District Court (Ohio) Says Data Breach Response Information in Sonic Hack Won’t Be Sealed Because of Interest to the Public (and the Court)

In In re Sonic Corp. Customer Data Sec. Breach Litig. Fin. Insts., No. 1:17-md-2807, 2021 U.S. Dist. LEXIS 142001, at *5-6 (N.D. Ohio July 30, 2021), Judge Gwin refused to seal some of the data breach investigation from the Sonic data breach hack.

In 2017, unidentified third parties accessed Sonic customers’ payment card data. The hackers obtained customer payment card information from more than three-hundred Sonic Drive-Ins. This litigation followed and the Court granted class certification.  Before the Court are two motions to seal exhibits, one motion from Plaintiffs and one from non-party Visa Inc. For the following reasons, the Court DENIES Plaintiffs’ motion to seal and DENIES IN PART AND GRANTS IN PART Visa Inc.’s motion to seal. . . .Non-party Visa Inc. also asks the Court to allow Plaintiffs to file under seal their summary judgment-related Exhibit EEE. Exhibit EEE is a copy of an “Event Qualification Summary Under The Visa Global Compromised Account Recovery (GCAR) Program” “prepared in connection with” the Sonic data breach. Visa explains that the Qualification Summary document contains “highly commercially sensitive” information. Visa is concerned about potential competitive harm if the Qualification Summary is publicly disclosed.  Visa’s motion describes the Qualification Summary’s contents, and the Court uses that description to determine which aspects of the exhibit appears to contain proprietary information that Visa does not need to disclose. Briefly, the Qualification Summary may be redacted to exclude information about Visa, Inc.’s internal processes and standards, but information pertaining to the Sonic data breach is of greater interest to both the public and the Court in this matter.  Plaintiffs may redact information regarding “details of Visa’s internal systems, databases,” Visa’s “processes for analyzing . . . sensitive cardholder account information, descriptions of Visa’s contractual rules with its clients, [and] Visa’s application of the confidential processes of its proprietary GCAR program.” Any Visa-customer personal information, such as names, addresses, or account information, may be redacted if it is included in the Qualification Summary. The Court recognizes that these aspects of the Qualification Summary may contain Visa’s proprietary information.

But, the District Court held that Sonic’s data security practices and forensic investigation could not be sealed.

Plaintiffs may not redact “confidential information regarding Sonic’s data security practices and results of a forensic investigation conducted by an independent forensic investigator, highly sensitive information about overall fraud and counterfeit fraud transactions reported by Visa Issuers regarding certain accounts that transacted at Sonic during relevant time frames, and the number of accounts impacted across Visa Issuers.” The Court does not find evidence that disclosing these aspects of the Qualification Summary will put Visa at a competitive disadvantage.