Financial institutions clear hurdle in Sonic data breach case - Reuters
A sign for drive-in fast food restaurant Sonic Corp. is seen San Diego, California, U.S. June 22, 2016. REUTERS/Mike Blake
- Law firms
- Summary judgment denied in class action accusing Sonic of negligence
- Litigation stems from 2017 point-of-sale system breach
The company and law firm names shown above are generated automatically based on the text of the article. We are improving this feature as we continue to test and develop in beta. We welcome feedback, which you can provide using the feedback tab on the right of the page.
(Reuters) - An Ohio federal judge on Tuesday denied Sonic Corp's bid for summary judgment in litigation brought by financial institutions over a 2017 data breach, allowing the case to proceed.
U.S. District Judge James Gwin in Cleveland found material facts in the case "remain unresolved," clearing the way for the case to go to trial. The litigation stems from a breach in which hackers used malware to access customers' payment card data through the point-of-sale system used at hundreds of Sonic's franchise locations.
Kari Rollins of Sheppard, Mullin, Richter Hampton, a lawyer for Sonic and its related entities named in the lawsuit, didn't immediately respond to a request for comment about the decision or a potential trial date. Brian Gudmundson of Zimmerman Reed and Charles Van Horn of Berman Fink Van Horn, who represent a class of financial institutions, declined to comment.
Gwin certified the class that includes certain banks, credit unions and financial institutions in November. A few months earlier, he partially granted Sonic's motion to dismiss, allowing only a negligence claim to go forward in July 2020.
The Sonic companies urged the judge to grant summary judgment because "no genuine issues of fact exist regarding the duty and causation requirements" of the remaining negligence claim under Oklahoma law.
The plaintiffs can't prove that Sonic committed "affirmative acts" that exposed them to an "unreasonably high risk of harm," Sonic said in its filing, pointing a finger instead to Infor Restaurants Services Inc, the point-of-sale vendor that served the affected Sonic franchises.
The judge disagreed with Sonic's argument, finding the Sonic companies owed an obligation to the financial institutions.
"Sonic had a duty to prevent the criminal acts of hackers because Sonic's affirmative acts created a risk of harm, and Sonic knew or should have known that the risk of hacking made its flawed security practices unreasonably dangerous," he said in the ruling. The judge cited several alleged actions by Sonic that created risk, including making a "permanently-enabled VPN tunnel" that gave system access to anyone with Infor credentials and a remote user credential without multifactor authentication.
The judge also concluded he can't grant summary judgment because there is enough evidence that Sonic's actions "were the proximate cause" of the financial institutions' injury.
Sonic could only succeed in arguing that its actions weren't the proximate cause of the breach if it showed the hacker's criminal actions were "independent of Sonic's negligent security practices," among two other things. "Questions of material fact block Sonic-favorable findings on each of these three conclusions," the judge found.
The case is In re Sonic Corp Customer Data Security Litigation, U.S. District Court for the Northern District of Ohio, No. 1:17-md-2807.
For the financial institutions: Brian Gudmundson of Zimmerman Reed and Charles Van Horn of Berman Fink Van Horn
For Sonic: Kari Rollins of Sheppard Mullin Richter Hampton
Financial institutions can sue Sonic as a class over data breach, judge rules
Credit unions can serve up negligence claim in Sonic data breach case - judge
Sara Merken reports on privacy and data security, as well as the business of law, including legal innovation and key players in the legal services industry. Reach her at [email protected]