Whole Foods is known as a high-end grocery retailer, but at some of its 470 stores it also offers taprooms and restaurants. The complaint for this class action alleges that its taprooms and restaurants were the subjects of a data breach in September 2017.
The Nationwide Class for this action is all persons in the US for whom Whole Foods stored private, personal information that was released as a result of the Whole Foods data breach disclosed in September 2017. The complaint also proposes an Ohio Subclass.
Point-of-sale (POS) systems capture customer information, including names, credit card number, card expiration dates, three-digit codes, and so on. This information is known as personally identifying information or PII. The complaint claims that Whole Foods uses different POS systems in its taprooms and restaurants than it does at its grocery checkout counters.
When Whole Foods discovered the data breach, the complaint alleges, it began an internal investigation and involved third-party forensic experts and law enforcement. However, the complaint claims, it was only when the news broke in the public media on September 28, 2017 that those whose data had been stolen found out about it.
According to the complaint, when plaintiff Patricia Banus made a purchase at a taproom in Rocky River, Ohio, Whole Foods processed her transaction on a system that the company knew was already compromised and exposed her PII and credit card information to unauthorized persons.
Interestingly, the complaint claims that Whole Foods violated the Fair Credit Reporting Act (FCRA) because, it contends, Whole Foods should be considered a “consumer reporting agency” (CRA) under that law. The violation occurred because, the complaint alleges, “CRAs must maintain reasonable procedures to ensure that … third-party disclosures” of consumer information “are made exclusively for permissible purposes.”
The complaint also mentioned the credit card industry’s PCI Security Standards Council and its Data Security Standard (DSS), which applies to all merchants that store, process, or transmit card information. The complaint quotes a Visa official as saying that “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.” The complaint thus claims that Whole Foods did not live up to acceptable industry standards in its handling of credit card information.
In addition, the complaint says that Whole Foods violated Ohio laws in accepting plaintiff Banus’s information into a compromised system and also that the company breached the duty of care it owed to its customers.