wawa Photo: Shutterstock

As customers continue to file lawsuits against the convenience store chain Wawa over a data breach it experienced last year, credit card companies have begun filing class action lawsuits of their own over the hack that exposed payment card information from users at potentially all of the company's locations.

Since January, attorneys from the Pittsburgh data privacy boutique Carlson Lynch have filed three class action lawsuits in the U.S. District Court for the Eastern District of Pennsylvania, alleging that the Delaware County, Pennsylvania-based company negligently failed to protect its payment card data. In their complaints, the plaintiff-companies, Inspire Federal Credit Union, First Choice Federal Credit Union and Greater Cincinnati Credit Union, argued that they hold the ultimate burden of resolving the problems that Wawa consumers may now face.

"As a result of the Wawa data breach, plaintiff and class members are required, and will continue to be required, to cancel and reissue payment cards, change or close accounts, notify members/customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraud monitoring on potentially impacted accounts, and take other steps to protect themselves and their members/customers," Cincinnati Credit Union said in its complaint, which was filed Feb. 7. "Plaintiffs and members of the class also lost or will lose interest and transaction fees due to reduced card usage. Furthermore, debit and credit cards belonging to plaintiff and class members—as well as the account numbers on the face of the cards—were devalued."

Carlson Lynch attorney Gary Lynch filed the lawsuits. Lynch is on the steering committee in the class actions brought against Marriott Inc.'s data breach and played a lead role in convincing the Pennsylvania Supreme Court that companies have a common-law duty to protect their electronically stored employee data in Dittman v. UPMC.

Lynch said he has represented dozens of other financial institutions who have sued over prior data breaches, and has been in talks with those companies about the Wawa breach.

"If there are financial institutions that want to be class representatives, we will add them as appropriate," he said. "We are in discussions with other financial institutions who may be interested in joining the lawsuit."

Although only Lynch filed the Greater Cincinnati Credit Union's suit, on the Inspire Federal Credit Union suit, Lynch was joined by attorneys from Lowey Dannenberg in White Plains, New York; The Coffman Law Firm in Beaumont, Texas; Levin Sedran & Berman and Golomb & Honik in Philadelphia; and the firms Lockridge Grindal Nauen and Chestnut Cambronne in Minneapolis.

The new group of lawsuits filed by financial entities add to the growing consumer-focused litigation that is also pending in the Eastern District of Pennsylvania federal court.

The first lawsuits over the data breach began to be filed Dec. 20—the day after Wawa's CEO said in an open letter there had been a breach of the company card payment data. According to the letter, malware that had been active since March was discovered Dec. 10, and the company contained it by Dec. 12. The letter said the malware potentially exposed payment card information from customers at all Wawa locations, including credit and debit card numbers, expiration dates and names.

The suits brought by the financial institutions said Wawa refused to implement best practices, or upgrade critical security, and argued that, with the rise of high-profile data breaches at other chains like Wendy's and The Home Depot, it should have been aware of the need for increased data security. The companies also contended that Wawa failed to comply with the Federal Trade Commission's requirements, or the minimum security standards outlined by the Payment Card Industry Security Standards Council.

According to Lynch, historically, in data breach cases, the suits brought by financial institutions are put on a separate track from those that are brought by consumers.

Lynch, who has handled data breach cases since the hack of retail giant Target in 2013, also said the Wawa case is unique in that the customers are geographically concentrated, and the hack involved swipe point of sale machines, rather than machines that used chip technology, which, he said, could affect the damages.

No attorneys have entered their appearances yet on behalf of Wawa in the suits brought by either Inspire Federal Credit Union or Greater Cincinnati Credit Union, but, in the consumer class actions, Ezra Church at Morgan, Lewis & Bockius is representing the company. Church did not return a call seeking comment.

Wawa is incorporated in New Jersey.