Within the span of seven days this month, in two different regions of the country some 2,700 miles apart, class action lawsuits were filed against WAWA, the East Coast convenience store king, and Ring, the maker of the smart doorbell marketed through Amazon. Both of these suits allege negligence against the defendants for failing to maintain and implement security measures to protect the consumer.
The Ring case has been discussed at length in multiple online publications. The doorbell camera and its network were accessed by an unauthorized user, who had access to the data and images of the customer, a California resident, in the state where the lawsuit was filed. The WAWA case has flown a bit more under the radar.
In the WAWA Class Action Complaint filed in the Eastern District of Pennsylvania, the lead plaintiff was a regular customer of the WAWA stores near his residence, and he and his wife paid by payment card there over a lengthy period (possibly years) up until this past December. In December WAWA sent a notice to its customers that its payment processing servers had been breached. It read in part:
Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019. This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained. At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines.
Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019. Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware.
It does not take a legal scholar to see where this is going. By the notice's own dates, the malware was present on payment processing servers from March 2019 until its discovery on December 10, 2019, roughly nine months of dwell time, and was contained within two days of being found. In addition to alleging that the notice was far from timely given when the breach activity began and when it was discovered, the plaintiffs asserted that the safeguards described in the WAWA Privacy Notice were negligent in that they did not follow payment card industry standards or the FTC's prohibition on failing to protect confidential information. While the PCI Security Standards Council's standard (PCI DSS) is not law, it is imposed on merchants by contract through the card brands and their acquiring banks, and it is widely treated as the industry's baseline of best practice, which is why a plaintiff can point to it as the measure of a reasonable duty of care. The complaint further alleged that:
…Despite this, Wawa failed to upgrade and maintain its data security systems in a meaningful way in order to prevent data breaches. Wawa's security flaws run afoul of industry best practices and standards. More specifically, the security practices in place at Wawa are in stark contrast and directly conflict with the PCI DSS core security standards.
Had Wawa properly maintained its information technology systems ("IT systems"), adequately protected them, and had adequate security safeguards in place, it could have prevented the Data Breach and/or could have promptly detected the Data Breach when it occurred.
Because of industry warnings, awareness of industry best practices, the PCI DSS, and numerous well-documented restaurant and retail (and other) data breaches, Wawa was alerted to the risk associated with failing to ensure that its IT systems were adequately secured.
Wawa was not only aware of the threat of data breaches, generally, but was aware of the specific danger of malware infiltration. Malware has been used recently to infiltrate large retailers such as, inter alia, Target, GameStop, Chipotle, Jason’s Deli, Whole Foods…
To succeed on a negligence claim, the plaintiff must show:
- There was a duty owed to the plaintiff (safeguard information)
- There was a breach of that duty (information not adequately protected)
- The breach of that duty caused the plaintiff's harm (personal financial information exposed)
- The plaintiff suffered actual damages as a result (improper disclosure, lost time and money, and increased risk of identity theft and payment card fraud)
The plaintiffs pleaded several other legal theories in their complaint, but negligence is likely to be the common cause of action as these data breach cases move forward. The downstream effects will be worth watching; in other words, how will the costs of these actions, and of the liability insurance bought to cover them, be passed on to the customer?