Sonic, the largest chain of drive-ins in the US, has become the latest popular company to experience a data breach and expose countless customers’ personally identifying information (PII). The complaint for this class action alleges that Sonic failed to take adequate measures to protect its data systems, failed to stop the breach from happening, failed to monitor and detect the breach on a timely basis, and failed to inform customers promptly. It claims that Sonic is guilty of negligence as well as breaches of Florida and New Jersey state laws.
The Nationwide Class for this action is all persons living in the US whose PII was acquired by unauthorized persons during the data breach announced by Sonic in 2017. As an alternative, the complaint proposes two statewide classes under state laws for Florida and New Jersey.
The complaint claims that breaches of other restaurant chains, such as Wendy’s, should have alerted Sonic to the potential for hacking and the need for precautions, but that Sonic continued to use a payment system that was more than thirty years old. The complaint acknowledges that some locations had been updated, but others had not.
The complaint alleges that Sonic customers have suffered the following damages and potential damages:
In more concrete terms, the complaint says, the damages to consumers can include things such as the cloning of their credit or ATM cards, the use of their health insurance policies, and the obtaining of loans under their names. Surveillance of accounts for fraudulent charges, withdrawals, and other uses will need to go on for years.
In addition, the complaint points out that Sonic continues to hold the PII and card information of its customers and must take precautions against future data breaches.