2021 CCPA Litigation Tracker

As of January 1, 2020, California became the first state to permit residents whose sensitive personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm. Further, the California Attorney General may bring a civil action against any entity violating the CCPA, seeking an injunction and civil penalties between $2,500 (for each violation) and $7,500 (for each intentional violation). As a result, we will continue to see a significant uptick in data breach class actions filed in California courts. BCLP’s Litigation Tracker will help you stay abreast of litigation trends and regulatory developments.

*Cases identified based upon public court filings and may not include cases filed in state courts that do not publicly post complaints, or cases that do not directly identify the CCPA in cover sheets.

**Please contact goli.mahdavi@bclplaw.com if you are aware of a case filing not identified within the litigation tracker, or for more information about a particular case.

Date Filed
May 04, 2021
Sector

Hosted File Transfer Services

Case Number
5:21-cv-03322-SVK
Court
USDC Northern District of California
Plantiff(s)
Harbour and Wisnesky, et al.
Allegation
Putative class action against a file transfer service provider, health care insurance provider, and health care service provider. Defendants are alleged to have failed to protect the sensitive personal and health information (including but not limited to names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, bank account and routing information, and sensitive personal health information) of the health care insurance provider's members, resulting in unauthorized access by third parties. The data breach is alleged to have occurred between January 7, 2021 and January 25, 2021. Members were notified of the data breach on or about March 24, 2021. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: failure to implement and maintain reasonable security measures sufficient to protect Plaintiff consumers' information. Plaintiffs also bring various claims for negligence, negligence per se, breach of implied contract, violation of CA's Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56 et seq.), violation of CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.), violation of CA's Unfair Competition Law (incorporating the CCPA under the "unlawful" business practice prong, Cal. Bus. & Prof. Code §§ 17200, et seq.), invasion of privacy (intrusion upon seclusion), violation of the CA Constitution (Art. 1, § 1), and a request for declaratory relief.
Date Filed
May 04, 2021
Sector

Insurance

Case Number
3:21-cv-03295
Court
USDC Northern District of California
Plantiff(s)
Becker, et al.
Allegation
Putative class action against an insurance agency. Defendant is alleged to have failed to protect customer PII (names, social security numbers, dates of birth, insurance information, and other sensitive personal and health information) from unauthorized disclosure by a third party. Data breach is alleged to have occurred between March 6, 2020 and May 5, 2020. Plaintiffs bring various claims for negligence, breach of confidence, request for injunctive and declaratory relief, and violation of CA's Unfair Competition Law §§ 17200 et seq. ("unlawful" conduct based on alleged violation of the CCPA based on the failure to implement and maintain reasonable security measures sufficient to protect Plaintiffs' PII (Cal. Civ. Code §§ 1798.100, et seq.)).
Date Filed
April 23, 2021
Sector

Hosted File Transfer Services

Case Number
5:21-cv-02975
Court
USDC Northern District of California
Plantiff(s)
Doe, et al.
Allegation
Putative class action against a file transfer service provider and health care insurance provider. Defendants are alleged to have failed to protect sensitive personal and health information (including but not limited to names, home addresses, insurance ID numbers, social security numbers, health information, and medical history) of the health care insurance provider's members, resulting in access by unauthorized individuals. The data breach is alleged to have occurred on or about mid-December 2020 through January 2021. Members were notified of the data breach on or about March 24, 2021. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: failure to implement and maintain reasonable security procedures sufficient to prevent unauthorized access and disclosure of Plaintiffs' personal and health information. Plaintiffs also bring various claims for negligence, negligence per se, invasion of privacy, breach of confidence, and breach of contract.
Date Filed
April 20, 2021
Sector

Financial Services

Case Number
2:21-cv-03385
Court
USDC Central District of California
Plantiff(s)
Smith and Yuan, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer cardholder PII (e.g. names, account or credit/debit card numbers and associated security codes), including issuing cards without EMV chip technology, resulting in unauthorized access, disclosure, and theft of PII and property. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: failure to take reasonable measures to adequately protect Plaintiffs' personal information. Plaintiffs also bring various claims for negligence, negligent failure to warn, violation of the Electronic Funds Transfer Act (15 USC § 1963 and 12 C.F.R. § 205.1, et seq.), breach of contract, and violation of CA's Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.).
Date Filed
April 13, 2021
Sector

Insurance

Case Number
21STCV13824
Court
Superior Court of Los Angeles
Plantiff(s)
Lopez, et al.
Allegation
Putative class action against an insurance company. Defendant is alleged to have failed to protect customers' PII (names, addresses, driver's license numbers, payment card information) resulting in unauthorized access by a third party. The data breach is alleged to have occurred on December 26, 2020 and another unspecified date in December. Plaintiffs were notified of the data breach on March 16, 2021. Complaint alleges a violation of the CCPA §§ 1798.100, et seq.: Failure to implement and maintain reasonable security measures sufficient to protect customer's PII from unauthorized access. Plaintiffs also bring various claims for CA's Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), and breach of contract.
Date Filed
April 06, 2021
Sector

Hosted File Transfer Services

Case Number
21CV379187
Court
Superior Court of Santa Clara
Plantiff(s)
Vunisa, et al.
Allegation
Putative class action against a file transfer service provider and health care insurance provider. Defendants are alleged to have failed to protect sensitive personal and health information of the health care insurance provider's members, resulting in access by unauthorized individuals. The data breach is alleged to have occurred on or about mid-December 2020 through January 2021. Complaint alleges a violation of the CCPA §§ 1798.100 et seq.: failure to implement and maintain reasonable security procedures sufficient to protect sensitive personal data from unauthorized access. Plaintiffs also bring various claims against one or more defendant(s) for violation of the CA Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56, et seq.), violation of the CA Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), invasion of privacy, breach of contract, breach of implied contract, and a request for declaratory relief.
Date Filed
March 26, 2021
Sector

Financial Services

Case Number
2:21-cv-02645
Court
USDC Central District of California
Plantiff(s)
Atachbarian, et al.
Allegation
Putative class action against a company that provides address verification services and payment processing. Defendant is alleged to have failed to protect plaintiffs' PII (names, addresses, license plate numbers, and vehicle identification numbers) from unauthorized disclosure and theft in a ransomware attack. The alleged data breach occurred on or about February 3 and 4, 2021. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security procedures sufficient to protect plaintiffs' PII. Plaintiffs also bring various claims for violations of the Driver's Privacy Protection Act (18 U.S.C. §§ 2721, et seq.), and invasion of privacy (CA Constitution, Art. 1, § 1).
Date Filed
March 25, 2021
Sector

Financial Services

Case Number
2:21-cv-02596
Court
USDC Central District of California
Plantiff(s)
Blain, et al.
Allegation
Putative class action against a company that provides address verification services and payment processing. Defendant is alleged to have failed to protect plaintiffs' PII (names, addresses, license plate numbers, and vehicle identification numbers) from unauthorized disclosure and theft in a ransomware attack. The alleged data breach occurred on or about February 3 and 4, 2021. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security procedures sufficient to protect plaintiffs' PII. Plaintiffs also bring various claims for violation of the Driver's Privacy Protection Act (18 U.S.C. §§ 2721, et seq.), invasion of privacy (CA Constitution, Art. 1, § 1), and negligence.
Date Filed
March 16, 2021
Sector

Financial Services

Case Number
34-2021-00296612-CU-BC-GDS
Court
Superior Court of Sacramento
Plantiff(s)
Rodriguez, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to adequately safeguard its customers' PII (including names, addresses, dates of birth, Social Security numbers, and financial account information) which allowed the unauthorized transfer of the PII by an employee to a third party. The alleged data breach was discovered by the bank on September 29, 2020 and affected customers were notified on November 19, 2020. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to maintain reasonable security procedures sufficient to protect the customers' PII. Plaintiffs also bring various claims for negligence, negligence per se, bailment, breach of implied contract, violation of CA's Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.), and violation of CA's Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.).
Date Filed
March 11, 2021
Sector

Cloud based Technology

Case Number
5:21-cv-01708
Court
USDC Northern District of California
Plantiff(s)
Whittaker, et al.
Allegation
Putative class action against a cloud service provider. Defendant is alleged to have failed to properly maintain and store customer PII, resulting in unauthorized access to customer PII. Data breach(es) is/are alleged to have occurred during December 2020 and January 2021. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to implement and maintain sufficient security measures to protect the customers' PII. Plaintiffs also bring various claims for negligence, negligence per se, a third party beneficiary claim, violation of CA's Confidentiality of Medical Information Act (CA Civ. Code §§ 6, et seq.), CA's Unfair and Unlawful Business Practices (§§ 17200, et seq.), request for relief under the Declaratory Judgment Act (28 U.S.C. § 2201 et seq.)
Date Filed
March 01, 2021
Sector

Financial Services

Case Number
3:21-cv-01466
Court
USDC Northern District of California
Plantiff(s)
Smith and Karam, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store or transfer cardholder and account information to prevent unauthorized account use and disclosure of PII. Complaint alleges a violation of the CCPA § 1798.100 et seq.: failure to maintain reasonable security measures sufficient to protect consumers' PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law, violation of Electronic Funds Transfer Act (15 U.S.C. § 1693, et seq.), negligence, negligent performance of contract, negligent failure to warn, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of contract (for third-party beneficiaries.)
Date Filed
February 19, 2021
Sector

Financial Services

Case Number
2:21-cv-01567
Court
USDC Central District of California
Plantiff(s)
Trevino, et al.
Allegation
Putative class action against a company that provides address verification services and payment processing. Defendant is alleged to have failed to protect plaintiffs' PII from unauthorized disclosure and theft in a ransomware attack. Data breach is alleged to have occurred in February 2021. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security measures to sufficiently protect plaintiffs' PII. Plaintiffs also bring various claims for violations of the Driver's Privacy Protection Act ("DPPA") (18 U.S.C. §§ 2721, et seq.), breach of contract (plaintiffs as intended third-party beneficiaries), and invasion of privacy and violation of the CA Constitution (Art. I, § 1).
Date Filed
February 26, 2021
Sector

Online Retail/Technology

Case Number
BCV-21-100436
Court
Superior Court of Kern
Plantiff(s)
Newman, et al.
Allegation
Putative class action against an online precious metals retailer. Defendant is alleged to have failed to implement and maintain reasonable online security measures sufficient to protect consumer's PII (including consumer's names, address, and payment card information) resulting in unauthorized access and disclosure. Data breach is alleged to have occurred between February 18, 2020 through July 17, 2020. Complaint alleges a violation of the CCPA § 1798.100: failure to implement and maintain reasonable security measures sufficient to protect consumers' PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law, §§ 17200 et seq., and breach of contract.
Date Filed
February 26, 2021
Sector

Cloud based Technology

Case Number
5:21-cv-01430-VKD
Court
USDC Northern District of California
Plantiff(s)
Price, et al.
Allegation
Putative class action against a cloud service provider. Defendant is alleged to have failed to properly secure and safeguard PII (including names, social security numbers, driver's license or state identification numbers, dates of birth, bank account numbers, and medical information) stored or shared on its file transfer service on the cloud. Data breach(es) is/are alleged to have occurred during December 2020 and January 2021. Defendant is further alleged to have failed to adequately warn customers of its inadequate security. Plaintiffs bring various claims for violation of CA's Unfair Competition Law §§ 17200 et seq. (including violation of the Confidentiality of Medical Information Act ("CMIA") (CA Civ. Code § 56, et seq.), violation of the Customer Records Act ("CRA") (CA Civ. Code §§ 1798.80, et seq.), violation of the CCPA (CA Civ. Code §§ 1798.100, et seq.), Section 5 of the Federal Trade Commission Act, and other state data security laws), and negligence.
Date Filed
February 18, 2021
Sector

Financial Services

Case Number
2:21-cv-00319-MCE-KJN
Court
USDC Eastern District of California
Plantiff(s)
Wiggins, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer cardholder PII (e.g. names, account or credit/debit card numbers and associated security codes), including issuing cards without EMV chip technology, resulting in unauthorized access, disclosure, and theft of PII and property. Complaint alleges a violation of the CCPA § 1798.100, et seq.: failure to implement and maintain reasonable security measures sufficient to protect plaintiffs' PII. Plaintiffs also bring various claims for violations of CA's Unfair Competition Law §§ 17200 et seq., violations of Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), negligence, and breach of contract.
Date Filed
February 02, 2021
Sector

Healthcare/Digital Services

Case Number
5:21-cv-00198-JWH-SHK
Court
USDC Central District of California
Plantiff(s)
Gamino, et al.
Allegation
Putative class action against a mobile application provider that tracks gynecological functions of the user. Defendant is alleged to have failed to safeguard consumers' private health information, and failed to disclose the collection and sale of consumers' personal information to third parties for commercial exploitation without the user's permission. Plaintiffs bring various claims, including invasion of privacy and violation of the CA Constitution (Art. 1, § 1), intrusion upon seclusion, violation of CA's Unfair Competition Law §§ 17200 et seq. ("unlawful" conduct based on alleged violation of the CCPA, et al.), negligent misrepresentation, unjust enrichment, violation of the Comprehensive Computer Data Access and Fraud Act ("CDAFA") under Cal. Penal Code § 502, and violation of the Federal Wiretap Act, 18 U.S.C. §§ 2510, et seq.
Date Filed
February 01, 2021
Sector

Healthcare/Medical Supplies

Case Number
2:21-cv-00946
Court
USDC Northern District of California
Plantiff(s)
Hashemi and Altes, et al.
Allegation
Putative class action against a hair clinic. Defendant is alleged to have failed to properly protect PII (names, social security numbers, financial account and/or payment card numbers, and driver's license numbers). Defendant is further alleged to have failed to adequately notify plaintiffs of the unauthorized disclosure of their PII. The data breach is alleged to have occurred on or about August 17, 2020 through September 24, 2020. Complaint alleges a violation of the CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for negligence, breach of confidence, and violation of CA's Unfair Competition Law § 17200 et seq.
Date Filed
February 01, 2021
Sector

Healthcare/Medical Supplies

Case Number
30-2021-01181929-CU-BC-CXC
Court
Superior Court of Orange
Plantiff(s)
Mullinix, Vela, Orozco, et al.
Allegation
Putative class action against a fertility clinic network. Defendant is alleged to have failed to protect patient PII (names, addresses, dates of birth, MPI numbers, and social security numbers) thereby allowing unauthorized third parties to gain access. Defendant is further alleged to have failed to adequately notify plaintiffs of the unauthorized access of their PII. The data breach is alleged to have occurred between August 12, 2020 and September 14, 2020. Complaint alleges a violation of the CCPA § 1798.150(a)(1): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for breach of express an/or implied contractual promise, breach of covenant of good faith and fair dealing, negligence per se, negligence, violation of CA's Unfair Competition Law § 17200 et seq., violation of CA's Consumer Legal Remedies Act § 1750 et seq., violation of the Maryland Consumer Protection Act (Md. Code Comm. Law § 13-301 et seq.), and violation of the Maryland Personal Information Protection Act (Md. Code Ann., § 14-3501 et seq.).
Date Filed
January 28, 2021
Sector

Financial Services

Case Number
3:21-cv-00699-SK
Court
USDC Northern District of California
Plantiff(s)
Wilson, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store and transfer cardholder PII, including issuing cards without EMV chip technology, resulting in unauthorized access, disclosure, and theft of PII and property. Complaint alleges a violation of the CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violations of CA's Unfair Competition Law, violations of Elecronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), negligence, negligent performance of contract, negligent failure to warn, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of contract (third-party beneficiaries.)
Date Filed
January 27, 2021
Sector

Payment Services

Case Number
3:21-cv-00641-JCS
Court
USDC Northern District of California
Plantiff(s)
Bitmouni, et al.
Allegation
Putative class action against company that provides online payment services for merchants. Defendant is alleged to have failed to properly secure PII (including names, contact details, social security numbers, and bank account information) from unauthorized access via one of its websites. Defendant is alleged to also have failed to provide sufficient notice to customers that their PII had been exposed. The data breach occurred between May 13, 2018 and December 16, 2020. Complaint alleges a violation of CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for negligence, breach of implied contract, invasion of privacy, breach of confidence, and violation of CA's Unfair Competition Law § 17200 et seq.
Date Filed
January 22, 2021
Sector

Financial Services

Case Number
3:21-cv-00547
Court
USDC Northern District of California
Plantiff(s)
Willrich, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have failed to securely store or transfer cardholder PII, resulting in a widespread security breach of unauthorized transactions. Complaint alleges a violation of the CCPA § 1798.100 et seq.: a failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law, violations of Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), breach of contract, breach of implied contract, breach of the implied covenant of faith and fair dealing, and breach of contract (third-party beneficiaries.)
Date Filed
January 20, 2021
Sector

Financial Services

Case Number
3:21-cv-00494
Court
USDC Northern District of California
Plantiff(s)
Rodriguez
Allegation
Putative class action against a bank. Defendant is alleged to have failed to prevent the unauthorized access of cardholder PII by third parties, resulting in theft or unauthorized disclosure. Complaint alleges a violation of the CCPA § 1798.150: failing to implement and maintain reasonable security procedures sufficient to prevent plaintiffs' PII from unauthorized access. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law § 17200 et seq., violation of the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq. and 12 C.F.R. § 1005.11), negligence, breach of express contract, breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment.
Date Filed
January 15, 2021
Sector

Healthcare/Medical Supplies

Case Number
37-2021-00002017-CU-MC-CTL
Court
Superior Court of San Diego
Plantiff(s)
Ramey, et al.
Allegation
Putative class action against company that owns and operates a network of optometry centers. Defendant is alleged to have failed to protect PII (including names, addresses, dates of birth, social security numbers, and prescription information) from unauthorized access by an unknown third party on or about October 30, 2020. Complaint alleges a violation of CCPA § 1798.150(a): Failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violation of CA's Unfair Competition Law § 17200 et seq., negligence, breach of implied contract, and violation of CA's Confidentiality of Medical Information Act § 56, et seq.
Date Filed
January 14, 2021
Sector

Financial Services

Case Number
3:21-cv-00376
Court
USDC Northern District of California
Plantiff(s)
Yick, et al.
Allegation
Putative class action against a bank. Defendant is alleged to have breached its duty under the CCPA to implement and maintain reasonable security procedures (e.g. use of EMV chip technology) sufficient to protect PII (including names, account numbers, credit or debit card numbers, in combination with security codes or passwords) resulting in unauthorized access, disclosure, and theft of PII. Complaint alleges a violation of the CCPA § 1798.150(a): failure to implement and maintain reasonable security procedures sufficient to protect PII. Plaintiffs also bring various claims for violations of CA's Unfair Competition Law, violations of Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.), negligence, negligence performance of contract, negligent failure to warn, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of contract (third-party beneficiaries.)
Date Filed
January 08, 2021
Sector

Digital Financial

Services/FinTech

Case Number
21CV375167
Court
Superior Court of Santa Clara
Plantiff(s)
Mehta, et al.
Allegation
Putative class action against an online digital securities platform. Defendant is alleged to have failed to protect the PII of its platform users from unauthorized third party access on or about July 22, 2020 until on or about October 5, 2020. Complaint alleges a violation of the CCPA § 1798.150: failure to implement and maintain reasonable security procedures to protect consumer PII. Plaintiffs also bring various claims for negligence, breach of contract, violation of the Customer Records Act § 1798.82, violation of the Consumers Legal Remedies Act § 1750 et seq., violation of the Right to Privacy (Cal. Const., art. I, § 1), violation of the Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.), and violation of the False Advertising Law (Bus. & Prof. Code § 17500, et seq.)