All Things Newz
Law \ Legal

$8 Million Multistate Settlement Resolves 2019 Data Breach Investigation – Data Protection

To print this article, all you need is to be registered or login on

State Attorneys General settle with Wawa, Inc. for 2019 data
breach that compromised approximately 34 million payment cards used
by consumers.

On July 26, 2022, Acting New Jersey Attorney General Matthew J.
Platkin announced that New Jersey is co-leading an $8
million multistate settlement with Wawa, Inc. (Wawa) that resolves
a data breach that occurred from April 18, 2019 to December 12,
2019 and affected stores in New Jersey, Pennsylvania, Florida,
Delaware, Maryland, Virginia and Washington DC. The data breach was
the result of malware that was used by hackers to harvest Wawa
customers’ card numbers, expiration dates, cardholder names and
other sensitive payment card data (though cards using chip
technology were not compromised). Notably, security card CVV2 codes
and personal identification numbers were not collected. According
to documents related to a private class action, the breakdown of
consumer pay card transactions during the relevant period was as
follows: approximately 27.2 percent in New Jersey, 27 percent in
Pennsylvania, 22.1 percent in Florida, 11.4 percent in Virginia,
6.4 percent in Maryland, 5.6 percent in Delaware and 0.2 percent in
Washington DC.

The Attorneys General found that potentially 34 million payment
cards were compromised in the breach. The Assurance of Voluntary Compliance (AVC) sets
forth additional findings, including (i) that upon investigation,
the Payment Card Industry forensic investigator (PFI) found three
violations of the Payment Card Industry Data Security Standard (PCI
DSS); (ii) that Wawa’s Information Security team did not
generate a log during the time period and is unable to produce a
log for any alerts from its security information events management
system prior to November 2019; and (iii) that Wawa failed to employ
reasonable data security measures, thus violating the various
states’ consumer protection acts and personal information
protection acts. Wawa does not admit, agree with or concede any of
the aforementioned findings.

As part of the AVC, Wawa must (i) develop, implement and
maintain an information security program within 180 days; (ii)
implement specific information security safeguards; (iii) have a
third party prepare a settlement compliance assessment within one
year; and (iv) pay $8 million in total to the states. Notable
features of the AVC include:

  • Information Security Program. Wawa must
    develop, implement and maintain a written information security
    program (the Program) that is reviewed at least annually and that

    • Documented methods and criteria for managing information
      security risks.
      Notably, Wawa is not required to curtail
      proper objectives or utility of its services, and the burden
      imposed by the safeguards must be proportionate to the risk

    • Annual comprehensive risk assessments for networks where
      sensitive personal information is stored.
      Additionally, risk
      assessments should occur after changes to the security of such
      networks that may significantly increase risks to consumers and
      must be “conducted by parties that are competent to model
      threats … and who may capably estimate risks that are created by
      those threats.”

    • Employing a qualified employee to oversee the Program and
      to advise the CEO and Board.

    • Conducting training that occurs at least annually for
      employees with key responsibilities for implementation and
      oversight of the Program.

  • Information Security Safeguards. Wawa is
    required to implement reasonable security for sensitive personal
    information that includes:

    • Reasonable knowledge of the actual and intended location
      and disposition of sensitive information.

    • Reasonable steps to ensure only approved software operates
      within its environment.

    • Segmenting of personal information from people, systems and
      networks outside the cardholder data environment (Wawa’s
      personnel, processes and technologies that store, process or
      transmit payment card information of consumers).

    • Reasonable measures to detect, investigate, contain,
      respond to, eradicate and recover from security incidents within
      reasonable time periods.

    • Reasonable implementation of access controls (e.g.,
      multifactor authentication, one-time pass codes, etc.).

    • Implementing and maintaining a system designed to collect,
      manage and analyze security logs and monitor its cardholder data

    • Compliance with PCI DSS and validating PCI DSS compliance
      as a Level 1 merchant/service provider through engaging a PCI
      qualified security assessor (QSA), resulting in delivery of a
      compliance report and attestation of compliance.
      with this requirement includes providing all internal and external
      risk assessments unless protected by attorney-client

  • Settlement Compliance Assessment. Within one
    year, Wawa must obtain an information security compliance
    assessment from a third party that includes (i) a description of
    administrative, physical and technical safeguards maintained by
    Wawa; (ii) an explanation of the extent to which these safeguards
    are appropriate; (iii) an explanation of the extent to which the
    safeguards meet the needs of the Program; and (iv) identification
    of Wawa’s QSA for the purposes of PCI validation. According to
    the AVC, a PCI Report of Compliance meets the third-party
    assessment requirement.


The Wawa data breach and settlement highlight the importance of
reviewing information security programs to ensure that they are
adequate and include sufficient oversight, mechanisms for logging
and capabilities to respond to potential security incidents. A
notable feature of this breach that contributed to its severity is
its nine-month duration. Businesses should ensure that they have
adequate network security mechanisms in place, particularly with
respect to detection and alerts to ensure that security incidents
do not go undetected. Breaches that go undetected for long periods
of time can cause significant consumer impact and may require
costly settlements.

Additionally, this settlement highlights the importance of
ensuring adherence to applicable standards like PCI DSS. Although
PCI DSS compliance is enforced by major card brands, failure to
comply with applicable industry standards may be an important
component of regulatory investigations and their resolution.
Businesses, in assessing their information programs, should be sure
to review compliance with industry standards, identify and
eliminate gaps where appropriate, and ensure employees are trained
on relevant policies and procedures.


1. PCI DSS is a set of security standards aimed at ensuring that all companies
that accept, process, store or transmit credit card information
maintain a secure environment. It is administered and managed by
the PCI SSC, an independent body created by major payment card
brands (Visa, Mastercard, American Express, Discover and JCB),
which are responsible for enforcing compliance.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

Privacy Policies – Some Simple Lessons

Jeffer Mangels Butler & Mitchell LLP

Online privacy policies are ubiquitous. Sometimes they are mandated by law – that’s been the case in California for years – and a variety of other states and federal agencies…

Source link

Related posts

NSW police misuse counter-terrorism powers – Crime

FinTech Global FS Regulatory Round-Up – W/e 22 July 2022 – Commodities/Derivatives/Stock Exchanges

Can ‘#zombiebrands’ Come Back To Life? Why Do Such Brands Cause Problems For #trademarklaw? Find Out This And More On – Trademark