Individually v. Global Payments, Inc.
| Decision Date | 05 February 2013 |
| Docket Number | CIVIL ACTION FILE NO. 1:12-CV-01157-RWS-JFK |
| Parties | NATALIE WILLINGHAM individually, and on behalf of all others similarly situated, NADINE HIELSCHER and ROBERT HIELSCHER individually, and on behalf of all others similarly situated, Plaintiffs, v. GLOBAL PAYMENTS, INC., Defendant. |
| Court | U.S. District Court — Northern District of Georgia |
The complaint in this putative class action was filed by Plaintiff Natalie Willingham [Doc. 1] and amended after Global Payments, Inc., filed a motion to dismiss the complaint to add Nadine and Robert Hielscher as Plaintiffs and to cure deficiencies outlined in Defendant's Fed. R. Civ. P. 12(b)(1) and 12(b)(6) motion for dismissal of this action [see Doc. 19]. Plaintiffs' first amended complaint ("FAC") removes a negligence per se cause of action; no new causes of action are added. [Doc. 21]. Now pending before the court are Defendant's Rule 12(b)(1) and 12(b)(6) motion [Doc. 23] to dismiss the FAC, Plaintiffs' response [Doc. 27], and Defendant's reply [Doc. 29].
The facts relevant to the court's review of the pending motion are drawn from the FAC and the exhibits attached to Defendant's motion to dismiss. [Doc. 23, Exhibits A-C].1 Defendant Global Payments, a Georgia corporation in business for over forty years throughout the United States, Canada, Europe, and the Asia-Pacific region, is among other things "a provider of electronic transaction processing services for merchants." [FAC ¶¶ 2, 15, 22]. Defendant "contracts with retailers to handle the processing of card transactions" and, as such, is called a "merchant acquirer" or "credit card processor." [Id. ¶¶ 19, 26]. "[T]he retailer sends consumer information to GlobalPayments and Global Payments then forwards that information to Visa, MasterCard, or another issuer, who clears the transaction with the consumer's bank." [Id. ¶ 26].
On March 30, 2012, an internet security website reported: "In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised . . . the breached credit card processor was compromised between January 21, 2012[,] and February 25, 2012[,] . . . [and] full Track 1 and Track 2 data was taken -- meaning that the information could be used to counterfeit new cards." [FAC ¶ 28, citing http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach].2 [FAC at 12, n.5 (internal quotation marks omitted)].
Global Payments took the following actions. "By the end of the day on March 30, 2012, Global Payments issued a public statement acknowledging that it had been the target of an attack and had suffered unauthorized third party access into 'a portion of its processing system[ ]'. . . [and] had first learned of the unauthorized access in 'early March of 2012.'" [FAC ¶ 29]. "On April 1, 2012, Global Payments issued a press release indicating the company believed the affected portion of its processing system was confined to North America and that less than 1.5 million card numbers may have been exported." [Id. ¶ 30]. [Id. ¶ 31].
"Also on April 2, 2012, Global Payments held an investor conference call about the unauthorized third party access into Global Payment's computer systems . . . admitted that the breach involved a handful of their servers in their North American system, and . . . indicated that the information exported was believed to be limited to Track 2 data, and so would not include names or social security numbers of consumers." [Id. ¶ 32 (internal quotation marks omitted)]. Global Payments stated that "the 1.5 million potentially affected accounts had not been deactivated en masseand [that] Global Payments would look to the individual issuing institutions to monitor those accounts for fraudulent activity. . . ." [Id.]. "[S]ubsequent reports from Visa and MasterCard indicate the breach could date back to June 7, 2011." [Id. ¶ 34, citing http://krebsonsecurity.com/2012/05/global-payments-breach-window -expands/].
Prior to the announcement of the data breach, Global Payments was listed "as being PCI DSS compliant[,]" that is, it met the "Payment Card Industry Data Security Standard ("PCI DSS")." [FAC ¶¶ 37, 40]. On March 31, 2012, Visa, and, on May 2, 2012, MasterCard removed Global Payments from their lists of PCI DSS compliant payment processors. [Id. ¶ 41]. "In a press release on June 12, 2012, Global Payments continued to . . . indicate the potential card exportation was limited to Track 2 data." [Id. ¶ 35].
After returning home from a trip to Minnesota in mid-March 2012, Plaintiff Natalie Willingham, a resident of Kansas, discovered "fraudulent charges in the approximate amounts of $600 and $300 made to her Bank of America Visa card." [FAC ¶¶ 12, 51, 52]. She alleges, based upon information and belief, that she entered into one or more retail transactions with a merchant who contracts with Global Payments and that Defendant, upon receiving her sensitive "Personally Identifiable Information" ("PII") "owed a duty to [Plaintiff] . . . including the obligation to preventthat data from being stolen by outside attackers or hackers." [Id. ¶¶ 53, 54]. Willingham alleges that Global Payments breached this duty -- that her "PII was compromised by Defendant through its misconduct [and] continuing failure to provide [Plaintiff] with proper notification of the Data Breach." [Id. ¶ 55].
Plaintiffs Nadine and Robert Hielscher, who reside in California, have a Visa branded debit card issued by Chase Bank. [FAC ¶¶ 13, 14, 58]. [Id. ¶ 59]. "The following day, April 3, 2012, upon access by an unauthorized user, Robert Hielscher's debit card information was used to purchase products from militarygear.com in the amount of $303.96." [Id. ¶ 60]. Upon information and belief, the Hielschers allege that they "entered into a retail transaction with a merchant who contracts with Global Payments for credit card processing or other services, that Global Payments "obtained [their] sensitive PII [and] owed [them] a duty . . . including the obligation to prevent that data from being stolen by outsideattackers or hackers [and] breached this duty . . . through its misconduct [and] continuing failure to provide [Plaintiffs] with proper notice of the Data Breach." [Id. ¶¶ 61-63].
Plaintiffs' FAC alleges causes of action for: negligence (Count I); violation of the Federal Stored Communications Act ("SCA"), 18 U.S.C. §§ 2702(a)(1), (a)(2), (Count II); willful and negligent violation of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681(b), (Counts III and IV); violation of the Georgia Uniform Deceptive Trade Practices Act ("UDTPA"), O.C.G.A. §§ 10-1-372(5), (7), (12), (Count V); and third party beneficiary (Count VI) and implied contract (Count VII) breach of contract claims. Plaintiffs allege that:
As a direct and proximate cause of Defendant's conduct, Plaintiffs and Class Members have suffered, and will continue to suffer damages, including, but not limited to, monetary loss for fraudulent charges; interest, overdraft or "overlimit" penalties on their accounts; fear and apprehension of fraud, abuse, loss of money, and identity theft; actual identity theft; loss of privacy; the burden and cost of monitoring their credit, bank accounts and credit history; the burden and cost of closing compromised accounts and opening new accounts; the burden of closely scrutinizing credit card statements for past and future transactions; loss of time spent seeking to prevent or undo harm by monitoring their bank and credit, damages to their credit history; loss of privacy; anxiety and emotional distress, and other economic and noneconomic damages.
[Id. ¶¶ 97, 113, 125, 170, 183 (emphasis added)].3 Defendant contends that the FAC still fails to allege sufficient facts to establish Article III standing or to state a claim for which relief can be granted against Defendant.
Additional facts will be set forth as needed in the court's discussion of the Defendant's motion to dismiss the FAC.
The court must first address Defendant's Rule 12(b)(1) motion to dismiss Plaintiffs' putative class action for lack of Article III standing. "[P]rior to the certification of a class, and technically speaking before undertaking any formal typicality or commonality review, the district court must determine that at least one named class representative has Article III standing to raise each class subclaim." Prado-Steiman ex. rel. Prado v. Bush, 221 F.3d 1266, 1280 (11th Cir. 2000). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 94 S. Ct. 669, 675 (1974).
"'In essence the question of [Article III]...
To continue reading
Request your trial