Post Breach: Jimmy John's, Coke SuedPlaintiffs Allege Instances of Fraud, Identity Theft
In both cases, the lead plaintiffs identify instances of fraud or identity theft they allegedly experienced as a result of the breach incidents.
Historically, class action lawsuits arising from data breaches have not gotten a lot of traction because they have lacked tangible proof of damages, says Scott Vernick, a partner at the law firm Fox Rothschild whose practice includes privacy and data security law.
"Just because someone alleges they had fraudulent charges doesn't mean they're going to be able to surpass the hurdle," he says. That's because consumers rarely pay any expenses related to payment card fraud, with the card brands or issuers picking up the expense, he notes.
Jimmy John's Case
In the Jimmy John's lawsuit, plaintiff Barbara Irwin alleges a credit card she used at a Jimmy John's location in Arizona was compromised as a result of the breach, with five fraudulent charges made on the card.
"The security breach, and the failure to promptly discover and block the data breach, was the result of Jimmy John's grossly inadequate information systems and security oversight," the plaintiff alleges in the lawsuit.
Irwin is suing Jimmy John's on behalf of all breach victims for violations of various state data breach statutes, making charges that include breach of implied contract, violation of the Arizona Consumer Fraud Act and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. The suit is seeking unspecified damages, including that Jimmy John's pay for three years of credit card fraud monitoring services.
Jimmy John's on Sept. 24 confirmed a payment card breach that affected about 216 of its locations in 40 states. Potentially compromised information included card numbers and, in some cases, the cardholder's name, verification code and/or the card's expiration date, the chain said. The Champaign, Ill.-based restaurant chain, which has more than 2,000 locations, did not reveal how many cards were potentially impacted.
Although its investigation is ongoing, the company says it appears that customers' payment card data was compromised after an intruder stole log-in credentials from its "point-of-sale vendor" and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5 and install malware.
Jimmy John's declined to comment on the pending lawsuit.
Coke Breach Impacts Employees
The lawsuit against Coca-Cola alleges that after the breach, fraudsters accessed, used and altered the bank and credit accounts, and other PII, of plaintiff Shane Enslin, a former service technician at Keystone Coca-Cola Bottling Co. in Mount Pocono, Penn. Plus, a fraudster obtained employment from the United Parcel Service in Enslin's name, according to the lawsuit. "The plaintiff has suffered direct injury and damages as a result of the data breach and compromise of his PII," the lawsuit says.
The lawsuit, filed on behalf of all breach victims, charges Coca-Cola, among other things, with negligence, negligent misrepresentation and fraud and breach of contract. The class action is seeking unspecified damages, including the provision of credit monitoring services and identity theft insurance for at least 25 years.
Back in January, Coca-Cola said that the personal information of roughly 74,000 current and former employees, as well as contractors and vendors, was exposed as a result of the theft of 55 company laptops by a former employee. About 4,500 off the affected individuals were contractors or vendors for Coke, according to The Wall Street Journal.
In November and December of 2013, Coke recovered the unencrypted company laptops that had been stolen over a period of six years, according to the Journal. Information exposed as a result of the theft includes Social Security and driver's license numbers, the report says. The former employee apparently involved in the theft had been responsible for maintaining or disposing of company equipment.
Coca-Cola did not immediately respond to a request for comment.
Analyzing the Lawsuits
The chances of both lawsuits being successful are slim, Vernick contends. "Simply alleging you're more prone to identity theft isn't going to cut it," he says. "In very few instances has someone been able to demonstrate damage or an out-of-pocket loss."
Another issue is determining whether the lead plaintiffs are truly representative of a class, Vernick says. In the Jimmy John's case, "even if the [plaintiff] has suffered damages because he was out-of-pocket for five fraudulent charges, that could make a standing for him," but not necessarily a class, he says.
A challenge in breach-related lawsuits is "plaintiffs showing where the data ended up or what thieves did with the equipment," says Eric Grover, a partner at the law firm Keller Grover LLP (see: Dismissed Breach Cases: A Common Element). Even in breach cases where there have been plaintiffs who have become victims of identity theft, the challenge is "proving with certainty that the identity theft followed the breach," he says.