On May 6, 2021, Judge Gene E.K. Pratter of the U.S. District Court for the Eastern District of Pennsylvania granted-in-part and denied-in-part convenience store chain Wawa’s motion to dismiss claims brought by a class of financial institution Plaintiffs arising from a data breach Wawa suffered in March 2019 when hackers accessed Wawa’s point-of-sale systems and installed malware that targeted in-store payment terminals and gas station fuel dispensers. Hackers obtained payment card information over the next several months which was later made available for purchase on the “dark web.”

The Court allowed Plaintiffs’ negligence and declaratory and injunctive relief claims to go forward. Significantly, the Court rejected Wawa’s argument that the parties are bound by contract under the card brand’s “Payment Card Rules,” and that the economic loss doctrine bars recovery in tort for negligence claims because no duty independent of contract exists, holding that under the Pennsylvania Supreme Court decision in Dittman v. UMPC, 196 A.3d 1036 (Pa. 2018), “Pennsylvania law, post Dittman, imparts on companies an independent duty to reasonably secure their payment systems.” Furthermore, the Court found that, “Wawa’s affirmative conduct, in collecting payment card information and storing it in an insecure manner, created a risk of foreseeable harm from third parties and led to a data breach that proximately caused the Institutions’ alleged injuries.”

Lowey Dannenberg’s Christian Levis was appointed by the Court in June 2020 as Interim Co-Lead Class Counsel on behalf of a putative class of financial institutions. Mr. Levis is leading the prosecution in this ongoing class action along with attorneys at Carlson Lynch, LLP and Hausfeld LLP. The case is In re Wawa, Inc. Data Security Litigation, No. 2:19-cv-06019-GEKP (E.D. Pa.).

Please contact or Christian Levis (clevis@lowey.com), Anthony Christina (achristina@lowey.com), or Amanda Fiorilla (afiorilla@lowey.com) with any questions about the case.