On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guest’s payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018.
While such data incidents are increasingly common, Chili’s press release is notable for two reasons. First, the release, presented as a letter to “valued guests,” provided information within days of the breach, despite the fact that its investigation is ongoing. Second, the press release did not identify the “certain Chili’s restaurants” impacted by the breach, thwarting immediate class action litigation. Yahoo, in sharp contrast, waited approximately 22 months to report an incident, leading to significant trust issues and a $35 million fine from the Securities and Exchange Commission (SEC). The Yahoo press release also provided fodder for the plaintiffs’ counsel, who pasted the entirety of the announcement into the class action complaint filed a mere one day later.
Predictably, the plaintiffs’ attorneys are waiting in the wings, poised to pounce on the opportunity for litigation against Chili’s. However, as the “certain Chili’s restaurants” are yet to be identified, no lawsuits have been filed. The Seventh Circuit’s recent ruling that consumers have standing despite limited allegations of injury only increases the likelihood of litigation.
As companies develop incident response plans, they are encouraged to address not only forensic investigations and compliance with breach notification laws, but also the impact on consumer trust and the practical certainty of eventual litigation.