Wawa Settles Data Breach Lawsuit for $9 Million
Wawa has agreed to pay its customers $9 million after cybercriminals obtained credit and debit card information used at Wawa’s convenience stores and fuel pumps. The hackers purportedly began the scheme in March 2019 and continued to harvest sensitive payment card data for several months. Attorneys for the customers filed a class action in the United States District Court for the Eastern District of Pennsylvania, alleging that Wawa was negligent in failing to safeguard its customers’ payment information.
The Wawa data breach represents one of an increasing number of business-targeted cyberattacks. As a result, courts are aiming to define what sort of conduct will render a company liable for the failure to protect sensitive customer data.
Pennsylvania’s federal courts appear to agree that customers should not be entitled to compensation unless their data can be shown to have been misappropriated. The fact that a company’s customer data has been breached only gives rise to a “speculative” future injury for which the courts cannot grant a remedy.
“We conclude that Appellants' allegations of hypothetical, future injury are insufficient to establish standing. Appellants' contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants' names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.” Reilly v. Ceridian Corporation, 664 F.3d 38 (3d Cir. 2011).
The Wawa case is significant because the cybercriminals did more than just obtain the company’s data. The plaintiff customers demonstrated that the hackers published the stolen payment card information on the “dark web” (i.e., the portion of the Internet that is only accessible via specialized web browsers that promote anonymity). Having one’s credit card information held for sale on the dark web would appear to qualify as a “concrete injury,” yet Pennsylvania’s federal courts seem to require even more before a valid claim exists.
The same issue was critical in another data breach case in the Eastern District of Pennsylvania, Clemens v. ExecuPharm, Inc., 2021 WL 735728 (2021). The defendant ExecuPharm’s server was hacked by a ransomware group, and many of its employees’ Social Security numbers and payment information were criminally extracted. As in the Wawa case, there was some indication that the stolen data had been held for sale on the dark web. However, the court concluded that the unlawful exposure of the ExecuPharm employees’ data, even if published for use by criminals, was insufficient to create a claim.
In essence, the Clemens court determined that individuals harmed by data breaches should have no legal remedy until someone actually steals money from their accounts or transacts fraudulently in their name. I find this to be a poorly conceived standard, as it places an undue burden on harmed people to remain on constant guard against the heightened risk of identity theft. In any event, the federal courts remain divided on this issue, and I expect the law will evolve as these cyberattack cases become more prevalent.