On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach.