Wendy’s Highlights Potential Perils of an Overbroad Class in Data Breach Lawsuit

In late 2015, Wendy’s was subject to two different malware attacks at its various franchise restaurants. Wendy’s was then hit with a class action in February 2016 in the United States District Court for the Middle District of Florida. Wendy’s recent opposition to the plaintiffs’ motion for class certification raises an issue that defendants in such class actions should be mindful of—overbreadth of the proposed class definition.

Wendy’s opposes the class because it is not adequately defined and is overbroad. Based on the complex data breach at issue, Wendy’s argues that the class definition would include millions of members who have no cause of action. To better understand Wendy’s position, we must understand the timing and reach of the two malware attacks at issue. 

The first malware (labeled “Variant A”) only impacted restaurants that used one brand of point-of-sale system (of several used by Wendy’s restaurants), and Variant A’s infection lasted from October 25, 2015 to no later than March 10, 2016, when it was disabled. The second malware (labeled “Variant B”), which affected different point-of-sale systems than Variant A, began its infection on November 30, 2015 and was completely disabled at all impacted franchise restaurants by June 9, 2016. If Variant A and Variant B were considered collectively, the malware attack at Wendy’s spanned from October 25, 2015 to June 9, 2016; but of course, not all franchise restaurants were infected for this entire timeframe. Nevertheless, plaintiffs’ proposed class includes all customers who made a credit or debit card purchase at any of the affected restaurants from October 1, 2015 to June 9, 2016. 

Wendy’s argues in its opposition to class certification that the proposed class would sweep in numerous individuals, potentially millions, who have no claim. For example, although Variant A was disabled by March 10, 2016 at all restaurants using the Variant A point-of-sale system, the proposed class would include customers that dined at those restaurants after the malware was disabled on March 10, 2016. Wendy’s therefore asks the court to deny plaintiffs’ motion for class certification on the grounds that the class would be incredibly overbroad and include millions of individuals who had no claim and could not conceivably have been injured by the data breach. 

TIP: Wendy’s position is a fresh reminder that a technical understanding of the specific aspects of a breach can help defense lawyers beat back data breach lawsuits.