In re Rutter's Inc. Data Sec. Breach Litig.

Decision Date: 05 January 2021
Docket Number: 1:20-cv-382
Citation: 511 F.Supp.3d 514
Parties: IN RE RUTTER'S INC. DATA SECURITY BREACH LITIGATION
Court: U.S. District Court — Middle District of Pennsylvania
MEMORANDUM AND ORDER

John E. Jones III, Chief Judge

The matter presently before the Court is a putative class action arising out of a data breach by third-party cybercriminals. Plaintiffs are four Pennsylvanians who used their credit or debit cards to make purchases at various Rutter's convenience stores and gas stations. They each filed suit against Rutter's after the company reported that payment card data had potentially been improperly accessed over an eight- or nine-month period from late summer 2018 through May 2019 (the "Breach Period"). The four actions were consolidated, and Rutter's has now moved to dismiss all claims. For the following reasons, we will grant in part and deny in part the motion to dismiss.

I. BACKGROUND

In accordance with the standard of review applicable to a motion to dismiss, the following facts are derived from the operative complaint and viewed in the light most favorable to the Plaintiffs.

Defendant CHR Corporation, d/b/a Rutter's ("Rutter's") is a Pennsylvania corporation that operates 72 convenience stores in Central Pennsylvania. (Doc. 30 at ¶ 26). Many of these stores also operate as gas stations. (Id.).

On February 13, 2020, Rutter's posted a statement to its website announcing the results of a third-party investigation into a possible data breach. (Id. at ¶ 31). According to that announcement, "the investigation identified evidence indicating that an unauthorized actor may have accessed payment card data from cards used on point-of-sale (POS) devices at some fuel pumps and inside some of our convenience stores through malware installed on the payment processing systems." (Id.). Rutter's said that "specific timeframes when data from cards used at the locations involved may have been accessed vary by location over the general timeframe beginning October 1, 2018 through May 29, 2019." (Id.). One Rutter's location, however, may have been implicated by the malware starting August 30, 2018, while nine other stores may have been affected as early as September 20. (Id.). The malware targeted information including customers’ names, credit or debit card numbers, expiration dates, and internal verification codes, but for customers who paid at POS devices that accept EMV-capable cards (Europay, MasterCard, and Visa), it was believed that the malware only collected the numbers and expiration dates of those cards. (Id. at ¶ 33). Plaintiffs aver that, according to security experts, thieves can still make fraudulent purchases even without a card's three-digit security code. (Id. at ¶ 37).

In response to the breach, Rutter's advised its customers to review their payment card statements for unauthorized activity and to utilize free credit reporting services. (Id. at ¶¶ 34–35). Plaintiffs allege this response did not "provid[e] meaningful assistance to consumers .... [i]n contrast to what is and has been frequently made available to consumers in recent data breaches," such as "monitoring services or fraud insurance[.]" (Id. at ¶ 36).

In all, Plaintiffs allege that Rutter's "failed to properly safeguard [putative] class members’ Card Information" despite a "continuing duty pursuant to common law, industry standards, card network rules, and representations made in its own privacy policy to keep consumers’ Card Information confidential and to protect it from unauthorized access." (Id. at ¶¶ 38–39). According to Plaintiffs, Rutter's had also been on notice from a "Security Alert" issued by Visa in November 2019 that warned of "criminal threat actors" increasingly targeting POS systems at "fuel dispenser merchants" due to the "slower migration to chip technology on many terminals[.]" (Id. at ¶ 41). Because many fuel dispensing merchants still utilize "magnetic stripe payment card" systems instead of chip readers, Visa said such merchants were "an attractive target" for hackers. (Id.). Visa warned that "[f]uel dispenser merchants should take note of this activity" and that "these attacks have the potential to compromise a high volume of payment accounts." (Id.). Plaintiffs allege that "Rutter's failed to improve its cardholder data security despite these known critical risks." (Id. at ¶ 43). Specifically, Plaintiffs list six different examples of data security failures by Rutter's, including inadequate safeguarding of card information, inadequate maintenance of its data security environment to reduce the risk of a data breach, improper monitoring of its data security systems for existing intrusions and weaknesses, a failure to perform "penetration tests to determine the strength of its payment card processing systems," improper training of its information technology staff, and its failure to "retain outside vendors to periodically test its payment card processing systems." (Id. at ¶ 48).

Plaintiffs also point to the Payment Card Industry Data Security Standards ("PCI DSS"), promulgated by the Payment Card Industry Security Standards Council, which "apply to all organizations that store, process or transmit card data." (Id. at ¶ 50). Among these "detailed comprehensive requirements" is a "mandate" to "protect all systems against malware," and a requirement to "[t]rack and monitor all access to network resources." (Id. at ¶¶ 51–53). Plaintiffs allege that Rutter's violated these standards as well as "numerous other provisions of the PCI DDS." (Id. at ¶ 54). According to Plaintiffs, "[i]ndustry experts acknowledge that a data breach is indicative of data security failures." (Id. at ¶ 57). Plaintiffs also allege that Rutter's violated Section 5 of the Federal Trade Commission Act ("FTCA"), 15 U.S.C. § 45, through its "failure to employ reasonable measures to protect against unauthorized access to confidential consumer data." (Id. at ¶¶ 58–62).

The first action against Rutter's arising out of this data breach was filed by Plaintiff Lloyd Collins on March 4, 2020. (Doc. 1). Two days later, Plaintiff Morgan K. Palermo filed her own suit against Rutter's. Palermo v. Rutter's Holdings, Inc. et al., No. 1:20-cv-398 (M.D. Pa. March 6, 2020). On March 26, 2020, we issued an order consolidating the Collins and Palermo actions as well as any future actions relating to the data breach. (Doc. 12). On April 3, 2020, we issued a second order adding two subsequently-filed suits—one filed by Plaintiff Kathleen Johnson and one by Plaintiff Jon Lavezza—into the consolidated action. (Doc. 17). Plaintiffs collectively filed the operative Amended Complaint on May 22, 2020. (Doc. 30).

The Amended Complaint brings forth five causes of action against Rutter's: negligence (Count I); negligence per se (Count II); breach of implied contract (Count III); violations of the Pennsylvania Unfair Trade Practices and Consumer Protection Law ("UTPCPL") (Count IV); and unjust enrichment (Count V). (Id. at ¶¶ 90–150). Plaintiffs seek class certification; an award of compensatory, consequential, statutory, and treble damages; injunctive relief compelling Rutter's to strengthen its data security and monitoring systems, submit to future audits of those systems, and provide class members with "several years" of free credit monitoring and identity theft insurance; and an award of attorneys’ fees, costs, and expenses, as well as pre- and post-judgment interest. (Id. at 43). Defendant Rutter's now seeks dismissal of the Amended Complaint in its entirety, and/or dismissal of Plaintiffs Johnson and Palermo for lack of standing. (Doc. 45) (the "Motion").

The Amended Complaint details the injuries allegedly incurred by each of the four plaintiffs in the data breach. Because Rutter's lodges a partial standing challenge, we will individually summarize Plaintiffs’ injuries.

a. Lloyd F. Collins

Plaintiff Collins alleges that he used a Chase credit card at Rutter's Shippensburg location—one of the stores Rutter's identified as having been impacted by the breach—on September 2, September 15, September 20, October 1, October 5, and December 12, 2018. (Doc. 30 at ¶ 8). On February 24, 2020, Plaintiff Collins discovered on his credit card account a fraudulent purchase in the amount of $2,477 from United Airlines. (Id. at ¶ 9). Chase promptly notified him of the fraudulent activity, and, after Plaintiff Collins disputed the charge, Chase cancelled the credit card and sent him a replacement, which took several days to arrive. (Id.). Chase also reimbursed Plaintiff Collins for the fraudulent charge, but it took three business days for those funds to appear in his account. (Id. at ¶ 10). Overall, Plaintiff Collins alleges he spent several hours engaging in remedial activity—in addition to his communications with Chase, Plaintiff Collins also updated various vendors with his new credit card information and set up fraud alerts for his credit history. (Id.). Plaintiff Collins avers that "[h]ad he known that Rutter's would not adequately protect his sensitive Card Information, he would not have made purchases at Rutter's." (Id. at ¶ 12).

b. Jon Lavezza

Plaintiff Lavezza alleges that he regularly made purchases at multiple Rutter's locations during the Breach Period. (Id. at ¶ 13). On around March 4, 2019, Plaintiff Lavezza discovered that his checking account (containing $1,854.96) was "compromised and emptied as a result of unauthorized access," which resulted in multiple overdraft fees. (Id. at ¶ 14). For "several days," he did not have access to his checking account, and it took one week for a new debit card to arrive. (Id. at ¶ 15). Like Plaintiff Collins, Plaintiff Lavezza alleges he lost "significant time" dealing with these troubles—he allegedly left work early one day, missed more work to file a police report, and missed another half day speaking to his bank—in addition to the "several gallons of gas" he expended driving around town remedying his injuries. (Id. at ¶ 16). Like Plaintiff Collins, Plaintif...
