Like most states, Missouri has in place a data breach notification law that requires any entity that experiences a data breach involving covered personal information to “provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach” and to provide such notification “without unreasonable delay.” In one lawsuit against Schnucks, a grocery store chain based in St. Louis, a group of class action plaintiffs allege that they were not notified in a timely manner of a breach. In an interesting recent development, however, reports indicate that the Missouri Attorney General has announced that Schnucks did not violate Missouri laws that address data security. In its investigation, the AG’s office stated that Schnucks “was itself a victim of criminal wrongdoing.” In this case, the “wrongdoing” involved a breach of Schnucks’ security that led to exposure of at least 2.4 million credit and debit cards between December of 2012 and March of 2013. The press secretary for the Missouri attorney general reportedly said “[a]fter reviewing the records and speaking with forensic investigators, we did not find that Schnuck Markets violated Missouri laws regarding data security.”
Schnucks reportedly hired a forensic investigator sometime in March, contained the breach on March 30th, but didn’t announce the breach until April 15th (providing notice via its website). While some may argue that such a delay exceeds the legal requirements, Missouri (again, like many other states) has a provision in its data breach law that allows notice to occur in a way that is “[c]onsistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.” Since the law does not specify an actual time frame, it will be interesting to watch this case as it develops further.
In addition to the class action mentioned above, at least five other cases are pending in the breach that involved almost 80 store locations. Despite the announcement by the Missouri AG, Schnucks will need to continue defending itself against a whole host of claims, including that it breached: (a) the Missouri data breach law, (b) the Missouri Merchandising Practices Act (including allegations that its security practices were not adequate), (c) the Illinois Personal Information Act, (d) the Illinois Consumer Fraud and Deceptive Practices Act (including allegations that its security promises were broken), and (e) its duty to protect such information, leading to claims of negligence. More coverage to follow, including the impact of the Missouri AG’s announcement.