CPW has been covering the data breach litigation In re: Wawa, Inc. Data Security Litigation, pending in the U.S. District Court for the Eastern District of Pennsylvania (see here and here). As a reminder, In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 arose out of a data breach impacting Wawa, Inc. (“Wawa”), a popular convenience store chain. Several class action lawsuits were filed in response to a data breach that allegedly disclosed information collected from its consumers at “most” of Wawa’s 850 locations. The complaint alleges that the breach began in March 2019, when malicious actors installed malware on Wawa’s point-of-sale (“POS”) payment system. According to the complaint, the malicious actors then began harvesting the financial data submitted during purchases, which continued until December 12, 2019, when Wawa announced the breach.
According to the lawsuits, Wawa’s practice of accepting “swiped” payment cards, as opposed to “dipped” cards with chips, enabled the data breach. Whereas a swipe-only payment processing system enables easier theft, a chipped card uses “industry developed EMV chip technology” that makes fraud “significantly more difficult”. Broadly speaking, class action lawsuits were filed on behalf of Wawa’s customers, employees, and financial institutions (e.g., credit unions). The Wawa court’s case management plan created three distinct tracks for the litigation: the Consumer Track, the Employee Track, and the Financial Institution Track.
As we previously covered, in ruling on the Financial Institution Track plaintiffs’ motion to dismiss, the court held that the plaintiffs pleaded a plausible negligence claim based on their novel theory that imposed a duty of care based on the Payment Card Industry Data Security Standard (“PCI DSS”), but noted that Wawa’s argument that the “Payment Card Rules” may place contractual limitations on the plaintiffs’ rights and remedies.
The Consumer Track Plaintiffs and Wawa entered into a class action settlement in late 2020. Over the objections of the Employee Track Plaintiffs, the court, granted final approval of the settlement and dismissed the Consumer Track Action with prejudice on April 20, 2022. The proposed settlement class was comprised of approximately 22 million class members. The agreement provided for compensation based on three “tiers” of class members: (1) Tier One, comprised of customers who made a Wawa purchase using a payment card during the data breach period, but did not experience any fraudulent activity as a result, will receive a $5 Wawa gift card; (2) Tier Two, comprised of customers who made a Wawa purchase using a payment card during the data breach period and who submit proof of a subsequent fraudulent charge or attempted fraudulent charge, will receive a $15 Wawa gift card; (3) Tier Three, comprised of customers who have demonstrated out-of-pocket expenses or losses in connection with a fraudulent transaction incurred on a payment card resulting from the data breach will be entitled to reimbursement up to $500. Wawa also agreed to various forms of injunctive relief, including, but not limited to, retaining a qualified security assessor on an annual basis to assess Wawa’s compliance with PCI DSS requirements.
The Employee Track Plaintiffs opposed the Consumer Track settlement on the grounds that there was a lack of clarity regarding the adequacy and fairness of the settlement with respect to the rights and interests of the Employee Track Plaintiffs, who are entitled to greater consideration relative to the Consumer Track Plaintiffs.
Following the court’s order granting final approval of the Consumer Track settlement agreement, representatives of the Employee Track Plaintiffs filed a notice of appeal to the Third Circuit. The court subsequently issued an order on April 26, 2022, stating that because the order only resolved the claims of one out of three “track” of plaintiffs, it may not yet be an appealable “final decision.” The court instructed the parties to file written responses addressing the issue within 14 days of the order. The parties’ responses are due on May 10, 2022.