This week, Volkswagen AG’s U.S. entity and its Audi brand were hit with a class action for a data breach that allegedly compromised 3.3 million consumers’ personal information. In the U.S. District Court for the District of New Jersey, a California consumer filed a suit against the automakers on behalf of other current and prospective car buyers whose information was allegedly compromised by hackers.

In June 2021, Volkswagen and Audi notified consumers of an incident in which consumer information was potentially obtained and/or accessed when one of their vendors left the data unsecured. The information potentially affected by this incident included the consumers’ names, contact information and (for some) driver’s license numbers or other similar identification number. The suit alleges that the automakers did not adequately safeguard consumer data from 2014-2019, which was gathered for purposes of sales and marketing campaigns.

The suit alleges claims of negligence, unjust enrichment, breach of confidence, breach of implied contract, as well as violations of the Driver’s Privacy Protection Act and the California Consumer Privacy Act. Plaintiff is seeking damages, reimbursement of costs for out-of-pocket expenses such as credit monitoring services, and improvements to Volkswagen’s and Audi’s data security systems.

We will monitor this suit, especially in regard to the claims under the California Consumer Privacy Act, to see what (if any) lessons can be learned or precedent set.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.