Gordon v. Chipotle Mexican Grill, Inc.

United States District Court, D. Colorado

August 1, 2018

TODD GORDON, et al, individually and on behalf of all others similarly situated, Plaintiffs,


          Mark L. Carman, United States Magistrate Judge

         This purported class action regards a data breach that Defendant Chipotle Mexican Grill, Inc. ("Chipotle") experienced in early 2017. Doc. 36 (Am. Complaint) ¶ 1. Plaintiffs Todd Gordon, Marc Mercer, Kristen Mercer, Kristin Baker, Michelle Fowler, Greg Lawson and Judy Conrad allege they used credit or debit cards to make purchases at Chipotle restaurants during the data breach.[1] They allege their personally identifiable information ("PII") was thereby compromised, and consequently they had to take steps to redress fraud and protect themselves from further fraud, including identity theft. On their own behalf and that of others similarly situated, Plaintiffs bring several tort, contract, statutory and equitable claims, apparently under the laws of the states in which they made the purchases. The court has subject matter jurisdiction under the Class Action Fairness Act of 2005 (28 U.S.C. § 1332(d)(2)(A)) and supplemental jurisdiction under 28 U.S.C. § 1367.

         Defendant moves to dismiss the claims of Plaintiffs Kristin Baker and Greg Lawson for lack of standing. Defendant further moves to dismiss all claims for failure to state a claim. Judge Christine M. Arguello referred the motion to the undersigned magistrate judge for a recommendation. As follows, the court recommends granting in part and denying in part.

         I. BACKGROUND

         Plaintiffs allege Chipotle used inadequate measures to secure customers' payment card information it received at most of its stores in the continental United States. Among other things, Plaintiffs point in particular to Chipotle's alleged decision to not implement the payment card industry's ("PCI") "EMV technology," where EMV stands for "Europay, MasterCard and Visa." Doc. 36 ¶¶ 1-9. EMV technology is a "'global standard' for cards equipped with computer chips and technology used to authenticate chip card transactions" which generates a "unique transaction code that cannot be used again. Such technology greatly increases payment card security because if an EMV chip's information is stolen, the unique number cannot be used by the thieves, making it much more difficult for criminals to profit from what is stolen." Id. ¶ 68.

         Plaintiffs allege that because Chipotle did not implement EMV technology (or other reasonable measures), its point of service ("POS") systems were vulnerable to malware that fraudsters had used several times to infiltrate other major retailers' POS, in order to steal payment card information. According to Chipotle's announcement, it discovered the malware had been operative on its POS systems from March 24, 2017 to April 18, 2017. Doc. 36 ¶ 1. Chipotle allegedly did not "timely and accurately notify Plaintiffs and Class Members that their personal and financial information had been compromised," Id. ¶ 2, and did not offer assistance, such as free credit monitoring. Doc. 36 ¶¶ 8, 102-04. Plaintiffs assert Chipotle has still "not disclosed exactly what type of information was in fact exfiltrated in the Data Breach." Id. ¶ 32.

         Plaintiffs allege their individual payment card purchases from Chipotle during the time of the data breach and specific harms each individual allegedly incurred due to the data breach. Doc. 36 ¶¶ 10-18. Overall, they allege Chipotle's data breach caused them

loss of time and money resolving fraudulent charges [and] ... obtaining protections against future identity theft; financial losses related to the purchases ... that Plaintiffs and Class members would have never made had they known of Chipotle's careless approach to cybersecurity; lost control over the value of personal information; ... losses and fees relating to exceeding credit and debit card limits and balances, and bounced transactions; [and] harm resulting from damaged credit scores and information....

Id. ¶ 88.[2] Plaintiffs also allege Chipotle's misconduct has "placed [them] at [an] increased risk of harm from identity theft," to protect against which they are "placing 'freezes' and 'alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts." Id. ¶ 89.

         Plaintiffs seek several types of damages, penalties, equitable relief, injunctive relief and declaratory relief, and their attorneys' fees and costs. Id. at 74 (prayer for relief).

         II. ANALYSIS

         A. Standing of Plaintiffs Baker and Lawson

         Defendant argues Kristin Baker and Greg Lawson do not plausibly allege injuries that would satisfy the Article III "case" or "controversy" requirement for subject matter jurisdiction. Standing is first and foremost concerned with whether a plaintiff has suffered an "injury in fact," such that resolution of his or her claim involves the judicial power, not the executive or legislative. Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992). See also Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408 (2013) ("The law of Article III standing, which is built on separation-of-powers principles, serves to prevent the judicial process from being used to usurp the powers of the political branches."). Standing requires the plaintiff to show he or she has

suffered an "injury in fact"-an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) "actual or imminent, not 'conjectural' or 'hypothetical,'" ... Second, there must be a causal connection between the injury and the conduct complained of-the injury has to be "fairly ... trace[able] to the challenged action of the defendant, and not ... th[e] result [of] the independent action of some third party not before the court." ... Third, it must be "likely," as opposed to merely "speculative," that the injury will be "redressed by a favorable decision."

Lujan, 504 U.S. at 560-61 (internal citations omitted).

         Plaintiffs bear the burden of proving standing. See, e.g., Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (as revised May 24, 2016). When standing is raised at the Rule 12 stage, the showing required depends whether the defendant raises a facial or factual challenge. Holt v. United States, 46 F.3d 1000, 1002-3 (10th Cir. 1995). A "facial attack on the complaint's allegations as to subject matter jurisdiction questions the sufficiency of the complaint," and in reviewing such an attack "a district court must accept the allegations in the complaint as true." Pueblo of Jemez v. United States, 790 F.3d 1143, 1148 n.4 (10th Cir. 2015) (citing Holt). In this case, Defendant brings a facial challenge, as it does not raise facts outside the complaint for this issue. Therefore, Plaintiffs must show their allegations plausibly support standing. Lujan, 504 U.S. at 561 (standing must be shown "with the manner and degree of evidence required at the successive stages of the litigation.").

         Here, Defendant takes issue with the "injury in fact" element with respect to Lawson and Baker.[3] Defendant raises three arguments. First, Defendant argues Lawson and Baker assert a "property right" or "independent value" in alleging they "lost control over the value of personal information." Doc. 36 ¶ 88. In response, Plaintiffs deny they brought such a claim. Doc. 57 (Response) at 7. However, Plaintiffs do not explain what meaning other than a property right or independent value of their PII could reasonably be inferred from the allegation in Paragraph 88. Since Plaintiffs admit they did not intend to bring a "property right" or "independent value" claim, the court recommends granting in part the Rule 12(b)(1) motion to partially dismiss Plaintiffs' claims to the extent the Amended Complaint alleges "lost control over the value of personal information." See Doc. 36 ¶¶ 88, 137, 182, 184, 238, 240.[4]

         Second, Defendant argues Lawson and Baker claim they "overpaid" Chipotle by the implicit amount they believed Chipotle would spend to make the transaction secure. Defendant points to Plaintiffs' allegation of "financial losses related to purchases ... [they] would have never made had they known of Chipotle's careless approach to cybersecurity." Doc. 36 ¶ 88. Defendant cites several cases rejecting the overpayment theory in data breach cases, including Engl v. Natural Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 WL 8578252, at *3 (D. Colo. Sept. 21, 2016). In response, Plaintiffs assert that they do not bring an "overpayment" claim. Doc. 57 (Response) at 7. They argue "if Plaintiffs had known of the lax security they would not have purchased at Chipotle and so would not have suffered the financial losses they did." Id. at 8. See also Doc. 36 ¶ 88 (alleging same).

         However, Plaintiffs do not address their allegations that part of the monies they paid "were supposed to be used by Chipotle ... to pay for the administrative costs of reasonable data privacy and security" (id. ¶ 169), they "paid more for that food service than they otherwise would have paid" if they had known Chipotle was not using part of the purchase price for reasonable data security in the transaction (id. ¶ 207), and the damages they seek for the portion of their purchase that Chipotle should have spent on data security. Id. ¶ 170. Plaintiffs also simultaneously defend their unjust enrichment and California Unfair Competition Law claims as premised on both theories that they would not have made the purchases at all, and that a portion of the purchase price was implicitly directed to providing a secure transaction that Defendant did not provide. Doc. 57 (Response) at 17, 23.

         The court recommends granting in part the Rule 12(b)(1) motion to the extent Plaintiffs Lawson and Baker allege overpayment for two reasons. First, Plaintiffs argue they did not bring such a claim. This constitutes either an admission or withdrawal of the allegations that assert overpayment. Second, even if Plaintiffs did not intend to admit or withdraw their overpayment allegations for certain claims, they allege overpayment in conclusory fashion. The overpayment theory also fails for the same reasons as in Engl. Plaintiffs do not allege facts to plausibly support that part of the purchase price was dedicated to data security. Plaintiffs allege "Chipotle has acknowledged that approximately 70% of its sales are attributable to credit and debit card transactions." Doc. 36 ¶ 23. The court infers that the other 30% of Chipotle's sales are conducted with cash currency. Plaintiffs do not allege they paid higher prices than cash customers. See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1178 (D. Minn. 2014); Community Bank, 887 F.3d at 820. Plaintiffs argue that this is irrelevant because cash customers are not part of the proposed class, but they do not address the reasonable inference that a cash customer - who gives no PII to Defendant in a purchase - would pay lower prices than Plaintiffs if their "overpayment" assertion were plausible. Plaintiffs also cite cases in which an overpayment theory survived on unjust enrichment claims: In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F.Supp.3d 1183, 1201 (D. Or. 2016); In re Anthem, Inc. Data Breach Litig., 2016 U.S. Dist. LEXIS 70594, at *167-*175 (N.D. Cal. May 27, 2016); and Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012). Premera, Anthem and Resnick did not address whether the plaintiffs paid more than cash customers. Those cases in fact did not address whether the defendants even had a significant number of cash customers, considering that all three were providers of health insurance.

         This brings the court to Defendant's argument that Lawson and Baker lack standing because they do not allege the actual "time and effort incurred in dealing with [his or her credit/debit card issuer] to address the fraudulent charges actually made on his account or a risk that he might be held responsible for future fraudulent charges." Doc. 43 (Motion) at 8 (quoting Engl, 2016 WL 8578252, at *7). Defendants do not take issue with whether the alleged harms are sufficiently particularized[5] or traceable, but only whether Lawson and Baker's harms are sufficiently concrete.

         In Engl, the court recognizes the two well-established types of injuries that plausibly allege concrete injury in fact: "an actual harm, or ... a future harm that is 'certainly impending' or one for which there is 'a substantial risk that the harm will occur.'" Engl, 2016 WL 8578252, at *3 (quoting Clapper, 133 S.Ct. at 1147). Defendant believes Lawson and Baker argue in their response only the former (actual harm), not the latter (risk of future harm). Doc. 64 (Reply) at 1. But Lawson and Baker allege both existing injuries (Doc. 36 ¶¶ 14, 17) and a risk of future harm. Id. ¶¶ 87-104. They also argue both types of harm in their brief, albeit focused primarily on existing injuries. Doc. 57 (Response) at 5 (citing paragraph 102 of the Am. Complaint), 6 n.3 (arguing Lawson's out of pocket expense was justified to mitigate the risk of future harm), 7 (arguing "costs incurred and time spent to ... prevent future fraud against them"). The court accordingly considers the allegations of both actual harm and risk of future harm.

         1. Alleged Actual Harms

         Regarding actual harms, "[a] 'concrete' injury must be 'de facto'; that is, it must actually exist. ... 'Concrete' is not, however, necessarily synonymous with 'tangible.' Although tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete." Spokeo, 136 S.Ct. at 1549. "In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles." Id. It is "instructive" if the "alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts," or if Congress identified the intangible harm as sufficient. Id.

         In Spokeo, plaintiff asserted a "people search engine" violated the Fair Credit Reporting Act by failing to use reasonable methods to ensure accuracy in consumer reports it provides. Plaintiff alleged Spokeo delivered inaccurate information regarding him, such as marital status, age, education and economic status. 136 S.Ct. at 1546. The Court reversed and remanded for the Ninth Circuit to address whether the alleged statutory violation was sufficiently concrete. On remand, the Ninth Circuit found the alleged FCRA violation was in itself a concrete harm, as evinced by the Congressional intent for the FCRA (to protect consumers from inaccurate reports of personal information that could affect not only their ability to obtain credit but also employment) and the similarity to longstanding reputational and privacy torts. Robins v. Spokeo, Inc., 867 F.3d 1108, 1114-15 (9th Cir. 2017), cert. den'd, 138 S.Ct. 931 (2018). Plaintiff had standing because he alleged Spokeo's inaccurate report "harmed his employment prospects at a time when he was out of work and that he continues to be unemployed and suffers emotional distress as a consequence." Id. at 1111.

         Spokeo's focus on whether the inaccuracy of personal information can harm the individual is likewise the focus for standing in the consumer data breach context. In Engl, plaintiff's card issuer did not hold him responsible for the unauthorized charge, and he was deprived of the use of his account for only a de minimis time. Engl, 2016 WL 8578252, at *2. In those circumstances, "[w]ithout the ability to point to time and effort incurred in dealing with Visa to address the fraudulent charges actually made on his account," the plaintiff did not allege an actual harm. Id. at *7. In Weinstein v. Intermountain Healthcare, Inc., No. 2:16-cv-00280-DN, 2017 WL 1233829, at *4 (D. Utah Apr. 3, 2017), appeal dismissed, No. 17-4071, 2017 WL 5158637 (10th Cir. July 27, 2017), plaintiff alleged defendant violated a statutory requirement to not print the expiration date of his payment card on receipts. He did not, however, allege any misuse of those receipts and thereby failed to allege injury. In Hammer v. Sam's E., Inc., No. 12-cv-2618-CM, 2013 WL 3756573, at *3 (D. Kan. July 16, 2013), plaintiff claimed defendant's website misrepresented its data security but did not allege a security breach or misuse of his information and therefore did not have standing. The Second Circuit similarly found a lack of actual harm from allegations that only payment card information was stolen, the card issuer rejected the attempted fraudulent charges, and a generic, class-wide statement of time or money spent to monitor and address the situation. Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89, 90-91 (2d Cir. 2017).

         These cases contrast to consumers who allege the stolen PII was of a type sufficient to enable identity theft (i.e., social security numbers or other personal information required to open new accounts), such as Hapka v. Carecentrix, Inc., Civ. 16-2372-CM, 2016 WL 7336407 (D. Kan. Dec. 19, 2016). In Hapka, plaintiff alleged a fraudster obtained PII including social security numbers, birthdates, etc. Shortly after plaintiff was notified of the breach, the IRS notified her that someone had filed a fraudulent tax return using her information. This was sufficient actual harm to support standing.

         Here, Ms. Baker alleges:

On or about March 29, 2017, [she] used her debit card to make a food purchase at ... Chipotle ... [in] Riverside, California. ... On April 3, 2017, three unauthorized charges were attempted on Plaintiff's debit card. She learned about the attempts via email alerts from her bank, for online purchases of $69.99, $19.99, and $49.99, respectively. The charge of $49.99 went through, but the others were declined. Ultimately, Plaintiff's bank refunded the unauthorized charge.

Doc. 36 ¶ 14 (in relevant part). Much like plaintiff in Engl and Whalen, Ms. Baker does not allege actual harm: she does not allege she spent time or money addressing the fraudulent charges, whether she was deprived of the use of her account for a time, nor any expenses incurred from the need to (apparently) close and reopen a new account with a new card number.[6]

         Mr. Lawson alleges:

On or around March 28, 2017, ... [he] visited [a] Chipotle restaurant ... in St. Joseph, Missouri, and purchased food items using his debit card. This debit card is the primary card [he] ... uses for daily expenditures because of the cash back rewards benefit. Within a few weeks of this visit, Plaintiff Lawson was contacted by the issuing bank and advised that his debit card had been compromised as a result of the Chipotle Data Breach. The bank informed [him] ... that it would be closing the account, opening a new account, and re-issuing a new debit card. Because Plaintiff Lawson had upcoming travel plans, he paid $45 to have the new debit card expedited to him. Unfortunately, despite the attempt to expedite and the money expenditure, a new card did not arrive before he left town. Therefore, Plaintiff Lawson did not have his debit card to use for his travel expenses as he planned. As a result of having been victimized by the Chipotle Data Breach, Plaintiff Lawson has been required to spend time communicating with his bank regarding his compromised card, account transfer, and replacement card.

Doc. 36 ¶ 17 (in relevant part). Based on this paragraph, Defendant argues Mr. Lawson did not suffer a fraudulent charge. Doc. 43 (Motion) at 9; Doc. 64 (Reply) at 2. Mr. Lawson responds that he did suffer misuse of his card, citing the same paragraph. Doc. 57 (Response) at 4. Although the pleading could be clearer, Mr. Lawson's allegations reasonably infer that his issuing bank went to the trouble of closing and reissuing a new payment card because there was some attempted misuse of his payment card. Defendant is free to pursue the fact issue in discovery, but the court cannot resolve it on a facial challenge to standing.

         Mr. Lawson also alleges actual harm in not obtaining the "cash back rewards" on his travel expenses. Defendant argues this is insufficient, citing Engl, 2016 WL 8578096, at *6. But in Engl, plaintiff alleged only that he lacked the use of his card for several days, not that he thereby lost cash back rewards. Defendant does not explain why the court should consider cash back rewards as having no monetary value as a matter of law. Cf., Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016) ("Kosner also alleges that he was unable to accrue points on his debit card while he was waiting for a replacement. If that loss has any monetary value (a question on which we take no position), it would be compensable").

         Mr. Lawson also alleges actual harm in time spent addressing the theft of his payment card information and new card issuance. Defendant notes that unlike the other named Plaintiffs, Mr. Lawson alleges his lost time generally instead of specifying the duration, inferring he spent only de minimis time. Doc. 64 (Reply) at 2. Defendant cites Engl on this point, but in that case, plaintiff did not allege he spent any time at all. Nor do Defendant's other cited cases support its argument. In Randolph v. ING Life Ins., 486 F.Supp.2d 1, 8 (D.D.C. 2007), plaintiffs alleged their personal information was contained on a laptop stolen from a home. Because they did not allege the laptop was stolen to obtain that information, and alleged no attempts to misuse it, the court held the time and inconvenience plaintiffs incurred to monitor their credit was inadequate to allege standing. In Whalen, the court found a generic, class-wide allegation of lost time did not suffice. 689 Fed.Appx. at 91. To the extent Whalen could be read as requiring consumers to plead with specificity the amount of time they lost, this would run contrary to the pleading standard. Pueblo of Jemez, 790 F.3d at 1172 ("Under Rule 8, specific facts are not necessary; the statement need only give the defendant fair notice of what the ... claim is and the ground upon which it rests."). At this phase, the court gives reasonable inferences in Mr. Lawson's favor. Sanchez v. Hartley, 810 F.3d 750, 754 (10th Cir. 2016). Defendant is free to pursue the fact issue, but the court cannot resolve it on this motion.

         Defendant argues Mr. Lawson's out of pocket expense was "self-inflicted," in the sense that no one required him to expedite delivery of his new card. It is true "self-imposed risk-mitigation costs, when 'incurred in response to a speculative threat'" do not suffice for standing. Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017), cert. denied, 138 S.Ct. 981 (2018) (quoting Clapper, 568 U.S. at 416-17). But Mr. Lawson's allegations infer that he incurred the expediting fee in the attempt to not lose the cash back rewards he expected on his travel expenses. This plausibly alleges an actual harm for standing. Thus, as to Mr. Lawson, the court sees no need to reach whether he also alleges a risk of future harm. The court proceeds to that question only as to Ms. Baker.

         2. Alleged Risk of Future Harm

         In addition to harms that are actual and existing, a harm that is "imminent, not 'conjectural' or 'hypothetical'" also suffices for standing. Lujan, 504 U.S. at 560. "An allegation of future injury may suffice if the threatened injury is 'certainly impending,' or there is a 'substantial risk' that the harm will occur." Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014) (internal quotation marks omitted, quoting Clapper, 568 U.S. at 414, n.5). The Court has not decided whether a "substantial risk" of future harm is different from a "certainly impending" harm (see, e.g., In re SuperValu, Inc., 870 F.3d 763, 769, n.3 (8th Cir. 2017)), but both concepts require something more than an "objectively reasonable likelihood" of future harm. Clapper, 568 U.S. at 410.

Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes-that the injury is certainly impending. ... Thus, we have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient.

Id. at 409 (emphasis original, internal quotation marks omitted). In Clapper, plaintiffs lacked standing because their alleged risk of future harm - of having their private communications with international persons intercepted under the Foreign Intelligence Surveillance Act - depended on an attenuated chain of causation. In short, "'some day' speculations are insufficient." Colo. Outfitters Ass'n v. Hickenlooper, 823 F.3d 537, 551 (10th Cir. 2016).

         Engl reviewed the then-extant consumer data breach cases and concluded in order for a consumer to allege a sufficient risk of future harm from a data breach, the consumer must allege "(i) his or her credit card or other financial or personal data was exposed to hackers in a data breach, and (ii) that there is reason to believe that the hackers or others are making actual fraudulent use of the purloined data." Engl, 2016 WL 8578252 at *6. Plaintiff in that case alleged actual misuse of his stolen credit card number, and the court recognized in "ordinary circumstances," that would be sufficient to plausibly allege injury. Id. However, plaintiff's other allegations showed there was no ongoing potential for harm (the compromised account was closed, he was reimbursed, and only his payment card information was stolen), so plaintiff's assertions regarding future harm were speculative. Id.

         Post-Engl, several circuit courts have addressed the issue of future harm from data breaches. See, e.g., Joseph F. Yenouskas, Levi W. Swank, Emerging Legal Issues in Data Breach Class Actions, 73 Bus. Law. 475 (Spring 2018) (collecting cases); SuperValu, 870 F.3d at 769 (also collecting cases). In re, Inc., 888 F.3d 1020 (9th Cir. 2018); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018); Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., No. 17-1506, 2018 WL 2927626, at *5-6 (4th Cir. June 12, 2018). As the Eighth Circuit notes, "[t]hese cases came to differing conclusions on the question of standing. We need not reconcile this out-of-circuit precedent because the cases ultimately turned on the substance of the allegations before each court." SuperValu, 870 F.3d at 769. That is, a risk of future identity theft is sufficient for standing only if the data breach exposed the types of PII that can enable identity theft.

         For instance, in SuperValu, consumers brought a putative class action after their payment card information was stolen, alleging

The hackers installed malicious software on defendants' network that allowed them to gain access to the payment card information of defendants' customers (hereinafter, Card Information), including their names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs). By harvesting the data on the network, the hackers stole customers' Card Information.

SuperValu, 870 F.3d at 766. Those allegations are quite similar to Plaintiffs' allegations here:

When Chipotle's customers pay using credit or debit cards, Chipotle collects Customer Data related to those cards including the cardholder name, the account number, expiration date, card verification value (CVV), and PIN data for debit cards. Chipotle stores the Customer Data in its POS system and transmits this information to a third party for completion of the payment.
Beginning on or about March 24, 2017, hackers utilizing malicious software accessed the point-of-sale ("POS") systems at Chipotle and Pizzeria Locale locations throughout the United States and stole copies of customers' Card Information and other personal information. The software used in the attack was a malware strain designed to siphon data from cards when they are swiped at infected POS systems.

Doc. 36 ¶¶ 24-25. Much like Plaintiffs in this case (doc. 36 ¶¶ 91-95), plaintiffs in SuperValu alleged the breach of their payment card information caused a substantial risk of future identity theft. 870 F.3d at 770. They cited the same Government Accounting Office ("GAO") report that Plaintiffs cite here. Doc. 36 at 33, n. 24 (citing GAO 07-737, Report to Congressional Requesters, "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown," at 33 (June 2007), available at <>. But as the Eighth Circuit notes, the GAO report lends no support to allegations of future harm, if only payment card information is breached.

[T]he allegedly stolen Card Information does not include any personally identifying information, such as social security numbers, birth dates, or driver's license numbers. As the GAO report points out, compromised credit or debit card information, like the Card Information here, "generally cannot be used alone to open unauthorized new accounts." Id. at 30 ... As such, ... there is little to no risk that anyone will use the Card Information stolen in these data breaches to open unauthorized accounts in the plaintiffs' names.

SuperValu, 870 F.3d at 770.[7] See also Whalen, 689 Fed.Appx. at 90; Alonso v. Blue Sky Resorts, LLC, 179 F.Supp.3d 857, 864 (S.D. Ind. 2016), appeal dismissed (7th Cir. May 16, 2016). Plaintiffs also do not point to any historical practice or Congressional intent finding a "certainly impending" harm or "substantial risk" thereof when payment card information is stolen, once the compromised account is closed.

         In this case, there is a fact issue regarding whether more than just Ms. Baker's name and credit card account number were stolen. Plaintiffs allege the stolen information includes "cardholder name, the account number, expiration date, card verification value (CVV), and PIN data for debit cards." Doc. 36 ¶¶ 24-25. See also Id. ¶ 28 (alleging Chipotle confirmed a breach involving "track data" including those same categories of information "read from the magnetic stripe"). Plaintiffs allege Chipotle has not said precisely what types of information were actually taken. Id. ¶¶ 32-33. Plaintiffs allege in other data breaches, fraudsters stole personal information regarding far more customers than those whose payment card information they stole in the breach, or combine the PII obtained from multiple sources. Id. ¶¶ 44-45. On the other hand, the only named Plaintiff to allege fraudulent accounts were opened in her name is Ms. Fowler, and she alleges that occurred two months after the misuse of her stolen card information. Id. ¶ 15. However, identity theft can take years to surface. Id. ¶ 94.

         In short, the court will infer from the allegations that additional personal information was taken in the Chipotle breach that could enable fraudulent accounts to be opened in Ms. Baker's name, or other benefits to be taken fraudulently in her name. This is the "ordinary circumstance" recognized in Engl. Because Ms. Baker alleges she suffered actual fraudulent charges on her account, and she does not know for certain whether PII beyond her payment card information was stolen, she plausibly alleges a certainly impending harm or substantial risk thereof. Defendant is of course free to pursue the fact issues regarding Ms. Baker's standing.

         In sum, the court recommends denying the Rule 12(b)(1) motion except as to the allegations of "lost control over the value of personal information" and overpayment.

         B. Failure to State a Claim

         The court turns to Defendant's motion to dismiss for failure to state a claim under Rule 12(b)(6). A court may dismiss a complaint for "failure to state a claim upon which relief can be granted." See Fed. R. Civ. P. 12(b)(6). In deciding a motion under Rule 12(b)(6), we "assume the truth of all well-pleaded facts in the complaint, and draw all reasonable inferences therefrom in the light most favorable to the plaintiffs." W. Watersheds Project v. Michael, 869 F.3d 1189, 1193 (10th Cir. 2017) (internal quotation marks omitted). However, a plaintiff may not rely on mere labels or legal conclusions, "and a formulaic recitation of the elements of a cause of action will not do." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007).

         To withstand a motion to dismiss, a "complaint must allege facts that, if true, state a claim to relief that is plausible on its face. A claim is facially plausible when the allegations give rise to a reasonable inference that the defendant is liable." Big Cats of Serenity Springs, Inc. v. Rhodes, 843 F.3d 853, 858 (10th Cir. 2016) (internal quotation marks omitted). See also Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Once plaintiff pleads sufficient facts to make the claim plausible, "a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of [the alleged] facts is improbable, and that a recovery is very remote and unlikely." Sanchez, 810 F.3d at 756 (internal quotation marks omitted, quoting Twombly, 550 U.S. at 556).

         Generally, a court considers only the contents of the complaint when ruling on a Rule 12(b)(6) motion. Gee v. Pacheco, 627 F.3d 1178, 1186 (10th Cir. 2010). Exceptions to this general rule include: documents incorporated by reference in the complaint; documents referred to in and central to the complaint, when no party disputes their authenticity; and "matters of which a court may take judicial notice." Id. (quoting Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007)). If a plaintiff does not incorporate by reference or attach a document to its complaint, a defendant may submit an indisputably authentic copy which the court may consider in ruling on the motion without converting it to summary judgment. GFF Corp. v. Ass'd Wholesale Grocers, Inc., 130 F.3d 1381, 1384 (10th Cir. 1997).

         I. Negligence Claim (Count I)

         Defendant argues the negligence claim is barred by the economic loss doctrine. As negligence is a matter of state law, the court must first address whether choice-of-law analysis is required. Defendant argues this is unnecessary because in its view these claims fail under the law of all five states in question: the forum state (Colorado) and each named Plaintiff's home state (Arizona, California, Illinois and Missouri). In response, Plaintiffs argue their claims survive under all five states' laws and do not address whether a choice of law is necessary.[8]

         "When more than one body of law may apply to a claim, the Court need not choose which body of law to apply unless there is an outcome determinative conflict between the potentially applicable bodies of law." SELCO Cmty. Credit Union v. Noodles & Co., 267 F.Supp.3d 1288, 1292 (D. Colo. 2017), appeal dismissed, No. 17-1289, 2017 WL 7668565 (10th Cir. Nov. 20, 2017) (internal quotation marks omitted). See also Security Serv. Fed. Credit Union v. First Am. Mortg. Funding LLC, 861 F.Supp.2d 1256, 1264 (D. Colo. 2012), recon. den'd 906 F.Supp.2d 1108 (D. Colo. 2012). The "economic loss doctrine" is recognized in the five states at issue, but as will be seen there are outcome-determinative differences between Colorado on the one hand and Arizona and California on the other.

         Arizona (Plaintiff Gordon). Arizona recognizes a "narrow version" of the economic loss doctrine. Flagstaff Affordable Hous. Ltd. P'ship v. Design All., Inc., 223 P.3d 664, 668 (Ariz. 2010). Arizona first limits the doctrine to contracting parties. Flagstaff, 223 P.3d at 667. "[A]bsent any contract between the parties," it does not apply to tort claims. Id. Even as between contracting parties,

[r]ather than adopting the majority rule as a blanket disallowance of tort recovery for economic losses, we think the better rule is one which examines the loss in light of the nature of the defect that caused it, the manner in which it occurred, and the nature of any other contemporaneous losses.

Salt River Project Agric. Improvement & Power Dist. v. Westinghouse Elec. Corp., 694 P.2d 198, 209 (Ariz. 1984).

Under Salt River, the economic nature of the loss is only one factor in a three-part test to determine whether tort remedies will be available: a court must also consider whether the defect was "unreasonably dangerous" and whether the loss occurred in a "sudden, accidental manner." ... When these factors are present, Salt River allows a plaintiff to recover in tort for purely economic loss.

Flagstaff, 223 P.3d at 668 (quoting Salt River, 694 P.2d at 209).

         Thus "[t]he economic loss doctrine may vary in its application depending on context-specific policy considerations. To determine whether the doctrine should apply..., we must consider the underlying policies of tort and contract law" in the case-specific context. Id. at 669. "The principal function of the economic loss doctrine, in our view, is to encourage private ordering of economic relationships and to uphold the expectations of the parties by limiting a plaintiff to contractual remedies for loss of the benefit of the bargain. These concerns are not implicated when the plaintiff lacks privity and cannot pursue contractual remedies." Id. at 671. See also Sullivan v. Pulte Home Corp., 306 P.3d 1, 3 (Ariz. 2013) ("encourage the private ordering of economic relationships, protect the expectations of contracting parties, ensure the adequacy of contractual remedies, and promote accident-deterrence and loss-spreading.").

         To date, the Arizona Supreme Court has recognized the economic loss doctrine only in product liability and construction cases that involved contracting parties. Flagstaff, 223 P.3d at 665. It has declined to extend the doctrine to a non-contracting party's construction claim, regardless that the party at one time "had a possible contractual remedy under an implied warranty claim. Such a remedy was imposed as a matter of Arizona's common law; it did not result from any opportunity the [subsequent homeowners] had to negotiate with [the defendant homebuilder] over remedies." Sullivan, 306 P.3d at 3.

         The District of Arizona has predicted the Arizona Supreme Court would extend the doctrine to claims regarding credit card payment processing between two sophisticated contracting entities. TSYS Acquiring Sols., LLC v. Elec. Payment Sys., LLC, No. CV10-1060 PHX, 2010 WL 3882518, at *2 (D. Ariz. Sept. 29, 2010) (the defendant did "not argue that it lacked the sophistication to assess risks, negotiate the contract, or prospectively identify remedies for breach. Nor does it allege that breach of the contract was unforeseeable"). The court also predicts Arizona would extend the doctrine to claims regarding damages from underground pollution that was the subject of contract between two sophisticated parties. Greyhound Lines Inc. v. Viad Corp., No. CV-15-01820-PHX-DGC, 2016 WL 6833938, at *8 (D. Ariz. Nov. 21, 2016).

         However, the District of Arizona has predicted the state would not extend the economic loss doctrine in two data breach cases. Cumis Ins. Society, Inc. v. Merrick Bank Corp., No. CV-07-374-TUC-CKJ, 2008 WL 4277877 (D. Ariz. Sept. 18, 2008); In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548 (D. Ariz. Dec. 20, 2017). In Cumis, plaintiff was the insurer of credit unions whose customers had their payment card information stolen from a card processor's computers in a data breach. The insurer claimed one defendant (Merrick) had contracted (it is unclear with whom, but not with the insurer) to guarantee a processor's compliance with PCI standards; the other defendant (Savvis) contracted (apparently with Merrick or the processor) to certify the ...
