In In re Sonic Corp. Customer Data Breach Litig. Fin. Insts., No. 1:17-md-02807-JSG, 2020 U.S. Dist. LEXIS 204169 (N.D. Ohio Nov. 2, 2020), Judge Gwin certified a data breach class. The facts were as follows:

Between April 7, 2017, and October 28, 2017, hackers used malware installed on point-of-sale systems at 762 Sonic restaurants to steal sales transaction payment card data. Sonic required franchise restaurants to use only certain types of point-of-sale systems. In 2017, many Sonic restaurants used obsolete technology that was vulnerable to hacking. The hackers targeted Sonic franchises that used a particular point-of-sale system and were able to obtain cardholder data. Plaintiffs claim the industry standard requires encryption of stored credit card data, but Sonic’s franchisees used outdated technology, mandated by Sonic corporate policy, and did not encrypt the stolen card data. A following investigation revealed that the stolen data had been sold online. The hackers were able to steal credit card data with impunity for more than six months because Sonic had set up security alerts using an invalid e-mail address. Five million payment cards’ data were sold online. Plaintiffs allege that “Visa and other card brands determined” that the compromised cards had all been used at Sonic restaurants.

The District Court certified the class.

Here, Plaintiffs’ negligence claims all grow out of Sonic’s alleged failure to secure its point-of-sale systems, an alleged failure that made the data breach possible. Further, Plaintiffs argue that they and the other potential class members all suffered injury because they had to respond to the security breach alert. Defendants respond that the named Plaintiffs’ claims are not typical. Even though the class’s negligence claims may all arise out of Sonic’s conduct leading to one event, Defendants maintain that each class member will have to prove that they suffered some fraud, had to replace a card, or other injury. Defendants underscore this argument by noting that some of the cards exposed in the Sonic breach were exposed in other breaches that gave rise to 2017-2019 alerts, so damages could have resulted from other exposures. Essentially, Plaintiffs argue that receiving an alert results from a common cause and creates a common class injury. Defendants argue that it does not. To Defendants, there will need to be “individualized inquiries to investigate how the thousands of class members responded to the breach.” But how potential class members responded to the breach alert speaks more to damages than it does to Defendants’ liability. Still, the Court will define the class more narrowly than Plaintiff’s proposal. The Court will only include those financial institutions that received notice and took action to reissue credit cards or reimbursed a compromised account. Similar to other courts in similar data breach cases, the Court