25 May 2017

Beware of the Banks and Secure the Company’s Point-of-Sale Credit Card Systems


Every company that accepts consumer and business credit and debit cards should stop for a moment right now and think about how it processes those cards. Why the urgency, you ask? We all know that when a data breach occurs, affected consumers may be able to unite and file a class action lawsuit against the company that failed to protect their payment card information (PCI). And we all know that these lawsuits will likely be dismissed because the consumers failed to show “legally cognizable” harm. Basically, many courts have ruled that the future threat of identity theft is too speculative a harm to allow consumers to bring such lawsuits.

The recent breach of Arby’s Restaurant Group’s PCI systems demonstrates that companies that accept consumer credit and debit cards may want to worry less about consumers and more about the banks, specifically those banks that serve as consumer payment card issuers. Arby’s is facing several class action lawsuits (e.g., Case No. 17-cv-00715) brought by issuing banks in the U.S. District Court in Atlanta after the restaurant chain experienced a data breach involving its payment card systems and networks. The breach involved malware placed on Arby’s corporate payment card systems that allowed hackers to steal Track 1 and Track 2 data (credit and debit card information such as cardholder name, primary account number, expiration date, and in certain circumstances the PIN).

Beware of the issuing banks because courts may view their data-breach-related damages as “real.” Here, the issuing banks claim to have suffered real damages related to the costs of cancelling and reissuing cards, investigating and refunding fraudulent charges, and purchasing customer identity theft and credit monitoring. The issuing banks also claim lost profits from unrealized card interest and transaction fees resulting from reduced card usage.

We are following these Arby’s cases as they develop and will keep you up to date. In the meantime, we recommend you take a hard look at your PCI systems. If your company is not using chip readers or the latest encryption technologies, it will need to update its systems to protect PCI and comply with industry standards.

Please contact any member of Miller Johnson’s Privacy and Data Security team if you have any questions or would like assistance evaluating whether your PCI systems are PCI-DSS compliant and more importantly, whether they are secure.

Post authored by Jason Crow.