Bellwether Cmty. Credit Union v. Chipotle Mexican Grill, Inc.

Decision Date: 24 October 2018
Docket Number: Civil Action No. 17-cv-1102-WJM-STV
Citation: 353 F.Supp.3d 1070
Parties: BELLWETHER COMMUNITY CREDIT UNION, on Behalf of Itself and All Others Similarly Situated, Plaintiffs, v. CHIPOTLE MEXICAN GRILL, INC., Defendant.
Court: U.S. District Court — District of Colorado

Bryan L. Bleichner, Chestnut & Cambronne, P.A., Karen Hanson Riebel, Kate M. Baxter-Kauf, Rachel M. Bohman, Lockridge Grindal Nauen P.L.L.P., Brian C Gudmundson, Zimmerman Reed, P.L.L.P., Minneapolis, MN, Arthur Mahony Murray, Caroline Thomas White, Kenneth Joseph Wink, Murray Law Firm, New Orleans, LA, Carey Alexander, Joseph Peter Guglielmo, Scott & Scott, Attorneys at Law, LLP, New York, NY, Erin Green Comite, Stephen John Teti, ScottScott, Attorneys at Law, LLP, Colchester, CT, Gary F. Lynch, Carlson Lynch Sweet Kilpela & Carpenter LLP, Pittsburgh, PA, for Plaintiffs.

Carrie Dettmer Slye, Baker & Hostetler, LLP, Cincinnati, OH, Paul Gregory Karlsgodt, Xakema Henderson, Baker & Hostetler, LLP, Denver, CO, Sam Anthony Camardo, Baker & Hostetler, LLP, Cleveland, OH, for Defendant.


William J. Martínez, United States District Judge

This case arises out of a 2017 data breach of Defendant Chipotle Mexican Grill, Inc.'s ("Chipotle") computer system and point of service terminals which resulted in the theft of customers' credit card and debit card data. Plaintiffs Bellwether Community Credit Union ("Bellwether") and Alcoa Community Federal Credit Union ("Alcoa") (together, "Plaintiffs") are financial institutions whose members patronized Chipotle during that period and whose data were compromised, forcing Plaintiffs to cancel and replace members' credit and debit cards and refund any fraudulent payment resulting from the data breach.

Plaintiffs bring this lawsuit against Chipotle on behalf of themselves and those similarly situated alleging eleven causes of action: negligence, negligence per se, misappropriation of trade secrets, a claim for declaratory judgment, and violation of the unfair competition laws of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (ECF No. 44.) Before the Court is Chipotle's Motion to Dismiss ("Motion") all of Plaintiffs' claims. (ECF No. 57.) Also before the Court is Plaintiffs' "Motion to Strike Exhibits A–C Attached to Defendant's Motion to Dismiss" ("Motion to Strike"). (ECF No. 59.) For the reasons set forth below, Plaintiffs' Motion to Strike is denied, and Defendant's Motion is granted in part and denied in part.


The Court accepts the following facts as true for purposes of the Motion.

A. Factual Background

Between March 24 and April 18, 2017, a hacker accessed Chipotle's computer system and installed malware that impacted point of service ("POS") terminals at more than 2,200 Chipotle restaurants in the United States (the "Data Breach"). (ECF No. 44 ¶ 1.) A POS system manages cash and credit card and debit card ("payment card") transactions. Approximately 70% of Chipotle's sales are made by payment cards. (Id. ¶ 17.) When a payment card is used, data are passed from the card through a variety of systems and networks before reaching the retailer's payment processor. (Id. ¶ 18.) "Before transmitting customer data ... POS systems typical, and very briefly, store the data in plain text within the system's memory." (Id.) This information can be valuable to hackers who can sell payment card data on the black market. (Id. ¶ 19.) Malware installed on the POS systems allegedly permitted the hacker to access the names, payment card numbers, card expiration dates, card verification values ("CVVs"), service codes, and other information ("payment card data") of customers who paid for their purchases at Chipotle by payment card during the breach period. (Id.)

Understanding Plaintiffs' claims requires understanding the mechanics of payment card transactions. To process a single transaction, payment card data flows through multiple systems and parties in four major steps. (Id. ¶¶ 83, 116).

Authorization: when a customer presents a card to make a purchase, the merchant (here, Chipotle) requests authorization of the transaction from the issuing bank (here, Plaintiffs) using the payment card data and the relevant card network (e.g., Visa or MasterCard);
Clearance: if the issuing bank authorizes the transaction, the merchant completes the transaction with the customer, and sends a purchase receipt to its own bank (the "acquiring bank");
Settlement: the acquiring bank pays the merchant for the purchase and sends the receipt to the issuing bank, who reimburses the acquiring bank; and
Post-settlement: the issuing bank charges the customer's credit or debit account.

(Id. ¶¶ 96, 116, 118.) See also Selco Cmty. Credit Union v. Noodles & Co., 267 F.Supp.3d 1288, 1294 (D. Colo. 2017) (explaining the same electronic payment process); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 808–09 (7th Cir. 2018). Though not explicit in the complaint's description of a payment card transaction, payment card networks (such as Visa or MasterCard) maintain relationships with both issuing banks (such as Plaintiffs), acquiring banks (here, Chipotle's bank), and merchants (here, Chipotle). See Schnuck, 887 F.3d at 808–09. Issuing banks, acquiring banks, and merchants join payment card networks to facilitate transactions between merchants and consumers. Id. (See ECF No. 57-1; 57-2.) Payment card networks govern how transactions occur through a series of contracts and agreements. (ECF No. 44 ¶ 96; see ECF No. 57-1 (Visa rules); 57-2 (MasterCard rules).) Credit card companies and financial institutions also issue "rules and standards governing the basic measure that merchants must take to ensure consumers' valuable data are protected." (ECF No. 44 ¶ 96.)

The payment card data, which are encoded on the magnetic strip or chip of a payment card, are the means of authenticating the cardholder and authorizing the transaction. (Id. ¶ 117.) Data are at risk both pre-authorization, when the merchant has captured the data and they are being sent (or waiting to be sent) to the acquirer/processor, as well as post-authorization, when data are sent back to the merchant with authorization and are stored in the merchant's environment for analytics and back-office processes. (Id. ¶ 83.) When payment card data are sent to the issuer during the authorization step, the issuer uses the data "to locate the computer data on the financial institution's computer for the payment card's specific record." (Id. ¶ 118.) Thus, Plaintiffs contend, when payment card data are compromised, the corresponding computer database records become susceptible to fraud. (Id. ¶ 119.)

When payment card data are compromised, the financial institution must issue a replacement card with new payment card data. (Id. ¶¶ 122–23.) Financial institutions are required by federal law to maintain various safeguards to protect the confidentiality of payment card data and protect them against unauthorized use or disclosure. (Id. ¶ 133.) Federal law also makes financial institutions financially responsible for fraudulent card activity. (Id. ¶ 126.) Thus, financial institutions, the alleged owners of the payment card data, have multiple safeguards to maintain the confidentiality of payment card data. (Id. ¶¶ 117, 133.)

Organizations issue rules and guidance for securing payment card data. The Payment Card Industry Security Standards Council promulgated the Payment Card Industry Data Security Standard ("PCI DSS"), twelve requirements that require organizations to protect payment card data and maintain adequate security measures. (Id. ¶¶ 97–98.) PCI DSS 3.2 "sets forth detailed and comprehensive requirements that must be followed to meet each of the 12 mandates." (Id. ¶ 99.) "Chipotle's business operations and payment systems are governed by PCI DSS." (Id. ¶ 138.) Federal agencies and other organizations have also issued guidance on how to adequately secure data. (Id. ¶¶ 101–07.)

Plaintiffs contend that they rely on merchants, including Chipotle, to "keep that sensitive information secure from would-be data thieves in accordance with at least the PCI DSS requirements." (Id. ¶ 108.)

Plaintiffs allege that Chipotle ignored known risks to data security, disregarded warnings that its POS was incompatible with antivirus software, refused to upgrade its POS system when the manufacturer stopped providing security and technical updates, lacked adequate firewall protection and segmentation, refused to implement protocols that could have prevented malware from being installed on its systems, failed to adequately track network access and unusual activity, and did not implement EMV chip-based technology for its POS systems. (Id. ¶¶ 39, 55–56, 63, 66, 76, 78, 81, 87–88, 90–92.) In addition, Plaintiffs claim that Chipotle's senior management was aware of the outdated nature of the POS systems but did not implement changes. (Id. ¶¶ 40, 58, 68, 89, 93).

Plaintiffs assert that there are numerous measures Chipotle could have taken to prevent or limit unauthorized persons from accessing the POS systems, including end-to-end encryption of data, tokenization, and use of EMV chip-based payment cards. (Id. ¶¶ 4, 22, 84.) Encryption "mitigates security weaknesses that exist when [Payment Card Data] has been capture but not yet authorized." (Id. ¶ 84.) Tokenization protects data by replacing payment card numbers with a series of letters and numbers as a placeholder for payment card data after a transaction is authorized. (Id. ¶¶ 4, 84.) EMV technology, which uses computer chips instead of the magnetic stripe to store data, uses dynamic data, meaning that each time the EMV chip is used, it creates a unique transaction code that cannot be reused. (Id. ¶ 91.) Thus, the switch from magnetic strips to chip technology increases payment card data security. (Id.) The payment card industry (e.g.,...
