On January 5, 2021, Chief Judge John E. Jones, III of the U.S. District Court for the Middle District of Pennsylvania granted-in-part and denied-in-part convenience store chain Rutter’s motion to dismiss claims arising from a massive data breach that occurred after hackers installed malware on its point-of-sale (“POS”) payment systems. Information compromised in this data breach included payment card numbers, card expiration dates, security codes (commonly referred to as “CVV” numbers), and customers’ names from at least August 2018 through May 2019.

The Court allowed Plaintiffs’ negligence, implied contract, and unjust enrichment claims to go forward. Significantly, the Court rejected Rutter’s argument that it did not owe a duty of care to safeguard data collected from customers that used payment cards at its locations, holding that under the Pennsylvania Supreme Court decision in Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), “Defendant’s affirmative act of retaining credit and debit card information which created a risk of foreseeable harm from unscrupulous third parties is enough to recognize a legal duty here.”

Lowey Dannenberg’s Christian Levis currently serves as co-lead counsel in this ongoing class action. The case is In re Rutter’s Inc. Data Security Breach Litigation, Case No. 20-cv-00382 (M.D. Pa.) and the opinion can be found here:

Please contact Christian Levis (clevis@lowey.com), Anthony Christina (achristina@lowey.com), or Amanda Fiorilla (afiorilla@lowey.com) with any questions about the case.