Hy-Vee Moves to Settle Data Breach Class Action
Hy-Vee has reached a preliminary settlement agreement in a class action brought by customers whose credit and debit card information was exposed as a result of a huge data breach at some of the company’s stores, according to a published report.
Papers filed in an Illinois federal court on Jan. 12 noted that the grocer began negotiating the proposed settlement with the plaintiffs’ attorneys after a judge declined to dismiss the lawsuit last April, Little Village magazine reported.
In Aug. 2019, Hy-Vee revealed the existence of a data breach affecting customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants. Locations across the grocer’s eight-state Midwestern market area were affected by the breach, which lasted between seven and eight months, starting in Dec. 2018 at some locations. Information from more than 5.3 million debit and credit cards was compromised over that time.
Little Village reported that the stolen debit and credit card information was purported to be on sale at Joker’s Stash, a site featuring stolen card data.
In Oct. 2019, two Hy-Vee customers affected by the breach, one in Illinois, the other in Missouri, brought a class action against the company, with two Iowa residents added as plaintiffs the following month.
In their filing on the settlement, plaintiffs’ attorneys admitted, “Prosecuting this litigation through trial and appeal would likely be lengthy, complex and impose significant costs on all parties.”
If the court approves the settlement deal, the class, consisting of those “residing in the United States who used a payment card to make a purchase at an affected Hy-Vee point-of-sale device during the Security Incident,” will be eligible for a reimbursement of as much as $225 for various categories of potential expenses incurred as a result of the breach, including the replacement of cards; the reversal of fraudulent charges; unreimbursed bank fees, card reissuance fees, overdraft fees, late fees, charges related to unavailability of funds, and over-limit fees; unreimbursed charges from banks or credit card companies; interest on payday loans because of card cancelation or an over-limit situation; costs of credit report(s); and costs of credit-monitoring and identity theft protection.
Some “who experienced extraordinary expenses” could get up to $5,000 per claim. The 11 plaintiffs will additionally receive “incentive awards” of $2,000 each.
Further, the plaintiffs’ attorneys are seeking $727,000 in fees, and Hy-Vee is expected to pay $12,000 to cover the attorneys’ expenses.
As well as agreeing to these payments under the settlement deal, Hy-Vee will take “certain measures to increase its data security and consumer information protection procedures for a period of two years.” Among these measures are the appointment of a group VP, IT security; maintenance of a written information security program; employee training on data security policies and detecting/handling suspicious emails; maintenance of a policy for addressing information security events; compliance with [current payment card industry data security] standards; and requiring third-party vendors to employ multifactor authentication to access Hy-Vee’s payment card environment.
On its own, Hy-Vee has already bolstered data security practices in the wake of the breach, as the retailer noted in Oct. 2019.
A Hy-Vee spokeswoman told Progressive Grocer that once the settlement is approved, “those involved in the lawsuit will receive notification as to how to file a claim, pending they meet certain criteria approved by the court.”
With sales of $11 billion annually, the employee-owned Hy-Vee operates more than 275 retail stores in eight Midwestern states. The company is No. 33 on The PG 100, PG’s 2020 list of the top food and consumables retailers in North America.