Wendy's International Inc. has settled two class actions alleging injuries stemming from a 2016 payment-system breach. Jackson v. Wendy's Int'l Inc., No. 16-0210 (M.D. Fla., entered February 26, 2019); First Choice Fed. Credit Union v. Wendy's Co., No. 16-0506 (W.D. Penn., entered February 26, 2019). A Florida federal court approved a $3.4 million settlement between a consumer class and the company, including $1.1 million in attorney's fees. In Pennsylvania, a federal court granted preliminary approval to a settlement in a lawsuit brought by a class of financial institutions that reimbursed customers for fraudulent transactions. Wendy's will pay $50 million under the settlement agreement.
Tag Archives data breach
Brinker International Inc. faces a putative class action alleging hackers stole customers' personally identifiable information (PII) from point-of-sale systems at Chili's Grill & Bar in April and May 2018. Steinmetz v. Brinker Int'l, Inc, No. 18-0981 (D. Nev., filed May 30, 2018). The plaintiff seeks damages, an injunction and attorney's fees for negligence and alleged violations of the Fair Credit Reporting Act and Nevada consumer-protection law. Wendy’s International LLC has agreed to settle a lawsuit alleging that a similar point-of-sale breach exposed customers’ PII at more than 1,000 locations nationwide. Jackson v. Wendy's Int'l LLC, No. 16-0210 (M.D. Fla., entered May 25. 2018). The lawsuit was previously dismissed, then an amended complaint proceeded. Terms of the settlement were not disclosed. An Illinois federal court dismissed a putative class action without prejudice after the plaintiffs voluntarily dismissed claims related to a data breach of Panera Bread Co.’s customer records because none…
Binny's Beverage Depot faces a putative class action alleging the company violated the Illinois Biometric Information Privacy Act (BIPA) by collecting and sharing employee biometric information without informed consent. Burger v. Gold Standard Enters., Inc., No. 2018CH05904 (Ill. Ch. Ct., Cook Cty., filed May 7, 2018). The plaintiff alleges that Binny's established a fingerprint-based time-clock program and shared the collected data with third-party payroll processors and data-storage vendors without providing its employees "informed written consent, and without informing them through a publicly available written policy of how it was going to store and dispose of this irreplaceable information," and "failed to maintain lawful data retention practices which reduce the risk of theft or other misappropriation of its workers' biometrics by unauthorized third parties." The risk was compounded, the complaint asserts, because the biometric data was linked to Social Security numbers, addresses, birth dates and "potentially other relevant financial information." Claiming violations of…
Panera Bread Co. faces a putative class action alleging that a data breach exposed the personal data of thousands of customers to hackers, increasing their risk of fraud and identity theft. Boykin v. Panera Bread Co., No. 18-2461 (N.D. Ill., filed April 5, 2018). The complaint alleges that the company failed to protect the personally identifiable information of Panera’s My Rewards card and My Panera app users, including names, credit and debit card numbers, expiration dates and verification codes, email addresses, telephone numbers and birth dates. In August 2017, a “white-hat hacker” apparently accessed the information and notified Panera about the potential security breach. Although Panera reportedly told the hacker it was developing a solution, the complaint alleges that the hacker “checked it every month or so” and ultimately contacted the publisher of Krebs on Security in 2018 to bring attention to the issue. The plaintiffs assert that in the…
The U.S. Judicial Panel on Multidistrict Litigation (JPML) has transferred five class actions related to a data breach at Sonic restaurants to the Northern District of Ohio, where the assigned court is presiding over a potential tag-along case. In re Sonic Corp. Customer Data Sec. Breach Litig., MDL No. 2807 (entered December 6, 2017). Sonic confirmed on September 27, 2017, that point-of-sale systems had been breached at its drive-in restaurants.
A federal court has dismissed with prejudice a data-breach suit filed by a group of credit unions against Noodles & Co., holding that the restaurant had no independent duty of care to the unions distinct from its contractual agreements with MasterCard and Visa. SELCO Cmty. Credit Union v. Noodles & Co., No. 16-2247 (D. Colo., order entered July 21, 2017). The plaintiffs, four credit unions whose cardholders’ information was compromised by the data breach, sued for negligence, negligence per se and declaratory relief, claiming they lost revenue due to decrease in card usage after the breach was publicized and incurred costs related to canceling and reissuing cards, responding to cardholder inquiries and monitoring accounts. The court held that economic loss rules in both Colorado and the unions’ home states barred recovery in tort for purely financial losses caused by negligence. Further, the court found, no independent duty exceptions to those…
A consumer has filed a putative class action alleging Chipotle Mexican Grill, Inc. failed to take measures to prevent an April 2017 data breach in which hackers used malware to steal customer data from the magnetic stripes on payment cards. Baker v. Chipotle Mexican Grill, Inc., No. 17-1134 (C.D. Cal., filed June 9, 2017). The complaint alleges that Chipotle failed to take “adequate and reasonable measures” to protect its data systems, which reportedly contain personally identifiable information in addition to payment card data. The plaintiff seeks class certification, equitable relief, damages and attorney’s fees. Issue 638
A Florida federal court has dismissed part of a data breach complaint against Wendy’s, calling two of the claims “shotgun pleadings” and noting that the plaintiffs “misconstrue the basic legal principles of statutory law.” Torres v. Wendy’s Int’l, LLC, No. 16-0210 (M.D. Fla., order entered March 21, 2017). Additional details on the case appear in Issues 594 and 612 of this Update. The plaintiffs originally filed suit in February 2016 after a data breach of Wendy’s credit card payment system, but the Florida court dismissed the suit for failure to plead an injury sufficient to prove standing. Ruling on the amended complaint, the court found that the plaintiffs could establish standing based on “particularized, concrete injuries,” including late fees, loss of credit card reward points and loss of cashback awards. The court refused to dismiss a breach of implied contract count, reasoning that when a merchant invites a customer to…
A Florida federal court has dismissed a putative class action against The Wendy’s Co. alleging the company failed to adequately secure its customers’ financial information but granted the plaintiff leave to amend. Torres v. Wendy’s Co., No. 16-0210 (M.D. Fla., order entered July 15, 2016). The court found that while the plaintiff’s financial information had been fraudulently used to complete two transactions, “other district courts have concluded that mere fraudulent charges on debit or credit cards do not rise to the level of actual identity theft sufficient to establish standing.” Further, because the charges were reimbursed by the plaintiff’s credit union, he had “not alleged any monetary harm stemming from the two fraudulent charges.” The plaintiff also argued that he and the putative class had standing because of the threat of future harm because they must monitor for future identity theft. The court distinguished the facts at issue from a similar…
The Seventh Circuit Court of Appeals has revived a data breach lawsuit against P.F. Chang’s China Bistro, Inc., finding that the two plaintiffs have standing to sue despite eating at a restaurant apparently not linked to the breach. Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir., order entered April 14, 2016). Additional details about the breach appear in Issue 526 of this Update. The plaintiffs ate at an Illinois location of P.F. Chang’s two months before the company announced its payment system had been hacked, revealing personal information and credit card numbers. One plaintiff noticed fraudulent charges on his card and purchased credit-monitoring services, while the other alleged that he spent time and effort monitoring his card statements and credit report. Each brought separate lawsuits, which were later consolidated then dismissed for lack of standing. Following its announcement about the data breach, P.F. Chang’s identified 33 restaurants…