Bellwether Community Credit Union v. Chipotle Mexican Grill, Inc.

          ORDER GRANTING IN PART DEFENDANT'S MOTION TO DISMISS AND DENYING PLAINTIFFS' MOTION TO STRIKE EXHIBITS

          WILLIAM J. MARTINEZ UNITED STATES DISTRICT JUDGE.

         This case arises out of a 2017 data breach of Defendant Chipotle Mexican Grill, Inc.'s (“Chipotle”) computer system and point of service terminals which resulted in the theft of customers' credit card and debit card data. Plaintiffs Bellwether Community Credit Union (“Bellwether) and Alcoa Community Federal Credit Union (“Alcoa”) (together, “Plaintiffs”) are financial institutions whose members patronized Chipotle during that period and whose data were compromised, forcing Plaintiffs to cancel and replace members' credit and debit cards and refund any fraudulent payment resulting from the data breach.

         Plaintiffs bring this lawsuit against Chipotle on behalf of themselves and those similarly situated alleging eleven causes of action: negligence, negligence per se, misappropriation of trade secrets, a claim for declaratory judgment, and violation of the unfair competition laws of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (ECF No. 44.) Before the Court is Chipotle's Motion to Dismiss (“Motion”) all of Plaintiffs' claims. (ECF No. 57.) Also before the Court is Plaintiffs' “Motion to Strike Exhibits A-C Attached to Defendant's Motion to Dismiss” (“Motion to Strike”). (ECF No. 59.) For the reasons set forth below, Plaintiffs' Motion to Strike is denied, and Defendant's Motion is granted in part and denied in part.

         I. BACKGROUND

         The Court accepts the following facts as true for purposes of the Motion.

         A. Factual Background

         Between March 24 and April 18, 2017, a hacker accessed Chipotle's computer system and installed malware that impacted point of service (“POS”) terminals at more than 2, 200 Chipotle restaurants in the United States (the “Data Breach”). (ECF No. 44 ¶ 1.)^[1] A POS system manages cash and credit card and debit card (“payment card”) transactions. Approximately 70% of Chipotle's sales are made by payment cards. (Id. ¶ 17.) When a payment card is used, data are passed from the card through a variety of systems and networks before reaching the retailer's payment processor. (Id. ¶ 18.) “Before transmitting customer data . . . POS systems typical, and very briefly, store the data in plain text within the system's memory.” (Id.) This information can be valuable to hackers who can sell payment card data on the black market. (Id. ¶ 19.) Malware installed on the POS systems allegedly permitted the hacker to access the names, payment card numbers, card expiration dates, card verification values (“CVVs”), service codes, and other information (“payment card data”) of customers who paid for their purchases at Chipotle by payment card during the breach period. (Id.)

         Understanding Plaintiffs' claims requires understanding the mechanics of payment card transactions. To process a single transaction, payment card data flows through multiple systems and parties in four major steps. (Id. ¶¶ 83, 116).

• Authorization: when a customer presents a card to make a purchase, the merchant (here, Chipotle) requests authorization of the transaction from the issuing bank (here, Plaintiffs) using the payment card data and the relevant card network (e.g., Visa or MasterCard);

• Clearance: if the issuing bank authorizes the transaction, the merchant completes the transaction with the customer, and sends a purchase receipt to its own bank (the “acquiring bank”);

• Settlement: the acquiring bank pays merchant for the purchase and sends the receipt to the issuing bank, who reimburses the acquiring bank; and

• Post-settlement: the issuing bank charges the customer's credit or debit account.

(Id. ¶¶ 96, 116, 118.) See also Selco Cmty. Credit Union v. Noodles & Co., 267 F.Supp.3d 1288, 1294 (D. Colo. 2017) (explaining the same electronic payment process); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 808-09 (7th Cir. 2018). Though not explicit in the complaint's description of a payment card transaction, payment card networks (such as Visa or MasterCard) maintain relationships with both issuing banks (such as Plaintiffs), acquiring banks (here, Chipotle's bank), and merchants (here, Chipotle). See Schnuck, 887 F.3d at 808-09. Issuing banks, acquiring banks, and merchants join payment card networks to facilitate transactions between merchants and consumers. Id. (See ECF No. 57-1; 57-2.) Payment card networks govern how transactions occur though a series of contracts and agreements. (ECF No. 44 ¶ 96; see ECF No. 57-1 (Visa rules); 57-2 (MasterCard rules).) Credit card companies and financial institutions also issue “rules and standards governing the basic measure that merchants must take to ensure consumers' valuable data are protected.” (ECF No. 44 ¶ 96.)

         The payment card data, which are encoded on the magnetic strip or chip of a payment card, are the means of authenticating the cardholder and authorizing the transaction. (Id. ¶ 117.) Data are at risk both pre-authorization, when the merchant has captured the data and they are being sent (or waiting to be sent) to the acquirer/processor, as well as post-authorization, when data are sent back to the merchant with authorization and are stored in merchant's environment for analytics and back-office processes. (Id. ¶ 83.) When payment card data are sent to the issuer during the authorization step, the issuer uses the data “to locate the computer data on the financial institution's computer for the payment card's specific record.” (Id. ¶ 118.) Thus, Plaintiffs contend, when payment card data are compromised, the corresponding computer database records become susceptible to fraud. (Id. ¶ 119.)

         When payment card data are compromised, the financial institution must issue a replacement card with new payment card data. (Id. ¶¶ 122-23.) Financial institutions are required by federal law to maintain various safeguards to protect the confidentiality of payment card data and protect them against from unauthorized use or disclosure. (Id. ¶ 133.) Federal law also makes financial institutions financially responsible from fraudulent card activity. (Id. ¶ 126.) Thus, financial institutions, the alleged owners of the payment card data, have multiple safeguards to maintain the confidentiality of payment card data. (Id. ¶¶ 117, 133.)

         Organizations issue rules and guidance for securing payment card data. The Payment Card Industry Security Standards Council promulgated the Payment Card Industry Data Security Standard (“PCI DSS”), twelve requirements which requires organization to protect payment card data and maintain adequate security measures. (Id. ¶¶ 97-98.) PCI DSS 3.2 “sets forth detailed and comprehensive requirements that must be followed to meet each of the 12 mandates.” (Id. ¶ 99.) “Chipotle's business operations and payment systems are governed by PCI DSS.” (Id. ¶ 138.) Federal agencies and other organizations have also issued guidance on how to adequately secure data. (Id. ¶¶ 101-07.) Plaintiffs contend that they rely on merchants, including Chipotle, to “keep that sensitive information secure from would-be data thieves in accordance with at least the PCI DSS requirements.” (Id. ¶ 108.)

         Plaintiffs allege that Chipotle ignored known risks to data security, disregarded warnings that its POS was incompatible with antivirus software, refused to upgrade its POS system when the manufacturer stopped providing security and technical updates, lacked adequate firewall protection and segmentation, refused to implement protocols that could have prevented malware from being installed on its systems, failed to adequately track network access and unusual activity, and did not implement EMV chip-based technology for its POS systems. (Id. ¶¶ 39, 55-56, 63, 66, 76, 78, 81, 87-88, 90-92.) In addition, Plaintiffs claim that Chipotles senior management was aware of the outdated nature of the POS systems but did not implement changes. (Id. ¶¶ 40, 58, 68, 89, 93).

         Plaintiffs assert that there are numerous measures Chipotle could have taken to prevent or limit unauthorized persons from accessing the POS systems, including end-to-end encryption of data, tokenization, and use of EMV chip-based payment cards. (Id. ¶¶ 4, 22, 84.) Encryption “mitigates security weaknesses that exist when [Payment Card Data] has been capture but not yet authorized.” (Id. ¶ 84.) Tokenization protects data by replacing payment card numbers with a series of letters and numbers as a placeholder for payment card data after a transaction is authorized. (Id. ¶¶ 4, 84.) EMV technology, which uses computer chips instead of the magnetic stripe to store data, uses dynamic data, meaning that each time the EMV chip is used, it creates a unique transaction code that cannot be reused. (Id. ¶ 91.) Thus, the switch from magnetic strips to chip technology increases payment card data security. (Id.) The payment card industry (e.g., MasterCard, Visa, Discover, and American Express) set a deadline of October 1, 2015 for business to transition their POS systems to EVM technology. (Id. ¶ 90.) Notably, Chipotle did not comply with the deadline, claiming that the chip technology would slow down its customer lines. (Id. ¶¶ 90, 92.)

         Plaintiffs allege that as a result of the breach, they have suffered a variety of damages, including monetary and property damages. They allege that they were forced to replace computer data rendered useless by the Data Breach, cancel or reissue payment cards, close accounts impacted by the Data Breach, refund cardholders for any unauthorized transactions, respond to cardholder complaints, and increase fraud monitoring efforts. (Id. ¶ 7.)

         B. Procedural History

         Bellwether filed a complaint on May 4, 2017 in this District. Bellwether alleged that venue is proper in this District in part because “a substantial part of the events giving rise to this action arose in this District.” (ECF No. 1 ¶ 13.)^[2] On September 1, 2017, the undersigned granted Bellwether and Chipotle's motion to consolidate this action with Alcoa Community Federal Credit Union v. Chipotle Mexican Grill, Inc., No. 17-cv-1283-RM-STV (D. Colo. filed May 26, 2017). (ECF No. 34.) Thereafter, Plaintiffs filed a consolidated amended complaint. (ECF No. 44 (redacted); see ECF No. 42 (unredacted).) Bellwether and Alcoa both allege claims of negligence, negligence per se, misappropriation of trade secrets, and a claim under the Declaratory Judgment Act. (ECF No. 44 ¶¶ 149-81, 275-79.)

         Plaintiffs jointly assert their misappropriation and Declaratory Judgment Act claims on behalf of a putative nationwide class of financial institutions, and their negligence claims on behalf of a putative statewide class in each of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont.^[3] (Id. ¶¶ 140-41.) Bellwether asserts violations of state unfair competition laws on behalf of itself and putative state-wide classes in California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (Id. ¶¶ 141, 195-274.) Alcoa asserts a similar putative class claim under Arkansas's unfair competition law. (Id. ¶¶ 182-94.) Each proposed statewide class is defined as

All Financial Institutions-including, but not limited to, banks and credit unions-that either (a) are located in Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, . . . [and] Vermont . . . that issue payment cards, including credit and debit cards, or perform, facilitate, or support card-issuing services, whose customers made purchases from Chipotle stores from March 1, 2017 to the present, or (b) have customers located in Arkansas, California, Florida, Main, Massachusetts, New Hampshire, . . . [and] Vermont . . . that were issued payment cards used at Chipotle stores from March 1, 2017 to the present.

(Id. ¶ 141.)^[4]

         Chipotle moves to dismiss all claims in the amended complaint, attaching excerpts of Visa and MasterCard's rules for issuing banks. Plaintiffs filed a separate “Motion to Strike Exhibits Attached to Defendant's Motion to Dismiss” (“Motion to Strike”). (ECF No. 59.) Chipotle filed two notices of supplemental authority in support of its Motion. (ECF No. 68; ECF No. 78.)

         II. LEGAL STANDARD

         A. Article III Standing

         Article III of the U.S. Constitution restricts federal courts to deciding “cases” and “controversies.” See U.S. Const. art. III, § 2, cl. 1. These words have been interpreted to restrict federal courts from giving “advisory opinions, ” Flast v. Cohen, 392 U.S. 83, 96 (1968), meaning that a federal court may not resolve questions in the abstract, but instead may only resolve “disputes arising out of specific facts when the resolution of the dispute will have practical consequences to the conduct of the parties, ” Columbian Fin. Corp. v. BancInsure, Inc., 650 F.3d 1372, 1376 (10th Cir. 2011).

         To safeguard this restriction, the Supreme Court has articulated a three-element test for “Article III standing”:

First, the plaintiff must have suffered an “injury in fact”-an invasion of a legally protected interest which is (a) concrete and particularized, and (b) “actual or imminent, not ‘conjectural' or ‘hypothetical.'” Second, there must be a causal connection between the injury and the conduct complained of . . . . Third, it must be “likely, ” as opposed to merely “speculative, ” that the injury will be “redressed by a favorable decision.”

Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992) (citations omitted; certain alterations incorporated). Importantly, “the plaintiff bears the burden of proof” to establish that these elements exist. Id. at 561; see also United States v. Bustillos, 31 F.3d 931, 933 (10th Cir. 1994) (“The party seeking to invoke the jurisdiction of a federal court must demonstrate that the case is within the court's jurisdiction. The facts supporting jurisdiction must be affirmatively alleged, and if challenged, the burden is on the party claiming that the court has subject matter jurisdiction.”). Preponderance of the evidence is the proper burden of persuasion in a proceeding to determine subject matter jurisdiction. Bustillos, 31 F.3d at 933.

         B. Rule 12(b)(6)

         Under Federal Rule of Civil Procedure 12(b)(6), a party may move to dismiss a claim in a complaint for “failure to state a claim upon which relief can be granted.” Rule 8 requires a complaint to contain “a short and plain statement showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). “Each allegation must be simple, concise, and direct.” Id. 8(d). Rule 8(a) also requires minimal factual allegations on the material elements that must be proven to recover on each of the Plaintiffs' claims. Hall v. Bellmon, 935 F.2d 1106, 1110 (10th Cir. 1991). Rule 12(b)(6) then requires the Court to “assume the truth of the plaintiff's well-pleaded factual allegations and view them in the light most favorable to the plaintiff.” Ridge at Red Hawk, LLC, 493 F.3d at 1177. In ruling on such a motion, the dispositive inquiry is “whether the complaint contains ‘enough facts to state a claim to relief that is plausible on its face.'” Id. (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).

         Granting a motion to dismiss “is a harsh remedy which must be cautiously studied, not only to effectuate the spirit of the liberal rules of pleading, but also to protect the interests of justice.” Dias v. City & Cnty. of Denver, 567 F.3d 1169, 1178 (10th Cir. 2009) (internal quotation marks omitted). “Thus, ‘a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that a recovery is very remote and unlikely.'” Id. (quoting Twombly, 550 U.S. at 556). However, “[t]he burden is on the plaintiff to frame a complaint ‘with enough factual matter (taken as true) to suggest' that he or she is entitled to relief.” Robbins v. Oklahoma, 519 F.3d 1242, 1247 (10th Cir. 2008) (quoting Twombly, 550 U.S. at 556). “[C]omplaints that are no more than ‘labels and conclusions' or ‘a formulaic recitation of the elements of a cause of action,' . . . ‘will not do.'” Id. (quoting Twombly, 550 U.S. at 555).

         III. ANALYSIS

         A. Preliminary Matter of Documents Outside the Pleadings

         Chipotle attaches to its Motion three additional documents for the Court's consideration, namely, excerpts of Visa and MasterCard's payment card network rules. (See ECF No. 57-1; 57-2; 57-3.) The Court may consider these documents if they are (1) “mentioned in the complaint, ” (2) “central to [the] claims [at issue], ” and (3) not challenged as inauthentic. Toone v. Wells Fargo Bank, N.A., 716 F.3d 516, 521 (10th Cir. 2013).^[5]

         Chipotle's Motion to dismiss Plaintiffs' negligence claim relies in part on these attached documents to establish that the parties' relationship arises out of a network of contractual obligations. (ECF No. 57 at 8-10.) However, Plaintiffs never allege the existence of any contracts directly in the complaint, and artfully plead their claims without stating the role of that payment card networks play in a payment card transaction. Plaintiffs seek to exclude these network agreement exhibits as outside the four corners of the complaint, inauthentic, and an “incomplete representation of the scope of the contractual relationship that exists among all the relevant actors in the payment card transaction process.” (ECF No. 59 at 2.)

         The Court will consider these exhibits. Plaintiffs' claims with regard to transactions are rooted in the payment card network contracts which govern the mechanics of payment card transactions. Plaintiffs allege the mechanics of payment card transactions without making explicit the role of the payment card networks. (ECF No. 44 ¶ 116.) The communication between customers, merchants, acquiring banks, and issuing banks alleged by Plaintiffs is facilitated by the payment card networks. Moreover, the existence of a relationship between the parties depends entirely on the use of payment cards, and thus documents which may govern that relationship are central to Plaintiffs' negligence claim.

         Plaintiffs' challenge to the authenticity of the documents does not impact the Court's decision to consider the contracts. Chipotle explains the genesis of the documents. (ECF No. 67 at 5.) One of the attachments was produced by MasterCard in responses to plaintiffs' subpoenas. (Id.; ECF No. 57-3.) The other documents are or were publicly available. Moreover, Plaintiffs, as signatories to the agreements, should be able to determine whether the documents are accurate or whether they are inauthentic, and have asserted nothing that would make the Court doubt the authenticity of the agreements. The Court will consider the documents as evidence of the existence of a network of contracts that govern the payment card system, and thus denies Plaintiffs' Motion to Strike.

         B. ...