Jimmy John’s Data Breach Prompts Class Action Claims
An Arizona resident has filed a putative class action in an Illinois federal court claiming that Jimmy John’s Franchise, LLC failed to secure its customers’ personal and financial data, which were purportedly accessed through the company’s point-of-sale systems at some 216 restaurant locations, between June and September 2014. Irwin v. Jimmy John’s Franchise, LLC, No. 14-2275 (C.D. Ill., filed November 6, 2014). While the named plaintiff alleges that access to her credit card information led to “five fraudulent charges to the credit card that she used during the aforesaid transactions at Jimmy John’s,” she seeks to represent 39 separate statewide classes and a District of Columbia class of all those who used a debit or credit card at Jimmy John’s during the data breach regardless of whether they actually experienced a loss or identity theft.
The plaintiff alleges that Jimmy John’s failed to promptly discover and block the data breach, relied on a “grossly inadequate information system and security oversight,” and failed to promptly and adequately inform its customers about the data breach thus placing class members “at serious risk of ongoing financial loss and identity theft.” According to the complaint, the company collects and stores information relating to credit and debit cards, including the account number, expiration date, card verification value, and personal identification number for debit cards. It also allegedly “collects and stores customer names, mailing addresses, phone numbers, and email addresses.” The plaintiff further contends, “While the Company’s collection of customer information may itself be legal, by collecting and storing such extensive and detailed customer information, the Company creates an obligation for itself to use every means available to it to protect this information from falling into the hands of identity thieves and other criminals.”
Alleging violations of state data breach statutes, breach of implied contract,bailment, unjust enrichment, as well as violations of the Arizona and Illinois consumer fraud laws, the plaintiff seeks an order “requiring Defendants to pay for three years of credit card fraud monitoring services” and other injunctive relief; actual, statutory and punitive damages; restitution; disgorgement; interest; attorney’s fees; costs; and the establishment of a “fluid recovery fund for the distribution of unclaimed funds.”