Third Circuit Issues Order In WaWa Data Breach – Data Protection – United States – Mondaq


Have you considered that someone could be secretly watching you or your child with your webcam right now? Is it worth taking such a risk? camDown can help stop them!

05 May 2022

Squire Patton Boggs LLP

To print this article, all you need is to be registered or login on

CPW has been covering the data breach litigation In re:
Wawa, Inc. Data Security Litigation
, pending in the U.S.
District Court for the Eastern District of Pennsylvania
(see here and here).  As a reminder, In Re:
Wawa Inc. Data Security Litigation
, No. 2: 19-cv-06019 arose
out of a data breach impacting Wawa, Inc. ("Wawa"), a
popular convenience store chain.  Several class action
lawsuits were filed in response to a data breach that
allegedly disclosed information collected from its consumers at
"most" of Wawa's 850 locations.  The complaint
alleges that the breach began in March 2019, when malicious actors
installed malware on Wawa's point-of-sale ("POS")
payment system.  According to the complaint, the malicious
actors then began harvesting the financial data submitted during
purchases, which continued until December 12, 2019, when Wawa
announced the breach.

According to the lawsuits, Wawa's practice of accepting
"swiped" payment cards, as opposed to "dipped"
cards with chips, enabled the data breach.  Whereas a
swipe-only payment processing system enables easier theft, a
chipped card uses "industry developed EMV chip
technology" that makes fraud "significantly more
difficult".  Broadly speaking, class action lawsuits were
filed on behalf of Wawa's customers, employees, and financial
institutions (e.g., credit unions). 
The Wawa  court's case management plan
created three distinct tracks for the litigation:  the
Consumer Track, the Employee Track, and the Financial Institution

As we previously covered, in ruling on the Financial Institution
Track plaintiffs' motion to dismiss, the court held that the
plaintiffs pleaded a plausible negligence claim based on their
novel theory that imposed a duty of care based on the Payment Card
Industry Data Security Standard ("PCI DSS"), but noted
that Wawa's argument that the "Payment Card Rules"
may place contractual limitations on the plaintiffs' rights and

The Consumer Track Plaintiffs and Wawa entered into a class
action settlement in late 2020.  Over the objections of the
Employee Track Plaintiffs, the court, granted final approval of the
settlement and dismissed the Consumer Track Action with prejudice
on April 20, 2022.  The proposed settlement class was
comprised of approximately 22 million class members.  The
agreement provided for compensation based on three
"tiers" of class members:  (1) Tier One, comprised
of customers who made a Wawa purchase using a payment card during
the data breach period, but did not experience any fraudulent
activity as a result, will receive a $5 Wawa gift card; (2) Tier
Two, comprised of customers who made a Wawa purchase using a
payment card during the data breach period and who submit proof of
a subsequent fraudulent charge or attempted fraudulent charge, will
receive a $15 Wawa gift card; (3) Tier Three, comprised of
customers who have demonstrated out-of-pocket expenses or losses in
connection with a fraudulent transaction incurred on a payment card
resulting from the data breach will be entitled to reimbursement up
to $500.  Wawa also agreed to various forms of injunctive
relief, including, but not limited to, retaining a qualified
security assessor on an annual basis to assess Wawa's
compliance with PCI DSS requirements.

The Employee Track Plaintiffs opposed the Consumer Track
settlement on the grounds that there was a lack of clarity
regarding the adequacy and fairness of the settlement with respect
to the rights and interests of the Employee Track Plaintiffs, who
are entitled to greater consideration relative to the Consumer
Track Plaintiffs.

Following the court's order granting final approval of the
Consumer Track settlement agreement, representatives of the
Employee Track Plaintiffs filed a notice of appeal to the Third
Circuit.  The court subsequently issued an order on April 26,
2022, stating that because the order only resolved the claims of
one out of three "track" of plaintiffs, it may not yet be
an appealable "final decision."  The court
instructed the parties to file written responses addressing the
issue within 14 days of the order.  The parties' responses
are due on May 10, 2022.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

In conclusion, I know that camDown helps make you invisible to hackers and guard your personal data!