Plaintiffs rush to the courthouse to be first in line to pursue lawsuits after notice of a breach is made. The latest example involves Wendy’s, where a plaintiff alleged that “Wendy’s approach at maintaining the privacy of Plaintiff’s and Class members’ [personally identifiable information (PII)] was lackadaisical, cavalier, reckless, or at the very least, negligent,” in a complaint filed by Jonathan Torres on February 8 in U.S. District Court for the Middle District of Florida.
Torres had visited a Wendy’s restaurant in Orlando on January 3. Shortly thereafter he was informed that his debit card number had been used to make a purchase at a Sports Authority in the amount of $200, and $277.74 at a Best Buy store. On January 27, Wendy’s announced that it had discovered malicious software designed to steal credit and debit card data on computers that operate the payment processing systems for its restaurants. Torres claims he was one of the victims of the Wendy’s data breach. While the basis for causation is uncertain, Torres asserts that “lackadaisical” security measures allegedly allowed hackers to steal his debit card number and rack up nearly $600 in purchases.
Torres’ class action complaint alleges that The Wendy’s Company failed to secure and safeguard its customers’ credit and debit card numbers, other payment card data, and other personally identifiable information, and failed to provide timely, accurate, and adequate notice to Torres and other class members that their private information had been stolen and to inform them of precisely what types of information were involved. Torres seeks to certify a statewide class covering every Floridian whose information was involved in the breach.
Torres specifically argues that Wendy’s could have prevented this data breach because the hackers likely used a variant of BlackPOS, the identical malware strain that hackers used in last year’s data breach at many other retail establishments. “While many retailers, banks and card companies responded to recent breaches by adopting technology that helps [make] transactions more secure, Wendy’s has acknowledged that it has retained a security consultant to review and look into its systems.” But “[u]nfortunately, Wendy’s did not explain why such security measures had not already been in place at the time of the data breach.”
The complaint is noteworthy not just because it alleges facts in an attempt to avoid standing and lack of damage defenses, but also because it asserts causation and a uniform act which Plaintiff claims demonstrates that Wendy’s conduct fell below the reasonable standard of care. A good information security practice includes noting what attacks are being perpetrated on like or similar systems, and hardening systems against similar attacks. As Wendy’s demonstrates, Torres’ counsel is making note of such events and using them to create a basis to pursue discovery on the defendant’s infosec program and controls.