From consumers and merchants to financial institutions and investors, fraud is a global problem that damages healthy economic growth.  Two sobering statistics illustrate that as the world has become more connected, fraud has only proliferated.  In 2001, the FTC received 137,306 reports of fraud.  In 2019, that number increased to 1,697,934, an increase of over 1,000%.  As fraud has increased, so too have disputes about who bears the cost.  A recent case in the U.S. District Court for the Eastern District of Pennsylvania highlights the strains in the system, as credit card issuers try to hold a retailer liable for negligence in its handling of payment card data.  Cases like this could make a difference in the structure of the payments industry.  Traditionally, under the card network rules, issuers bear the cost of fraud losses, which they can shift to acquirers when card data thefts can be attributed to a particular breach; acquirers, in turn, can pass those losses on to merchants under contractual indemnities.  A model in which issuers can sue merchants directly could alter that system, changing the risk calculus for merchants accepting cards.

In In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019, a group of credit unions alleged that the PCI DSS (the payment card industry’s data security standard) should be the standard of care for determining a negligence claim, and that a convenience store chain’s failure to abide by it was therefore negligent.  Several courts have rejected negligence claims from card issuers in the past, but the plaintiffs in Wawa say their situation is different.

In December 2019, several class action lawsuits were filed against Wawa, Inc. (“Wawa”), a popular convenience store chain, in response to a data breach that allegedly disclosed information collected from its consumers at “most” of its 850 locations.  The complaint alleges that the breach began in March 2019, when malicious actors installed malware on Wawa’s point-of-sale payment system.  According to the complaint, the malicious actors then began harvesting the financial data submitted during purchases, a practice that continued until December 12, 2019, when Wawa announced the breach.

According to the lawsuits, Wawa’s practice of accepting “swiped” payment cards, as opposed to “dipped” cards with chips, enabled the data breach.  Whereas a swipe-only payment processing system enables easier theft, a chipped card uses “industry developed EMV chip technology” that makes fraud “significantly more difficult”.  Whenever a chipped card is inserted into a payment system, it generates a unique code for each transaction.  This unique code makes theft more cumbersome, because data captured from one transaction cannot simply be replayed to authorize another.
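The contrast the complaint draws between static swiped data and a per-transaction chip code can be made concrete in code.  The following is an added, simplified model written for this article, not code from the litigation or from the EMV specifications: it uses an HMAC over the amount, a card-side transaction counter and a terminal-supplied random value to stand in for the EMV application cryptogram, and it ignores key derivation, issuer scripts and every other real-world detail.  The key, card number and amounts are constructed sample values.  What it shows is why a recorded magstripe track is reusable while a recorded chip cryptogram is rejected on replay or if the amount is altered.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key shared between the card and the issuer.  Real EMV cards
# carry per-card keys derived from an issuer master key; this is a placeholder.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def magstripe_track_data(pan: str, expiry: str) -> bytes:
    """Static track data: identical on every swipe, so a captured copy
    is as good as the card (constructed format, not a real track layout)."""
    return f"{pan}={expiry}".encode()


def _cryptogram_input(amount_cents: int, atc: int, terminal_nonce: bytes) -> bytes:
    # Amount (8 bytes), transaction counter (2 bytes) and the terminal's
    # unpredictable number are all bound into the authenticated message.
    return struct.pack(">QH", amount_cents, atc) + terminal_nonce


class ChipCard:
    """Card side: keeps a monotonically increasing transaction counter (ATC)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1
        mac = hmac.new(self.key, _cryptogram_input(amount_cents, self.atc, terminal_nonce),
                       hashlib.sha256).digest()[:8]
        return self.atc, mac


class Issuer:
    """Issuer side: recomputes the cryptogram and refuses stale counters."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = 0

    def verify(self, amount_cents: int, atc: int, terminal_nonce: bytes, mac: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # counter already seen: replayed or out-of-order transaction
        expected = hmac.new(self.key, _cryptogram_input(amount_cents, atc, terminal_nonce),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, mac):
            return False  # amount, counter or nonce was altered in transit
        self.last_atc = atc
        return True


def swipe_is_replayable() -> bool:
    """Two swipes of the same card yield byte-identical data."""
    return magstripe_track_data("4111111111111111", "2512") == \
        magstripe_track_data("4111111111111111", "2512")


def chip_replay_outcome():
    """Returns (first authorization, replay of same data, replay with changed amount)."""
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    nonce = os.urandom(4)  # terminal's unpredictable number for this transaction
    atc, mac = card.generate_cryptogram(1999, nonce)
    first = issuer.verify(1999, atc, nonce, mac)
    replayed = issuer.verify(1999, atc, nonce, mac)        # same captured bytes again
    tampered = issuer.verify(9999, atc + 1, nonce, mac)    # captured MAC, new amount
    return first, replayed, tampered


if __name__ == "__main__":
    print("magstripe data identical across swipes:", swipe_is_replayable())
    print("chip (first, replay, tampered):", chip_replay_outcome())
```

The model only illustrates the replay property the complaint relies on.  It does not make the card number itself secret: point-of-sale malware can still read the PAN from a chip transaction, which is why the complaint separately asks for encryption of cardholder data at the POS.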

In one of the class action lawsuits, a group of credit unions alleged significant damages stemming from the data breach.  These damages included the costs of reimbursing fraudulent payments, investigating fraudulent activity, and issuing replacement debit and credit cards.  The credit unions seek to represent a class of “[a]ll banks, credit unions, financial institutions, and other entities in the United States . . . that issued payment cards (including debit or credit cards) used by cardholders to make purchases from Wawa from March 4, 2019 to December 13, 2019.”  The credit unions alleged tens of millions of dollars of losses, such as the cost of replacing 30 million compromised cards, that they say were caused by Wawa’s allegedly negligent “deficient security measures” and failure to take reasonable and appropriate steps to prevent the breach.

At the heart of the credit unions’ claim is an allegation that the PCI DSS should be the standard against which a merchant’s liability for damages from a data breach is determined.  Under this theory of tort liability, the PCI DSS could displace any other best practices and standards to become the de facto practices for merchants to follow.  A link between the PCI DSS and common law tort duties could result in a seismic shift in liability.  According to the Verizon 2020 Payment Security Report, only 27.9% of organizations fully comply with the PCI DSS.  This is down from a historic high of 55% in 2016.

Wawa allegedly failed to comply with all or some of the requirements.  The credit unions alleged that Wawa’s failure to comply resulted in negligence under at least two different theories.

First, Wawa had an independent and common law duty to use reasonable care to safeguard the data used by credit and debit cards for payments.  This duty arose “under general and well-established principles of negligence,” which were “independent of any duty Wawa owed as a result of any purported contractual obligations.”

Second, Wawa had a duty of care because of the “special relationship” that existed between it and the credit unions.  That relationship arose because Wawa was “entrusted” with its customers’ payment information and “[o]nly Wawa was in a position to ensure that its systems were sufficient to protect against the harm” that financial institutions will experience from a data breach.

Additionally, the credit unions requested that the court enjoin Wawa to “utilize industry standard encryption to encrypt the transmission of cardholder data at the POS and at all other times” and to “comply with all PCI DSS standards pertaining to the security of its customers’ personal and confidential information.”

In its motion, Wawa primarily argued that a contractual relationship between it and the plaintiffs precluded any non-contract claims, including the independent theories of tort liability.  Wawa relied on a “web of interrelated agreements and rules” between it and the credit unions.  Wawa alleged that these “agreements and rules” were “binding” and “set forth the rights and responsibilities” of the parties for data breaches, including recovery.  In support of this argument, Wawa acknowledged that “claims brought by financial institutions following data security incidents are relatively new,” and compared its case to two recent decisions by the Third and Seventh Circuits that dismissed negligence claims for purely economic damages between parties with contractual relationships.

Wawa argued that in Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008), the Third Circuit affirmed dismissal of a negligence claim.  In Sovereign, a group of financial institutions alleged damages in the form of the cost of reimbursements and cancellations related to a data breach.  The court rejected a negligence claim alleging purely economic loss.  Similarly, Wawa argued that in Cmty. Bank of Trenton v. Schnuck Markets, 887 F.3d 803 (7th Cir. 2018), the Seventh Circuit declined to find a remedy for financial institutions for their costs arising from a data breach when there was a contractual relationship between the parties.  Wawa specified that the court focused on the existence of a contractual relationship, rather than on the scale of the remedies that the contracts permitted.

In opposition, the credit unions argued that the Pennsylvania Supreme Court recently recognized a common law duty to exercise reasonable care to protect against a foreseeable risk of harm, which includes the possibility of cyber theft.  See Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).  In Dittman, a case involving a data breach, the court held that the University of Pittsburgh Medical Center had a duty to use reasonable care in collecting and storing its employees’ personal and financial data.  The parties disagreed over whether Dittman should be limited to an employer-employee relationship.

The court’s decision remains forthcoming.  Regardless of the outcome, In Re: Wawa will be a case to monitor.