Plaintiffs rush to the courthouse to be first in line to pursue lawsuits after notice of a breach is made.  The latest example involves Wendy’s, where a plaintiff alleged that “Wendy’s approach at maintaining the privacy of Plaintiff’s and Class members’ [personally identifiable information (PII)] was lackadaisical, cavalier, reckless, or at the very least, negligent,” in a complaint filed by Jonathan Torres on February 8 in U.S. District Court for the Middle District of Florida.   

Torres had visited a Wendy’s restaurant in Orlando on January 3.  Shortly thereafter he was informed that his debit card number had been used to make a purchase at a Sports Authority in the amount of $200, and $277.74 at a Best Buy store.  On January 27, Wendy’s announced that it had discovered malicious software designed to steal credit and debit card data on computers that operate the payment processing systems for its restaurants.  Torres claims he was one of the victims of the Wendy’s data breach.  While the basis for causation is uncertain, Torres asserts that “lackadaisical” security measures allegedly allowed hackers to steal his debit card number and rack up nearly $600 in purchases. 

Torres’ class action complaint alleges that The Wendy’s Company failed to secure and safeguard its customers’ credit and debit card numbers, other payment card data, and other personally identifiable information, and failed to provide timely, accurate, and adequate notice to Torres and other class members that their private information had been stolen and to inform them of precisely what types of information were involvedTorres seeks to certify a statewide class covering every Floridian whose information was involved in the breach.   

Torres specifically argues that Wendy’s could have prevented this data breach because the hackers likely used a variant of BlackPOS, the identical malware strain that hackers used in last year’s data breach at many other retail establishments.  “While many retailers, banks and card companies responded to recent breaches by adopting technology that helps [make] transactions more secure, Wendy’s has acknowledged that it has retained a security consultant to review and look into its systems.”  But “[u]nfortunately, Wendy’s did not explain why such security measures had not already been in place at the time of the data breach.” 

The complaint is noteworthy not just because it alleges facts in an attempt to avoid standing and lack of damage defenses, but also because it asserts causation and a uniform act which Plaintiff claims demonstrates that Wendy’s conduct fell below the reasonable standard of care.  A good information security practice includes noting what attacks are being perpetrated on like or similar systems, and hardening systems against similar attacks.  As Wendy’s demonstrates, Torres’ counsel is making note of such events and using them to create a basis to pursue discovery on the defendant’s infosec program and controls.   

 

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Julie D. Hoffmeister Julie D. Hoffmeister

Julie is a partner primarily focusing on financial services litigation. She defends consumer-facing companies of all types in individual claims and class actions, including claims under the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), and the Telephone Consumer Protection…

Julie is a partner primarily focusing on financial services litigation. She defends consumer-facing companies of all types in individual claims and class actions, including claims under the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), and the Telephone Consumer Protection Act (TCPA). Julie also applies her litigation knowledge in assisting businesses in developing compliance processes and procedures for the myriad federal consumer protection laws.

Read more about Julie D. HoffmeisterJulie's Linkedin Profile
Show more Show less
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Read more about Ronald I. Raether, Jr.Ronald I.'s Linkedin Profile
Show more Show less
Related Posts
Cybersecurity, virus protection, Hand on laptop with holographic System warning and red alert icons. Symbolizes cyber threats, data security breaches, and IT system errors. digital risk management now
Fourth Circuit Finds Public Disclosure Required for Standing in Data Breach Case
October 27, 2025
Inside Shield. CPU Concept. Cybersecurity Technology
Important Guidance on Third-Party Service Provider Cyber Risk
October 22, 2025
Electronic quantum computer microchip with lock icon. Internet security and privacy network technology. Circuit board. 3d render
Shining the Light on a Recent Wave of Potential Privacy Claims
September 22, 2025