`
`
`
`
`UNITED STATES DISTRICT COURT
`DISTRICT OF DELAWARE
`
`
`
`
`
`CIVIL ACTION NO. _______________
`
`
`JURY TRIAL DEMANDED
`
`
`
`
`
`
`STEVEN SANDERS and PATRICIA
`SANDERS, on behalf of themselves and all
`others similarily situated,
`
`
`
`
`
`
`PLAINTIFFS
`
`
`
`v.
`
`
`
`
`
`
`
`
`
`WAWA, INC.,
`
`
`
`
`
`
`
`
`
`
`
`
`DEFENDANT
`
`CLASS ACTION COMPLAINT AND JURY DEMAND
`
`Plaintiffs Steven Sanders and Patricia Sanders (collectively, “Plaintiffs”), individually and
`
`on behalf of all similarly situated Delaware persons and entities (collectively, the “Class” or “Class
`
`Members”), upon personal knowledge of the facts pertaining to themselves and on information and
`
`belief as to all other matters, complain of the wrongful actions of Defendant Wawa, Inc. (“Wawa”),
`
`and respectfully allege the following:
`
`
`
`NATURE OF THE CASE
`
`1.
`
`This is a data breach case. On December 19, 2019, Wawa revealed that it had
`
`discovered malicious software (“malware”) on Wawa payment processing servers. According to
`
`Wawa, “[t]his malware affected customer payment card information used at potentially all Wawa
`
`locations beginning at different points in time after March 4, 2019 and until it was contained” on
`
`December 12, 2019. Plaintiffs bring this class action on behalf of themselves and a Delaware
`
`Class against Wawa for failing to protect the personal and confidential information of millions of
`
`its customers—including credit card and debit card (also known as payment cards) numbers,
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 2 of 21 PageID #: 2
`
`
`
`expiration dates, and cardholder names (collectively, “Payment Card Information”). Plaintiffs and
`
`Class Members have been injured and as a direct and proximate result of Wawa’s wrongful
`
`disclosure of their Payment Card Information (the “Wawa Data Breach” or “Data Breach”).
`
`
`
`JURISDICTION AND VENUE
`
`2.
`
`This Court has subject matter jurisdiction pursuant to the Class Action Fairness Act
`
`of 2005 (CAFA), 28 U.S.C. § 1332(d)(2), as this is a class action in which the amount in
`
`controversy exceeds $5,000,000, there are more than 100 proposed Class Members, and minimal
`
`diversity exists as Wawa is a citizen of a state different from that of at least one Class Member.
`
`3.
`
`This Court has personal jurisdiction over Wawa because at all relevant times,
`
`Wawa regularly conducted (and continues to conduct) business in this District.
`
`4.
`
`Venue is proper in this District, pursuant to 28 U.S.C. § 1391, because a substantial
`
`part of the wrongful conduct alleged herein occurred in, was directed to, and/or emanated from
`
`this District. Venue also is proper in this District because at all relevant times, Wawa regularly
`
`conducted (and continues to conduct) business in this District.
`
`
`
`5.
`
`Plaintiff Steven Sanders is a citizen and resident of Newark, Delaware. Plaintiff
`
`PARTIES
`
`Sanders paid for one or more purchases at a Wawa store and/or gas pump with a payment card
`
`between March 4, 2019 and December 12, 2019, and, on information and belief, his Payment Card
`
`Information was compromised in the Wawa Data Breach.
`
`6.
`
`Plaintiff Patricia Sanders is a citizen and resident of Newark, Delaware. Plaintiff
`
`Sanders paid for one or more purchases at a Wawa store and/or gas pump with a payment card
`
`between March 4, 2019 and December 12, 2019, and, on information and belief, her Payment Card
`
`Information was compromised in the Wawa Data Breach.
`
`
`
`2
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 3 of 21 PageID #: 3
`
`
`
`7.
`
`Defendant Wawa, Inc. is a New Jersey corporation with its principal place of
`
`business in the Wawa area of Chester Heights, Pennsylvania in Greater Philadelphia. Defendant
`
`Wawa owns and operates over 850 convenience stores and gas stations in Delaware, Pennsylvania,
`
`New Jersey, Maryland, Virginia, Washington, D.C., and Florida.
`
`
`
`FACTS
`
`8.
`
`According to Wawa, “at different points in time after March 4, 2019, malware
`
`began running on in-store payment processing systems at potentially all Wawa locations.” The
`
`malware “was present on most store systems by approximately April 22, 2019.”
`
`9.
`
`Wawa, however, did not discover the malware for over nine months after it infected
`
`Wawa’s payment processing systems, and did not disclose the Data Breach for over a week after
`
`Wawa discovered it.
`
`10.
`
`Although Wawa believes “this malware no longer poses a risk to customers using
`
`payment cards at Wawa,” Plaintiffs and Class Members are subject to identity fraud and identity
`
`theft because of their compromised Payment Card Information wrongfully disclosed in the Wawa
`
`Data Breach.
`
`11. Wawa had obligations, arising from promises made to its customers like Plaintiffs
`
`and other Class Members, and based on industry standards, to keep the Payment Card Information
`
`confidential and to protect it from unauthorized disclosures. Class Members provided their
`
`Payment Card Information to Wawa with the understanding that Wawa and any business partners
`
`to whom Wawa disclosed the Payment Card Information would comply with their obligations to
`
`keep such information confidential and secure from unauthorized disclosures.
`
`12. Wawa claims it “is fully committed to data security.” It further claims to “use
`
`security techniques on” its websites, “and through or in connection with our mobile apps or other
`
`
`
`3
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 4 of 21 PageID #: 4
`
`
`
`software- and Internet-enabled programs and services sponsored by Wawa (the “Sites”) to help
`
`protect against the loss, misuse or alteration of information collected from [its customers] at the
`
`Sites.”
`
`13.
`
`According to Wawa, when customers “access [their] account information or
`
`transmit personally identifiable data to the Sites, that information is stored on servers that the Sites
`
`have attempted to secure from unauthorized access or intrusion. ‘Secure Socket Layer’ software
`
`encrypts personal information [its customers] transmit to the Sites.”
`
`14.
`
`However, Secure Socket Layer encryption protects information only during its
`
`transmission, but not when stored on Wawa’s payment processing systems.
`
`15.
`
`The Wawa Data Breach demonstrates that Wawa failed to honor its duties,
`
`representations, and obligations to protect Plaintiffs’ and Class Members’ Payment Card
`
`Information by, inter alia, failing to maintain an adequate data security system to protect against
`
`(and reduce the risk of) data breaches and cyberattacks, failing to adequately monitor its payment
`
`card processing systems to identify data breaches and cyberattacks, and failing to adequately
`
`protect Plaintiffs’ and the Class Members’ Payment Card Information.
`
`16.
`
`Plaintiffs and Class Members have been injured and harmed by Wawa’s wrongful
`
`disclosure of their Payment Card Information in the Data Breach.
`
`17. Wawa’s data security obligations and promises were particularly important given
`
`the substantial increase in data breaches leading to identity theft and identity fraud, which are
`
`widely known to the public and to anyone in the retail grocery and convenience store industries.
`
`18.
`
`The United States Government Accountability Office (“GAO”) noted in a June
`
`2007 report on Data Breaches (“GAO Report”) that victims of identity theft will face “substantial
`
`costs and inconveniences repairing damage to their credit records” and their “good name.” Id. at
`
`
`
`4
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 5 of 21 PageID #: 5
`
`
`
`2,9. Identity theft and identity fraud victims frequently are required to spend many hours and large
`
`amounts of money repairing the impact to their credit inflicted upon them by fraudsters using their
`
`purloined Payment Card Information.
`
`19.
`
`There also may be a time lag between the time Payment Card Information is stolen
`
`and when it is used and once it is disclosed, fraudulent use of that information may continue for
`
`years;
`
`[L]aw enforcement officials told us that in some cases, stolen data may be held for
`up to a year or more before being used to commit identity theft. Further, once stolen
`data have been sold or posted on the Web, fraudulent use of that information may
`continue for years. As a result, studies that attempt to measure the harm resulting
`from data breaches cannot necessarily rule out all future harm.
`
`
`GAO Report at 29 (emphasis added).
`
`20.
`
`Payment Card Information, such as the Payment Card Information wrongfully
`
`disclosed in the Wawa Data Breach, is such a valuable commodity to identity thieves that once the
`
`information has been disclosed, criminals often trade the information on the “cyber black-market”
`
`for years—openly posting stolen Payment Card Information directly on various Internet websites
`
`and making the information publicly available. This fate could very well befall Plaintiffs’ and
`
`Class Members’ confidential Payment Card Information compromised in the Wawa Data
`
`Breach—and most likely already has.
`
`21.
`
`Had Plaintiffs known that Wawa would not adequately protect their Payment Card
`
`Information and other sensitive information entrusted to it, they would not have made regular
`
`purchases at Wawa using their credit cards.
`
`
`
`
`
`
`
`5
`
`
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 6 of 21 PageID #: 6
`
`
`
`CLASS ALLEGATIONS
`
`22.
`
`Pursuant to FED. R. CIV. P. 23, Plaintiffs bring this case as a national class action
`
`on behalf of the following Class:
`
`All Delaware individuals and entities whose credit and debit card numbers,
`expiration dates, and cardholder names were maintained on Wawa, Inc.’s payment
`processing servers and compromised in the Data Breach announced by Wawa, Inc.
`on December 19, 2019.
`23.
`Excluded from the Class are all Wawa officers, directors, and employees, the Court,
`
`and Court personnel.
`
`24.
`
`The Class is so numerous that joinder of all members is impracticable. The Class
`
`has hundreds of thousands members geographically dispersed over Wawa’s Delaware area of
`
`operations. The identities of the Class Members are unknown to Plaintiffs at this time, but can
`
`easily be determined from Wawa’s payment card processing system records.
`
`25.
`
`There are numerous questions of law and fact common to Plaintiffs and Class
`
`Members, including, inter alia:
`
`(i) Whether Wawa’s payment card processing data security protections prior to the
`Data Breach complied with all applicable legal requirements and/or industry
`standards;
`
`(ii) Whether Plaintiffs’ and Class Members’ Payment Card Information was
`compromised in the Wawa Data Breach;
`
`
`(iii) Whether Wawa’s above-described wrongful actions violated one or more of the
`common laws and/or statutes set forth below;
`
`
`(iv) Whether Plaintiffs and Class Members suffered injury and/or harm as a direct
`and/or proximate result of the Wawa Data Breach;
`
`
`(v) Whether Plaintiffs and Class Members are entitled to actual, consequential,
`punitive, and/or treble damages as a direct and/or proximate result of Wawa’s
`wrongful conduct and the resulting Data Breach; and
`
`
`(vi) Whether Plaintiffs and Class Members are entitled to attorneys’ fees, litigation
`expenses, and court costs.
`
`
`
`
`
`6
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 7 of 21 PageID #: 7
`
`
`
`26.
`
`Plaintiffs’ claims are typical of the claims of the Class’ claims. Plaintiffs suffered
`
`the same injury and harm as the other Class Members; to wit, Plaintiffs’ and Class Members’
`
`Payment Card Information was compromised in the Wawa Data Breach.
`
`27.
`
`Plaintiffs and their counsel will fairly and adequately represent the interests of Class
`
`Members. Plaintiffs have no interests antagonistic to, or in conflict with, the interests of any Class
`
`Members. Plaintiffs’ counsel are experienced in leading and prosecuting large multi-district class
`
`actions, including data breach class actions.
`
`28.
`
`A class action is superior to all other available methods for fairly and efficiently
`
`adjudicating Plaintiffs’ and Class Members’ claims. Plaintiffs and Class Members have been (and
`
`will continue to be) harmed as a direct and proximate result of Wawa’s above-described wrongful
`
`actions, inaction, and/or omissions and the resulting Data Breach and its aftermath. Litigating this
`
`case as a class action is appropriate because (i) it will avoid a multiplicity of suits and the
`
`corresponding burden on the courts and Parties, (ii) it would be virtually impossible for all Class
`
`Members to intervene as individual parties-plaintiff in this action, and (iii) it will provide court
`
`oversight of the claims process once Wawa’s liability is adjudicated.
`
`29.
`
`Certification, therefore, is appropriate under FED. R. CIV. P. 23(b)(3) because the
`
`above-described common questions of law or fact predominate over any questions affecting
`
`individual Class Members, and a class action is superior to other available methods for the fair and
`
`efficient adjudication of this controversy.
`
`30.
`
`Certification also is appropriate under FED. R. CIV. P. 23(b)(1) because the
`
`prosecution of separate actions by individual Class Members would create a risk of establishing
`
`incompatible standards of conduct for Wawa. For example, individual actions could be dispositive
`
`
`
`7
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 8 of 21 PageID #: 8
`
`
`
`of the interests of the other Class Members who are not parties to such actions, and substantially
`
`impair or impede their ability to protect their interests.
`
`31. Wawa’s above-described wrongful actions, inaction, and/or omissions and the
`
`resulting Data Breach and its aftermath are applicable to the Class as a whole, for which Plaintiffs
`
`seek, inter alia, damages and other equitable remedies.
`
`32.
`
`Absent a class action, Wawa will retain the benefits of its wrongdoing despite
`
`seriously violating the law and inflicting actual and consequential injury, harm, and damages on
`
`Plaintiffs and Class Members and their property and businesses.
`
`CLAIMS AND CAUSES OF ACTION
`
`COUNT I
`
`NEGLIGENCE/GROSS NEGLIGENCE
`
`33.
`
`The preceding factual statements and allegations are incorporated by reference.
`
`34. Wawa required Plaintiffs and Class Members to submit non-public Payment Card
`
`
`
`Information to pay for goods and services.
`
`35.
`
`By collecting and storing Plaintiffs’ and Class Members’ Payment Card
`
`Information, and sharing it and using it for commercial gain, Wawa had a duty of care to use
`
`reasonable means to safeguard and protect the Payment Card Information to prevent its disclosure
`
`and guard against its theft.
`
`36. Wawa’s duties and obligations included, inter alia, a responsibility to implement
`
`policies and procedures to safeguard and protect the Payment Card Information, detect a breach of
`
`its payment card processing systems in a reasonably expeditious period of time, and promptly
`
`notify data breach victims so that they could take swift action to further protect their finances and
`
`credit.
`
`
`
`8
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 9 of 21 PageID #: 9
`
`
`
`37. Wawa also owed Plaintiffs and Class Members a duty to provide Payment Card
`
`Information security consistent with industry standards.
`
`38.
`
`Only Wawa could ensure its payment card processing systems were sufficient to
`
`protect against the injury and harm to Plaintiffs and Class Members resulting from a data breach.
`
`39. Wawa breached its duties and obligations to Plaintiffs and Class Members by, inter
`
`alia:
`
`
`
`(i)
`
`(ii)
`
`(iii)
`
`
`(iv)
`
`
`40.
`
`failing to adopt, implement, and maintain adequate security measures to safeguard
`and protect Plaintiffs’ and Class Members’ Payment Card Information;
`
`failing to adequately monitor the security of its payment card processing system;
`
`allowing unauthorized access to Plaintiffs’ and Class Members’ Payment Card
`Information; and
`
`failing to recognize and report in a timely manner the malware on its payment card
`processing system and that Plaintiffs’ and Class Members’ Payment Card
`Information had been wrongfully disclosed and compromised.
`
`It was foreseeable that Wawa’s above-described wrongful actions, inaction,
`
`omissions, negligence, gross negligence, failure to timely and accurately report the Data Breach,
`
`and failure to use reasonable measures to safeguard, protect, and monitor the security of Plaintiffs’
`
`and Class Members’ Payment Card Information would proximately and/or directly result in injury
`
`and harm to Plaintiffs and Class Members in the form of, inter alia, the ongoing, imminent, and
`
`impending threat of identity theft and identity fraud; actual identity theft and identity fraud; loss
`
`of the confidentiality of the wrongfully disclosed and compromised Payment Card Information;
`
`the illegal sale of the compromised Payment Card Information on the deep web black market; lost
`
`value of the compromised Payment Card Information; cost of monitoring, credit freezes, and/or
`
`identity theft insurance; time spent scrutinizing bank statements, credit card statements, credit
`
`reports, and repairing damaged credit; expenses and/or time spent initiating fraud alerts; decreased
`
`
`
`9
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 10 of 21 PageID #: 10
`
`
`
`credit scores and ratings; lost work time; and/or other economic and non-economic injury, harm,
`
`and damages.
`
`41.
`
`There is no other foreseeable group of individuals and entities that would be directly
`
`and/or proximately injured or harmed by Wawa’s above-described wrongful actions, inaction,
`
`omissions, negligence, and/or gross negligence other than Plaintiffs and Class Members.
`
`42. Wawa’s above-described wrongful actions, inaction, and omissions constitute
`
`negligence and/or gross negligence under Delaware common law.
`
`COUNT II
`
`NEGLIGENCE PER SE
`
`The preceding factual statements and allegations are incorporated by reference.
`
`Section 5 of the Federal Trade Commission (“FTC”) Act, 15 U.S.C. § 45, prohibits
`
`
`
`43.
`
`44.
`
`“unfair . . . practices in or affecting commerce” including, as interpreted and enforced by the FTC,
`
`the unfair act or practice by companies, such as Wawa, of failing to use reasonable measures to
`
`safeguard and protect their customers’ Payment Card Information. Various FTC publications and
`
`orders also form the basis of Wawa’s duty.
`
`45. Wawa violated Section 5 of the FTC Act by failing to use reasonable measures to
`
`safeguard and protect Plaintiffs’ and Class Members’ Payment Card Information and failing to
`
`comply with industry data security standards (including, without limitation, the Payment Card
`
`Industry Data Security Standard (“PCI DSS”)).
`
`46.
`
`Plaintiffs and Class Members are consumers within the class of persons Section 5
`
`of the FTC Act is intended to protect.
`
`47. Wawa’s above-described wrongful actions, inaction, omissions, negligence, gross
`
`negligence, failure to comply with Section 5 of the FTC Act and the PCI DSS, failure to timely
`
`
`
`10
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 11 of 21 PageID #: 11
`
`
`
`and accurately report the Data Breach, and failure to use reasonable measures to safeguard, protect,
`
`and monitor the security of Plaintiffs’ and Class Members’ Payment Card Information directly
`
`and/or proximately resulted in injury, harm, and damages to Plaintiffs and Class Members in the
`
`form of, inter alia, the ongoing, imminent, and impending threat of identity theft and identity fraud;
`
`actual identity theft and identity fraud; loss of the confidentiality of the wrongfully disclosed and
`
`compromised Payment Card Information; the illegal sale of the compromised Payment Card
`
`Information on the deep web black market; lost value of the compromised Payment Card
`
`Information; cost of monitoring, credit freezes, and/or identity theft insurance; time spent
`
`scrutinizing bank statements, credit card statements, credit reports, and repairing damaged credit;
`
`expenses and/or time spent initiating fraud alerts; decreased credit scores and ratings; lost work
`
`time; and/or other economic and non-economic injury, harm, and damages.
`
`48.
`
`Such, injury, harm, and damages are precisely the type of injury, harm, and
`
`damages the FTC Act is intended to guard against. Indeed, the FTC has pursued over fifty
`
`enforcement actions against entities that, as a result of their failure to employ reasonable data
`
`security measures and avoid unfair and deceptive practices and the resulting data breaches, caused
`
`the same injury, harm, and damages inflicted by Wawa on Plaintiffs and Class Members.
`
`49. Wawa’s above-described wrongful actions, inaction, omissions, negligence, gross
`
`negligence, and failure to comply with Section 5 of the FTC Act and the PCI DSS, constitute
`
`negligence per se under Delaware common law.
`
`COUNT III
`
`BREACH OF IMPLIED CONTRACT
`
`50.
`
`The preceding factual statements and allegations are incorporated by reference.
`
`51. When Plaintiffs and Class Members provided their Payment Card Information to
`
`11
`
`
`
`
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 12 of 21 PageID #: 12
`
`Wawa in exchange for goods or services, they entered into implied contracts with Wawa pursuant
`
`to which Wawa agreed to safeguard and protect their Payment Card Information and timely and
`
`accurately notify them if their Payment Card Information is breached and compromised.
`
`52. Wawa solicited and invited its customers (i.e., Plaintiffs and Class Members) to
`
`provide their Payment Card Information as part of its regular business practices. Plaintiffs and
`
`Class Members accepted Wawa’s offers and provided their Payment Card Information to Wawa.
`
`In entering into such implied contracts, Plaintiffs and the Class understood that Wawa’s data
`
`security practices, policies, and procedures were reasonable and consistent with industry
`
`standards and the law, and that Wawa would use part of the funds received from Plaintiffs and
`
`Class Members to pay for adequate data security practices, policies, and procedures.
`
`53.
`
`Plaintiffs and Class Members would not have entrusted their Payment Card
`
`Information to Wawa in the absence of the implied contract between them and Wawa to safeguard
`
`and protect such information.
`
`54.
`
`Plaintiffs and Class Members fully performed their obligations under their implied
`
`contracts with Wawa.
`
`55. Wawa, however, breached its implied contracts with Plaintiffs and Class Members
`
`by, inter alia, failing to adopt, implement, and maintain adequate security measures to safeguard
`
`and protect Plaintiffs’ and Class Members’ Payment Card Information; failing to adequately
`
`monitor the security of its payment card processing system; allowing unauthorized access to
`
`Plaintiffs’ and Class Members’ Payment Card Information; and failing to recognize and report in
`
`a timely manner the malware on its payment card processing system and that Plaintiffs’ and Class
`
`Members’ Payment Card Information had been wrongfully disclosed and compromised.
`
`56. Wawa’s above-described wrongful actions, inaction, and omissions, failure to
`
`12
`
`
`
`
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 13 of 21 PageID #: 13
`
`
`
`
`
`timely and accurately report the Data Breach, and failure to use reasonable measures to safeguard,
`
`protect, and monitor the security of Plaintiffs’ and Class Members’ Payment Card Information
`
`directly and/or proximately resulted in injury, harm, and damages to Plaintiffs and Class Members
`
`in the form of, inter alia, the ongoing, imminent, and impending threat of identity theft and
`
`identity fraud; actual identity theft and identity fraud; loss of the confidentiality of the wrongfully
`
`disclosed and compromised Payment Card Information; the illegal sale of the compromised
`
`Payment Card Information on the deep web black market; lost value of the compromised Payment
`
`Card Information; cost of monitoring, credit freezes, and/or identity theft insurance; time spent
`
`scrutinizing bank statements, credit card statements, credit reports, and repairing damaged credit;
`
`expenses and/or time spent initiating fraud alerts; decreased credit scores and ratings; lost work
`
`time; and/or other economic and non-economic injury, harm, and damages.
`
`57. Wawa’s above-described wrongful actions, inaction, and omissions constitute
`
`breaches of their implied contracts with Plaintiffs and Class Members under Delaware common
`
`law.
`
`COUNT IV
`
`VIOLATION OF THE DELAWARE COMPUTER SECURITY BREACH ACT
`(6 Del. C. §§ 12B- 102, et seq.)
`
`58.
`
`The preceding factual statements and allegations are incorporated by reference.
`
`59. Wawa is a “business” that owns or licenses computerized data that includes
`
`Personal Information as defined by 6 Del. C. § 12B-102(a).
`
`60.
`
`Plaintiffs’ and Class Members’ Payment Card Information includes “personal
`
`information” as defined by 6 Del. C. § 12B-101(4).
`
`61. Wawa is required to accurately notify consumers (including Plaintiffs and Class
`
`Members) if Wawa becomes aware of a data breach that is reasonably likely to result in the misuse
`
`
`
`13
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 14 of 21 PageID #: 14
`
`
`
`of a Delaware resident’s “personal information” in the most expedient time possible and without
`
`unreasonable delay under 6 Del. C. § 12B-102(a).
`
`62.
`
`Because Wawa was aware of a breach of its payment card processing system
`
`involving Delaware Plaintiffs’ and Class Members’ Payment Card Information that is reasonably
`
`likely to result in its misuse, Wawa had an obligation to disclose the Data Breach in a timely and
`
`accurate fashion per 6 Del. C. § 12B-102(a).
`
`63.
`
`By failing to disclose the Data Breach in a timely and accurate manner, Wawa
`
`violated 6 Del. C. § 12B-102(a).
`
`64. Wawa’s
`
`above-described wrongful
`
`actions,
`
`inaction,
`
`and omissions,
`
`unconscionable, unfair, and deceptive acts or practices, failure to timely and accurately report the
`
`Data Breach, and failure to use reasonable measures to safeguard, protect, and monitor the security
`
`of Plaintiffs’ and Class Members’ Payment Card Information, directly and/or proximately resulted
`
`in injury, harm, and damages to Plaintiffs and Class Members in the form of, inter alia, the
`
`ongoing, imminent, and impending threat of identity theft and identity fraud; actual identity theft
`
`and identity fraud; loss of the confidentiality of the wrongfully disclosed and compromised
`
`Payment Card Information; the illegal sale of the compromised Payment Card Information on the
`
`deep web black market; lost value of the compromised Payment Card Information; cost of
`
`monitoring, credit freezes, and/or identity theft insurance; time spent scrutinizing bank statements,
`
`credit card statements, credit reports, and repairing damaged credit; expenses and/or time spent
`
`initiating fraud alerts; decreased credit scores and ratings; lost work time; and/or other economic
`
`and non-economic injury, harm, and damages.
`
`65. Wawa’s above-described wrongful actions, inaction, and omissions constitute
`
`breaches of the Delaware Computer Security Breach Act.
`
`
`
`14
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 15 of 21 PageID #: 15
`
`
`
`
`
`COUNT V
`
`VIOLATION OF THE DELAWARE CONSUMER FRAUD ACT
`(6 Del. C. §§ 2513, et seq.)
`
`66.
`
`The preceding factual statements and allegations are incorporated by reference.
`
`67. Wawa is a “person” that is involved in the “sale” of “merchandise,” as defined by
`
`6 Del. C. § 2511(7), (8), and (6).
`
`68. Wawa advertised, offered, or sold goods or services in Delaware and engaged in
`
`trade or commerce directly or indirectly affecting the people of Delaware.
`
`69. Wawa used and employed deception, fraud, false pretense, false promise,
`
`misrepresentation, and the concealment, suppression, and omission of material facts with intent
`
`that others rely upon such concealment, suppression and omission, in connection with the sale and
`
`advertisement of merchandise, in violation of 6 Del. C. § 2513(a) by, inter alia, failing to implement
`
`and maintain reasonable security and privacy measures to protect Plaintiffs’ and Class Members’
`
`Payment Card Information, which was a direct and proximate cause of the Data Breach; failing to
`
`identify foreseeable security and privacy risks and remediate identified security and privacy risks,
`
`which was a direct and proximate cause of the Data Breach; failing to comply with common law
`
`and statutory duties pertaining to the security and privacy of Plaintiffs and Class Members’
`
`Payment Card Information, including duties imposed by the FTC Act, 15 U.S.C. § 45, and
`
`Delaware’s data security statute, 6 Del. C. § 12B-100, which was a direct and proximate cause of
`
`the Data Breach; misrepresenting that it would protect the privacy and confidentiality of Plaintiffs
`
`and Class Members’ Payment Card Information, including by implementing and maintaining
`
`reasonable security measures; misrepresenting that it would comply with common law and
`
`statutory duties pertaining to the security and privacy of Plaintiffs’ and Class Members’ Payment
`
`Card Information, including duties imposed by the FTC Act, 15 U.S.C. § 45, and Delaware’s data
`
`
`
`15
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 16 of 21 PageID #: 16
`
`
`
`security statute, 6 Del. C. § 12B-100; omitting, suppressing, and concealing the material fact that
`
`it did not reasonably or adequately secure Plaintiffs’ and Class Members’ Payment Card
`
`Information; and omitting, suppressing, and concealing the material fact that it did not comply
`
`with common law and statutory duties pertaining to the security and privacy of Plaintiffs’ and
`
`Class Members’ Payment Card Information, including duties imposed by the FTC Act, 15 U.S.C.
`
`§ 45, and Delaware’s data security statute, 6 Del. C. § 12B-100.
`
`70. Wawa’s representations and omissions were material because they are likely to
`
`deceive reasonable consumers (including Plaintiffs and Class Members) about the adequacy of its
`
`data security and ability to protect the confidentiality of consumers’ Payment Card Information,
`
`including Plaintiffs’ and Class Members’ Payment Card Information.
`
`71. Wawa acted intentionally, knowingly, and maliciously to violate Delaware’s
`
`Consumer Fraud Act, and recklessly disregarded Plaintiffs’ and Class Members’ rights.
`
`72.
`
`Plaintiffs and Class Members acted reasonably
`
`in relying on Wawa’s
`
`misrepresentations and omissions, the truth of which they could not have discovered.
`
`73. Wawa’s unlawful trade practices were gross, oppressive, and aggravated, and
`
`Wawa breached the trust of Plaintiffs and Class Members.
`
`74. Wawa’s
`
`above-described wrongful
`
`actions,
`
`inaction,
`
`and omissions,
`
`unconscionable, unfair, and deceptive acts or practices, failure to timely and accurately report the
`
`Data Breach, and failure to use reasonable measures to safeguard, protect, and monitor the security
`
`of Plaintiffs’ and Class Members’ Payment Card Information directly and/or proximately resulted
`
`in injury, harm, and damages to Plaintiffs and Class Members in the form of, inter alia, the
`
`ongoing, imminent, and impending threat of identity theft and identity fraud; actual identity theft
`
`and identity fraud; loss of the confidentiality of the wrongfully disclosed and compromised
`
`
`
`16
`
`
`
`Case 1:20-cv-00029-UNA Document 1 Filed 01/09/20 Page 17 of 21 PageID #: 17
`
`
`
`Payment Card Information; the illegal sale of the compromised Payment Card Information on the
`
`deep web black market; lost value of the compromised Payment Card Information; cost of
`
`monitoring, credit freezes, and/or identity theft insurance; time spent scrutinizing bank statements,
`
`credit card statements, credit reports, and repairing damaged credit; expenses and/or time spent
`
`initiating fraud alerts; decreased credit scores and ratings; lost work time; and/or other economic
`
`and non-economic injury, harm, and damages.
`
`75. Wawa’s above-described wrongful actions, inaction, and omissions constitute
`
`breaches of the Delaware Consumer Fraud Act.
`
`COUNT VI
`
`UNJUST ENRICHMENT
`
`This claim is plead in the alternative to the above implied contract claim.
`
`Plaintiffs and Class Members conferred a monetary benefit upon Wawa in the form
`
`76.
`
`77.
`
`of monies paid for the purchase of fuel and/or food and food-related services at its locations.
`
`78. Wawa appreciated or h