Sonic Case Demonstrates How Merchants Put Consumer Privacy At Risk

September 15, 2021 at 9:15 am

For those of you in Washington this week, a recent decision in the Sonic data breach litigation underscores why merchants need to comply with baseline data breach prevention standards. On September 7th a group of credit unions survived Sonic’s motion to dismiss claims that its negligence facilitated yet another massive data breach, resulting in costs to credit unions, such as the need to reissue cards, for which Sonic should be responsible (SONIC CORP. CUSTOMER DATA SECURITY BREACH LITIGATION). And let’s not forget the thousands of consumers who were inconvenienced as a result of Sonic’s alleged negligence.

Between April and October of 2017, hackers used malware installed at 762 Sonic restaurants to steal transaction payment card data. Franchises generally were allowed to use two different types of processing systems. The hacks occurred in franchises that used the PAYS system to process transactions. Sonic supported payment processing by setting up a VPN that provided remote access to the system. The VPN was configured so poorly that it allowed hackers to access unencrypted payment card data. The list of defects reads like a “What Not-To-Do List” when it comes to protecting customer data:

  • Access to the system was not protected by multi-factor authentication.
  • The stolen data was not always subject to end-to-end encryption.
  • Sonic even facilitated the storing of unencrypted card data on business servers.

If a New York State bank or credit union treated data this way, it would be in violation of several provisions of New York State’s cybersecurity regulations, which mandate that sensitive data be encrypted in transit and adequately protected while it is held on the institution’s servers. Furthermore, a failure to use multi-factor authentication has already resulted in fines under that framework. Even if you do not have the good fortune of living in New York, the Gramm-Leach-Bliley Act and a host of regulations outlaw this type of conduct for financial institutions.

In contrast, there is no corresponding regulatory framework for businesses like Sonic; the only way to hold Sonic and similar companies accountable is through lawsuits. The problem is that not all states give financial institutions the right to sue merchants for purely economic harm. In short, we continue to have a hodge-podge of regulatory enforcement that incentivizes merchants to under-invest in their cybersecurity infrastructure.

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
