Hy-Vee has reached a preliminary settlement agreement in the class action lawsuit filed by customers who had their credit and debit card information stolen during a massive data breach at some of the company’s stores in 2018 and 2019.
According to papers filed in an Illinois federal court on Tuesday, the company began negotiating the proposed settlement deal with the plaintiffs’ attorneys after a judge refused to dismiss the lawsuit in April 2020. The next step in the lawsuit would have been the discovery phase, during which company officials would have been compelled to testify about the data breach under oath and produce documents related to it.
On Aug. 14, 2019, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.
Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted seven to eight months, starting in December 2018 at some locations. Information from more than 5.3 million debit and credit cards was stolen during the data breach.
The stolen debit and credit card information was later reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.
In October, two Hy-Vee customers who had their data stolen — one a resident of Illinois, the other a resident of Missouri — filed a class action lawsuit against Hy-Vee over the data breach. The following month, two Iowans were added as plaintiffs in the lawsuit.
According to a database of sites involved in the data breach, posted by the company, Hy-Vee locations in 41 Iowa cities were infected with the data-stealing malware, including locations in Iowa City, Coralville, Cedar Rapids and Marion.
If the court approves the settlement deal, people “residing in the United States who used a payment card to make a purchase at an affected Hy-Vee point-of-sale device during the Security Incident” will be eligible for a reimbursement of up to $225 “for the following categories of potential expenses incurred as a result of the Data Breach”:
• reimbursement of up to three (3) hours of documented lost time (at $20 per hour) spent dealing with replacement card issues or in reversing fraudulent charges (only if at least one full hour was spent and if it can be documented with reasonable specificity);
• an additional $20 payment for each credit or debit card on which documented fraudulent charges were incurred that were later reimbursed;
• unreimbursed bank fees, card reissuance fees, overdraft fees, late fees, charges related to unavailability of funds, and over-limit fees;
• long distance telephone charges, postage, cell minutes (if charged by the minute), text messages (if charged by the message), and Internet usage charges (if charged by the minute or by the amount of data usage);
• unreimbursed charges from banks or credit card companies;
• interest on payday loans due to card cancelation or due to an over-limit situation;
• costs of credit report(s); and
• costs of credit monitoring and identity theft protection.
Some people “who experienced extraordinary expenses will be eligible for reimbursement in the amount up to $5,000 per claim.” The 11 people listed as plaintiffs in the lawsuit will also receive “incentive awards” of $2,000 each.
The plaintiffs’ attorneys are seeking $727,000 in fees, “a number that the parties agreed upon with the assistance of the mediator through a mediator’s proposal,” according to the legal memorandum on the settlement filed Tuesday. Hy-Vee is also expected to pay $12,000 to cover the attorneys’ expenses.
In addition to agreeing to these payments, Hy-Vee agrees as part of the settlement to take “certain measures to increase its data security and consumer information protection procedures for a period of two years.”
These measures include: appointment of a Group Vice President, IT Security; maintenance of a written information security program; employee training on data security policies and detecting/handling suspicious emails; maintenance of a policy for responding to information security events; compliance with [current payment card industry data security] standards; and requiring third-party vendors to use multi-factor authentication to access Hy-Vee’s payment card environment.
If the proposed settlement is approved by the federal judge overseeing the case, anyone affected by the data breach will have 120 days following public notice of that approval to file a claim through a website the plaintiffs’ attorneys will create.