The Wawa breach comes in the midst of ever-expanding legal obligations in the cybersecurity field

Back in December 2019, Wawa, Inc. announced that it had "experienced a data security incident" involving malware that had been running on its payment processing systems since as early as March 2019, which "affected payment card information," including credit and debit card numbers and other information." By January 2020, Wawa stated that it had learned of "reports of criminal attempts to sell some customer payment card information potentially involved" in the original data security incident it had reported in December. It expressed its confidence that the malware was contained in mid-December and that only payment card information was involved.

The Road Ahead for Wawa

While the adequacy of Wawa's efforts to avoid a breach in the first place still remains to be determined, Wawa appears to have proceeded as a responsible corporate citizen should following discovery of a breach. It has disclosed the incident, notified law enforcement and payment card companies, retained a forensics firm to investigate, and offered free credit monitoring and identity theft protection. It has apologized profusely and offered to "work with" individual customers who are not reimbursed by their credit card company if they have promptly notified the company of fraudulent charges related to the Wawa breach.

But, of course, the last chapter of the story has yet to be written. Months later, Wawa's investigation is presumably ongoing. As far as publicly available information goes, it has not disclosed the pathway through which the malware found its way into Wawa's system. It has said that it "continues to take steps to enhance the security of our systems." And, over a dozen lawsuits have been filed arising from the breach, all of which essentially claim that Wawa failed to use reasonable measures to adequately secure its computer systems and timely detect the malware on its servers and that the measures that Wawa has voluntarily offered to its customers do not do enough to cover all the costs and injuries that they have suffered and will suffer. The lawsuits seek, among other things, compensatory damages for any injuries to Wawa's customers and punitive damages for Wawa's alleged knowing failure to maintain up-to-date security.

From all accounts, the Wawa breach appears to be running the all too familiar course for a "modern" data breach. But, with 31 million records allegedly accessed, and with more than 850 Wawa convenience stores and gas stations that seem to be "everywhere" to anyone who travels the roads in the Mid-Atlantic states, Florida and Washington, D.C., perhaps this breach will provide a clarion call to businesses and individuals alike to step up measures to prevent cyber incidents and limit the damages they may cause.

Troubling Legal Trends

The Wawa breach comes in the midst of ever-expanding legal obligations in the cybersecurity field. The trend in many legal quarters toward imposing upon businesses affirmative duties to implement measures to help prevent data breaches and comply with ever-expanding data privacy regulation has brought increased scrutiny of the actions, or more likely inactions, of various players in the cyberspace—be they businesses holding private personal information, vendors with whom they share that data, or information security professionals that advise businesses on cyber issues. While large corporations like Wawa have significant resources to devote to information security, small and medium businesses are too often unaware of the legal requirements and cyber threats under which they operate, or too frequently choose not to find out what they need to do.

As but one example of escalating legal requirements, New York's Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") went into effect on March 20 – and required businesses covered by the law to implement "reasonable" administrative, technical and physical "safeguards" to protect against the unauthorized access to NY residents' "private information." The Act provides examples of such safeguards, including that businesses: designate a coordinator for the security program; identify internal and external risks; design and implement technical and physical safeguards to control the risks; assess and test the sufficiency of those safeguards on an ongoing basis; train and manage employees in the security program's practices and procedures, and require their "service providers" to maintain appropriate safeguards.

Other states have adopted or are considering similar laws. As a general statement, some cyber and privacy laws are specific and require particularized actions. Many others are more general and nebulous. The ABA Cybersecurity Handbook, Second Edition 73 notes that the emerging legal standard "rejects requirements for specific security measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments." Rhoads and Litt, ABA Cybersecurity Handbook, Second Edition 73 (American Bar Association, 2018).

Liability in the Data Breach Age

The expansion of these laws and the process they prescribe likely precede an uptick in the demand for security professionals' business – but may also expose them to potential liability when a business whom they advise suffers a data breach. The nature of the legal duties involved and who may sue whom in court creates a unique legal dynamic between security professionals, businesses, and individuals. Businesses may be liable to individuals for any damages flowing from a breach that discloses the individual's personal information, even if that breach was the fault of a security professional. Security professionals, in turn, often have no duty, and thus no liability, directly  to the individual. Rather, their sole duty will be to the business itself based primarily on the terms of its security contract.

For this reason, security professionals often include limitations on liability in their contracts, such as disclaiming certain types of damages or placing a flat cap on damages. For example, the contract may disclaim liability for any consequential, special, incidental, indirect, or punitive damages, as well as lost profits/reputational harm, which would mean that the business could most likely recover only the costs for the service to date and the costs to correct the security professional's work product. Alternatively, the contract may limit any damages to the total fees paid under the contract so far. Depending on the circumstances, some provisions may limit damages based upon the type of data that was accessed or extracted, such as a bar on damages for disclosure of a customer's HIPAA-protected information. 

While these provisions may place the majority of the risk on the business, they nonetheless make economic sense for security professionals. No security system is flawless, and a security professional would be disinclined to accept a contract with a massive business for, say, $40,000 per month if a breach could require the security professional to pay millions in damages. Some commentators have called for legislatures or the courts to impose responsibility upon security professionals in certain circumstances. Although that may theoretically prompt them to be more careful and provide their clients with "better security," it may also simply drive up security professionals' prices to compensate for the increased risk or lead them to decline contracts with companies who present greater risks of significant consequences resulting from a breach, particularly when there is no way to guarantee that a system is 100% secure.

The Need to Negotiate

Barring any such changes in the law, businesses are often left to try to negotiate some of the common liability and damages limitations away, likely in exchange for greater monthly payments or to place their information security in the hands of a third-party with a theoretically weaker legal incentive to ensure that the business's security system is functioning as it should. This is not to say that businesses are powerless, and security professionals may be willing to permit certain carve-outs tailored to a particular business without exacting a massive price tag. For example, depending upon circumstances, a security professional may agree that the limitations on liability do not apply if the breach resulted from the security professional's gross negligence or if the breach results in the disclosure of the business's own trade secrets or intellectual property. Likewise, the business may require the security professional to maintain strong cybersecurity insurance. Ultimately, both the security professional and the business need to be aware of these issues and address them in their contract negotiations, particularly in light of the security risks and the growing legal requirements to use reasonable measures to secure protected information from unauthorized access.

Originally published by SecurityInfoWatch on the 1st of June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.