California’s Supreme Court Just Made Data-Breach Lawsuits Easier to File

For years, one of the most reliable ways for a company to get a California data-breach class action dismissed was to point at what the plaintiffs couldn’t prove. Yes, an attacker got into the system. Yes, records were exfiltrated. But could the plaintiffs show that any human being on the other end had actually looked at their specific information? Usually not — forensic logs rarely capture that — and a well-developed line of Court of Appeal decisions had turned that evidentiary gap into a near-automatic exit ramp for defendants.

In J.M. v. Illuminate Education, Inc. (Cal. Supreme Court, Case No. S286699), decided in May 2026, the California Supreme Court closed that exit ramp. The Court rejected the “actually viewed” requirement for stating a claim under the Confidentiality of Medical Information Act (CMIA), holding that unauthorized acquisition of protected data can support liability even where a plaintiff cannot prove that anyone reviewed the records. For the thousands of organizations that hold Californians’ personal and medical information, the decision rebalances breach litigation in the plaintiffs’ favor — and it does so in a case that should already be familiar to readers of this site.

The Company at the Center

Illuminate Education is an education-technology vendor that supplied student-information and assessment platforms to school districts across the United States. In late 2021, attackers accessed its environment, and the data of millions of current and former students — including, in many cases, sensitive information about health, special-education status, and accommodations — was exposed. The breach became one of the defining edtech security failures of the period and drew regulatory attention well beyond California.

We have written about Illuminate before from the enforcement side, when the Federal Trade Commission pursued an information-security order against the company over the same underlying failures. J.M. is the other half of the story: the private civil-litigation side, where individuals — here, minors suing through guardians — sought to hold the company directly liable under California’s statutory privacy regime. The FTC order tells you what regulators can do. J.M. tells you what plaintiffs’ lawyers can now do, and the answer is “considerably more than before.”

The dispute turned on a deceptively simple question of statutory interpretation. Under the CMIA (Civil Code § 56 et seq.), an entity that maintains medical information must do so “in a manner that preserves the confidentiality of the information,” and a negligent release can trigger statutory damages. The Customer Records Act (Civil Code § 1798.82 and related provisions) operates on a parallel logic for personal information more broadly, defining a “breach of the security of the system” as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

A series of Court of Appeal decisions had grafted an additional element onto these statutes: to plead a breach of confidentiality, a plaintiff had to allege that an unauthorized person actually viewed the information. Mere exposure — even mere theft of the data — was not enough. Because real-world forensics almost never establish that a specific record was opened and read by a specific attacker, this requirement functioned as a structural barrier to liability. Defendants leaned on it heavily, and it worked.

The Supreme Court in J.M. rejected that gloss. The Court held that the statutory text focuses on whether confidentiality was compromised through unauthorized acquisition, not on whether the company can be shown to have failed a post-hoc test of who read what. In plain terms: if your security failed and the data was taken, a plaintiff no longer has to reconstruct the attacker’s reading habits to get into court.

A Nuanced Ruling, Not a Blank Check

It would be a mistake to read J.M. as a wholesale win for plaintiffs. The decision is more surgical than that, and the parts that cut the other way matter for how you assess your own exposure.

  • It rejected the “actually viewed” element. This is the headline, and it is genuinely significant: unauthorized acquisition, not proof of reading, is now the question, and the most effective pleading-stage defense in California breach litigation is substantially weakened.
  • It narrowed who counts as a covered “provider of health care.” Not every organization that touches health-adjacent data is a CMIA-covered provider. The Court read that definition more tightly, so an entity that falls outside the statutory category faces no CMIA liability at all, however sensitive the data it lost. For some defendants, that is a meaningful off-ramp.
  • It constrained certain private rights of action under the Customer Records Act. The Court did not hand plaintiffs an unlimited statutory-damages weapon; it clarified the boundaries of who may sue and on what theory under the CRA.

The net effect is a more plaintiff-friendly threshold for the claims that do apply, paired with sharper limits on which claims apply and who can bring them. Whether J.M. helps or hurts a given organization depends heavily on whether it is a covered provider and which statute the plaintiffs invoke.

Why This Matters Far Beyond Education

The stakes are clearest when you remember what CMIA damages look like. Where medical information is negligently released, affected individuals may recover nominal statutory damages of $1,000 per violation without proving any actual harm, alongside actual damages, attorneys’ fees, and other relief in appropriate cases. Multiply $1,000 by a class of hundreds of thousands or millions of students, patients, or customers, and the “no actual harm” feature stops being a technicality and becomes the entire economics of the case.

Before J.M., the “actually viewed” requirement was the pressure-release valve on that exposure: even with a large class and a statutory per-violation figure, defendants could argue the plaintiffs had not pleaded a cognizable breach. Remove that valve and the calculus shifts. A breach that exposes a large California population now presents a more direct path from “incident” to “certifiable class with statutory damages,” which changes settlement leverage from the first demand letter onward.

This is not confined to edtech or healthcare. Any organization that maintains the kind of data these statutes protect — and the CRA’s definition of personal information is broad — should treat J.M. as a recalibration of its litigation risk. The decision arrives alongside a wider 2026 trend in California of courts and regulators reading “breach” expansively, declining to require proof of downstream misuse, and lowering the evidentiary hurdles between an incident and a viable claim.

The ruling does not change your security obligations, but it changes the consequences of failing them, and it should change how you prepare for the litigation that follows an incident.

  • Reassess breach-litigation exposure for California populations. Update your risk models to assume that “no proof anyone viewed the data” is no longer a dependable defense to CMIA confidentiality claims. If your prior exposure estimates leaned on that defense, they are now optimistic.
  • Know whether you are a covered “provider of health care.” Because J.M. narrowed that definition, your classification under CMIA is now a live, outcome-determinative question. Get a clear legal read on whether your organization — or specific product lines — falls inside or outside the statute.
  • Map your data to the right statute. CMIA, the Customer Records Act, and the CCPA’s private right of action each have different triggers, damages, and limits. The same breach can implicate different exposure depending on which population and data type is involved. Build that mapping before an incident, not during one.
  • Tighten the security controls that the plaintiffs’ bar will scrutinize. Negligence is still the liability hook: J.M. removes the “actually viewed” element, not the requirement that the release be negligent. Access controls, encryption of data at rest, vendor oversight, retention minimization, and timely patching are exactly the elements a complaint will allege you failed. Encryption deserves particular attention, because the Customer Records Act’s notification duty is triggered by acquisition of unencrypted personal information, or of encrypted information together with the key; data encrypted under a key the attacker did not obtain generally sits outside that trigger. And because unauthorized acquisition is now the operative question, the logging that matters is the logging that bounds what was taken: access and egress records showing which systems and records were reached, and which were not, are what limit the class, not evidence about who read what. The fewer of these controls you can be credibly accused of neglecting, the better your posture even under the new standard.
  • Minimize and segregate sensitive categories. The richest statutory-damages exposure attaches to medical and other sensitive information. Holding less of it, for less time, in fewer systems, directly reduces the size of any future class and the per-record multiplier.
  • Coordinate enforcement and litigation defense. As Illuminate’s own experience shows, a single incident can generate both a regulator’s order and private class actions. The factual admissions and undertakings you make in one forum can be used against you in the other. Manage them as a single, coordinated exposure.

Conclusion

J.M. v. Illuminate Education will be cited for one proposition above all others: in California, a data-breach plaintiff no longer has to prove that someone actually read the stolen file to state a claim for breach of confidentiality. That is a structural change. It removes the defense that has quietly disposed of more California breach cases than perhaps any other, and it pairs that removal with a damages regime that does not require proof of harm.

The decision’s narrowing of “covered provider” status and its limits on certain Customer Records Act claims mean the ruling is not a one-way ratchet, and some defendants will find genuine protection in those holdings. But the direction of travel is unmistakable. California is steadily lowering the evidentiary barriers between a security failure and a viable, high-value class action — and organizations that have been comforting themselves with “they can’t prove anyone looked at it” should retire that assumption today.

This article is provided for informational purposes only and does not constitute legal advice.