In the wake of a massive security breach that left millions of credit cards vulnerable, Schnucks is now facing multiple lawsuits in Missouri and Illinois from customers and lawyers who say the company should have alerted shoppers sooner -- and should never have let this happened in the first place. The local supermarket chain has repeatedly apologized, saying it was a victim of a cyber attack, that it told the public as soon as it possibly could and that the stores are now safe for credit card use.
But if a judge agrees with those bringing forward the class-action suit -- who say that Schnucks was negligent and violated consumer laws -- how much would it potentially owe customers?
The company touched upon that question in its latest court filing, which notes that, if the suit prevailed, Schnucks could owe nearly $80 million to customers. And that's only referring to Illinois shoppers.
See also: - Schnucks Runs Full-Page Apology for Credit-Card Scandal As Suits Allege Negligence - Schnucks Massive Credit Card Security Breach May Have Impacted 2.4 Million - Boy, 5, Found Wandering Schnucks Alone at Night, Doesn't Know His Last Name
Jeff Millar -- an attorney who has filed the class-action lawsuit on behalf of Illinois customers -- says that Schnucks' most recent court action offers useful insight into the scope of the potential damages.
Schnucks, however, continues to argue that the lawsuit is completely without merit.
CEO Scott Schnuck's latest apology.
Millar alerted Daily RFT to Schnucks' latest court filing on Friday, which is a request to move the case from state court to federal court. While that motion is not newsworthy, what is, he says, is the math Schnucks' attorneys complete in the document explaining how much the damages could cost.
"This is the first time that Schnucks has really looked at this and put a dollar amount to it," he says.
He highlights these components of the Schnucks motion, full document on view below:
- "approximately 500,000 unique credit or debit cards were used in Schnucks' Illinois stores during the relevant time period. Thus, based on Plaintiff's allegations, the proposed putative class has at least 500,000 members."
- "For example, even valuing Plaintiff's and the putative class members' alleged 'time and effort' damages at the federal minimum wage ($7.25 per hour), and interpreting 'numerous hours' to equal only two (2) hours, the potential amount in controversy is equal to approximately $7.25 million."
- "the Illinois Supreme Court has approved a punitive damage award with a ratio of punitive to compensatory damages of approximately 11 to 1."
Millar says that, by the company's own calculations, if a judge found Schnucks guilty and ordered the company to pay punitive damages to Illinois customers, that could total nearly $80 million (given that the company cites $7.25 million in compensatory damages and an eleven-to-one ratio in punitive to compensatory damages).
Lori Willis, spokeswoman for Schnucks, tells Daily RFT in an e-mail that moving a class-action suit filed in state court to federal court is common. She adds:
Defendants in lawsuits like this one have the right to move the case to federal court if the plaintiffs are claiming entitlement to more than $5 million. Removing the case to federal court does not mean that the defendant agrees with any of the plaintiffs' claims or the amount of the damages being claimed.
Just to be clear, there were no "admissions" in the Schnucks filing. Schnucks believes the complaint is without merit and plans to put forth an aggressive defense.
Simply put, Shnucks is still denying liability, which is also spelled out in the motion.
Continue for more from Jeff Millar and for full copies of the documents in question.
Still, Millar says it's useful for customers to see these calculations.
Since his suit was filed, Millar says that he's gotten steady calls from customers facing problems with credit cards.
"I'm getting four or five inquiries a day," he says.
Here's the motion from Schnucks, followed by the original complaint.
And here's a section of Schnucks' April 15 statement that addresses the question of its response time.
Why did you wait until now to make this announcement? It was important that we acquired all of the facts. A cyber-attack is not like a bank robbery where you know immediately when it occurred and who was affected. The investigation of a cyber-attack requires painstaking analysis of digital evidence that takes time in order to determine what happened. Since we first received notice of this issue, our team and the computer forensics experts we hired have been working non-stop to find and contain the issue. The forensic investigation firm found the first indication of an issue on March 28, we contained the issue by March 30, and we have been working to identify affected stores and card numbers since then. From the outset, we have been communicating reliable facts and useful information as they became available.