A final order was issued by the US District Court for the Northern District of Ohio on October 17, 2022, settling the second class action brought against Sonic Corp., a US-based drive-in restaurant chain, as a result of a 2017 data breach. The first settlement, resolved following mediation, involved individual consumers whose payment card information was compromised in the data breach.
The current settlement involves a class certified as “all banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or debit cards or reimbursed a compromised account from any card brand in the Sonic Data Breach.” The court reaffirmed the certification, finding that the class met the numerosity, commonality and typicality requirements of Rules 23(a) and (b) of the Federal Rules of Civil Procedure, as it was comprised of thousands of financial institutions presenting the same questions of law and fact, with representative plaintiffs solidly within the class, and common questions predominating over individual issues.
The settlement requires Sonic to pay up to $5.73 million, of which $3 million would be $1 and $1.50 per-card fees for re-issued and reimbursed payment cards. In considering whether the proposed settlement was fair, reasonable and adequate as required by FRCP 23(e), the court examined the risk of collusion, the complexity and potential duration of the litigation in the absence of settlement, the extent of discovery conducted by the parties, the likelihood of success on the merits, the opinions of the parties, objections by absent class members, and whether the settlement would serve the public interest. Finding that the proposed settlement satisfied the legal standard, the court gave its final stamp of approval.