January 29, 2023

Volume XIII, Number 29


January 27, 2023

Subscribe to Latest Legal News and Analysis

January 26, 2023

Subscribe to Latest Legal News and Analysis

Third Circuit Issues Order in WaWa Data Breach

CPW has been covering the data breach litigation In re: Wawa, Inc. Data Security Litigation, pending in the U.S. District Court for the Eastern District of Pennsylvania (see here and here).  As a reminder, In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 arose out of a data breach impacting Wawa, Inc. (“Wawa”), a popular convenience store chain.  Several class action lawsuits were filed in response to a data breach that allegedly disclosed information collected from its consumers at “most” of Wawa’s 850 locations.  The complaint alleges that the breach began in March 2019, when malicious actors installed malware on Wawa’s point-of-sale (“POS”) payment system.  According to the complaint, the malicious actors then began harvesting the financial data submitted during purchases, which continued until December 12, 2019, when Wawa announced the breach.

According to the lawsuits, Wawa’s practice of accepting “swiped” payment cards, as opposed to “dipped” cards with chips, enabled the data breach.  Whereas a swipe-only payment processing system enables easier theft, a chipped card uses “industry developed EMV chip technology” that makes fraud “significantly more difficult”.  Broadly speaking, class action lawsuits were filed on behalf of Wawa’s customers, employees, and financial institutions (e.g., credit unions).  The Wawa court’s case management plan created three distinct tracks for the litigation:  the Consumer Track, the Employee Track, and the Financial Institution Track.

As we previously covered, in ruling on the Financial Institution Track plaintiffs’ motion to dismiss, the court held that the plaintiffs pleaded a plausible negligence claim based on their novel theory that imposed a duty of care based on the Payment Card Industry Data Security Standard (“PCI DSS”), but noted that Wawa’s argument that the “Payment Card Rules” may place contractual limitations on the plaintiffs’ rights and remedies.

The Consumer Track Plaintiffs and Wawa entered into a class action settlement in late 2020.  Over the objections of the Employee Track Plaintiffs, the court, granted final approval of the settlement and dismissed the Consumer Track Action with prejudice on April 20, 2022.  The proposed settlement class was comprised of approximately 22 million class members.  The agreement provided for compensation based on three “tiers” of class members:  (1) Tier One, comprised of customers who made a Wawa purchase using a payment card during the data breach period, but did not experience any fraudulent activity as a result, will receive a $5 Wawa gift card; (2) Tier Two, comprised of customers who made a Wawa purchase using a payment card during the data breach period and who submit proof of a subsequent fraudulent charge or attempted fraudulent charge, will receive a $15 Wawa gift card; (3) Tier Three, comprised of customers who have demonstrated out-of-pocket expenses or losses in connection with a fraudulent transaction incurred on a payment card resulting from the data breach will be entitled to reimbursement up to $500.  Wawa also agreed to various forms of injunctive relief, including, but not limited to, retaining a qualified security assessor on an annual basis to assess Wawa’s compliance with PCI DSS requirements.

The Employee Track Plaintiffs opposed the Consumer Track settlement on the grounds that there was a lack of clarity regarding the adequacy and fairness of the settlement with respect to the rights and interests of the Employee Track Plaintiffs, who are entitled to greater consideration relative to the Consumer Track Plaintiffs.

Following the court’s order granting final approval of the Consumer Track settlement agreement, representatives of the Employee Track Plaintiffs filed a notice of appeal to the Third Circuit.  The court subsequently issued an order on April 26, 2022, stating that because the order only resolved the claims of one out of three “track” of plaintiffs, it may not yet be an appealable “final decision.”  The court instructed the parties to file written responses addressing the issue within 14 days of the order.  The parties’ responses are due on May 10, 2022.

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 124

About this Author

Shing Tse Litigation Attorney Squire Patton Boggs Law Firm

Shing Tse is an associate in our Litigation Practice, based in the Houston office. Shing has experience representing clients in a variety of complex litigation matters in state and federal courts.

713 546 3336
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...