InfoBytes Blog
Convenience store chain agrees to pay $12 million to resolve data security incident
On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose credit and debit card information was compromised in a 2019 data security incident affecting a nationwide convenience store chain—alleged that “despite the foreseeability of a data breach” the convenience store chain, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” The claims also alleged that certain class members continued to experience fraudulent transactions on their payment cards, and that many class members spent time responding to the data security incident, spent money on protective measures, and may experience a heightened risk of future misuse of their payment card information.
Following mediation, the parties agreed to the preliminary settlement terms, which will provide monetary relief to class members through a three-tier system totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The convenience store chain is also required to take additional measures for a period of two years to prevent future unauthorized intrusions, including (i) retaining a qualified security assessor; (ii) conducting annual tests of its cybersecurity protocols; (iii) operating payment systems that encrypt payment card information and comply with credit card issuers’ security procedures, including systems at point-of-sale fuel pump terminals; and (iv) maintaining information security programs, policies, and procedures.