United States District Court, D. Colorado
TODD GORDON, et al, individually and on behalf of all others similarly situated, Plaintiffs,
v.
CHIPOTLE MEXICAN GRILL, INC., Defendant.
RECOMMENDATION ON MOTION TO DISMISS
Mark L. Carman, United States Magistrate Judge
This purported class action regards a data breach that Defendant Chipotle Mexican Grill, Inc. ("Chipotle") experienced in early 2017. Doc. 36 (Am. Complaint) ¶ 1. Plaintiffs Todd Gordon, Marc Mercer, Kristen Mercer, Kristin Baker, Michelle Fowler, Greg Lawson and Judy Conrad allege they used credit or debit cards to make purchases at Chipotle restaurants during the data breach.[1] They allege their personally identifiable information ("PII") was thereby compromised, and consequently they had to take steps to redress fraud and protect themselves from further fraud, including identity theft. On their own behalf and that of others similarly situated, Plaintiffs bring several tort, contract, statutory and equitable claims, apparently under the laws of the states in which they made the purchases. The court has subject matter jurisdiction under the Class Action Fairness Act of 2005 (28 U.S.C. § 1332(d)(2)(A)) and supplemental jurisdiction under 28 U.S.C. § 1367.
Defendant moves to dismiss the claims of Plaintiffs Kristin Baker and Greg Lawson for lack of standing. Defendant further moves to dismiss all claims for failure to state a claim. Judge Christine M. Arguello referred the motion to the undersigned magistrate judge for a recommendation. As follows, the court recommends granting in part and denying in part.
I. BACKGROUND
Plaintiffs allege Chipotle used inadequate measures to secure customers' payment card information it received at most of its stores in the continental United States. Among other things, Plaintiffs point in particular to Chipotle's alleged decision to not implement the payment card industry's ("PCI") "EMV technology," where EMV stands for "Europay, MasterCard and Visa." Doc. 36 ¶¶ 1-9. EMV technology is a "'global standard' for cards equipped with computer chips and technology used to authenticate chip card transactions" which generates a "unique transaction code that cannot be used again. Such technology greatly increases payment card security because if an EMV chip's information is stolen, the unique number cannot be used by the thieves, making it much more difficult for criminals to profit from what is stolen." Id. ¶ 68.
Plaintiffs allege that because Chipotle did not implement EMV technology (or other reasonable measures), its point of service ("POS") systems were vulnerable to malware that fraudsters had used several times to infiltrate other major retailers' POS, in order to steal payment card information. According to Chipotle's announcement, it discovered the malware had been operative on its POS systems from March 24, 2017 to April 18, 2017. Doc. 36 ¶ 1. Chipotle allegedly did not "timely and accurately notify Plaintiffs and Class Members that their personal and financial information had been compromised," Id. ¶ 2, and did not offer assistance, such as free credit monitoring. Doc. 36 ¶¶ 8, 102-04. Plaintiffs assert Chipotle has still "not disclosed exactly what type of information was in fact exfiltrated in the Data Breach." Id. ¶ 32.
Plaintiffs allege their individual payment card purchases from Chipotle during the time of the data breach and specific harms each individual allegedly incurred due to the data breach. Doc. 36 ¶¶ 10-18. Overall, they allege Chipotle's data breach caused them
loss of time and money resolving fraudulent charges [and] ... obtaining protections against future identity theft; financial losses related to the purchases ... that Plaintiffs and Class members would have never made had they known of Chipotle's careless approach to cybersecurity; lost control over the value of personal information; ... losses and fees relating to exceeding credit and debit card limits and balances, and bounced transactions; [and] harm resulting from damaged credit scores and information....
Id. ¶ 88.[2] Plaintiffs also allege Chipotle's misconduct has "placed [them] at [an] increased risk of harm from identity theft," to protect against which they are "placing 'freezes' and 'alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts." Id. ¶ 89.
Plaintiffs seek several types of damages, penalties, equitable relief, injunctive relief and declaratory relief, and their attorneys' fees and costs. Id. at 74 (prayer for relief).
II. ANALYSIS
A. Standing of Plaintiffs Baker and Lawson
Defendant argues Kristin Baker and Greg Lawson do not plausibly allege injuries that would satisfy the Article III "case" or "controversy" requirement for subject matter jurisdiction. Standing is first and foremost concerned with whether a plaintiff has suffered an "injury in fact," such that resolution of his or her claim involves the judicial power, not the executive or legislative. Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992). See also Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408 (2013) ("The law of Article III standing, which is built on separation-of-powers principles, serves to prevent the judicial process from being used to usurp the powers of the political branches.").
Standing requires the plaintiff to show he or she has suffered an "injury in fact" - an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) "actual or imminent, not 'conjectural' or 'hypothetical,' ... Second, there must be a causal connection between the injury and the conduct complained of - the injury has to be "fairly ... trace[able] to the challenged action of the defendant, and not ... th[e] result [of] the independent action of some third party not before the court." ... Third, it must be "likely," as opposed to merely "speculative," that the injury will be "redressed by a favorable decision."
Lujan, 504 U.S. at 560-61 (internal citations omitted).
Plaintiffs bear the burden of proving standing. See, e.g., Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (as revised May 24, 2016). When standing is raised at the Rule 12 stage, the showing required depends on whether the defendant raises a facial or factual challenge. Holt v. United States, 46 F.3d 1000, 1002-3 (10th Cir. 1995). A "facial attack on the complaint's allegations as to subject matter jurisdiction questions the sufficiency of the complaint," and in reviewing such an attack "a district court must accept the allegations in the complaint as true." Pueblo of Jemez v. United States, 790 F.3d 1143, 1148 n.4 (10th Cir. 2015) (citing Holt). In this case, Defendant brings a facial challenge, as it does not raise facts outside the complaint for this issue. Therefore, Plaintiffs must show their allegations plausibly support standing. Lujan, 504 U.S. at 561 (standing must be shown "with the manner and degree of evidence required at the successive stages of the litigation.").
Here, Defendant takes issue with the "injury in fact" element with respect to Lawson and Baker.[3] Defendant raises three arguments. First, Defendant argues Lawson and Baker assert a "property right" or "independent value" in alleging they "lost control over the value of personal information." Doc. 36 ¶ 88. In response, Plaintiffs deny they brought such a claim. Doc. 57 (Response) at 7. However, Plaintiffs do not explain what meaning other than a property right or independent value of their PII could reasonably be inferred from the allegation in Paragraph 88. Since Plaintiffs admit they did not intend to bring a "property right" or "independent value" claim, the court recommends granting in part the Rule 12(b)(1) motion to partially dismiss Plaintiffs' claims to the extent the Amended Complaint alleges "lost control over the value of personal information." See Doc. 36 ¶¶ 88, 137, 182, 184, 238, 240.[4]
Second, Defendant argues Lawson and Baker claim they "overpaid" Chipotle by the implicit amount they believed Chipotle would spend to make the transaction secure. Defendant points to Plaintiffs' allegation of "financial losses related to purchases ... [they] would have never made had they known of Chipotle's careless approach to cybersecurity." Doc. 36 ¶ 88. Defendant cites several cases rejecting the overpayment theory in data breach cases, including Engl v. Natural Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 WL 8578252, at *3 (D. Colo. Sept. 21, 2016). In response, Plaintiffs assert that they do not bring an "overpayment" claim. Doc. 57 (Response) at 7. They argue "if Plaintiffs had known of the lax security they would not have purchased at Chipotle and so would not have suffered the financial losses they did." Id. at 8. See also Doc. 36 ¶ 88 (alleging same).
However, Plaintiffs do not address their allegations that part of the monies they paid "were supposed to be used by Chipotle ... to pay for the administrative costs of reasonable data privacy and security" (id. ¶ 169), they "paid more for that food service than they otherwise would have paid" if they had known Chipotle was not using part of the purchase price for reasonable data security in the transaction (id. ¶ 207), and the damages they seek for the portion of their purchase that Chipotle should have spent on data security. Id. ¶ 170. Plaintiffs also simultaneously defend their unjust enrichment and California Unfair Competition Law claims as premised on both theories: that they would not have made the purchases at all, and that a portion of the purchase price was implicitly directed to providing a secure transaction that Defendant did not provide. Doc. 57 (Response) at 17, 23.
The court recommends granting in part the Rule 12(b)(1) motion to the extent Plaintiffs Lawson and Baker allege overpayment, for two reasons. First, Plaintiffs argue they did not bring such a claim. This constitutes either an admission or withdrawal of the allegations that assert overpayment. Second, even if Plaintiffs did not intend to admit or withdraw their overpayment allegations for certain claims, they allege overpayment in conclusory fashion. The overpayment theory also fails for the same reasons as in Engl. Plaintiffs do not allege facts to plausibly support that part of the purchase price was dedicated to data security. Plaintiffs allege "Chipotle has acknowledged that approximately 70% of its sales are attributable to credit and debit card transactions." Doc. 36 ¶ 23. The court infers that the other 30% of Chipotle's sales are conducted with cash currency. Plaintiffs do not allege they paid higher prices than cash customers. See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1178 (D. Minn. 2014); Community Bank, 887 F.3d at 820. Plaintiffs argue that this is irrelevant because cash customers are not part of the proposed class, but they do not address the reasonable inference that a cash customer - who gives no PII to Defendant in a purchase - would pay lower prices than Plaintiffs if their "overpayment" assertion were plausible. Plaintiffs also cite cases in which an overpayment theory survived on unjust enrichment claims: In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F.Supp.3d 1183, 1201 (D. Or. 2016); In re Anthem, Inc. Data Breach Litig., 2016 U.S. Dist. LEXIS 70594, at *167-*175 (N.D. Cal. May 27, 2016); and Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012). Premera, Anthem and Resnick did not address whether the plaintiffs paid more than cash customers. Those cases in fact did not address whether the defendants even had a significant number of cash customers, considering that all three were providers of health insurance.
This brings the court to Defendant's argument that Lawson and Baker lack standing because they do not allege the actual "time and effort incurred in dealing with [his or her credit/debit card issuer] to address the fraudulent charges actually made on his account or a risk that he might be held responsible for future fraudulent charges." Doc. 43 (Motion) at 8 (quoting Engl, 2016 WL 8578252, at *7). Defendant does not take issue with whether the alleged harms are sufficiently particularized[5] or traceable, but only whether Lawson and Baker's harms are sufficiently concrete.
In Engl, the court recognizes the two well-established types of injuries that plausibly allege concrete injury in fact: "an actual harm, or ... a future harm that is 'certainly impending' or one for which there is 'a substantial risk that the harm will occur.'" Engl, 2016 WL 8578252, at *3 (quoting Clapper, 133 S.Ct. at 1147). Defendant believes Lawson and Baker argue in their response only the former (actual harm), not the latter (risk of future harm). Doc. 64 (Reply) at 1. But Lawson and Baker allege both existing injuries (Doc. 36 ¶¶ 14, 17) and a risk of future harm. Id. ¶¶ 87-104. They also argue both types of harm in their brief, albeit focused primarily on existing injuries. Doc. 57 (Response) at 5 (citing paragraph 102 of the Am. Complaint), 6 n.3 (arguing Lawson's out of pocket expense was justified to mitigate the risk of future harm), 7 (arguing "costs incurred and time spent to ... prevent future fraud against them"). The court accordingly considers the allegations of both actual harm and risk of future harm.
1. Alleged Actual Harms
Regarding actual harms, "[a] 'concrete' injury must be 'de facto'; that is, it must actually exist. ... 'Concrete' is not, however, necessarily synonymous with 'tangible.' Although tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete." Spokeo, 136 S.Ct. at 1549. "In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles." Id. It is "instructive" if the "alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts," or if Congress identified the intangible harm as sufficient. Id.
In Spokeo, plaintiff asserted a "people search engine" violated the Fair Credit Reporting Act by failing to use reasonable methods to ensure accuracy in consumer reports it provides. Plaintiff alleged Spokeo delivered inaccurate information regarding him, such as marital status, age, education and economic status. 136 S.Ct. at 1546. The Court reversed and remanded for the Ninth Circuit to address whether the alleged statutory violation was sufficiently concrete. On remand, the Ninth Circuit found the alleged FCRA violation was in itself a concrete harm, as evinced by the Congressional intent for the FCRA (to protect consumers from inaccurate reports of personal information that could affect not only their ability to obtain credit but also employment) and the similarity to longstanding reputational and privacy torts. Robins v. Spokeo, Inc., 867 F.3d 1108, 1114-15 (9th Cir. 2017), cert. denied, 138 S.Ct. 931 (2018). Plaintiff had standing because he alleged Spokeo's inaccurate report "harmed his employment prospects at a time when he was out of work and that he continues to be unemployed and suffers emotional distress as a consequence." Id. at 1111.
Spokeo's focus on whether the inaccuracy of personal information can harm the individual is likewise the focus for standing in the consumer data breach context. In Engl, plaintiff's card issuer did not hold him responsible for the unauthorized charge, and he was deprived of the use of his account for only a de minimis time. Engl, 2016 WL 8578252, at *2. In those circumstances, "[w]ithout the ability to point to time and effort incurred in dealing with Visa to address the fraudulent charges actually made on his account," the plaintiff did not allege an actual harm. Id. at *7. In Weinstein v. Intermountain Healthcare, Inc., No. 2:16-cv-00280-DN, 2017 WL 1233829, at *4 (D. Utah Apr. 3, 2017), appeal dismissed, No. 17-4071, 2017 WL 5158637 (10th Cir. July 27, 2017), plaintiff alleged defendant violated a statutory requirement to not print the expiration date of his payment card on receipts. He did not, however, allege any misuse of those receipts and thereby failed to allege injury. In Hammer v. Sam's E., Inc., No. 12-cv-2618-CM, 2013 WL 3756573, at *3 (D. Kan. July 16, 2013), plaintiff claimed defendant's website misrepresented its data security but did not allege a security breach or misuse of his information and therefore did not have standing. The Second Circuit similarly found a lack of actual harm from allegations that only payment card information was stolen, the card issuer rejected the attempted fraudulent charges, and a generic, class-wide statement of time or money spent to monitor and address the situation. Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89, 90-91 (2d Cir. 2017).
These cases contrast to consumers who allege the stolen PII was of a type sufficient to enable identity theft (i.e., social security numbers or other personal information required to open new accounts), such as Hapka v. Carecentrix, Inc., Civ. 16-2372-CM, 2016 WL 7336407 (D. Kan. Dec. 19, 2016). In Hapka, plaintiff alleged a fraudster obtained PII including social security numbers, birthdates, etc. Shortly after plaintiff was notified of the breach, the IRS notified her that someone had filed a fraudulent tax return using her information. This was sufficient actual harm to support standing.
Here, Ms. Baker alleges:
On or about March 29, 2017, [she] used her debit card to make a food purchase at ... Chipotle ... [in] Riverside, California. ... On April 3, 2017, three unauthorized charges were attempted on Plaintiff's debit card. She learned about the attempts via email alerts from her bank, for online purchases of $69.99, $19.99, and $49.99, respectively. The charge of $49.99 went through, but the others were declined. Ultimately, Plaintiff's bank refunded the unauthorized charge.
Doc. 36 ¶ 14 (in relevant part). Much like plaintiff in Engl and Whalen, Ms. Baker does not allege actual harm: she does not allege she spent time or money addressing the fraudulent charges, whether she was deprived of the use of her account for a time, nor any expenses incurred from the need to (apparently) close and reopen a new account with a new card number.[6]
Mr. Lawson alleges:
On or around March 28, 2017, ... [he] visited [a] Chipotle restaurant ... in St. Joseph, Missouri, and purchased food items using his debit card. This debit card is the primary card [he] ... uses for daily expenditures because of the cash back rewards benefit. Within a few weeks of this visit, Plaintiff Lawson was contacted by the issuing bank and advised that his debit card had been compromised as a result of the Chipotle Data Breach. The bank informed [him] ... that it would be closing the account, opening a new account, and re-issuing a new debit card. Because Plaintiff Lawson had upcoming travel plans, he paid $45 to have the new debit card expedited to him. Unfortunately, despite the attempt to expedite and the money expenditure, a new card did not arrive before he left town. Therefore, Plaintiff Lawson did not have his debit card to use for his travel expenses as he planned. As a result of having been victimized by the Chipotle Data Breach, Plaintiff Lawson has been required to spend time communicating with his bank regarding his compromised card, account transfer, and replacement card.
Doc. 36 ¶ 17 (in relevant part). Based on this paragraph, Defendant argues Mr. Lawson did not suffer a fraudulent charge. Doc. 43 (Motion) at 9; Doc. 64 (Reply) at 2. Mr. Lawson responds that he did suffer misuse of his card, citing the same paragraph. Doc. 57 (Response) at 4. Although the pleading could be clearer, Mr. Lawson's allegations reasonably infer that his issuing bank went to the trouble of closing and reissuing a new payment card because there was some attempted misuse of his payment card. Defendant is free to pursue the fact issue in discovery, but the court cannot resolve it on a facial challenge to standing.
Mr. Lawson also alleges actual harm in not obtaining the "cash back rewards" on his travel expenses. Defendant argues this is insufficient, citing Engl, 2016 WL 8578096, at *6. But in Engl, plaintiff alleged only that he lacked the use of his card for several days, not that he thereby lost cash back rewards. Defendant does not explain why the court should consider cash back rewards as having no monetary value as a matter of law. Cf. Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016) ("Kosner also alleges that he was unable to accrue points on his debit card while he was waiting for a replacement. If that loss has any monetary value (a question on which we take no position), it would be compensable").
Mr. Lawson also alleges actual harm in time spent addressing the theft of his payment card information and new card issuance. Defendant notes that unlike the other named Plaintiffs, Mr. Lawson alleges his lost time generally instead of specifying the duration, inferring he spent only de minimis time. Doc. 64 (Reply) at 2. Defendant cites Engl on this point, but in that case, plaintiff did not allege he spent any time at all. Nor do Defendant's other cited cases support its argument. In Randolph v. ING Life Ins., 486 F.Supp.2d 1, 8 (D.D.C. 2007), plaintiffs alleged their personal information was contained on a laptop stolen from a home. Because they did not allege the laptop was stolen to obtain that information, and alleged no attempts to misuse it, the court held the time and inconvenience plaintiffs incurred to monitor their credit was inadequate to allege standing. In Whalen, the court found a generic, class-wide allegation of lost time did not suffice. 689 Fed.Appx. at 91. To the extent Whalen could be read as requiring consumers to plead with specificity the amount of time they lost, this would run contrary to the pleading standard. Pueblo of Jemez, 790 F.3d at 1172 ("Under Rule 8, specific facts are not necessary; the statement need only give the defendant fair notice of what the ... claim is and the ground upon which it rests."). At this phase, the court gives reasonable inferences in Mr. Lawson's favor. Sanchez v. Hartley, 810 F.3d 750, 754 (10th Cir. 2016). Defendant is free to pursue the fact issue, but the court cannot resolve it on this motion.
Defendant argues Mr. Lawson's out of pocket expense was "self-inflicted," in the sense that no one required him to expedite delivery of his new card. It is true that "self-imposed risk-mitigation costs," when "incurred in response to a speculative threat," do not suffice for standing. Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017), cert. denied, 138 S.Ct. 981 (2018) (quoting Clapper, 568 U.S. at 416-17). But Mr. Lawson's allegations infer that he incurred the expediting fee in the attempt to not lose the cash back rewards he expected on his travel expenses. This plausibly alleges an actual harm for standing. Thus, as to Mr. Lawson, the court sees no need to reach whether he also alleges a risk of future harm. The court proceeds to that question only as to Ms. Baker.
2. Alleged Risk of Future Harm
In addition to harms that are actual and existing, a harm that is "imminent, not 'conjectural' or 'hypothetical'" also suffices for standing. Lujan, 504 U.S. at 560. "An allegation of future injury may suffice if the threatened injury is 'certainly impending,' or there is a 'substantial risk' that the harm will occur." Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014) (internal quotation marks omitted, quoting Clapper, 568 U.S. at 414, n.5). The Court has not decided whether a "substantial risk" of future harm is different from a "certainly impending" harm (see, e.g., In re SuperValu, Inc., 870 F.3d 763, 769, n.3 (8th Cir. 2017)), but both concepts require something more than an "objectively reasonable likelihood" of future harm. Clapper, 568 U.S. at 410.
Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes - that the injury is certainly impending. ... Thus, we have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient.
Id. at 409 (emphasis original, internal quotation marks omitted). In Clapper, plaintiffs lacked standing because their alleged risk of future harm - of having their private communications with international persons intercepted under the Foreign Intelligence Surveillance Act - depended on an attenuated chain of causation. In short, "'some day' speculations are insufficient." Colo. Outfitters Ass'n v. Hickenlooper, 823 F.3d 537, 551 (10th Cir. 2016).
Engl reviewed the then-extant consumer data breach cases and concluded that in order for a consumer to allege a sufficient risk of future harm from a data breach, the consumer must allege "(i) his or her credit card or other financial or personal data was exposed to hackers in a data breach, and (ii) that there is reason to believe that the hackers or others are making actual fraudulent use of the purloined data." Engl, 2016 WL 8578252 at *6. Plaintiff in that case alleged actual misuse of his stolen credit card number, and the court recognized in "ordinary circumstances," that would be sufficient to plausibly allege injury. Id. However, plaintiff's other allegations showed there was no ongoing potential for harm (the compromised account was closed, he was reimbursed, and only his payment card information was stolen), so plaintiff's assertions regarding future harm were speculative. Id.
Post-Engl, several circuit courts have addressed the issue of future harm from data breaches. See, e.g., Joseph F. Yenouskas, Levi W. Swank, Emerging Legal Issues in Data Breach Class Actions, 73 Bus. Law. 475 (Spring 2018) (collecting cases); SuperValu, 870 F.3d at 769 (also collecting cases); In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018); Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., No. 17-1506, 2018 WL 2927626, at *5-6 (4th Cir. June 12, 2018). As the Eighth Circuit notes, "[t]hese cases came to differing conclusions on the question of standing. We need not reconcile this out-of-circuit precedent because the cases ultimately turned on the substance of the allegations before each court." SuperValu, 870 F.3d at 769. That is, a risk of future identity theft is sufficient for standing only if the data breach exposed the types of PII that can enable identity theft.
For instance, in SuperValu, consumers brought a putative class action after their payment card information was stolen, alleging
The hackers installed malicious software on defendants' network that allowed them to gain access to the payment card information of defendants' customers (hereinafter, Card Information), including their names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs). By harvesting the data on the network, the hackers stole customers' Card Information.
SuperValu, 870 F.3d at 766. Those allegations are quite similar to Plaintiffs' allegations here:
When Chipotle's customers pay using credit or debit cards, Chipotle collects Customer Data related to those cards including the cardholder name, the account number, expiration date, card verification value (CVV), and PIN data for debit cards. Chipotle stores the Customer Data in its POS system and transmits this information to a third party for completion of the payment.
Beginning on or about March 24, 2017, hackers utilizing malicious software accessed the point-of-sale ("POS") systems at Chipotle and Pizzeria Locale locations throughout the United States and stole copies of customers' Card Information and other personal information. The software used in the attack was a malware strain designed to siphon data from cards when they are swiped at infected POS systems.
Doc. 36 ¶¶ 24-25. Much like Plaintiffs in this case (doc. 36 ¶¶ 91-95), plaintiffs in SuperValu alleged the breach of their payment card information caused a substantial risk of future identity theft. 870 F.3d at 770. They cited the same Government Accounting Office ("GAO") report that Plaintiffs cite here. Doc. 36 at 33, n. 24 (citing GAO 07-737, Report to Congressional Requesters, "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown," at 33 (June 2007), available at <http://www.gao.gov/new.items/d07737.pdf>). But as the Eighth Circuit notes, the GAO report lends no support to allegations of future harm if only payment card information is breached.
[T]he allegedly stolen Card Information does not include any personally identifying information, such as social security numbers, birth dates, or driver's license numbers. As the GAO report points out, compromised credit or debit card information, like the Card Information here, "generally cannot be used alone to open unauthorized new accounts." Id. at 30 ... As such, ... there is little to no risk that anyone will use the Card Information stolen in these data breaches to open unauthorized accounts in the plaintiffs' names.
SuperValu, 870 F.3d at 770.[7] See also Whalen, 689 Fed.Appx. at 90; Alonso v. Blue Sky Resorts, LLC, 179 F.Supp.3d 857, 864 (S.D. Ind. 2016), appeal dismissed (7th Cir. May 16, 2016). Plaintiffs also do not point to any historical practice or Congressional intent finding a "certainly impending" harm or "substantial risk" thereof when payment card information is stolen, once the compromised account is closed.
In this case, there is a fact issue regarding whether more than just Ms. Baker's name and credit card account number were stolen. Plaintiffs allege the stolen information includes "cardholder name, the account number, expiration date, card verification value (CVV), and PIN data for debit cards." Doc. 36 ¶¶ 24-25. See also id. ¶ 28 (alleging Chipotle confirmed a breach involving "track data" including those same categories of information "read from the magnetic stripe"). Plaintiffs allege Chipotle has not said precisely what types of information were actually taken. Id. ¶¶ 32-33. Plaintiffs allege in other data breaches, fraudsters stole personal information regarding far more customers than those whose payment card information they stole in the breach, or combine the PII obtained from multiple sources. Id. ¶¶ 44-45. On the other hand, the only named Plaintiff to allege fraudulent accounts were opened in her name is Ms. Fowler, and she alleges that occurred two months after the misuse of her stolen card information. Id. ¶ 15. However, identity theft can take years to surface. Id. ¶ 94.
In short, the court will infer from the allegations that additional personal information was taken in the Chipotle breach that could enable fraudulent accounts to be opened in Ms. Baker's name, or other benefits to be taken fraudulently in her name. This is the "ordinary circumstance" recognized in Engl. Because Ms. Baker alleges she suffered actual fraudulent charges on her account, and she does not know for certain whether PII beyond her payment card information was stolen, she plausibly alleges a certainly impending harm or substantial risk thereof. Defendant is of course free to pursue the fact issues regarding Ms. Baker's standing.
In sum, the court recommends denying the Rule 12(b)(1) motion except as to the allegations of "lost control over the value of personal information" and overpayment.
B. Failure to State a Claim
The
court turns to Defendant's motion to dismiss for failure
to state a claim under Rule 12(b)(6). A court may dismiss a
complaint for "failure to state a claim upon which
relief can be granted." See Fed. R. Civ. P.
12(b)(6). In deciding a motion under Rule 12(b)(6), we
"assume the truth of all well-pleaded facts in the
complaint, and draw all reasonable inferences therefrom in
the light most favorable to the plaintiffs." W.
Watersheds Project v. Michael, 869 F.3d 1189, 1193 (10th
Cir. 2017) (internal quotation marks omitted). However, a
plaintiff may not rely on mere labels or legal conclusions,
"and a formulaic recitation of the elements of a cause
of action will not do." Bell Atl. Corp. v.
Twombly, 550 U.S. 544, 555 (2007).
To withstand a motion to dismiss, a "complaint must allege
facts that, if true, state a claim to relief that is
plausible on its face. A claim is facially plausible when the
allegations give rise to a reasonable inference that the
defendant is liable." Big Cats of Serenity Springs, Inc.
v. Rhodes, 843 F.3d 853, 858 (10th Cir. 2016) (internal
quotation marks omitted). See also Ashcroft v.
Iqbal, 556 U.S. 662, 678 (2009). Once plaintiff pleads
sufficient facts to make the claim plausible, "a
well-pleaded complaint may proceed even if it strikes a savvy
judge that actual proof of [the alleged] facts is improbable,
and that a recovery is very remote and unlikely."
Sanchez, 810 F.3d at 756 (internal quotation marks
omitted, quoting Twombly, 550 U.S. at 556).
Generally, a court considers only the contents of the complaint when
ruling on a Rule 12(b)(6) motion. Gee v. Pacheco,
627 F.3d 1178, 1186 (10th Cir. 2010). Exceptions to this
general rule include: documents incorporated by reference in
the complaint; documents referred to in and central to the
complaint, when no party disputes their authenticity; and
"matters of which a court may take judicial
notice." Id. (quoting Tellabs, Inc. v.
Makor Issues & Rights, Ltd., 551 U.S. 308, 322
(2007)). If a plaintiff does not incorporate by reference or
attach a document to its complaint, a defendant may submit an
indisputably authentic copy which the court may consider in
ruling on the motion without converting it to summary
judgment. GFF Corp. v. Ass'd Wholesale Grocers,
Inc., 130 F.3d 1381, 1384 (10th Cir. 1997).
1. Negligence Claim (Count I)
Defendant argues the negligence claim is barred by the economic loss
doctrine. As negligence is a matter of state law, the court
must first address whether choice-of-law analysis is
required. Defendant argues this is unnecessary because in its
view these claims fail under the law of all five states in
question: the forum state (Colorado) and each named
Plaintiff's home state (Arizona, California, Illinois and
Missouri). In response, Plaintiffs argue their claims survive
under all five states' laws and do not address whether a
choice of law is necessary.[8]
"When more than one body of law may apply to a claim, the Court
need not choose which body of law to apply unless there is an
outcome determinative conflict between the potentially
applicable bodies of law." SELCO Cmty. Credit Union
v. Noodles & Co., 267 F.Supp.3d 1288, 1292 (D. Colo.
2017), appeal dismissed, No. 17-1289, 2017 WL
7668565 (10th Cir. Nov. 20, 2017) (internal quotation marks
omitted). See also Security Serv. Fed. Credit Union v.
First Am. Mortg. Funding LLC, 861 F.Supp.2d 1256, 1264
(D. Colo. 2012), recon. den'd 906 F.Supp.2d 1108
(D. Colo. 2012). The "economic loss doctrine" is
recognized in the five states at issue, but as will be seen
there are outcome-determinative differences between Colorado
on the one hand and Arizona and California on the other.
Arizona (Plaintiff Gordon). Arizona recognizes a "narrow
version" of the economic loss doctrine. Flagstaff
Affordable Hous. Ltd. P'ship v. Design All., Inc.,
223 P.3d 664, 668 (Ariz. 2010). Arizona first limits the
doctrine to contracting parties. Flagstaff, 223 P.3d
at 667. "[A]bsent any contract between the
parties," it does not apply to tort claims. Id.
Even as between contracting parties,
[r]ather than adopting the majority rule as a blanket
disallowance of tort recovery for economic losses, we think
the better rule is one which examines the loss in light of
the nature of the defect that caused it, the manner in which
it occurred, and the nature of any other contemporaneous
losses.
Salt River Project Agric. Improvement & Power Dist.
v. Westinghouse Elec. Corp., 694 P.2d 198, 209 (Ariz.
1984).
Under Salt River, the economic nature of the loss is
only one factor in a three-part test to determine whether
tort remedies will be available: a court must also consider
whether the defect was "unreasonably dangerous" and
whether the loss occurred in a "sudden, accidental
manner." ... When these factors are present, Salt
River allows a plaintiff to recover in tort for purely
economic loss.
Flagstaff, 223 P.3d at 668 (quoting Salt
River, 694 P.2d at 209).
Thus "[t]he economic loss doctrine may vary in its
application depending on context-specific policy
considerations. To determine whether the doctrine should
apply..., we must consider the underlying policies of tort
and contract law" in the case-specific context.
Id. at 669. "The principal function of the
economic loss doctrine, in our view, is to encourage private
ordering of economic relationships and to uphold the
expectations of the parties by limiting a plaintiff to
contractual remedies for loss of the benefit of the bargain.
These concerns are not implicated when the plaintiff lacks
privity and cannot pursue contractual remedies."
Id. at 671. See also Sullivan v. Pulte Home
Corp., 306 P.3d 1, 3 (Ariz. 2013) ("encourage the
private ordering of economic relationships, protect the
expectations of contracting parties, ensure the adequacy of
contractual remedies, and promote accident-deterrence and
loss-spreading.").
To date, the Arizona Supreme Court has recognized the economic
loss doctrine only in product liability and construction
cases that involved contracting parties. Flagstaff,
223 P.3d at 665. It has declined to extend the doctrine to a
non-contracting party's construction claim, even though
the party at one time "had a possible contractual
remedy under an implied warranty claim. Such a remedy was
imposed as a matter of Arizona's common law; it did not
result from any opportunity the [subsequent homeowners] had
to negotiate with [the defendant homebuilder] over
remedies." Sullivan, 306 P.3d at 3.
The District of Arizona has predicted the Arizona Supreme Court
would extend the doctrine to claims regarding credit card
payment processing between two sophisticated contracting
entities. TSYS Acquiring Sols., LLC v. Elec. Payment
Sys., LLC, No. CV10-1060 PHX, 2010 WL 3882518, at *2 (D.
Ariz. Sept. 29, 2010) (the defendant did "not argue that
it lacked the sophistication to assess risks, negotiate the
contract, or prospectively identify remedies for breach. Nor
does it allege that breach of the contract was
unforeseeable"). That court also predicted Arizona would
extend the doctrine to claims regarding damages from
underground pollution that was the subject of a contract
between two sophisticated parties. Greyhound Lines Inc.
v. Viad Corp., No. CV-15-01820-PHX-DGC, 2016 WL 6833938,
at *8 (D. Ariz. Nov. 21, 2016).
However, the District of Arizona has predicted the state would not
extend the economic loss doctrine in two data breach cases.
Cumis Ins. Society, Inc. v. Merrick Bank Corp., No.
CV-07-374-TUC-CKJ, 2008 WL 4277877 (D. Ariz. Sept. 18,
2008); In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548 (D.
Ariz. Dec. 20, 2017). In Cumis, plaintiff was the
insurer of credit unions whose customers had their payment
card information stolen from a card processor's computers
in a data breach. The insurer claimed one defendant (Merrick)
had contracted (it is unclear with whom, but not with the
insurer) to guarantee a processor's compliance with PCI
standards; the other defendant (Savvis) contracted
(apparently with Merrick or the processor) to certify the
...