In In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md-2807, 2020 U.S. Dist. LEXIS 114891 (N.D. Ohio July 1, 2020), Judge Gwin allowed a negligence claim to stand in a data breach case against Sonic. The facts were as follows.
Sonic restaurants are largely franchisee-owned. Sonic Defendants directly own only about 6% of Sonic restaurants. However, Sonic exerts much control over the franchise restaurants, including the franchisees’ data security policies. Plaintiffs allege that in 2015, Sonic’s corporate-owned restaurants were hacked and login credentials stolen. The hackers attempted to install malware that would allow them to skim credit card data from Sonic’s customers. Sonic hired a third-party data breach reviewer to investigate and remediate the threat. After investigating the 2015 data breach, the third-party reviewer warned that similar future attacks could occur. Despite this warning, Sonic did not address the described vulnerabilities. Despite the 2015 incident warning, industry-wide warnings, and many high-profile data breaches at other companies, Sonic continued to ignore industry security standards. Plaintiffs allege that Sonic largely controlled its franchisees’ data security. Franchise agreements required franchisees to pay into a cybersecurity and technology fund that Sonic used to fund and control franchisees’ security technology. Sonic’s franchise agreements required Sonic franchisees to conform to Sonic security policies. Sonic and Sonic-approved vendors set up the technology that franchisees used, including preconfigured security settings. Franchisees were not permitted to modify or change the security settings that Sonic corporate created. Sonic required franchisees to choose one of three Sonic-approved point of sale (“POS”) technology vendors. Sonic disallowed using other vendors without express permission. As one of the three approved point of sale technology vendors, Sonic chose the card processing firm Infor.
The 2017 breach locations all used Sonic-approved vendor Infor. In 2013, using the technology-fund money, Sonic updated its technology systems, including its point-of-sale technology. Sonic alone selected the new technologies and the implementation timeline for each store. However, at the time of the 2017 breach, 23% of Sonic locations still used the old technology. Sonic alone controlled the new technology roll-out and forbade franchisees from changing the technology. This made the franchise restaurants using the old technology vulnerable. For instance, Kitchen Display System, one system used by franchisees who had not received updated technology, had been “end of life” for almost a decade. In other words, the Kitchen Display System was so old that the system manufacturers had stopped updates and security patches almost a decade earlier. Additionally, this technology had no anti-virus or anti-malware software. Plaintiffs allege that franchisees also used Windows XP operating systems, which had been end of life since early 2016, and Microsoft RDP, which was also outdated. In addition to the outdated hardware, Sonic required franchisees to maintain specific configuration settings, including a Sonic requirement that franchisees permanently enable remote access. With remote access, Sonic—or hackers—could log in to the VPN and access the franchisees’ cardholder data environments (“Cardholder Data”). Sonic also used weak passwords that required only 4 letters for VPN access. Starting on April 7, 2017, hackers breached Sonic’s point-of-sale systems at the 762 Sonic franchisees that used the Infor system. Sonic had created remote-access accounts for use by point-of-sale vendors, such as Infor. Plaintiffs allege that “all Infor locations used the same non-complex, weak password to access the Kitchen Display Systems.” After obtaining legitimate Infor credentials, the hackers were able to access customer data in all Sonic restaurants that used the Infor platform.
Access to the franchisees’ point-of-sale system allowed the hackers to access the franchisees’ Cardholder Data, the system that processes, stores, and transmits payment information for approval. The hackers installed malware on the stores’ point-of-sale terminals or back-of-house servers through the end-of-life Kitchen Display System. The malware allowed the hackers to access customers’ credit card data. Plaintiffs allege that the industry standard is to encrypt stored credit card data, but the hacked information was not encrypted because these stores used an outdated system for that portion of payment processing. The hackers were able to obtain unencrypted payment card data in a form that allowed them to duplicate the stolen user information onto physical payment cards or make online purchases. An investigation revealed that payment card data had been taken from the system and sold online. Hackers were able to siphon credit card data unabated for about six months, because Sonic had set up security alerts using an invalid e-mail address. Because of this, Sonic only notified the public about the potential breach about six months after it had begun.
The District Court found that the negligence claim could proceed under the framework of a person’s duty to anticipate criminal acts.
Sonic’s failure-to-act, as opposed to affirmative acts, argument relies heavily on BancFirst, the only case interpreting Oklahoma’s third-party-criminal-acts negligence case law in the context of a security data breach. In that case, BancFirst, an Oklahoma bank, sued Dixie Restaurants, which operated restaurants across several states, for damages resulting from the restaurants’ data breach. The federal district court granted the restaurant chain’s motion to dismiss under Oklahoma law. In major part, the BancFirst district court dismissed the case because BancFirst did not allege that the restaurant chain had taken affirmative acts that put the bank at risk. Instead, BancFirst complained of the defendant restaurants’ failure to put in place adequate security measures. Despite the differences, the Sonic Defendants argue that the holding applies here. The Court disagrees with Sonic’s argument that BancFirst requires the Court to dismiss Plaintiffs’ claims. As the BancFirst court noted, BancFirst’s complaint largely dealt with the defendant Dixie Restaurants’ failure to act. Here, however, Plaintiffs have pleaded that Sonic Defendants affirmatively acted to create the vulnerabilities that the hackers easily exploited. For instance, Sonic created the remote access accounts, required that they be kept open, created weak passwords, and set up security notifications to go to a defunct email account. All these acts, which Plaintiffs allege violated industry security standards, were affirmative steps taken by Sonic that put Plaintiffs at greater risk for suffering a data breach. The Court finds that at the motion to dismiss stage, this is enough to state a claim for negligence. Sonic Defendants argue that their “[o]peration of a franchise business is not an affirmative act.” But while Sonic’s operation of a franchise is not alone sufficient, the Sonic affirmative information technology decisions arguably led to the damages Plaintiffs complain of.
Simply operating a franchise operation, alone, does not create liability. But some acts taken by the franchisor can create liability. In their reply, Sonic Defendants argue that Plaintiffs cannot show that a reasonable merchant would have considered the data breach risk associated with creating and maintaining the security measures the hackers later exploited. However, the present case is distinguishable from Gaines-Tabb, on which Sonic heavily relies. In that case, the plaintiffs alleged that the defendant fertilizer manufacturer was liable for injuries caused by a bomb detonated by a third party because the fertilizer manufacturer had distributed explosive-grade ammonium nitrate on the fertilizer market. In Gaines-Tabb the plaintiffs argued that the fertilizer manufacturer should have manufactured a fertilizer grade with an additive that would prevent detonation. In finding that a reasonable person in the defendant’s position would have disregarded the risk of harm, the district court gave import to the allegation that ammonium nitrate had not been sold as ammonium nitrate but instead had actually been mislabeled and sold as fertilizer at a Kansas farmers’ co-op. The Gaines-Tabb Court also noted that the plaintiffs failed to plead that the defendant had reason to know of the criminal propensities of the farmers’ co-op customers or that the bombers existed or planned to use the product in a bombing, much less that they planned to use the bomb against plaintiffs in Oklahoma. In comparison, in the present case Plaintiffs allege that Sonic had already suffered a similar data breach within years of this litigation’s data breach. Additionally, Plaintiffs say that there have been several high-profile data breaches, particularly within the fast food industry, and that within the fast food industry, data experts had warned that hackers constantly look to breach data security systems.
Although the Gaines-Tabb court accepted the plaintiffs’ allegations that defendants were aware that terrorists used bombs in bombing plots, the court found this allegation outweighed by the allegation that the ammonium nitrate was misbranded and sold as fertilizer at a farmers’ co-op. In this case, no similar mitigating factors exist to reduce Sonic’s knowledge of data breach risk. Furthermore, the Gaines-Tabb court considered that the fact that the ammonium nitrate had been sold in Kansas but used in Oklahoma weighed against reasonable foreseeability. However, despite Sonic’s attempts to paint its connection to Plaintiffs as attenuated given Sonic Defendants’ role as the franchisor and Plaintiffs’ role as Sonic-franchise-store-customers’ banks, Plaintiffs have pleaded sufficient facts to show that Sonic had reason to anticipate that cardholders’ banks, which are responsible for replacing compromised cards and monitoring compromised accounts, could be harmed by any data breach. Plaintiffs have pleaded sufficient facts to show that a reasonable person would have foreseen the data breach risk and taken its effects on Plaintiffs into account. Finally, Oklahoma law incorporates foreseeability into the duty analysis. In general, criminal acts are “less foreseeable than negligent or intentional (but legal) acts,” because “under ordinary circumstances it may reasonably be assumed that no one will violate the criminal law.” However, as discussed above, Sonic Defendants had reason to assume, even anticipate, that many hackers would violate the law. Plaintiffs have pleaded sufficient facts to show that the data breach, even though caused by the criminal acts of a third party, was sufficiently foreseeable.