ERIE — A payment card issuer that’s suing Wendy’s for costs associated with a data breach that began in October argues that the fast food chain’s tardiness in transitioning to new payment technology makes it liable.
First Choice Federal Credit Union filed a putative class action in the U.S. District Court for the Western District of Pennsylvania with the goal of recovering the money it says it spent to cancel and reissue cards, as well as reimburse fraudulent charges.
The suit cites the breach that started Oct. 22 and ended March 10, however reports indicate the breach could have lasted longer and affected more than the five percent of stores the company originally estimated.
This isn’t the first lawsuit brought by an issuing bank and more will likely occur, Sara Hollan Chelette, a commercial litigation attorney at Jackson Walker in Dallas who counsels clients on data breach requirements, told the Pennsylvania Record.
“Issuing banks are going to continue their efforts to recover from merchants amounts they are required to pay in connection with data breaches,” Hollan Chelette said.
Issuing banks sued Target and Home Depot after breaches at the companies’ respective stores. In a class action suit against Target, banks said the company acted negligently. Target eventually settled the suit by agreeing to pay just under $40 million and almost $20 million in attorneys’ fees, but that came after it fought the negligence claim and lost. The Home Depot litigation stemming from a 2014 breach is still pending, Hollan Chelette said.
She said the suit against Wendy’s is similar to the Target case, with an addition.
“First Choice is taking a position that was previously unavailable to similarly situated plaintiffs,” Hollan Chelette said.
The suit claims Wendy’s missed an Oct. 1 deadline to transition to new technology for card transactions. By failing to switch its systems from a magnetic-stripe to EMV technology, First Choice alleges Wendy’s acted negligently.
Payment networks - including major card companies like Visa, MasterCard, American Express and Discover - set the Oct. 1 deadline for a “counterfeit liability shift.”
This is new technology in the U.S., and it was quickly adopted by national chains that experienced breaches. But not every business has made the switch — and not every payment card issuer has, either. If a data breach occurs at a business that doesn’t have EMV, liability for cards that have EMV chips could fall on the merchant.
“At the most basic level, plaintiffs in data breach lawsuits, whether they are affected employees, consumers, or financial institutions, are alleging that the merchant failed to exercise reasonable care in handling the personal or financial information at issue,” Hollan Chelette said.
“There are numerous ways to go about this. The failure to implement EMV claim First Choice raises is simply another arrow in the quiver.”
The question remains: Will the claim work? The October deadline didn’t mandate the use of EMV, it just laid out liability. She predicts the lawsuit will prompt more businesses to transition their systems.
“Additionally, there have been many challenges with the EMV rollout. For example, even if a merchant has the system in place to accept EMV cards, it might still be waiting to obtain certification. That said, the EMV argument is just one of many First Choice raises,” she said. “Although it will be interesting to see how this particular allegation is treated, the case will not stand or fall on this allegation alone.”
On top of the suit by financial institutions, Wendy’s faces a putative class action filed by consumers in a federal court in Florida.