Even as federal courts become more lenient with affording standing in data breach lawsuits, limits remain to the type of claims courts will permit to proceed. The United States District Court for the Central District of California provided a recent example on June 18, 2019, in dismissing a suit against Delta Air Lines arising from a data breach suffered in 2017 by a vendor for Delta that supports the company’s website by providing chat services and collecting customer data (this good information will give you more data on that).
Delta avoided certain other state claims, in this and other
actions, by relying on the protections afforded to it under the federal Airline
Deregulation Act. While other businesses may not have that law to rely on, they
can still take a lesson from the McGarry case and include expressly
facing material that references such a policy.
 C.D. Cal, No. 2:18-cv-09827, DE 130 (June 18, 2019)