Hy-Vee to Settle Data Breach Class Action
Hy-Vee has reached a preliminary settlement in a class action lawsuit brought by customers whose credit and debit card information was leaked following a massive data breach at some of the company’s stores, according to a published report.
Documents filed in Illinois federal court on Jan. 12 said the grocer began negotiating the proposed settlement with the plaintiffs’ attorneys after a judge refused to dismiss the lawsuit last April, Small village the magazine reported.
In August 2019, Hy-Vee revealed the existence of a data breach affecting customers who used debit and credit cards at its gas pumps, drive-through cafes and restaurants. Locations across the grocer’s Midwest market area were affected by the breach, which lasted between seven and eight months, beginning in December 2018 in some locations. The information of more than 5.3 million debit and credit cards was compromised during this period.
Small village reported that the stolen debit and credit card information was believed to be for sale on Joker’s Stash, a site featuring stolen card data.
In October 2019, two Hy-Vee customers affected by the violation, one in Illinois and the other in Missouri, filed a class action lawsuit against the company, with two Iowa residents added as applicants the following month.
In its settlement brief, plaintiffs’ attorneys admitted, “pursuing this litigation through trial and appeal would likely be long, complex, and impose significant costs on all parties.”
If the court approves the settlement agreement, the group, made up of people “residing in the United States who used a payment card to make a purchase on an affected Hy-Vee point-of-sale device during the security incident. », Will be eligible for reimbursement of up to $ 225 for various categories of potential expenses incurred as a result of the default, including card replacement; cancellation of fraudulent charges; unreimbursed bank charges, card reissue charges, overdraft charges, late fees, charges related to unavailability of funds and over-limit charges; unreimbursed charges from banks or credit card companies; interest on payday loans due to card cancellation or over limit situation; credit report fee (s); and the costs of credit monitoring and identity theft protection.
Some “who suffered extraordinary expenses” could receive up to $ 5,000 per claim. The 11 complainants will also receive “incentive prizes” of $ 2,000 each.
In addition, the plaintiffs ‘attorneys are claiming $ 727,000 in fees and Hy-Vee is expected to pay $ 12,000 to cover the attorneys’ expenses.
In addition to accepting these payments as part of the settlement agreement, Hy-Vee will take “certain steps to increase its data security and consumer information protection procedures for a period of two years.” These measures include the appointment of a group VP, IT security; maintaining a written information security program; training of employees on data security policies and detection / handling of suspicious emails; maintaining an information security event management policy; compliance with [current payment card industry data security] standards; and require third-party vendors to use multi-factor authentication to access Hy-Vee’s payment card environment.
On its own, Hy-Vee has already tightened data security practices in the wake of the breach, as the retailer noted in October 2019.
A Hy-Vee spokeswoman said Progressive Grocery that once the settlement is approved, “those involved in the lawsuit will be notified on how to file a claim, pending their meeting certain criteria approved by the court.”
With annual revenue of $ 11 billion, the employee-owned company Hy-Vee operates more than 275 retail stores in eight Midwestern states. The company is No. 33 on the PG 100, PGthe 2020 list of leading food and consumable retailers in North America.