On Wendy’s Class Action: The Beef’s in the Details
The fast food chain is the latest to face a class action lawsuit on behalf of customers whose credit card data was stolen following a data breach.
Wendy’s, the fast food chain, won lots of fans in the 1980s with its iconic “Where’s the Beef?” ad campaign from 1984. It’s a quintessential 80s meme (before memes were a thing) that gets you knowing looks and smiles from folks of a certain age when you trot it out, and bewildered stares from millennials.
Fast forward three decades and “where’s the beef” might just end up being the company’s legal defense in the face of another class action lawsuit filed by a Pennsylvania credit union, First Choice Credit Union, following a data breach at the company that resulted in the theft of bank and credit card information belonging to an unknown number of Wendy’s customers.
According to a report by Reuters, First Choice sued Wendy’s on behalf of other credit unions and financial institutions who have suffered losses tied to the data breach, which Wendy’s acknowledged in January.
According to a report by KrebsOnSecurity, credit unions experienced a relatively high level of fraud linked to cards that were part of the breach at Wendy’s, according to B. Dan Berger, the CEO of the National Association of Federal Credit Unions. Cyber criminals will often exploit weak security controls around debit cards to withdraw large sums of money with duplicate cards manufactured using stolen card information.
The First Choice lawsuit is the second class action filed against Wendy’s in recent months. In February, Jonathan Torres, a Wendy’s customer who claims that he had fraudulent charges on his credit card totaling $577 dollars after hackers stole his card information from Wendy’s point of sale system, filed a class action suit in a Federal court in Florida on behalf of affected customers. Torres describes Wendy’s failure to “secure and safeguard its customers’ credit and debit card numbers and other payment card data” and provide timely notice to him and other customers affected.
As reported by Credit Union Times, First Choice is a small Pennsylvania credit union with 6,500 members and $43 million in assets. The firm alleges that cybercriminals used malware to extract Track 1 and Track 2 data from Wendy’s point of sale network. First Choice incurred significant costs responding to the breach. It had to cancel and reissue compromised cards, change or close accounts, reimburse cardholders for fraudulent charges and institute fraud monitoring services.
Wendy’s said in January that it was investigating claims of a credit card breach at some of its stores. The incident was linked to a compromise of the company’s point of sale (POS) network. Torres is suing on behalf of all Wendy’s customers affected by the breach.
While the company has acknowledged the incident, much is still not known about the breach: including the extent of the hackers’ penetration of Wendy’s network of stores or how many customers were affected. In a February financial filing, Wendy’s said it has engaged cybersecurity experts to conduct a comprehensive investigation into “unusual credit card activity related to certain Wendy's restaurants.” That investigation found that some of the chain’s restaurants have been found “to have malware on their systems,” Wendy’s said.
The class action suits come amid a souring legal environment for retailers and others who are the victims of data breaches.
Arguments, popular among breached firms, that consumers lack standing to sue because they cannot prove they suffered monetary damages as a result of a breach are being met with skepticism. Wendy’s in fact, made that very argument in the suit brought by Torres, arguing that the court should dismiss the case. That did not happen.
Instead, courts in the U.S. are increasingly accepting the notion that data breaches and the theft of personal information poses an imminent risk to consumers, even though no immediate harm may exist. In April, for example, the U.S. Appeals Court for the Seventh Circuit reversed a lower court’s decision to dismiss a class action suit against chain restaurant P.F. Chang’s, saying that the risk of “future injuries” suffered by consumers wrapped up in the breach there were “sufficiently imminent” to give them standing in court (PDF).
That has prompted changes by breached firms. Home Depot, for example, advanced the “no harm” argument in a class action case linked to the theft of customer information from its network, but ultimately settled the suit, agreeing to pay $19 million to customers harmed in the incident.
While the outcome of such cases is by no means clear, security experts agree that follow-on class action suits brought against breached firms help make the case for better security for customer data and payment systems. Class action suits raise the costs of any breach for a company and also inflict brand damage beyond the cost of any settlement. It is hoped that such suits, coupled with higher insurance costs in the wake of adverse incidents, will prompt companies to do more to address information security issues on their networks.