In the wake of an alleged data breach, First Choice Federal Credit Union filed a class action lawsuit against The Wendy’s Company in Pennsylvania federal court on April 25.  Wendy’s has already been hit with a consumer class action filed in February in Florida federal court based on the same event.  Now First Choice seeks to bring claims on behalf of financial institutions nationwide.

According to the Complaint, Wendy’s maintained a “pervasive and inadequate approach to data security.”  That approach allegedly allowed hackers to install malware on Wendy’s computer systems that remained undetected for weeks, or possibly months, until outside parties notified Wendy’s of the possible breach.  The breach was discovered through fraudulent transactions involving customers’ personal and financial data.

First Choice seeks to represent a class of financial institutions throughout the country that issued credit or debit cards used by consumers to make purchases from Wendy’s while malware was installed on its payment card systems.  The Complaint seeks to recover the costs, including canceling and reissuing compromised cards and reimbursing customers for fraudulent charges, which these financial institutions purportedly bore as a result of the data breach.  The Complaint asserts that “[t]he financial damages suffered by Plaintiff and members of the class are massive and continue to increase.  Industry sources estimate that millions of accounts could be affected by the data breach.”

The three-count class action Complaint alleges:

  • negligence for Wendy’s alleged failure to use reasonable measures to protect its customers’ personal and financial information;
  • negligence per se, for the company’s suspected violation of Section 5 of the Federal Trade Commission Act; and
  • declaratory and injunctive relief, requesting that Wendy’s employ adequate security protocols consistent with industry standards to protect its customers’ personal and financial information.

Other large companies have faced similar claims.  For example, several U.S. banks filed suit against Target following its 2013 data breach.  The banks claimed that they lost millions when they were forced to reimburse customers who lost money as a result of the breach.  Target settled the class action lawsuit for $39 million in December 2015.  Most recently, in March, Home Depot settled a consolidated class action filed by financial institutions for $19.5 million resulting from the 2014 breach of its systems.

Troutman Sanders LLP will continue to monitor developments in the Wendy’s data breach class action.