Back in the beginning of May, we started hearing about a potential security breach at Schnucks, an Illinois supermarket chain. The customer who filed the lawsuit complained that Schnucks waited too long before informing millions of shoppers that they may have had their credit card information compromised after a substantial security breach.
Attorney Jeff Millar, who is representing the case, stated that “The key is going to be to determine… when they knew there was a problem and what they did about it. If they knew there was a problem on December 10, why wait around until March 30?”
Schnucks is a supermarket chain founded in St. Louis that currently owns 100 stores and 96 in-store pharmacies in a five-state region in the Midwest. It wasn’t until the middle of April 2013 that the company announced that 2.4 million credit and debit cards used at 79 of its stores may have been impacted by a “cyber attack” between December 2012 and the end of March 2013. The company explained that only the card number and expiration date would have been accessed, not the cardholder’s name, address or any other identifying information.
Since then, the company has reportedly worked with its payment processor to ensure that all potentially affected card numbers were sent to the credit card companies, and to continue sending alerts to the issuing banks. Those banks would then be able to take the necessary steps to protect their cardholders, for instance by adding enhanced transaction monitoring or issuing a new card.
The class action lawsuit against the supermarket chain was filed at the end of April in the circuit court for St. Clair County. It alleges violations of the Illinois Consumer Fraud Act, as well as the Illinois Personal Information Act. The suit was brought forth by Laverne Rippy. As a class action suit, it is also on behalf of all others impacted. Many customers have reported fraudulent charges to their accounts.
The complaint states:
“At all times relevant, [Schnucks] continuously and consistently failed to disclose to consumers… that it in fact did not have adequate systems in place to protect credit and debit card information against any violation or security breaches.”
The suit refers to state law, which says that “… any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.”
Responding to a Cyber-Attack
One of the major complaints was that the company took so long to provide its customers with information about the breach. It responded by saying that the details were released at an appropriate time, relative to the situation. According to the official Schnucks press release:
“A cyber-attack is not like a bank robbery where you know immediately when it occurred and who was affected. The investigation of a cyber-attack requires painstaking analysis of digital evidence that takes time in order to determine what happened. Since we first received notice of this issue, our team and the computer forensics experts have been working non-stop to find and contain the issue. The forensic investigation firm found the first indication of an issue on March 28, and we contained the issue by March 30.”
Change of Venue
On May 22, 2013, Schnucks filed a motion in St. Clair County Circuit Court to move the lawsuit, arguing that a federal venue would be more appropriate, given the potential damages. In its motion for removal, the company claimed that the “time and effort” claims easily exceed the $5 million threshold for federal consideration:
“Even valuing Plaintiff’s and the putative class members’ alleged “time and effort” damages at the federal minimum wage ($7.25 per hour), and interpreting “numerous hours” to equal only two (2) hours, the potential amount in controversy is equal to approximately $7.25 million.”
Schnucks, a St. Louis-based grocery chain, was hit with a class action lawsuit over a massive data breach back in April. It has recently filed a motion for removal, arguing that the matter belongs in federal court, due to the scope of the case and the damages involved.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Incident response programs (I.C.c.)