Gordon v. Chipotle Mexican Grill, Inc.

• Decision Date: 01 August 2018
• Docket Number: Civil Action No. 17-cv-1415-CMA-MLC
• Parties: TODD GORDON, et al., individually and on behalf of all others similarly situated, Plaintiffs, v, CHIPOTLE MEXICAN GRILL, INC., Defendant.
• Court: U.S. District Court — District of Colorado

TODD GORDON, et al., individually and on behalf of all others similarly situated, Plaintiffs,v,CHIPOTLE MEXICAN GRILL, INC., Defendant.

Civil Action No. 17-cv-1415-CMA-MLC

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLORADO

August 1, 2018

RECOMMENDATION ON MOTION TO DISMISS

Magistrate Judge Mark L. Carman

This purported class action regards a data breach that Defendant Chipotle Mexican Grill, Inc. ("Chipotle") experienced in early 2017. Doc. 36 (Am. Complaint) ¶ 1. Plaintiffs Todd Gordon, Marc Mercer, Kristen Mercer, Kristin Baker, Michelle Fowler, Greg Lawson and Judy Conrad allege they used credit or debit cards to make purchases at Chipotle restaurants during the data breach.¹ They allege their personally identifiable information ("PII") was thereby compromised, and consequently they had to take steps to redress fraud and protect themselves from further fraud, including identity theft. On their own behalf and that of others similarly situated, Plaintiffs bring several tort, contract, statutory and equitable claims, apparently under the laws of the states in which they made the purchases. The court has subject matter jurisdictionunder the Class Action Fairness Act of 2005 (28 U.S.C. § 1332(d)(2)(A)) and supplemental jurisdiction under 28 U.S.C. § 1367.

Defendant moves to dismiss the claims of Plaintiffs Kristin Baker and Greg Lawson for lack of standing. Defendant further moves to dismiss all claims for failure to state a claim. Judge Christine M. Arguello referred the motion to the undersigned magistrate judge for a recommendation. As follows, the court recommends granting in part and denying in part.

I. BACKGROUND

Plaintiffs allege Chipotle used inadequate measures to secure customers' payment card information it received at most of its stores in the continental United States. Among other things, Plaintiffs point in particular to Chipotle's alleged decision to not implement the payment card industry's ("PCI") "EMV technology," where EMV stands for "Europay, MasterCard and Visa." Doc. 36 ¶¶ 1-9. EMV technology is a "'global standard' for cards equipped with computer chips and technology used to authenticate chip card transactions" which generates a "unique transaction code that cannot be used again. Such technology greatly increases payment card security because if an EMV chip's information is stolen, the unique number cannot be used by the thieves, making it much more difficult for criminals to profit from what is stolen." Id. ¶ 68.

Plaintiffs allege that because Chipotle did not implement EMV technology (or other reasonable measures), its point of service ("POS") systems were vulnerable to malware that fraudsters had used several times to infiltrate other major retailers' POS, in order to steal payment card information. According to Chipotle's announcement, it discovered the malware had been operative on its POS systems from March 24, 2017 to April 18, 2017. Doc. 36 ¶ 1. Chipotle allegedly did not "timely and accurately notify Plaintiffs and Class Members that their personal and financial information had been compromised," Id. ¶ 2, and did not offer assistance, such asfree credit monitoring. Doc. 36 ¶¶ 8, 102-04. Plaintiffs assert Chipotle has still "not disclosed exactly what type of information was in fact exfiltrated in the Data Breach." Id. ¶ 32.

Plaintiffs allege their individual payment card purchases from Chipotle during the time of the data breach and specific harms each individual allegedly incurred due to the data breach. Doc. 36 ¶¶ 10-18. Overall, they allege Chipotle's data breach caused them

loss of time and money resolving fraudulent charges [and] ... obtaining protections against future identity theft; financial losses related to the purchases ... that Plaintiffs and Class members would have never made had they known of Chipotle"s careless approach to cybersecurity; lost control over the value of personal information; ... losses and fees relating to exceeding credit and debit card limits and balances, and bounced transactions; [and] harm resulting from damaged credit scores and information....

Id. ¶ 88.² Plaintiffs also allege Chipotle's misconduct has "placed [them] at [an] increased risk of harm from identity theft," to protect against which they are "placing 'freezes' and 'alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts." Id. ¶ 89. Plaintiffs seek several types of damages, penalties, equitable relief, injunctive relief, and declaratory relief, and their attorneys' fees and costs. Id. at 74 (prayer for relief).

II. ANALYSIS

A. Standing of Plaintiffs Baker and Lawson

Defendant argues Kristin Baker and Greg Lawson do not plausibly allege injuries that would satisfy the Article III "case" or "controversy" requirement for subject matter jurisdiction. Standing is first and foremost concerned with whether a plaintiff has suffered an "injury in fact," such that resolution of his or her claim involves the judicial power, not the executive or legislative. Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992). See also Clapper v. Amnesty Int'lUSA, 568 U.S. 398, 408 (2013) ("The law of Article III standing, which is built on separation-of-powers principles, serves to prevent the judicial process from being used to usurp the powers of the political branches."). Standing requires the plaintiff to show he or she has

suffered an "injury in fact"—an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) "actual or imminent, not 'conjectural' or 'hypothetical,' ... Second, there must be a causal connection between the injury and the conduct complained of—the injury has to be "fairly ... trace[able] to the challenged action of the defendant, and not ... th[e] result [of] the independent action of some third party not before the court." ... Third, it must be "likely," as opposed to merely "speculative," that the injury will be "redressed by a favorable decision."

Lujan, 504 U.S. at 560-61 (internal citations omitted).

Plaintiffs bear the burden of proving standing. See, e.g., Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (as revised May 24, 2016). When standing is raised at the Rule 12 stage, the showing required depends whether the defendant raises a facial or factual challenge. Holt v. United States, 46 F.3d 1000, 1002-3 (10th Cir. 1995). A "facial attack on the complaint's allegations as to subject matter jurisdiction questions the sufficiency of the complaint," and in reviewing such an attack "a district court must accept the allegations in the complaint as true." Pueblo of Jemez v. United States, 790 F.3d 1143, 1148 n.4 (10th Cir. 2015) (citing Holt). In this case. Defendant brings a facial challenge, as it does not raise facts outside the complaint for this issue. Therefore, Plaintiffs must show their allegations plausibly support standing. Lujan, 504 U.S. at 561 (standing must be shown "with the manner and degree of evidence required at the successive stages of the litigation.").

Here, Defendant takes issue with the "injury in fact" element with respect to Lawson and Baker.³ Defendant raises three arguments. First, Defendant argues Lawson and Baker assert a"property right" or "independent value" in alleging they "lost control over the value of personal information." Doc. 36 ¶ 88. In response, Plaintiffs deny they brought such a claim. Doc. 57 (Response) at 7. However, Plaintiffs do not explain what meaning other than a property right or independent value of their PII could reasonably be inferred from the allegation in Paragraph 88. Since Plaintiffs admit they did not intend to bring a "property right" or "independent value" claim, the court recommends granting in part the Rule 12(b)(1) motion to partially dismiss Plaintiffs' claims to the extent the Amended Complaint alleges "lost control over the value of personal information." See Doc. 36 ¶¶ 88, 137, 182, 184, 238, 240.⁴

Second, Defendant argues Lawson and Baker claim they "overpaid" Chipotle by the implicit amount they believed Chipotle would spend to make the transaction secure. Defendant points to Plaintiffs' allegation of "financial losses related to purchases ... [they] would have never made had they known of Chipotle's careless approach to cybersecurity." Doc. 36 ¶ 88. Defendant cites several cases rejecting the overpayment theory in data breach cases, including Engl v. Natural Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 WL 8578252, at *3 (D. Colo. Sept. 21, 2016). In response, Plaintiffs assert that they do not bring an "overpayment" claim. Doc. 57 (Response) at 7. They argue "if Plaintiffs had known of the lax security they would nothave purchased at Chipotle and so would not have suffered the financial losses they did." Id. at 8. See also Doc. 36 ¶ 88 (alleging same).

However, Plaintiffs do not address their allegations that part of the monies they paid "were supposed to be used by Chipotle ... to pay for the administrative costs of reasonable data privacy and security" (id. ¶ 169), they "paid more for that food service than they otherwise would have paid" if they had known Chipotle was not using part of the purchase price for reasonable data security in the transaction (id. ¶ 207), and the damages they seek for the portion of their purchase that Chipotle should have spent on data security. Id. ¶ 170. Plaintiffs also simultaneously defend their unjust enrichment and California Unfair Competition Law claims as premised on both theories that they would not have made the purchases at all, and that a portion of the purchase price was implicitly directed to providing a secure transaction that Defendant did not provide. Doc. 57 (Response) at 17, 23.

The court recommends granting in part the Rule 12(b)(1) motion to the extent Plaintiffs Lawson and Baker allege overpayment for two reasons. First, Plaintiffs argue they did not bring...