Sonic Corp. can’t dodge a lawsuit from banks over a 2017 hack of consumers’ payment cards from more than 300 of the burger chain’s drive-ins.
The company can’t beat a negligence claim under Oklahoma law, where it’s headquartered, for failing to protect against the hack, the U.S. District Court for the Northern District of Ohio ruled July 1.
Sonic’s lawyers argued that, although the company might have failed to act, it didn’t create the security vulnerabilities that hackers exploited. But the court sided with the banks suing Sonic, citing the chain’s control over technology franchisees used for payments.
The banks also faulted Sonic for not anticipating the risk of a breach after an earlier incident in which hackers attempted to install malware to skim payment card data.
Sonic didn’t immediately respond to a request for comment.
The company previously reached a $4.3 million deal to settle claims from customers whose credit and debit card information was exposed in the data breach. Banks including Arkansas Federal Credit Union and Redstone Federal Credit Union also sued for damages, since they’re responsible for replacing compromised cards and monitoring compromised accounts.
The Ohio court dismissed two other claims against Sonic, including a federal negligence claim, for a lack of clear standards, and a request for relief.
The case is In re Sonic Corp. Customer Data Sec. Breach Litig., N.D. Ohio, No. 1:17-md-2807, 7/1/20.