United States District Court, D. Colorado
BELLWETHER COMMUNITY CREDIT UNION, on behalf of itself and all others similarly situated, Plaintiffs,
v.
CHIPOTLE MEXICAN GRILL, INC., Defendant.
ORDER GRANTING IN PART DEFENDANT'S MOTION TO DISMISS AND DENYING PLAINTIFFS' MOTION TO STRIKE EXHIBITS
WILLIAM J. MARTINEZ UNITED STATES DISTRICT JUDGE.
This case arises out of a 2017 data breach of Defendant Chipotle Mexican Grill, Inc.'s (“Chipotle”) computer system and point of service terminals which resulted in the theft of customers' credit card and debit card data. Plaintiffs Bellwether Community Credit Union (“Bellwether”) and Alcoa Community Federal Credit Union (“Alcoa”) (together, “Plaintiffs”) are financial institutions whose members patronized Chipotle during that period and whose data were compromised, forcing Plaintiffs to cancel and replace members' credit and debit cards and refund any fraudulent payment resulting from the data breach.
Plaintiffs bring this lawsuit against Chipotle on behalf of themselves and those similarly situated alleging eleven causes of action: negligence, negligence per se, misappropriation of trade secrets, a claim for declaratory judgment, and violation of the unfair competition laws of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (ECF No. 44.) Before the Court is Chipotle's Motion to Dismiss (“Motion”) all of Plaintiffs' claims. (ECF No. 57.) Also before the Court is Plaintiffs' “Motion to Strike Exhibits A-C Attached to Defendant's Motion to Dismiss” (“Motion to Strike”). (ECF No. 59.) For the reasons set forth below, Plaintiffs' Motion to Strike is denied, and Defendant's Motion is granted in part and denied in part.
I. BACKGROUND
The Court accepts the following facts as true for purposes of the Motion.
A. Factual Background
Between March 24 and April 18, 2017, a hacker accessed Chipotle's computer system and installed malware that impacted point of service (“POS”) terminals at more than 2,200 Chipotle restaurants in the United States (the “Data Breach”). (ECF No. 44 ¶ 1.)[1] A POS system manages cash and credit card and debit card (“payment card”) transactions. Approximately 70% of Chipotle's sales are made by payment cards. (Id. ¶ 17.) When a payment card is used, data are passed from the card through a variety of systems and networks before reaching the retailer's payment processor. (Id. ¶ 18.) “Before transmitting customer data . . . POS systems typically, and very briefly, store the data in plain text within the system's memory.” (Id.) This information can be valuable to hackers who can sell payment card data on the black market. (Id. ¶ 19.) Malware installed on the POS systems allegedly permitted the hacker to access the names, payment card numbers, card expiration dates, card verification values (“CVVs”), service codes, and other information (“payment card data”) of customers who paid for their purchases at Chipotle by payment card during the breach period. (Id.)
Understanding Plaintiffs' claims requires understanding the mechanics of payment card transactions. To process a single transaction, payment card data flows through multiple systems and parties in four major steps. (Id. ¶¶ 83, 116).
• Authorization: when a customer presents a card to make a purchase, the merchant (here, Chipotle) requests authorization of the transaction from the issuing bank (here, Plaintiffs) using the payment card data and the relevant card network (e.g., Visa or MasterCard);
• Clearance: if the issuing bank authorizes the transaction, the merchant completes the transaction with the customer, and sends a purchase receipt to its own bank (the “acquiring bank”);
• Settlement: the acquiring bank pays the merchant for the purchase and sends the receipt to the issuing bank, who reimburses the acquiring bank; and
• Post-settlement: the issuing bank charges the customer's credit or debit account.
(Id. ¶¶ 96, 116, 118.) See also Selco Cmty. Credit Union v. Noodles & Co., 267 F.Supp.3d 1288, 1294 (D. Colo. 2017) (explaining the same electronic payment process); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 808-09 (7th Cir. 2018). Though not explicit in the complaint's description of a payment card transaction, payment card networks (such as Visa or MasterCard) maintain relationships with issuing banks (such as Plaintiffs), acquiring banks (here, Chipotle's bank), and merchants (here, Chipotle). See Schnuck, 887 F.3d at 808-09. Issuing banks, acquiring banks, and merchants join payment card networks to facilitate transactions between merchants and consumers. Id. (See ECF No. 57-1; 57-2.) Payment card networks govern how transactions occur through a series of contracts and agreements. (ECF No. 44 ¶ 96; see ECF No. 57-1 (Visa rules); 57-2 (MasterCard rules).) Credit card companies and financial institutions also issue “rules and standards governing the basic measure that merchants must take to ensure consumers' valuable data are protected.” (ECF No. 44 ¶ 96.)
The payment card data, which are encoded on the magnetic strip or chip of a payment card, are the means of authenticating the cardholder and authorizing the transaction. (Id. ¶ 117.) Data are at risk both pre-authorization, when the merchant has captured the data and they are being sent (or waiting to be sent) to the acquirer/processor, as well as post-authorization, when data are sent back to the merchant with authorization and are stored in the merchant's environment for analytics and back-office processes. (Id. ¶ 83.) When payment card data are sent to the issuer during the authorization step, the issuer uses the data “to locate the computer data on the financial institution's computer for the payment card's specific record.” (Id. ¶ 118.) Thus, Plaintiffs contend, when payment card data are compromised, the corresponding computer database records become susceptible to fraud. (Id. ¶ 119.)
When payment card data are compromised, the financial institution must issue a replacement card with new payment card data. (Id. ¶¶ 122-23.) Financial institutions are required by federal law to maintain various safeguards to protect the confidentiality of payment card data and protect them against unauthorized use or disclosure. (Id. ¶ 133.) Federal law also makes financial institutions financially responsible for fraudulent card activity. (Id. ¶ 126.) Thus, financial institutions, the alleged owners of the payment card data, have multiple safeguards to maintain the confidentiality of payment card data. (Id. ¶¶ 117, 133.)
Organizations issue rules and guidance for securing payment card data. The Payment Card Industry Security Standards Council promulgated the Payment Card Industry Data Security Standard (“PCI DSS”), twelve requirements which require organizations to protect payment card data and maintain adequate security measures. (Id. ¶¶ 97-98.) PCI DSS 3.2 “sets forth detailed and comprehensive requirements that must be followed to meet each of the 12 mandates.” (Id. ¶ 99.) “Chipotle's business operations and payment systems are governed by PCI DSS.” (Id. ¶ 138.) Federal agencies and other organizations have also issued guidance on how to adequately secure data. (Id. ¶¶ 101-07.) Plaintiffs contend that they rely on merchants, including Chipotle, to “keep that sensitive information secure from would-be data thieves in accordance with at least the PCI DSS requirements.” (Id. ¶ 108.)
Plaintiffs allege that Chipotle ignored known risks to data security, disregarded warnings that its POS was incompatible with antivirus software, refused to upgrade its POS system when the manufacturer stopped providing security and technical updates, lacked adequate firewall protection and segmentation, refused to implement protocols that could have prevented malware from being installed on its systems, failed to adequately track network access and unusual activity, and did not implement EMV chip-based technology for its POS systems. (Id. ¶¶ 39, 55-56, 63, 66, 76, 78, 81, 87-88, 90-92.) In addition, Plaintiffs claim that Chipotle's senior management was aware of the outdated nature of the POS systems but did not implement changes. (Id. ¶¶ 40, 58, 68, 89, 93).
Plaintiffs assert that there are numerous measures Chipotle could have taken to prevent or limit unauthorized persons from accessing the POS systems, including end-to-end encryption of data, tokenization, and use of EMV chip-based payment cards. (Id. ¶¶ 4, 22, 84.) Encryption “mitigates security weaknesses that exist when [Payment Card Data] has been captured but not yet authorized.” (Id. ¶ 84.) Tokenization protects data by replacing payment card numbers with a series of letters and numbers as a placeholder for payment card data after a transaction is authorized. (Id. ¶¶ 4, 84.) EMV technology, which uses computer chips instead of the magnetic stripe to store data, uses dynamic data, meaning that each time the EMV chip is used, it creates a unique transaction code that cannot be reused. (Id. ¶ 91.) Thus, the switch from magnetic strips to chip technology increases payment card data security. (Id.) The payment card industry (e.g., MasterCard, Visa, Discover, and American Express) set a deadline of October 1, 2015 for businesses to transition their POS systems to EMV technology. (Id. ¶ 90.) Notably, Chipotle did not comply with the deadline, claiming that the chip technology would slow down its customer lines. (Id. ¶¶ 90, 92.)
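The following Python is an added illustration of the two measures the complaint describes in the paragraph above; it is not part of the Court's order or of any party's filing. It models (1) a tokenization vault, so that what a merchant stores after authorization is a random placeholder rather than the card number, and (2) EMV-style dynamic transaction data, where a per-card secret and a transaction counter produce a fresh code on every use and the issuer rejects any reuse of captured authorization data. The class and function names, the sample card number and the keys are constructed for the example, and HMAC-SHA256 over a counter stands in for the actual EMV cryptogram construction, which this simplified model does not reproduce.

```python
import hashlib
import hmac
import secrets

# Constructed sample value for the demonstration (a well-known test number); not a real card.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Hypothetical tokenization service. The PAN lives only here; the merchant's
    post-authorization records hold a random placeholder with no mathematical
    relationship to the card number."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        # Reuse an existing token so the merchant can still group a customer's
        # transactions for analytics without ever holding the PAN.
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(8)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token):
        return self._pan_by_token.get(token)


def merchant_record(vault, pan, amount_cents):
    """What a tokenizing merchant keeps after authorization: the token, not the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount_cents}


def _mac(key, pan, amount_cents, merchant_id, atc):
    # Simplified stand-in for the EMV cryptogram (assumption: HMAC-SHA256, truncated).
    msg = f"{pan}|{amount_cents}|{merchant_id}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Simplified model of EMV dynamic data: a per-card secret plus a transaction
    counter (ATC) yield a unique code for every use."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._card_key = card_key
        self.atc = 0

    def generate_cryptogram(self, amount_cents, merchant_id):
        self.atc += 1
        return {
            "pan": self.pan, "amount": amount_cents, "merchant": merchant_id,
            "atc": self.atc,
            "cryptogram": _mac(self._card_key, self.pan, amount_cents, merchant_id, self.atc),
        }


class Issuer:
    """Issuing bank: verifies the code and refuses a counter that is not strictly
    greater than the last one seen, so captured authorization data cannot be replayed."""

    def __init__(self):
        self._card_keys = {}
        self._last_atc = {}

    def enroll(self, pan):
        key = secrets.token_bytes(32)   # shared only between issuer and chip
        self._card_keys[pan] = key
        self._last_atc[pan] = 0
        return key

    def authorize(self, req):
        key = self._card_keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        expected = _mac(key, req["pan"], req["amount"], req["merchant"], req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False, "bad cryptogram"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False, "replayed transaction data"
        self._last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def demo():
    issuer = Issuer()
    card = ChipCard(SAMPLE_PAN, issuer.enroll(SAMPLE_PAN))
    vault = TokenVault()
    first = card.generate_cryptogram(1250, "store-001")
    approved = issuer.authorize(first)
    replay = issuer.authorize(first)                       # same captured data, presented again
    altered = issuer.authorize(dict(first, amount=99999))  # amount changed, code no longer matches
    second = issuer.authorize(card.generate_cryptogram(1250, "store-001"))
    record = merchant_record(vault, SAMPLE_PAN, 1250)
    return {"approved": approved, "replay": replay, "altered": altered, "second": second,
            "stored_record": record, "pan_in_record": SAMPLE_PAN in str(record)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the two properties side by side: a stored merchant record contains only the token, and the issuer approves each genuine chip transaction once while rejecting both a replay of the captured data and a tampered copy of it. A magnetic-stripe record, by contrast, is static: the same bytes authorize every time, which is the weakness the complaint's EMV allegation turns on.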
Plaintiffs allege that as a result of the breach, they have suffered a variety of damages, including monetary and property damages. They allege that they were forced to replace computer data rendered useless by the Data Breach, cancel or reissue payment cards, close accounts impacted by the Data Breach, refund cardholders for any unauthorized transactions, respond to cardholder complaints, and increase fraud monitoring efforts. (Id. ¶ 7.)
B. Procedural History
Bellwether filed a complaint on May 4, 2017 in this District. Bellwether alleged that venue is proper in this District in part because “a substantial part of the events giving rise to this action arose in this District.” (ECF No. 1 ¶ 13.)[2] On September 1, 2017, the undersigned granted Bellwether and Chipotle's motion to consolidate this action with Alcoa Community Federal Credit Union v. Chipotle Mexican Grill, Inc., No. 17-cv-1283-RM-STV (D. Colo. filed May 26, 2017). (ECF No. 34.) Thereafter, Plaintiffs filed a consolidated amended complaint. (ECF No. 44 (redacted); see ECF No. 42 (unredacted).) Bellwether and Alcoa both allege claims of negligence, negligence per se, misappropriation of trade secrets, and a claim under the Declaratory Judgment Act. (ECF No. 44 ¶¶ 149-81, 275-79.)
Plaintiffs jointly assert their misappropriation and Declaratory Judgment Act claims on behalf of a putative nationwide class of financial institutions, and their negligence claims on behalf of a putative statewide class in each of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont.[3] (Id. ¶¶ 140-41.) Bellwether asserts violations of state unfair competition laws on behalf of itself and putative state-wide classes in California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (Id. ¶¶ 141, 195-274.) Alcoa asserts a similar putative class claim under Arkansas's unfair competition law. (Id. ¶¶ 182-94.)
Each proposed statewide class is defined as
All Financial Institutions-including, but not limited to, banks and credit unions-that either (a) are located in Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, . . . [and] Vermont . . . that issue payment cards, including credit and debit cards, or perform, facilitate, or support card-issuing services, whose customers made purchases from Chipotle stores from March 1, 2017 to the present, or (b) have customers located in Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, . . . [and] Vermont . . . that were issued payment cards used at Chipotle stores from March 1, 2017 to the present.
(Id. ¶ 141.)[4]
Chipotle moves to dismiss all claims in the amended complaint, attaching excerpts of Visa and MasterCard's rules for issuing banks. Plaintiffs filed a separate “Motion to Strike Exhibits Attached to Defendant's Motion to Dismiss” (“Motion to Strike”). (ECF No. 59.) Chipotle filed two notices of supplemental authority in support of its Motion. (ECF No. 68; ECF No. 78.)
II. LEGAL STANDARD
A. Article III Standing
Article III of the U.S. Constitution restricts federal courts to deciding “cases” and “controversies.” See U.S. Const. art. III, § 2, cl. 1. These words have been interpreted to restrict federal courts from giving “advisory opinions,” Flast v. Cohen, 392 U.S. 83, 96 (1968), meaning that a federal court may not resolve questions in the abstract, but instead may only resolve “disputes arising out of specific facts when the resolution of the dispute will have practical consequences to the conduct of the parties,” Columbian Fin. Corp. v. BancInsure, Inc., 650 F.3d 1372, 1376 (10th Cir. 2011).
To safeguard this restriction, the Supreme Court has articulated a three-element test for “Article III standing”:
First, the plaintiff must have suffered an “injury in fact”-an invasion of a legally protected interest which is (a) concrete and particularized, and (b) “actual or imminent, not ‘conjectural' or ‘hypothetical.'” Second, there must be a causal connection between the injury and the conduct complained of . . . . Third, it must be “likely,” as opposed to merely “speculative,” that the injury will be “redressed by a favorable decision.”
Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992) (citations omitted; certain alterations incorporated). Importantly, “the plaintiff bears the burden of proof” to establish that these elements exist. Id. at 561; see also United States v. Bustillos, 31 F.3d 931, 933 (10th Cir. 1994) (“The party seeking to invoke the jurisdiction of a federal court must demonstrate that the case is within the court's jurisdiction. The facts supporting jurisdiction must be affirmatively alleged, and if challenged, the burden is on the party claiming that the court has subject matter jurisdiction.”). Preponderance of the evidence is the proper burden of persuasion in a proceeding to determine subject matter jurisdiction. Bustillos, 31 F.3d at 933.
B. Rule 12(b)(6)
Under Federal Rule of Civil Procedure 12(b)(6), a party may move to dismiss a claim in a complaint for “failure to state a claim upon which relief can be granted.” Rule 8 requires a complaint to contain “a short and plain statement showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). “Each allegation must be simple, concise, and direct.” Id. 8(d). Rule 8(a) also requires minimal factual allegations on the material elements that must be proven to recover on each of the Plaintiffs' claims. Hall v. Bellmon, 935 F.2d 1106, 1110 (10th Cir. 1991). Rule 12(b)(6) then requires the Court to “assume the truth of the plaintiff's well-pleaded factual allegations and view them in the light most favorable to the plaintiff.” Ridge at Red Hawk, LLC, 493 F.3d at 1177. In ruling on such a motion, the dispositive inquiry is “whether the complaint contains ‘enough facts to state a claim to relief that is plausible on its face.'” Id. (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
Granting a motion to dismiss “is a harsh remedy which must be cautiously studied, not only to effectuate the spirit of the liberal rules of pleading, but also to protect the interests of justice.” Dias v. City & Cnty. of Denver, 567 F.3d 1169, 1178 (10th Cir. 2009) (internal quotation marks omitted). “Thus, ‘a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that a recovery is very remote and unlikely.'” Id. (quoting Twombly, 550 U.S. at 556). However, “[t]he burden is on the plaintiff to frame a complaint ‘with enough factual matter (taken as true) to suggest' that he or she is entitled to relief.” Robbins v. Oklahoma, 519 F.3d 1242, 1247 (10th Cir. 2008) (quoting Twombly, 550 U.S. at 556). “[C]omplaints that are no more than ‘labels and conclusions' or ‘a formulaic recitation of the elements of a cause of action,' . . . ‘will not do.'” Id. (quoting Twombly, 550 U.S. at 555).
III. ANALYSIS
A. Preliminary Matter of Documents Outside the Pleadings
Chipotle attaches to its Motion three additional documents for the Court's consideration, namely, excerpts of Visa and MasterCard's payment card network rules. (See ECF No. 57-1; 57-2; 57-3.) The Court may consider these documents if they are (1) “mentioned in the complaint,” (2) “central to [the] claims [at issue],” and (3) not challenged as inauthentic. Toone v. Wells Fargo Bank, N.A., 716 F.3d 516, 521 (10th Cir. 2013).[5]
Chipotle's Motion to dismiss Plaintiffs' negligence claim relies in part on these attached documents to establish that the parties' relationship arises out of a network of contractual obligations. (ECF No. 57 at 8-10.) However, Plaintiffs never allege the existence of any contracts directly in the complaint, and artfully plead their claims without stating the role that payment card networks play in a payment card transaction. Plaintiffs seek to exclude these network agreement exhibits as outside the four corners of the complaint, inauthentic, and an “incomplete representation of the scope of the contractual relationship that exists among all the relevant actors in the payment card transaction process.” (ECF No. 59 at 2.)
The Court will consider these exhibits. Plaintiffs' claims with regard to transactions are rooted in the payment card network contracts which govern the mechanics of payment card transactions. Plaintiffs allege the mechanics of payment card transactions without making explicit the role of the payment card networks. (ECF No. 44 ¶ 116.) The communication between customers, merchants, acquiring banks, and issuing banks alleged by Plaintiffs is facilitated by the payment card networks. Moreover, the existence of a relationship between the parties depends entirely on the use of payment cards, and thus documents which may govern that relationship are central to Plaintiffs' negligence claim.
Plaintiffs' challenge to the authenticity of the documents does not impact the Court's decision to consider the contracts. Chipotle explains the genesis of the documents. (ECF No. 67 at 5.) One of the attachments was produced by MasterCard in response to Plaintiffs' subpoenas. (Id.; ECF No. 57-3.) The other documents are or were publicly available. Moreover, Plaintiffs, as signatories to the agreements, should be able to determine whether the documents are accurate or whether they are inauthentic, and have asserted nothing that would make the Court doubt the authenticity of the agreements. The Court will consider the documents as evidence of the existence of a network of contracts that govern the payment card system, and thus denies Plaintiffs' Motion to Strike.
B.
...