Here is one of the questions we get asked most often: “OK, so we’ve had a real data breach and you say we have clear notification obligations. What can happen if we just ignore it and pretend it never happened — that is, we just don’t notify?”
Unfortunately, this question is oftentimes coupled with this statement as well: “Well, I talked to our business lawyer and he said this really isn’t a big deal and we shouldn’t worry about it.”
And then, after I explain to them why I wouldn’t go to a proctologist for advice about dealing with an abscessed tooth, I usually get this question: “Well, how is anybody going to find out about this if we do not say anything?”
I recognize that the folks asking me these questions are scared. They are dealing with something that is unknown to them, and because I am giving them bad news, they don’t like it. They have every right to ask these questions, and they should, so that they have as much information as possible when making a critical decision that could very well impact the future existence of their business.
As I was reading the Law360 article, Walmart Sued Over Allegedly Undisclosed Data Breach (subscription required), the above questions popped into my head, so I thought it would be helpful to share some of the details from that article. All I know about this case comes from this article, and I have no idea how the case is going to turn out. But, in reading the article, a lot of what is being said seems very plausible to me, based on my experience, and it highlights some of the things I caution folks about when they ask me why they have to notify.
What can happen?
Plaintiff Lavarious Gardiner is suing Walmart in a consumer class action lawsuit in California “for alleged violations of California’s Consumer Privacy Act and the state’s unfair competition law as well as negligence, breach of contract, and breach of the implied covenant of good faith and fair dealing.” The lawsuit is seeking unspecified damages, costs and attorney fees.
According to the article, this “case differs from other prominent data breach suits involving major retailers, such as Zappos, because the company didn’t disclose the breach and Gardiner could prove his individual information had been exposed.” “’Here we already have that information being sold for money online,’” according to Gardiner’s attorney.
How did the plaintiff find out about the alleged data breach?
Gardiner claims to have discovered that, in addition to his own account information, data taken from over two million Walmart customer accounts is for sale on the dark web.
“Gardiner also said that he had talked to some of the hackers, who told him that ‘the accounts they are selling are real accounts that belong to Walmart customers.’”
“Although Gardiner doesn’t specify a timeframe during which the alleged breach occurred, he says he used a variety of digital security tools to check for vulnerabilities in Walmart’s systems and found numerous issues. What’s more, he says, Walmart hasn’t told its customers that their data is at risk.”
“’Despite the fact that the accounts are available for sale on the dark web, and Walmart’s website contains multiple severe vulnerabilities through which the data was obtained, Walmart has failed whatsoever to notify its customers that their data has been stolen,’ Gardiner said.”
For those who may wish to follow this case, the case is Gardiner v. Walmart Inc. et al., case number 4:20-cv-04618, in the U.S. District Court for the Northern District of California. Read more at: https://www.law360.com/cybersecurity-privacy/articles/1292079/walmart-sued-over-allegedly-undisclosed-data-breach?nl_pk=052b01ce-e721-409e-a0a9-c63ac9c57cbd&utm_source=newsletter&utm_medium=email&utm_campaign=cybersecurity-privacy?copied=1