Earlier this week, fast food giant Wendy’s announced that it has agreed to pay $50 million to resolve a 2016 lawsuit by financial institutions nationwide.
The class-action suit alleged that the company’s negligence allowed hackers to steal credit and debit card information in a 2015 data breach. The settlement will be paid to approximately 7,500 banks and credit unions that issued about 18 million credit or debit cards exposed in the data breach.
Company executives were happy to put the incident to rest. “With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks,” Wendy’s president and CEO Todd Penegor said in a press release. “We look forward to putting this behind us so that we can continue to focus on growing the Wendy’s brand.”
The Wendy’s breach teaches something very important about the evolving definition of liability when it comes to digital security. Wendy’s has had to settle with both financial institutions and consumers. This shows that companies are considered responsible for ensuring, at least to a degree, the safety of digital identities and financial information.
In many ways this outcome is the natural consequence of a wave of consumer privacy laws enacted in recent years, both internationally and within the United States, from Europe’s General Data Protection Regulation (GDPR) to California’s Privacy Act. The accountability and responsibility of data holders are becoming more and more codified. This is having real consequences, and companies are being forced to pay up for mishandling private data. With any luck this will push businesses to improve their data protection and privacy capabilities.