Wendy’s Hit with EMV Related Data Breach Class Action Lawsuit


By: Behnam Salehi and Jonathan Romvary       

A class action lawsuit has been filed against the fast food chain Wendy’s claiming it failed to adequately safeguard customer payment and other personally identifiable information (“PII”). The lawsuit also alleges that Wendy’s failed to timely and adequately notify Plaintiff regarding the breach and precise nature of PII involved.

On January 27, 2016, Wendy’s announced that it had discovered malicious software, or malware, designed to steal customer payment data, on computers that operate the payment processing system. In Torres v. The Wendy’s Company, filed February 8, 2016 in the Middle District of Florida, plaintiff Jonathan Torres alleges that Wendy’s failed to provide sufficient security measures, allowing hackers to steal his payment card information (“PCI”) and fraudulently charge nearly $600 worth of purchases at other retailers. Plaintiff also alleges breach of contract and violations of the Florida Unfair and Deceptive Trade Practices Act.

The basis of the complaint is that Wendy’s violated its obligation to abide by industry standards and best practices in protecting its customers’ PII. Additionally, the complaint alleges that Wendy’s failed to timely and adequately notify customers that the breach may have affected their PII or PCI, preventing customers from fully understanding the scope of the breach and their ability to protect themselves from potential harm. The lawsuit further alleges that Wendy’s should have implemented better security measures. This suit is one of the first to directly target a retailer for failing to implement new industry standards regarding payment card transactions.

Major credit card vendors are transitioning to new, more secure chip card technology, referred to as EMV. EMV cards have an embedded microprocessor chip that creates a dynamic authentication code for each transaction. Unlike traditional credit cards, which use a magnetic stripe to store PCI, EMV cards employ a code that is unique to each transaction and cannot be used more than once. Under the current zero-liability regulations, the card issuers are responsible for losses due to fraud. Effective October 1, 2015, merchants are now liable for: (1) failing to update POS terminals to EMV chip-enabled technology; (2) accepting a counterfeit magnetic stripe card; (3) conducting “fallback transactions”; and (4) accepting a lost or stolen card. This liability shift was developed as an incentive for both merchants and card issuers to increase card security and reduce counterfeit fraud.

In the wake of mass data breaches at other retailers, it is critical that merchants understand the implications of the liability shift regarding non-compliance with EMV technology standards. As Wendy’s is now aware, a failure to employ industry standards and best practices may lead to significant exposure.