Sonic to Pay $5.73 Million to Settle Class-Action Credit Union Lawsuit
New agreement will end long and highly-contested court battles over one of the largest payment card data breaches.
After nearly three years of highly-contested court battles and arduous marathon negotiations, Sonic has agreed to pay $5.73 million to settle a class-action lawsuit for one of the largest payment card data breaches in 2017 that affected at least 4,000 credit unions and banks and more than five million customers.
In March 2019, the class-action claim against Sonic Corp. was brought by the $9.3 billion American Airlines Federal Credit Union in Fort Worth, Texas, the $1.8 billion Arkansas Federal Credit Union in Little Rock and the $7.9 billion Redstone Federal Credit Union in Huntsville, Ala. The credit unions alleged that Sonic’s security deficiencies enabled hackers to breach and install card-scaping malware on point-of-sale systems at more than 700 Sonic franchised drive-ins across the nation. The hackers stole payment card data and posted five million payment cards for sale on the dark web, according to court documents.
Following three days of marathon negotiations in January and February, the credit unions and Sonic arrived at a tentative agreement on Feb. 2. Last week, U.S. District Court Judge James S. Gwin in Cleveland granted preliminary approval of the proposed settlement agreement.
Sonic has agreed to pay $3 million to fund claims that are filed by credit unions and banks, which breaks down to $1 for each payment card reissued by the affected financial institutions and $1.50 for each payment card experiencing fraud within four weeks of the breach, according to the proposed settlement document.
The drive-in fast-food chain also has agreed to pay $500,000 for settlement administration costs and a $10,000 service award for each credit union. In addition, Sonic will pay $2.2 million in attorneys’ fees and expenses.
“At this stage, the settlement agreement seems arguably fair, reasonable and adequate,” Judge Gwin wrote in his ruling. “Granting preliminary approval does not create a commitment to grant final approval. The court will take all evidence into account, including any objections, before making a financial approval decision after the hearing.”
That hearing is scheduled for Oct. 6 in Cleveland. If the settlement is granted final approval, credit unions and banks will be notified and can then file a claim. To receive a claim payment, credit unions and banks must complete a claim form and either provide basic data regarding the timing of its reissued and fraud cards, or the total amount of reissued and fraud cards along with an explanation of how the financial institutions calculated the numbers, according to court documents. Sonic will have the right to audit any claim and will pay for those costs.
“It was a hard-fought case, but we’re pretty proud of the outcome of the settlement,” Charles H. Van Horn in Atlanta said on Friday, who is one of the lawyers representing Redstone.
In support of the settlement’s preliminary approval, the three credit unions said continuing the litigation posed significant risks for the class action suit.
“This complex case has been heavily litigated for three years and, at the time of settlement, significant motions were pending that may have significantly impacted the issues and extent of damages in this case,” the credit unions wrote in court documents. “Plaintiffs have obtained numerous successes and contend they maintain a high chance of success at trial, especially as to Sonic’s liability for the Data Breach and resulting harm. However, Sonic’s challenges to damages and liability and threaten to undermine Plaintiffs’ claims entirely or reduce the amount of damages.”
The credit unions also noted that Sonic levied an aggressive defense at every stage in this case. Compared to the risks of continued litigation in which credit unions and banks may receive nothing, the settlement allows for recovery of some losses through a claims-made process, the credit unions said.