Arby’s Must Extend Info Search In Data Breach Dispute

By Shayna Posses

Law360 (August 17, 2018, 7:51 PM EDT) – A Georgia federal judge ordered Arby’s on
Thursday to expand its electronic information search in litigation brought by financial institutions and consumers over a data breach, one day after agreeing to pause the patrons’
part of the dispute to give them time to finalize a settlement that has been agreed to in
principle.

U.S. District Judge Amy Totenberg partially granted the plaintiffs’ request to compel Arby’s
Restaurant Group Inc. to look for more electronic information relating to their consolidated
proposed class actions accusing the fast food chain of failing to implement appropriate data
security measures, opening the door to its systems being exposed to malware from October
2016 through January 2017.

The June 1 motion was filed by both the financial institution plaintiffs and the consumer
plaintiffs, which have been pursuing separate consolidated actions against Arby’s stemming
from the payment card breach.

However, the consumers and Arby’s told the court Tuesday that they had reached a
settlement in principle, requesting a 30-day pause on their action while they finalize the
details. The judge granted the request Wednesday, noting, “Neither the settlement nor this
stay impacts the status or schedule set in the consolidated financial institution case.”

Then, on Thursday, Judge Totenberg addressed the motion to compel, telling Arby’s that at
this point it didn’t need to extend its search to cover eight additional employees, as the
plaintiffs had requested, but did need to add one infrastructure manager and one security
engineer and must expand the time frame of the search by six months, through the end of
June 2017.

Arby’s had argued that the plaintiffs’ request wasn’t proportional to the needs of the case,
saying including eight additional employees and expanding the search period by a year — as
the plaintiffs had asked — would cost the company more than $2.2 million while producing
duplicative information.

Meanwhile, the plaintiffs countered that the cost estimate was greatly inflated and that the
expanded search would likely turn up important information.

For instance, the plaintiffs asserted, Arby’s proposed end date of Jan. 16, 2017, comes just
three days after the company identified and contained the breach, meaning it wouldn’t
capture key details discovered later about the cause and extent of the incident. Extending the
search by a year would ensure that important documentation about investigations,
remediation efforts and data security initiatives was turned over, they said.

In the end, Judge Totenberg granted the plaintiffs’ request in part, holding that adding two
lower-level workers might provide the sort of information that doesn’t always rise to the
attention of the most senior employees. The company’s claim that including additional
workers would lead to duplicative information seems to be based on assumptions rather than
concrete data, the judge concluded.

The judge also split the difference with regard to the time frame of the search, telling Arby’s
to tack on six months to the period, which will now go from January 2015 through the end of
June 2017.

As Arby’s argued, the additional six months will include substantially more information
covered by attorney-client privilege or work-product protections than the earlier part of the
search period, Judge Totenberg noted. However, “there will likely be discernible and highly
relevant information identified if the search is extended” to include the post-breach period,
she held, saying that has turned out to be the case in other similar data breach cases.

The litigation centers around a late 2016 to early 2017 breach wherein third-parties
purportedly hacked into Arby’s point-of-sale machines and used malware to steal customer
credit and debit card information from more than 950 restaurants.

Shortly after Arby’s announced the incident, financial institutions like North Alabama
Educators Credit Union, Wanigas Credit Union, Gulf Coast Bank & Trust Co. and First Choice
Federal Credit Union came after the restaurant chain with proposed class actions alleging
they suffered financial harm because of the company’s lacking data security measures.

Consumers also filed their own actions over the incident, making similar claims about the
company’s failure to properly safeguard payment card data despite knowing the restaurant
industry has been consistently plagued by massive data breaches in recent years.

The court granted a joint motion to consolidate the financial institution cases in April 2017
and did the same with regard to the two consumer cases in June of that year. However, the
judge determined that the consolidated consumer action and financial institution action should
proceed separately, rather than being consolidated together.

Arby’s has been fighting the actions ever since. The company’s bid to dismiss the financial
institution action failed in March — though it did sway the judge to trim the consumer suit
that month and got a few claims axed from the patrons’ subsequent amended complaint in
June.

After the judge’s decision on the amended consumer complaint, the patrons and Arby’s met
twice for mediation, which led to the agreement in principle that they alerted the court to on
Tuesday, according to court filings.

Representatives for the parties declined to comment Friday.

The consumers are represented by Robert W. Killorin, Stuart J. Guber and Timothy J. Peter of
Faruqi & Faruqi LLP, Roy E. Barnes, John R. Bevis and J. Cameron Tribble of Barnes Law Group
LLC, John Yanchunis and Marisa Glassman of Morgan & Morgan Complex Litigation Group and
James M. Evangelista and David J. Worley of Evangelista Worley LLC.

The financial institutions are represented by Kenneth S. Canfield of Doffermyre Shields
Canfield & Knowles LLC, Brian C. Gudmundson of Zimmerman Reed LLP, Karen Hanson Riebel
of Lockridge Grindal Nauen PLLP and James J. Pizzirusso of Hausfeld LLP.

Arby’s is represented by Robert B. Remar, Joshua P. Gunnemann and Austin J. Hemmer of
Rogers & Hardin LLP and Douglas H. Meal, Seth C. Harrington and Daniel M. Routh of Ropes &
Gray LLP.

The case is In re Arby’s Restaurant Group Inc. litigation, case number 1:17-mi-55555, in the
U.S. District Court for the Northern District of Georgia.

–Additional reporting by Joyce Hanson. Editing by Connor Relyea.