In 2014, grocers and restaurants continued to be plagued by attacks leading to the theft of credit card information. Among others, Supervalu Inc. and Jimmy John’s both experienced intrusions in 2014, extending the string of intrusions and breaches in recent years that have hit stores and restaurants in the food and beverage industry.
- On August 14, 2014, Supervalu experienced an intrusion into the portion of its network that processes credit card data. This breach hit as many as 1,000 stores, including many no longer owned by Supervalu but for which Supervalu was still providing IT services. While investigating that breach, Supervalu identified a separate and unrelated incident that occurred weeks later, where malware had been installed in the portion of its network that processes credit card data.
- Jimmy John’s experienced a credit card data breach that lasted from June 16 to September 5. The hacker may have gained access to Jimmy John’s point of sale systems using login credentials stolen from the company’s point of sale vendor. This breach affected 216 stores.
2014 also saw developments in stores’ and restaurants’ liability for credit card data breaches. One of the most active areas involves whether those stores and restaurants hit by data beaches are liable to transactions processors and financial institutions for costs such as issuing new credit cards. Here, the news has been mixed for stores and restaurants.
- On one hand, a court interpreted a contractual limit of liability to narrow a grocer’s liability for a data breach. Schnuck Markets had claims asserted against it by its transactions processing vendors for costs associated with replacing credit cards and other expenses, which costs and expenses had been assessed against the transactions processors by Visa and Mastercard. In denying the claim by the transactions processors, the court entered into a detailed analysis of the limitation of liability in the agreement between the processors and Schnuck Markets and found that the limitation of liability excluded these categories of damages. This case underscores that, while negotiating a protective contract takes time and effort up front, it can substantially limit a company’s exposure when a problem arises. (Schnuck Markets Inc. v. First Data Merchant Svcs. Corp., 2015 BL 9927, E.D. Mo., 13-cv-02226, 1/15/15)
- On the other hand, in litigation resulting from the Target data breach, a federal judge denied Target’s motion to dismiss claims asserted against it by the financial institutions of customers affected by the breach. These banks – which estimate that the total harm to them and retailers may eventually exceed $18 billion – asserted that Target was negligent in failing to take steps to avoid the data breach. The court found that the harm alleged by the banks was sufficiently foreseeable for it to deny Target’s motion to dismiss the negligence claims alleged by the banks. A key distinction from the Schnuck Markets case is that here there was no direct contractual relationship between the store and the financial institutions, so no limitation of liability was in play. In any event, both the Target case and the Schnuck Markets case are useful reminders that consumer litigation is just one risk arising from a data breach. (In re Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522, 2014 WL 6775314 (D. Minn. Dec. 2, 2014))