print   email   Share

Class Action Liability From Financial Institutions For PoS Breaches

American Airlines Federal Credit Union is suing Sonic restaurants over lost revenue resulting from a 2017 data breach at Sonic.

In its lawsuit, the credit union claims that Sonic failed to adequately protect its point of sale systems or update them when new technology became available. The suit states that about a quarter of Sonic's POS systems were nearly 30 years old and could no longer receive security updates at the time of the breach. The lawsuit alleges that, as a result, cybercriminals were able to infiltrate the systems with malware and steal credit and debit card numbers.

The credit union alleges that it and other financial institutions lost significant amounts of money because of the Sonic data breach. The breach forced the credit union to cancel or reissue cards, close accounts, block transactions, refund affected customers, and increase fraud monitoring efforts, and also caused a decline in card usage.

The credit union is seeking class action status for the lawsuit to allow other financial institutions to seek compensation. The credit union believes it and other institutions are owed at least five million dollars.

Sonic recently agreed to pay up to $4.3 million to settle a lawsuit brought against it by customers affected by the 2017 data breach. Dale Denwalt "Sonic Corp. sued for $5 million over 2017 data breach" (Mar. 06, 2019).


In recent years, a number of organizations have faced lawsuits over unprotected point of sale systems. Several judges have ruled that lawsuits in which financial institutions sue companies for lost revenue following a breach can proceed. Many companies have settled these lawsuits, sometimes at great expense, to avoid the even higher costs of going to court. For example, in 2017, Office Depot paid $27 million to settle a lawsuit brought against it by financial institutions.

Because none of these cases have yet gone to trial, organizations do not know exactly how much liability they have when cybercriminals steal credit and debit card information and financial institutions sue. Without a precedent in place and to protect customers, organizations should err on the side of overprotecting customer financial information.

Organizations must make sure to use the latest, most secure software and hardware on systems that collect and store customer credit and debit card numbers and other financial information. If you use point of sale systems, only use those that are new enough to continue to receive patches and security updates. Install firewalls, security software, and other cyber protections to keep customer card numbers stored on computers and in your network safe. As soon as hardware becomes obsolete, immediately replace it with the latest, most secure model.

Although buying new hardware and software can be pricy, it costs far less in lost time and money than recovering from a data breach. Because breaches have become so common, using the latest technology will give you a competitive advantage in a field of companies who too often ignore cybersecurity.

Finally, your opinion is important to us. Please complete the opinion survey:


Log-in to access Training Modules, Article Archives, Model Policies and more!

Latest Numbers

Unemployment Rate

3.6% in Apr 2019

Payroll Employment

+263,000(p) in Apr 2019

Average Hourly Earnings

+$0.06(p) in Apr 2019

Employment Cost Index (ECI)

+0.7% in 1st Qtr of 2019


+3.6% in 1st Qtr of 2019

Source: Department of Labor

Chubb Offers for Employment Practices Liability (EPL) Insured:

Loss Prevention Reimbursement Credit

HR Acuity On-Demand

Best Practice Minute

Available presentations

What's New

Fighting Cybercrime Starts With Addressing Employee Cyber Negligence

New statistics show the risks associated with employee negligence and cybercrime. We provide the data and provide some best practice steps. Read More

Protecting Privileged Credentials: An Essential Step In Cybersecurity

Organizations must take measures to prevent privileged access credential abuse, the leading cause of data breaches. Read ways to protect these valuable credentials. Read More

Knowing The Risk, Why Do You Continue To Reuse Your Password?

Although they know better, most people still fail to use unique passwords for their online work and personal accounts. Learn ways to create passwords that are harder to decipher, but that you will remember. Read More