Sonic Customers Strike $4.3M Deal In Data Breach MDL
By Christopher Crosby
Law360 (October 11, 2018, 7:21 PM EDT) — Sonic Drive-In customers in multidistrict litigation over the national fast food restaurant chain’s 2017 credit card data breach have asked an Ohio federal judge to approve a $4.3 million settlement.
Nearly two dozen diners on Wednesday made the request, which would create a nationwide class of Sonic customers affected by the breach, saying the deal to end their claims is fair when weighed against the risk of further litigation.
The plaintiffs had argued that Sonic Corp. didn’t do enough to stop hackers from stealing card numbers and personal information from some 325 drive-in franchises across the country. In the proposed settlement, however, customers said the deal, which includes a promise by Sonic to boost its cybersecurity policies for three years, was fair given the company’s insistence that not every plaintiff suffered fraudulent charges, or those who did were reimbursed.
If approved, each class member who used a credit or debit card at an affected store between April and October 2017 would get $10, and those with fraudulent or unauthorized charges would receive $40. Attorneys are asking for a third of the settlement, $1.44 million, plus expenses, and the 22 representatives plaintiffs in the MDL have requested a total of $42,000.
“The issues are hotly contested in this litigation and the outcome is uncertain,” the customers said. “Sonic’s motion to dismiss argued that representative plaintiffs did not suffer an actionable concrete injury as a result of the data breach and failed to establish an elevated or imminent risk of future injury.”
The settlement would end a slew of suits filed in late 2017 seeking to hold the company liable for a third-party cyberattack on its point-of-sale systems, or cash registers, throughout 2017. The Sonic attack came on the heels of other massive data breaches reported at restaurant chains Arby’s and Wendy’s as well as credit bureau Equifax and the U.S. Securities and Exchange Commission.
Media reports first revealed hackers were selling credit and debit card numbers in an online marketplace in September 2017. Sonic said it was notified of unusual activity by a credit card processor, prompting an internal investigation and a forensic audit into the cause. The company, which has nearly 3,600 locations across 45 states, says it promptly notified federal authorities and the public, and at the time offered affected customers two years of free fraud detection and identity theft protection.
The Oklahoma City-based Sonic has argued that it was the victim of a malware attack and that customers have not suffered an injury, lack standing to sue and failed to prove they were at a heightened or imminent risk of harm.
But customers, who filed their second amended complaint in July, argued they had experienced unauthorized charges, lost money, had their personal and financial information stolen, wasted time and were at a greater risk of identity theft than before. Moreover, they said they overpaid Sonic, or would have skipped their meal had they known the restaurant didn’t keep data secure.
Although Sonic argued that its protections were adequate and it was not responsible, eight separate suits were transferred and consolidated by the Judicial Panel on Multidistrict Litigation, and in January the court appointed lead counsel and attorneys to a steering committee.
The parties struck the settlement in August.
Counsel for the parties didn’t immediately return requests for comment Thursday.
The plaintiffs are represented by William B. Federman and Carin L. Marcussen of Federman & Sherwood, Marc E. Dann and Brian D. Flick of the Dann Law Firm, Melissa R. Emert of Stull Stull & Brody, Michael Fuller of Olsen Daines, Miles N. Clark of Knepper & Clark LLC and Thomas A. Zimmerman Jr.
Sonic is represented by P. Craig Cardon, Kari M. Rollins, Liisa M. Thomas and David M. Poell of Sheppard Mullin Richter & Hampton, Joe M. Hampton and Amy J. Pierce of Corbyn Hampton Barghols Pierce and David A. Riepenhoff and Melanie J. Williamson of Fishel Hass Kim Albrecht Downey.
The case is In Re: Sonic Corp. Customer Data Security Breach, case number 1:17-md-02807, in the U.S. District Court for Northern Ohio.
–Additional reporting by Joyce Hanson. Editing by Orlando Lorenzo.