between May 13, 2018 and December 16, 2020. Complaint alleges a violation of CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for negligence, breach of implied contract, invasion of privacy, breach of confidence, and violation of CA's Unfair Competition Law § 17200 et seq.
Date Filed
January 22, 2021
Sector

Financial Services

Case Number
3:21-cv-01093-LAB-MSB (originally 3:21-cv-00547)
Court
USDC Southern District of California
Plantiff(s)
Willrich, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store or transfer cardholder PII, resulting in a widespread security breach of unauthorized transactions. Complaint alleges a violation of the CCPA § 1798.100 et seq.: a failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law, violations of Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), breach of contract, breach of implied contract, breach of the implied covenant of faith and fair dealing, and breach of contract (third-party beneficiaries.) Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
January 20, 2021
Sector

Financial Services

Case Number
3:21-cv-0190-LAB (originally 3:21-cv-00494)
Court
USDC Southern District of California
Plantiff(s)
Rodriguez et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to prevent the unauthorized access of cardholder PII by third parties, resulting in theft or unauthorized disclosure. Complaint alleges a violation of the CCPA § 1798.150: failing to implement and maintain reasonable security procedures sufficient to prevent plaintiffs' PII from unauthorized access. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law § 17200 et seq., violation of the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq. and 12 C.F.R. § 1005.11), negligence, breach of express contract, breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment. Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
January 15, 2021
Sector

Healthcare/Medical Supplies

Case Number
37-2021-00002017-CU-MC-CTL
Court
Superior Court of San Diego
Plantiff(s)
Ramey, et al.
Allegation
Putative class action against company that owns and operates a network of optometry centers. Defendant is alleged to have failed to protect PII (including names, addresses, dates of birth, social security numbers, and prescription information) from unauthorized access by an unknown third party on or about October 30, 2020. Complaint alleges a violation of CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law § 17200 et seq., negligence, breach of implied contract, and violation of CA's Confidentiality of Medical Information Act § 56, et seq.
Date Filed
January 14, 2021
Sector

Financial Services

Case Number
3:21-cv-01092-LAB (originally 3:21-cv-00376)
Court
USDC Southern District of California
Plantiff(s)
Yick, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have breached its duty under the CCPA to implement and maintain reasonable security procedures (e.g. use of EMV chip technology) sufficient to protect PII (including names, account numbers, credit or debit card numbers, in combination with security codes or passwords) resulting in unauthorized access, disclosure, and theft of PII. Complaint alleges a violation of the CCPA § 1798.150(a): failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violations of CA's Unfair Competition Law, violations of Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), negligence, negligence performance of contract, negligent failure to warn, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of contract (third-party beneficiaries.) Transferred from USDC Northern District of California to USDC Southern District of California.
Date Filed
January 08, 2021
Sector

Digital Financial

Services/FinTech

Case Number
21CV375167
Court
Superior Court of Santa Clara
Plantiff(s)
Mehta, et al.
Allegation
Putative class action against an online digital securities platform. Defendant is alleged to have failed to protect the PII of its platform users from unauthorized third party access on or about July 22, 2020 until on or about October 5, 2020. Complaint alleges a violation of the CCPA § 1798.150: failure to implement and maintain reasonable security procedures to protect consumer PII. Plaintiffs also bring various claims for negligence, breach of contract, violation of the Customer Records Act § 1798.82, violation of the Consumers Legal Remedies Act § 1750 et seq., violation of the Right to Privacy (Cal. Const., art. I, § 1), violation of the Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.), and violation of the False Advertising Law (Bus. & Prof. Code § 17500, et seq.)