The chairman of its board of directors, whose job includes overseeing the CEO, is founding-family heir Richard D. Wood Jr. He has held the chairman job since retiring as CEO in 2004, and has presided over the board during the period of Wawa’s rapid growth from a regional cokes-smokes-milk-and-hoagies chain to a convenience store and gasoline outlet with more than $12 billion in annual sales at 850 stores from New Jersey to Florida.
Target, as a publicly traded company, was required by U.S. securities law to announce its data breach if it believed the resulting losses could materially affect the company’s profitability. Also, as a company doing business in California, it was required to tell customers in the largest U.S. state when their “unencrypted personal information” had been “acquired, or reasonably believed to have been acquired, by an unauthorized person,” whether or not the company believed that customers had suffered a loss.
Can’t let it happen again
Wawa, as a private company, has fewer investor disclosure requirements. And Pennsylvania, where Wawa is based, has a more conditional data breach notification requirement: A company has to tell customers when it decides the loss of personal information is likely to “cause loss or injury” — which potentially gave Wawa more time to delay disclosure, according to a data-management company founder who asked that he not be identified by name because he has business ties to Wawa.
Even with delayed disclosure, a massive data breach is time for a board to review management closely, the executive added. “Wawa is a digital company, like everyone else,” he said. “When you have a data breach like this, there is usually a failure, either in management, or in the quality of security.”