BreachExchange mailing list archives

Post Breach: Jimmy John's, Coke Sued


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Nov 2014 19:03:02 -0700

http://www.databreachtoday.com/post-breach-jimmy-johns-coke-sued-a-7568

The restaurant chain Jimmy John's and Coca-Cola are both facing class
action lawsuits stemming from recent data breaches.

In both cases, the lead plaintiffs identify instances of fraud or identity
theft they allegedly experienced as a result of the breach incidents.

Historically, class action lawsuits arising from data breaches have not
gotten a lot of traction because they have lacked tangible proof of
damages, says Scott Vernick, a partner at the law firm Fox Rothschild whose
practice includes privacy and data security law.

"Just because someone alleges they had fraudulent charges doesn't mean
they're going to be able to surpass the hurdle," he says. That's because
consumers rarely pay any expenses related to payment card fraud, with the
card brands or issuers picking up the expense, he notes.

Jimmy John's Case

In the Jimmy John's lawsuit, plaintiff Barbara Irwin alleges a credit card
she used at a Jimmy John's location in Arizona was compromised as a result
of the breach, with five fraudulent charges made on the card.

"The security breach, and the failure to promptly discover and block the
data breach, was the result of Jimmy John's grossly inadequate information
systems and security oversight," the plaintiff alleges in the lawsuit.

Irwin is suing Jimmy John's on behalf of all breach victims for violations
of various state data breach statutes, making charges that include breach
of implied contract, violation of the Arizona Consumer Fraud Act and
violation of the Illinois Consumer Fraud and Deceptive Business Practices
Act. The suit is seeking unspecified damages, including that Jimmy John's
pay for three years of credit card fraud monitoring services.

Jimmy John's on Sept. 24 confirmed a payment card breach that affected
about 216 of its locations in 40 states. Potentially compromised
information included card numbers and, in some cases, the cardholder's
name, verification code and/or the card's expiration date, the chain said.
The Champaign, Ill.-based restaurant chain, which has more than 2,000
locations, did not reveal how many cards were potentially impacted.

Although its investigation is ongoing, the company says it appears that
customers' payment card data was compromised after an intruder stole log-in
credentials from its "point-of-sale vendor" and used the credentials to
remotely access the point-of-sale systems at some corporate and franchised
locations between June 16 and Sept. 5 and install malware.

Jimmy John's declined to comment on the pending lawsuit.

Coke Breach Impacts Employees

The lawsuit against Coca-Cola alleges that after the breach, fraudsters
accessed, used and altered the bank and credit accounts, and other PII, of
plaintiff Shane Enslin, a former service technician at Keystone Coca-Cola
Bottling Co. in Mount Pocono, Penn. Plus, a fraudster obtained employment
from the United Parcel Service in Enslin's name, according to the lawsuit.
"The plaintiff has suffered direct injury and damages as a result of the
data breach and compromise of his PII," the lawsuit says.

The lawsuit, filed on behalf of all breach victims, charges Coca-Cola,
among other things, with negligence, negligent misrepresentation and fraud
and breach of contract. The class action is seeking unspecified damages,
including the provision of credit monitoring services and identity theft
insurance for at least 25 years.

Back in January, Coca-Cola said that the personal information of roughly
74,000 current and former employees, as well as contractors and vendors,
was exposed as a result of the theft of 55 company laptops by a former
employee. About 4,500 of the affected individuals were contractors or
vendors for Coke, according to The Wall Street Journal.

In November and December of 2013, Coke recovered the unencrypted company
laptops that had been stolen over a period of six years, according to the
Journal. Information exposed as a result of the theft includes Social
Security and driver's license numbers, the report says. The former employee
apparently involved in the theft had been responsible for maintaining or
disposing of company equipment.

Coca-Cola did not immediately respond to a request for comment.

Analyzing the Lawsuits

The chances of both lawsuits being successful are slim, Vernick contends.
"Simply alleging you're more prone to identity theft isn't going to cut
it," he says. "In very few instances has someone been able to demonstrate
damage or an out-of-pocket loss."

Another issue is determining whether the lead plaintiffs are truly
representative of a class, Vernick says. In the Jimmy John's case, "even if
the [plaintiff] has suffered damages because he was out-of-pocket for five
fraudulent charges, that could make a standing for him," but not
necessarily a class, he says.

A challenge in breach-related lawsuits is "plaintiffs showing where the
data ended up or what thieves did with the equipment," says Eric Grover, a
partner at the law firm Keller Grover LLP (see: Dismissed Breach Cases: A
Common Element). Even in breach cases where there have been plaintiffs who
have become victims of identity theft, the challenge is "proving with
certainty that the identity theft followed the breach," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
