A Washington state District Court judge has rejected retailer Eddie Bauer’s request to throw out a class-action suit brought by Veridian Credit Union in the wake of the company’s 2016 data breach.
Though the judge did grant some parts of Eddie Bauer’s motion to dismiss, the court’s refusal to dismiss the entire suit means the case can continue working its way through the court system.
According to Veridian’s original complaint, which it filed on March 7, 2017, hackers accessed Eddie Bauer’s point-of-sale systems and installed malware that stole customer data between January 2, 2016, and July 17, 2016. The breach compromised names, credit and debit card numbers, card expiration dates, card verification values (CVVs) and other information at approximately 350 of its locations, Veridian said.
Veridian also claimed that Eddie Bauer allegedly failed to implement adequate security measures and best practices, maintain an adequate firewall and notify customers promptly, among other things. That made the breach a foreseeable event, it argued.
Though Eddie Bauer got a heads up from a well-known information security investigator on July 5, 2016, the company did not officially confirm the breach until more than six weeks later, on August 18, 2016, Veridian also alleged.
In its order on the motion to dismiss, the court took particular issue with Eddie Bauer’s suggestion that consumers had some degree of control over the data breach.
“Eddie Bauer argues…that Veridian nevertheless has failed to adequately allege an ‘unfair act’ because consumers could have avoided the risk of data theft by paying for items at Eddie Bauer stores with cash,” the judge wrote.
“In light of the ubiquitous use of credit and debit cards in all types of commerce, the court finds this argument disingenuous. Further, the court agrees with Veridian that customers had no way of knowing that Eddie Bauer’s cybersecurity measures were allegedly deficient or that Eddie Bauer had allegedly failed to implement appropriate software updates or other reasonable security measures,” the order said. “Without this knowledge, and given the broad adoption of credit and debit cards as forms of payment in our economy, consumers had scant ability to avoid the harms engendered by Eddie Bauer’s alleged security failures.”
The judge also disagreed with Eddie Bauer’s argument that inadequate security practices don’t directly harm consumers and that the harm only happens when a third party actually steals the information.
Waterloo, Iowa-based Veridian has $3.4 billion in assets and about 214,000 members. Eddie Bauer is based in Bellevue, Washington and operates about 370 stores in the United States and Canada.
