Bellwether Cmty. Credit Union v. Chipotle Mexican Grill, Inc.

• Decision Date: 24 October 2018
• Docket Number: Civil Action No. 17-cv-1102-WJM-STV
• Citation: 353 F.Supp.3d 1070
• Parties: BELLWETHER COMMUNITY CREDIT UNION, on Behalf of Itself and All Others Similarly Situated, Plaintiffs, v. CHIPOTLE MEXICAN GRILL, INC., Defendant.
• Court: U.S. District Court — District of Colorado

353 F.Supp.3d 1070

BELLWETHER COMMUNITY CREDIT UNION, on Behalf of Itself and All Others Similarly Situated, Plaintiffs,

v.CHIPOTLE MEXICAN GRILL, INC., Defendant.

Civil Action No. 17-cv-1102-WJM-STV

United States District Court, D. Colorado.

Signed October 24, 2018

Bryan L. Bleichner, Chestnut & Cambronne, P.A., Karen Hanson Riebel, Kate M. Baxter-Kauf, Rachel M. Bohman, Lockridge Grindal Nauen P.L.L.P., Brian C Gudmundson, Zimmerman Reed, P.L.L.P., Minneapolis, MN, Arthur Mahony Murray, Caroline Thomas White, Kenneth Joseph Wink, Murray Law Firm, New Orleans, LA, Carey Alexander, Joseph Peter Guglielmo, Scott & Scott, Attorneys at Law, LLP, New York, NY, Erin Green Comite, Stephen John Teti, ScottScott, Attorneys at Law, LLP, Colchester, CT, Gary F. Lynch, Carlson Lynch Sweet Kilpela & Carpenter LLP, Pittsburgh, PA, for Plaintiffs.

Carrie Dettmer Slye, Baker & Hostetler, LLP, Cincinnati, OH, Paul Gregory Karlsgodt, Xakema Henderson, Baker & Hostetler, LLP, Denver, CO, Sam Anthony Camardo, Baker & Hostetler, LLP, Cleveland, OH, for Defendant.

ORDER GRANTING IN PART DEFENDANT'S MOTION TO DISMISS AND DENYING PLAINTIFFS' MOTION TO STRIKE EXHIBITS

William J. Martínez, United States District Judge

This case arises out of a 2017 data breach of Defendant Chipotle Mexican Grill, Inc.'s ("Chipotle") computer system and point of service terminals which resulted in the theft of customers' credit card and debit card data. Plaintiffs Bellwether Community Credit Union ("Bellwether) and Alcoa Community Federal Credit Union ("Alcoa") (together, "Plaintiffs") are financial institutions whose members patronized Chipotle during that period and whose data were compromised, forcing Plaintiffs to cancel and replace members' credit and debit cards and refund any fraudulent payment resulting from the data breach.

Plaintiffs bring this lawsuit against Chipotle on behalf of themselves and those similarly situated alleging eleven causes of action: negligence, negligence per se , misappropriation of trade secrets, a claim for declaratory judgment, and violation of the unfair competition laws of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (ECF No. 44.) Before the Court is Chipotle's Motion to Dismiss ("Motion") all of Plaintiffs' claims. (ECF No. 57.) Also before the Court is Plaintiffs' "Motion to Strike Exhibits A–C Attached to Defendant's Motion to Dismiss" ("Motion to Strike"). (ECF No. 59.) For the reasons set forth below, Plaintiffs' Motion to Strike is denied, and Defendant's Motion is granted in part and denied in part.

I. BACKGROUND

The Court accepts the following facts as true for purposes of the Motion.

A. Factual Background

Between March 24 and April 18, 2017, a hacker accessed Chipotle's computer system and installed malware that impacted point of service ("POS") terminals at more than 2,200 Chipotle restaurants in the United States (the "Data Breach"). (ECF No. 44 ¶ 1.)¹ A POS system manages cash and credit card and debit card ("payment card") transactions. Approximately 70% of Chipotle's sales are made by payment cards. (Id. ¶ 17.) When a payment card is used, data are passed from the card through a variety of systems and networks before reaching the retailer's payment processor. (Id. ¶ 18.) "Before transmitting customer data ... POS systems typical, and very briefly, store the data in plain text within the system's memory." (Id. ) This information can be valuable to hackers who can sell payment card data on the black market. (Id. ¶ 19.) Malware installed on the POS systems allegedly permitted the hacker to access the names, payment card numbers, card expiration dates, card verification values ("CVVs"), service codes, and other information ("payment card data") of customers who paid for their purchases at Chipotle by payment card during the breach period. (Id. )

Understanding Plaintiffs' claims requires understanding the mechanics of payment card transactions. To process a single transaction, payment card data flows through multiple systems and parties in four major steps. (Id. ¶¶ 83, 116).

• Authorization : when a customer presents a card to make a purchase, the merchant (here, Chipotle) requests authorization of the transaction from the issuing bank (here, Plaintiffs) using the payment card data and the relevant card network (e.g. , Visa or MasterCard);

• Clearance : if the issuing bank authorizes the transaction, the merchant completes the transaction with the customer, and sends a purchase receipt to its own bank (the "acquiring bank");

• Settlement : the acquiring bank pays merchant for the purchase and sends the receipt to the issuing bank, who reimburses the acquiring bank; and

• Post-settlement : the issuing bank charges the customer's credit or debit account.

(Id. ¶¶ 96, 116, 118.) See also Selco Cmty. Credit Union v. Noodles & Co. , 267 F.Supp.3d 1288, 1294 (D. Colo. 2017) (explaining the same electronic payment process); Cmty. Bank of Trenton v. Schnuck Markets, Inc. , 887 F.3d 803, 808–09 (7th Cir. 2018). Though not explicit in the complaint's description of a payment card transaction, payment card networks (such as Visa or MasterCard) maintain relationships with both issuing banks (such as Plaintiffs), acquiring banks (here, Chipotle's bank), and merchants (here, Chipotle). See Schnuck , 887 F.3d at 808–09. Issuing banks, acquiring banks, and merchants join payment card networks to facilitate transactions between merchants and consumers. Id. (See ECF No. 57-1; 57-2.) Payment card networks govern how transactions occur though a series of contracts and agreements. (ECF No. 44 ¶ 96; see ECF No. 57-1 (Visa rules); 57-2 (MasterCard rules).) Credit card companies and financial institutions also issue "rules and standards governing the basic measure that merchants must take to ensure consumers' valuable data are protected." (ECF No. 44 ¶ 96.)

The payment card data, which are encoded on the magnetic strip or chip of a payment card, are the means of authenticating the cardholder and authorizing the transaction. (Id. ¶ 117.) Data are at risk both pre-authorization, when the merchant has captured the data and they are being sent (or waiting to be sent) to the acquirer/processor, as well as post-authorization, when data are sent back to the merchant with authorization and are stored in merchant's environment for analytics and back-office processes. (Id. ¶ 83.) When payment card data are sent to the issuer during the authorization step, the issuer uses the data "to locate the computer data on the financial institution's computer for the payment card's specific record." (Id. ¶ 118.) Thus, Plaintiffs contend, when payment card data are compromised, the corresponding computer database records become susceptible to fraud. (Id. ¶ 119.)

When payment card data are compromised, the financial institution must issue a replacement card with new payment card data. (Id. ¶¶ 122–23.) Financial institutions are required by federal law to maintain various safeguards to protect the confidentiality of payment card data and protect them against from unauthorized use or disclosure. (Id. ¶ 133.) Federal law also makes financial institutions financially responsible from fraudulent card activity. (Id. ¶ 126.) Thus, financial institutions, the alleged owners of the payment card data, have multiple safeguards to maintain the confidentiality of payment card data. (Id. ¶¶ 117, 133.)

Organizations issue rules and guidance for securing payment card data. The Payment Card Industry Security Standards Council promulgated the Payment Card Industry Data Security Standard ("PCI DSS"), twelve requirements which requires organization to protect payment card data and maintain adequate security measures. (Id. ¶¶ 97–98.) PCI DSS 3.2 "sets forth detailed and comprehensive requirements that must be followed to meet each of the 12 mandates." (Id. ¶ 99.) "Chipotle's business operations and payment systems are governed by PCI DSS." (Id. ¶ 138.) Federal agencies and other organizations have also issued guidance on how to adequately secure data. (Id. ¶¶ 101–07.)

Plaintiffs contend that they rely on merchants, including Chipotle, to "keep that sensitive information secure from would-be data thieves in accordance with at least the PCI DSS requirements." (Id. ¶ 108.)

Plaintiffs allege that Chipotle ignored known risks to data security, disregarded warnings that its POS was incompatible with antivirus software, refused to upgrade its POS system when the manufacturer stopped providing security and technical updates, lacked adequate firewall protection and segmentation, refused to implement protocols that could have prevented malware from being installed on its systems, failed to adequately track network access and unusual activity, and did not implement EMV chip-based technology for its POS systems. (Id. ¶¶ 39, 55–56, 63, 66, 76, 78, 81, 87–88, 90–92.) In addition, Plaintiffs claim that Chipotles senior management was aware of the outdated nature of the POS systems but did not implement changes. (Id. ¶¶ 40, 58, 68, 89, 93).

Plaintiffs assert that there are numerous measures Chipotle could have taken to prevent or limit unauthorized persons from accessing the POS systems, including end-to-end encryption of data, tokenization, and use of EMV chip-based payment cards. (Id. ¶¶ 4, 22, 84.) Encryption "mitigates security weaknesses that exist when [Payment Card Data] has been capture but not yet authorized." (Id. ¶ 84.) Tokenization protects data by replacing payment card numbers with a series of letters and numbers as a placeholder for payment card data after a transaction is authorized. (Id. ¶¶ 4, 84.) EMV technology, which uses computer chips instead of the magnetic stripe to store data, uses dynamic data, meaning that each time the EMV chip is used, it creates a unique transaction code that cannot be reused. (Id. ¶ 91.) Thus, the switch from magnetic strips to chip technology increases payment card data security. (Id. ) The payment card industry (e.g.,...