[BreachExchange] Financial institutions clear hurdle in Sonic data breach case

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 8 08:32:00 EDT 2021


https://www.reuters.com/legal/litigation/financial-institutions-clear-hurdle-sonic-data-breach-case-2021-09-07/

An Ohio federal judge on Tuesday denied Sonic Corp's bid for summary
judgment in litigation brought by financial institutions over a 2017 data
breach, allowing the case to proceed.

U.S. District Judge James Gwin in Cleveland found material facts in the
case "remain unresolved," clearing the way for the case to go to trial. The
litigation stems from a breach in which hackers used malware to access
customers' payment card data through the point-of-sale system used at
hundreds of Sonic's franchise locations.

Kari Rollins of Sheppard, Mullin, Richter & Hampton, a lawyer for Sonic and
its related entities named in the lawsuit, didn't immediately respond to a
request for comment about the decision or a potential trial date. Brian
Gudmundson of Zimmerman Reed and Charles Van Horn of Berman Fink Van Horn,
who represent a class of financial institutions, declined to comment.

Gwin certified the class that includes certain banks, credit unions and
financial institutions in November. A few months earlier, he partially
granted Sonic's motion to dismiss, allowing only a negligence claim to go
forward in July 2020.

The Sonic companies urged the judge to grant summary judgment because "no
genuine issues of fact exist regarding the duty and causation requirements"
of the remaining negligence claim under Oklahoma law.

The plaintiffs can't prove that Sonic committed "affirmative acts" that
exposed them to an "unreasonably high risk of harm," Sonic said in its
filing, pointing a finger instead to Infor Restaurants Services Inc, the
point-of-sale vendor that served the affected Sonic franchises.

The judge disagreed with Sonic's argument, finding the Sonic companies owed
an obligation to the financial institutions.

"Sonic had a duty to prevent the criminal acts of hackers because Sonic's
affirmative acts created a risk of harm, and Sonic knew or should have
known that the risk of hacking made its flawed security practices
unreasonably dangerous," he said in the ruling. The judge cited several
alleged actions by Sonic that created risk, including making a
"permanently-enabled VPN tunnel" that gave system access to anyone with
Infor credentials and a remote user credential without multifactor
authentication.

The judge also concluded he can't grant summary judgment because there is
enough evidence that Sonic's actions "were the proximate cause" of the
financial institutions' injury.

Sonic could only succeed in arguing that its actions weren't the proximate
cause of the breach if it showed the hacker's criminal actions were
"independent of Sonic's negligent security practices," among two other
things. "Questions of material fact block Sonic-favorable findings on each
of these three conclusions," the judge found.

The case is In re Sonic Corp Customer Data Security Litigation, U.S.
District Court for the Northern District of Ohio, No. 1:17-md-2807.

For the financial institutions: Brian Gudmundson of Zimmerman Reed and
Charles Van Horn of Berman Fink Van Horn

For Sonic: Kari Rollins of Sheppard Mullin Richter & Hampton