The sandwich king Jimmy John’s issued a press release informing the public that it experienced a data breach between June 16, 2014 and September 5, 2014. The breach impacts those customers who used credit and debit cards at approximately 216 stores across 37 states in the United States. Hackers likely obtained card numbers, the cardholder’s name, verification codes, and expiration dates.
The breach occurred when an unauthorized person gained access to a username and password for Signature Systems, Inc., a third party that provides point-of-sale systems for Jimmy John’s and other restaurants, and then uploaded malware, which enabled the hacker to steal the personally identifiable information set forth above. Jimmy John’s has not yet indicated how many people were affected by this breach, but it is encouraging customers who used their credit and debit cards at Jimmy John’s stores during that timeframe to monitor their account activity. Jimmy John’s is also offering free credit monitoring to those affected.
Interestingly, Jimmy John’s became aware of the possibility of a data breach on July 30, 2014, but did not issue its press release until September 24, 2014. Each state has different data breach notification laws, but, generally, they all require expeditious notice to those affected once the entity becomes aware of a breach. Regardless of whether Jimmy John’s complied with notice requirements, be prepared to see the involvement of Attorneys General and a gaggle of individual civil lawsuits. However, if Jimmy John’s failed to provide adequate notice, it can expect to incur significant penalties.