Gordon v. Chipotle Mexican Grill, Inc.
Decision Date | 01 August 2018 |
Docket Number | Civil Action No. 17-cv-1415-CMA-MLC |
Parties | TODD GORDON, et al., individually and on behalf of all others similarly situated, Plaintiffs, v, CHIPOTLE MEXICAN GRILL, INC., Defendant. |
Court | U.S. District Court — District of Colorado |
RECOMMENDATION ON MOTION TO DISMISS
This purported class action regards a data breach that Defendant Chipotle Mexican Grill, Inc. ("Chipotle") experienced in early 2017. Doc. 36 (Am. Complaint) ¶ 1. Plaintiffs Todd Gordon, Marc Mercer, Kristen Mercer, Kristin Baker, Michelle Fowler, Greg Lawson and Judy Conrad allege they used credit or debit cards to make purchases at Chipotle restaurants during the data breach.1 They allege their personally identifiable information ("PII") was thereby compromised, and consequently they had to take steps to redress fraud and protect themselves from further fraud, including identity theft. On their own behalf and that of others similarly situated, Plaintiffs bring several tort, contract, statutory and equitable claims, apparently under the laws of the states in which they made the purchases. The court has subject matter jurisdictionunder the Class Action Fairness Act of 2005 (28 U.S.C. § 1332(d)(2)(A)) and supplemental jurisdiction under 28 U.S.C. § 1367.
Defendant moves to dismiss the claims of Plaintiffs Kristin Baker and Greg Lawson for lack of standing. Defendant further moves to dismiss all claims for failure to state a claim. Judge Christine M. Arguello referred the motion to the undersigned magistrate judge for a recommendation. As follows, the court recommends granting in part and denying in part.
Plaintiffs allege Chipotle used inadequate measures to secure customers' payment card information it received at most of its stores in the continental United States. Among other things, Plaintiffs point in particular to Chipotle's alleged decision to not implement the payment card industry's ("PCI") "EMV technology," where EMV stands for "Europay, MasterCard and Visa." Doc. 36 ¶¶ 1-9. EMV technology is a "'global standard' for cards equipped with computer chips and technology used to authenticate chip card transactions" which generates a Id. ¶ 68.
Plaintiffs allege that because Chipotle did not implement EMV technology (or other reasonable measures), its point of service ("POS") systems were vulnerable to malware that fraudsters had used several times to infiltrate other major retailers' POS, in order to steal payment card information. According to Chipotle's announcement, it discovered the malware had been operative on its POS systems from March 24, 2017 to April 18, 2017. Doc. 36 ¶ 1. Chipotle allegedly did not "timely and accurately notify Plaintiffs and Class Members that their personal and financial information had been compromised," Id. ¶ 2, and did not offer assistance, such asfree credit monitoring. Doc. 36 ¶¶ 8, 102-04. Plaintiffs assert Chipotle has still "not disclosed exactly what type of information was in fact exfiltrated in the Data Breach." Id. ¶ 32.
Id. ¶ 88.2 Plaintiffs also allege Chipotle's misconduct has "placed [them] at [an] increased risk of harm from identity theft," to protect against which they are "placing 'freezes' and 'alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts." Id. ¶ 89. Plaintiffs seek several types of damages, penalties, equitable relief, injunctive relief, and declaratory relief, and their attorneys' fees and costs. Id. at 74 (prayer for relief).
Lujan, 504 U.S. at 560-61 (internal citations omitted).
Plaintiffs bear the burden of proving standing. See, e.g., Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (as revised May 24, 2016). When standing is raised at the Rule 12 stage, the showing required depends whether the defendant raises a facial or factual challenge. Holt v. United States, 46 F.3d 1000, 1002-3 (10th Cir. 1995). A "facial attack on the complaint's allegations as to subject matter jurisdiction questions the sufficiency of the complaint," and in reviewing such an attack "a district court must accept the allegations in the complaint as true." Pueblo of Jemez v. United States, 790 F.3d 1143, 1148 n.4 (10th Cir. 2015) (citing Holt). In this case. Defendant brings a facial challenge, as it does not raise facts outside the complaint for this issue. Therefore, Plaintiffs must show their allegations plausibly support standing. Lujan, 504 U.S. at 561 ( ).
Here, Defendant takes issue with the "injury in fact" element with respect to Lawson and Baker.3 Defendant raises three arguments. First, Defendant argues Lawson and Baker assert a"property right" or "independent value" in alleging they "lost control over the value of personal information." Doc. 36 ¶ 88. In response, Plaintiffs deny they brought such a claim. Doc. 57 (Response) at 7. However, Plaintiffs do not explain what meaning other than a property right or independent value of their PII could reasonably be inferred from the allegation in Paragraph 88. Since Plaintiffs admit they did not intend to bring a "property right" or "independent value" claim, the court recommends granting in part the Rule 12(b)(1) motion to partially dismiss Plaintiffs' claims to the extent the Amended Complaint alleges "lost control over the value of personal information." See Doc. 36 ¶¶ 88, 137, 182, 184, 238, 240.4
Second, Defendant argues Lawson and Baker claim they "overpaid" Chipotle by the implicit amount they believed Chipotle would spend to make the transaction secure. Defendant points to Plaintiffs' allegation of "financial losses related to purchases ... [they] would have never made had they known of Chipotle's careless approach to cybersecurity." Doc. 36 ¶ 88. Defendant cites several cases rejecting the overpayment theory in data breach cases, including Engl v. Natural Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 WL 8578252, at *3 (D. Colo. Sept. 21, 2016). In response, Plaintiffs assert that they do not bring an "overpayment" claim. Doc. 57 (Response) at 7. They argue "if Plaintiffs had known of the lax security they would nothave purchased at Chipotle and so would not have suffered the financial losses they did." Id. at 8. See also Doc. 36 ¶ 88 (alleging same).
However, Plaintiffs do not address their allegations that part of the monies they paid "were supposed to be used by Chipotle ... to pay for the administrative costs of reasonable data privacy and security" (id. ¶ 169), they "paid more for that food service than they otherwise would have paid" if they had known Chipotle was not using part of the purchase price for reasonable data security in the transaction (id. ¶ 207), and the damages they seek for the portion of their purchase that Chipotle should have spent on data security. Id. ¶ 170. Plaintiffs also simultaneously defend their unjust enrichment and California Unfair Competition Law claims as premised on both theories that they would not have made the purchases at all, and that a portion of the purchase price was implicitly directed to providing a secure transaction that Defendant did not provide. Doc. 57 (Response) at 17, 23.
The court recommends granting in part the Rule 12(b)(1) motion to the extent Plaintiffs Lawson and Baker allege overpayment for two reasons. First, Plaintiffs argue they did not bring...
To continue reading
Request your trial