Ruling on a motion to dismiss a claim for violation of the California Consumer Privacy Act, the Hon. Mary M. Rowland of the United States District Court in the North District of Illinois, held:

Defendants argue that [Plaintiff] fails to allege a specific action Defendants took or failed to take that breached a duty under the CCPA to maintain “reasonable” security measures. [5] at 6. But they cite no authority requiring such specificity at this stage of the proceedings. This Court finds it sufficient that [Plaintiff] alleges a Data Breach caused by Defendants’ purported lack of reasonable security measures that allowed third parties to view and steal her personal information. See, e.g.Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, 2021 WL 6882377, at *8 (N.D. Cal. May 6, 2021) (denying motion to dismiss CCPA claim based on allegations that the defendants violated their duty to maintain reasonable security measures by “allow[ing] unauthorized users to view, use, manipulate, exfiltrate, and steal the nonencrypted and nonredacted personal information of Plaintiffs and other customers, including their personal and financial information”).

In re Ligation, No. 22-cv-137, 2022 U.S. Dist. LEXIS 175415, at *33-34 (N.D. Ill. Sep. 28, 2022)