U.S. District Judge James L. Robart ordered Thursday that a complaint filed by Tousley Brain Stephens and its co-counsel, Scott+Scott, Carlson, Lynch Sweet Kilpela & Carpenter, Lockridge Grindal Nauen, Murray Law Firm, Zimmerman Reed, and Chestnut Cambronne, on behalf of a putative class of financial institutions could proceed against Washington-based retailer Eddie Bauer, LLC over damages incurred as a result of a 2016 data breach at its stores.
The plaintiff, Veridian Credit Union, alleges that Eddie Bauer failed to take proper measures to protect account information of credit and debit card holders on its point-of-sale systems that process customers’ payment card information at its retail stores nationwide. In January 2016, hackers accessed and installed malware on Eddie Bauer’s point-of-sale systems, compromising the account information of hundreds of thousands of payment card holders. Plaintiff Veridian Credit Union, which issued credit and debit cards that were compromised in the data breach, seeks to hold Eddie Bauer liable for damages incurred in the data breach fallout, including the cost of reissuing payment cards and reimbursing cardholders for fraudulent charges.
On Thursday, Judge Robart rejected most of Eddie Bauer’s motion to dismiss the complaint, finding that Veridian adequately pled state law claims against the retailer for negligence and violation of the Washington Consumer Protection Act. Judge Robart held that Eddie Bauer owed a duty to the credit union to safeguard its cardholders’ data under a Washington statute designed to protect financial institutions from damages caused by businesses which fail to protect payment card information from unauthorized access.
Judge Robart further held that Veridian adequately alleged that Eddie Bauer violated the Washington Consumer Protect Act, as its allegations of Eddie Bauer’s lax and inadequate security measures sufficiently constitute an “unfair act” under the statute. In light of the “known cyber-intrusion risks and breaches,” the credit union sufficiently pled that it was foreseeable that Eddie Bauer’s failure to take reasonable security measures to protect the data of payment card holders would result in substantial harm to customers and financial institutions.
The Judge also rejected Eddie Bauer’s request to apply Iowa law, holding that Washington law applies to this dispute.
For more information, click here.
The case is Veridian Credit Union v. Eddie Bauer LLC, case number 2:17-cv-00356, in the U.S. District Court for the Western District of Washington.
Plaintiff Veridian Credit Union is represented by Tousley Brain Stephens attorneys Kim D. Stephens and Chase C. Alvord, in conjunction with Joseph P. Guglielmo, Erin G. Comite, and Stephen J. Teti of Scott + Scott Attorneys at Law LLP, Gary F. Lynch and Kevin W. Tucker of Carlson Lynch Sweet Kilpela & Carpenter LLP, and Karen H. Riebel and Kate Baxter-Kauf of Lockridge Grindal Nauen PLLP.