District Court (Ohio) Says Criminal Data Hack Was Not Supervening Cause Entitling Business to Summary Judgment in Data Breach Case

In In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md-2807, 2021 U.S. Dist. LEXIS 168504, at *13-16 (N.D. Ohio Sep. 7, 2021), Judge Gwin denied summary judgment to the defendants, who argued that the criminal hacking constituted a supervening cause.

Here, Sonic can only prevail by showing that the hackers’ criminal acts were independent of Sonic’s negligent security practices, that these criminal acts were adequate of themselves to bring about the hack, and that the hack was not a reasonably foreseeable event. Questions of material fact block Sonic-favorable findings on each of these three conclusions. Sonic’s role in creating the numerous and distinct vulnerabilities that separately contributed to Plaintiffs’ claimed injuries is a sufficiently disputed material fact. Sonic inexplicably gave Infor access to over 760 Sonic franchisees’ payment systems without requiring dual authentication.58 Sonic never required periodic password change nor required any minimal level of password complexity.59 Sonic never limited foreign access to the VPN and never established a useful logging system tied to alerts. 60 Also, Sonic arguably used a middleware transaction processing software that could not accommodate end-to-end encryption.61 Sonic disputes its responsibility for these problems but presents insufficient evidence to now resolve these questions.  A reasonably jury could find that the hack was a foreseeable consequence of creating and maintaining a vulnerable entry point. Without the vulnerable Sonic-created access point, the hackers would not have been able to breach the affected restaurants’ point-of-sale systems and steal card information. The failure to provide PAYS payment processing software that Infor could encrypt made card compromise foreseeable. The failure to limit access to domestic users and the failure to log and alert suspicious activity, made a greater card member loss foreseeable. Also, Sonic’s creation of a credential with permanently enabled access to the VPN tunnel made the damage worse. The harm from the vulnerable VPN channel “continue[d] to operate concurrently” because the hack was able to continue as long as the VPN remained accessible. Rather than a single-event intrusion, the Sonic hackers used the VPN credential for more than six months to mine more and more franchisees’ data. Sufficient evidence also supports an argument that, independent of the VPN failure, end-to-end encryption would have stopped the damage. Independent of the VPN failure, blocks on foreign users would have stopped the damage. Independent of the VPN failure, logging and alerts would have reduced the damage. Sonic fails to show that the hackers’ acts superseded Sonic’s acts.  Further, even if Sonic Defendants had never experienced a data breach in this way, many other retail companies had suffered similar data breaches. That is why Sonic’s other VPN credentials used multifactor authentication.63 And that is why Sonic documents nominally required “external support personnel” to use multifactor authentication.64 Indeed, Sonic’s actions addressing the hack underscore the importance of this security measure. Once Sonic enabled multifactor authentication for the “infor_nrowan” credential, the hackers lost access to customer card data. On this record, a reasonable jury could find that the hack was not an independent cause of the Plaintiffs’ injury. Arguably, Plaintiffs needed to reissue cards and reimburse fraudulent charges because customers’ card data was stolen in a data breach made possible because Sonic created a vulnerable entry point.  There is sufficient evidence that Sonic Defendants’ actions were the proximate cause of Plaintiffs’ injury to make summary judgment inappropriate. Proximate cause is a question for the trier of fact in this case.