Volkswagen and Audi Face Data Breach Class Action Suit
On June 28, 2021, the giant automaker, Volkswagen AG’s U.S. entity and its Audi brand, were hit with a class action suit alleging data breach of personal information of approximately 3.3 million consumers. Villalobos v. Volkswagen Group of America, Inc. et al., 2:21-cv-13049 (Jun. 28, 2021). A California consumer filed a class action suit before the U.S. District Court for the District of New Jersey, against the automakers, on behalf of other current and prospective car buyers whose information was being allegedly compromised by hackers.
In June 2021, the automakers notified its customers about an incident which took place, whereby consumer database was obtained when one of their vendors left the data unsecured. The compromised information included name of the consumers; their contact information; vehicle purchase, lease and inquiry details, including vehicle identification numbers (VINs); make, model, year, color and trim specifics; and driver’s license, Social Security, account or loan and tax identification numbers for some consumers. The class action suit alleged that the automakers failed to adequately safeguard consumer information obtained from the year 2014 to 2019, for the purpose of sales and marketing campaigns. In the suit, the automakers have been alleged to be guilty of negligence, unjust enrichment, breach of confidence, breach of implied contract, and lastly, violations of the Driver’s Privacy Protection Act and the California Consumer Privacy Act. The suit alleged that between the years 2014 to 2019, Volkswagen and Audi collected personal information from approximately 3.3 million U.S. based customers. And around 90,000 of those customers had provided the companies with sensitive information such as driver’s license, account and Social Security numbers. However, as eager the companies were to collect the personal information, they failed to exert enthusiasm to safeguard it.
Through the class action suit, the plaintiff sought damages, reimbursement of costs for out-of-expenses such as credit monitoring services, and improvement to Volkswagen’s and Audi’s data security systems. The consumers whose information have been compromised with are facing a heightened and imminent risk of fraud and identity theft and would have to closely monitor their financial accounts to prevent any unlawful activity. The suit further alleges that the automakers were informed in March, 2021, that unauthorized third parties had accessed customers’ personal information, and with a subsequent investigation it was confirmed that the data was stolen. However, the companies did not inform the state attorneys general and the customers affected by the hack, until June, 2021.
The plaintiff, who had leased three Audi vehicle since 2017, alleged that the data breach notice he received in June cautioned him to “look out for spam emails” and “be cautious when opening links or attachments from unsolicited third parties”. Plaintiff alleged that Volkswagen and Audi failed to comply with Federal Trade Commission guidelines in the run-up to the breach, which the companies should have been careful about, given the similar attacks against large companies in the recent years.
Similar class action suits have been filed against leading companies, such as LinkedIn, Home Depot., and most recently against Walmart. While the litigation against Walmart is ongoing, LinkedIn and Home Depot have agreed to settle the respective class action suits. In a 2014 class action alleging data breach, Home Depot, Inc. agreed to pay $17.5 million and implement a series of data security practices. Further, LinkedIn agreed to pay a total of $1.25 million to settle the class action suit against it. While also trying the current lawsuit against Volkswagen and Audi, court may refer to these precedents for reference.