[BreachExchange] Wawa data breach aftermath: Observations from the legal side of things

Destry Winant destry at riskbasedsecurity.com
Wed Jun 3 09:37:11 EDT 2020


Back in December 2019, Wawa, Inc. announced that it had “experienced a
data security incident” involving malware that had been running on its
payment processing systems since as early as March 2019, which
“affected payment card information,” including credit and debit card
numbers and other information. By January 2020, Wawa stated that it
had learned of “reports of criminal attempts to sell some customer
payment card information potentially involved” in the original data
security incident it had reported in December. It expressed its
confidence that the malware was contained in mid-December and that
only payment card information was involved.

The Road Ahead for Wawa

While the adequacy of Wawa’s efforts to avoid a breach in the first
place still remains to be determined, Wawa appears to have proceeded
as a responsible corporate citizen should following discovery of a
breach. It has disclosed the incident, notified law enforcement and
payment card companies, retained a forensics firm to investigate, and
offered free credit monitoring and identity theft protection. It has
apologized profusely and offered to “work with” individual customers
who are not reimbursed by their credit card company if they have
promptly notified the company of fraudulent charges related to the
Wawa breach.

But, of course, the last chapter of the story has yet to be written.
Months later, Wawa’s investigation is presumably ongoing. As far as
publicly available information goes, it has not disclosed the pathway
through which the malware found its way into Wawa’s system. It has
said that it “continues to take steps to enhance the security of our
systems.” And, over a dozen lawsuits have been filed arising from the
breach, all of which essentially claim that Wawa failed to use
reasonable measures to adequately secure its computer systems and
timely detect the malware on its servers and that the measures that
Wawa has voluntarily offered to its customers do not do enough to
cover all the costs and injuries that they have suffered and will
suffer. The lawsuits seek, among other things, compensatory damages
for any injuries to Wawa’s customers and punitive damages for Wawa’s
alleged knowing failure to maintain up-to-date security.

From all accounts, the Wawa breach appears to be running the all too
familiar course for a “modern” data breach. But, with 31 million
records allegedly accessed, and with more than 850 Wawa convenience
stores and gas stations that seem to be “everywhere” to anyone who
travels the roads in the Mid-Atlantic states, Florida and Washington,
D.C., perhaps this breach will provide a clarion call to businesses
and individuals alike to step up measures to prevent cyber incidents
and limit the damages they may cause.

Troubling Legal Trends

The Wawa breach comes in the midst of ever-expanding legal obligations
in the cybersecurity field. The trend in many legal quarters toward
imposing upon businesses affirmative duties to implement measures to
help prevent data breaches and comply with ever-expanding data privacy
regulation has brought increased scrutiny of the actions, or more
likely inactions, of various players in the cyberspace—be they
businesses holding private personal information, vendors with whom
they share that data, or information security professionals that
advise businesses on cyber issues. While large corporations like Wawa
have significant resources to devote to information security, small
and medium businesses are too often unaware of the legal requirements
and cyber threats under which they operate, or too frequently choose
not to find out what they need to do.

As but one example of escalating legal requirements, New York’s Stop
Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went
into effect on March 20 – and required businesses covered by the law
to implement “reasonable” administrative, technical and physical
“safeguards” to protect against the unauthorized access to NY
residents’ “private information.” The Act provides examples of such
safeguards, including that businesses: designate a coordinator for the
security program; identify internal and external risks; design and
implement technical and physical safeguards to control the risks;
assess and test the sufficiency of those safeguards on an ongoing
basis; train and manage employees in the security program’s practices
and procedures, and require their “service providers” to maintain
appropriate safeguards.

Other states have adopted or are considering similar laws. As a
general statement, some cyber and privacy laws are specific and
require particularized actions. Many others are more general and
nebulous. The ABA Cybersecurity Handbook, Second Edition, notes that
the emerging legal standard “rejects requirements for specific
security measures (such as firewalls, passwords, or the like) and
instead adopts a fact-specific approach to business security
obligations that requires a ‘process’ to assess risks, identify and
implement appropriate security measures responsive to those risks,
verify that the measures are effectively implemented, and ensure that
they are continually updated in response to new developments.” Rhoads
and Litt, ABA Cybersecurity Handbook, Second Edition 73 (American Bar
Association, 2018).

Liability in the Data Breach Age

The expansion of these laws and the process they prescribe likely
precede an uptick in the demand for security professionals’ business –
but may also expose them to potential liability when a business whom
they advise suffers a data breach. The nature of the legal duties
involved and who may sue whom in court creates a unique legal dynamic
between security professionals, businesses, and individuals.
Businesses may be liable to individuals for any damages flowing from a
breach that discloses the individual’s personal information, even if
that breach was the fault of a security professional. Security
professionals, in turn, often have no duty, and thus no liability,
directly to the individual. Rather, their sole duty will be to the
business itself based primarily on the terms of its security contract.

For this reason, security professionals often include limitations on
liability in their contracts, such as disclaiming certain types of
damages or placing a flat cap on damages. For example, the contract
may disclaim liability for any consequential, special, incidental,
indirect, or punitive damages, as well as lost profits/reputational
harm, which would mean that the business could most likely recover
only the costs for the service to date and the costs to correct the
security professional’s work product. Alternatively, the contract may
limit any damages to the total fees paid under the contract so far.
Depending on the circumstances, some provisions may limit damages
based upon the type of data that was accessed or extracted, such as a
bar on damages for disclosure of a customer’s HIPAA-protected

While these provisions may place the majority of the risk on the
business, they nonetheless make economic sense for security
professionals. No security system is flawless, and a security
professional would be disinclined to accept a contract with a massive
business for, say, $40,000 per month if a breach could require the
security professional to pay millions in damages. Some commentators
have called for legislatures or the courts to impose responsibility
upon security professionals in certain circumstances. Although that
may theoretically prompt them to be more careful and provide their
clients with “better security,” it may also simply drive up security
professionals’ prices to compensate for the increased risk or lead
them to decline contracts with companies who present greater risks of
significant consequences resulting from a breach, particularly when
there is no way to guarantee that a system is 100% secure.

The Need to Negotiate

Barring any such changes in the law, businesses are often left to try
to negotiate some of the common liability and damages limitations
away, likely in exchange for greater monthly payments or to place
their information security in the hands of a third-party with a
theoretically weaker legal incentive to ensure that the business’s
security system is functioning as it should. This is not to say that
businesses are powerless, and security professionals may be willing to
permit certain carve-outs tailored to a particular business without
exacting a massive price tag. For example, depending upon
circumstances, a security professional may agree that the limitations
on liability do not apply if the breach resulted from the security
professional’s gross negligence or if the breach results in the
disclosure of the business’s own trade secrets or intellectual
property. Likewise, the business may require the security professional
to maintain strong cybersecurity insurance. Ultimately, both the
security professional and the business need to be aware of these
issues and address them in their contract negotiations, particularly
in light of the security risks and the growing legal requirements to
use reasonable measures to secure protected information from
unauthorized access.
