Sonic Drive-In reached a $4.3 million settlement on October 10 with its customers over the chain’s data security breach in 2017 that exposed customer credit and debit card information at 325 Sonic Drive-In locations. The attack followed a pattern familiar in the retail and restaurant context, where hackers infect the point-of-sale system with malware that copies and transmits the information from consumers’ payment cards when they are used to make a purchase. Plaintiffs filed several class action lawsuits for violations of state consumer protection laws and data breach notification statutes, along with various common law causes of action. The lawsuits were consolidated into a multidistrict litigation proceeding in the Northern District of Ohio in early 2018.
Sonic agreed to pay $4,325,000 to settle the claims. Class members whose debit and credit card information was compromised and who made purchases using a credit or debit card at one of the affected locations can receive $10, and class members who actually experienced fraudulent or unauthorized charges can receive $40.
In the settlement agreement, which is pending court approval, Sonic contended that it had adequate security precautions in place, and denied that it is liable in any way for the third-party cyberattack on its point-of-sale systems. It is notable that Sonic is a franchise system, which resulted in special provisions in its settlement agreement. In addition to several enterprise-wide commitments, the company agreed to require that its franchisees comply with Payment Card Industry Data Security Standards (PCI-DSS), facilitate data privacy reporting and discussions among its franchisees to members of Sonic’s corporate cybersecurity team, and report on at least a quarterly basis to a franchise owner committee on issues concerning the Sonic information security and data privacy program related to Sonic Drive-In locations.
While the food safety risks and legal obligations are apparent in the restaurant business, cybersecurity may be less so. The Sonic settlement is one of several in the last few years involving restaurant chains, such as Pizza Hut, Arby’s, and Chili’s, to name a few.
If you have any questions or would like more information on the issues discussed in this post, please contact Ezra Church or Hilary Lewis.
 Settlement Agmt. and Release, In Re: Sonic Corp. Customer Data Security Breach, No. 1:17-md-02807 (N.D. Ohio), Dkt. No. 132-2.