Summary
finding a plausible Declaratory Judgment Act claim where the plaintiffs sought a declaration that the defendant "owe[d] them a legal duty to secure payment card data, that [the defendant] continues to breach this legal duty, and that these ongoing breaches of duty continue to cause harm to [the plaintiffs]"
Summary of this case from Murtagh v. Bed Bath & Beyond Inc.Opinion
Civil Action No. 17-cv-1102-WJM-STV
2018-10-24
Bryan L. Bleichner, Chestnut & Cambronne, P.A., Karen Hanson Riebel, Kate M. Baxter-Kauf, Rachel M. Bohman, Lockridge Grindal Nauen P.L.L.P., Brian C Gudmundson, Zimmerman Reed, P.L.L.P., Minneapolis, MN, Arthur Mahony Murray, Caroline Thomas White, Kenneth Joseph Wink, Murray Law Firm, New Orleans, LA, Carey Alexander, Joseph Peter Guglielmo, Scott & Scott, Attorneys at Law, LLP, New York, NY, Erin Green Comite, Stephen John Teti, ScottScott, Attorneys at Law, LLP, Colchester, CT, Gary F. Lynch, Carlson Lynch Sweet Kilpela & Carpenter LLP, Pittsburgh, PA, for Plaintiffs. Carrie Dettmer Slye, Baker & Hostetler, LLP, Cincinnati, OH, Paul Gregory Karlsgodt, Xakema Henderson, Baker & Hostetler, LLP, Denver, CO, Sam Anthony Camardo, Baker & Hostetler, LLP, Cleveland, OH, for Defendant.
Bryan L. Bleichner, Chestnut & Cambronne, P.A., Karen Hanson Riebel, Kate M. Baxter-Kauf, Rachel M. Bohman, Lockridge Grindal Nauen P.L.L.P., Brian C Gudmundson, Zimmerman Reed, P.L.L.P., Minneapolis, MN, Arthur Mahony Murray, Caroline Thomas White, Kenneth Joseph Wink, Murray Law Firm, New Orleans, LA, Carey Alexander, Joseph Peter Guglielmo, Scott & Scott, Attorneys at Law, LLP, New York, NY, Erin Green Comite, Stephen John Teti, ScottScott, Attorneys at Law, LLP, Colchester, CT, Gary F. Lynch, Carlson Lynch Sweet Kilpela & Carpenter LLP, Pittsburgh, PA, for Plaintiffs.
Carrie Dettmer Slye, Baker & Hostetler, LLP, Cincinnati, OH, Paul Gregory Karlsgodt, Xakema Henderson, Baker & Hostetler, LLP, Denver, CO, Sam Anthony Camardo, Baker & Hostetler, LLP, Cleveland, OH, for Defendant.
ORDER GRANTING IN PART DEFENDANT'S MOTION TO DISMISS AND DENYING PLAINTIFFS' MOTION TO STRIKE EXHIBITS
William J. Martínez, United States District Judge
This case arises out of a 2017 data breach of Defendant Chipotle Mexican Grill, Inc.'s ("Chipotle") computer system and point of service terminals which resulted in the theft of customers' credit card and debit card data. Plaintiffs Bellwether Community Credit Union ("Bellwether) and Alcoa Community Federal Credit Union ("Alcoa") (together, "Plaintiffs") are financial institutions whose members patronized Chipotle during that period and whose data were compromised, forcing Plaintiffs to cancel and replace members' credit and debit cards and refund any fraudulent payment resulting from the data breach. Plaintiffs bring this lawsuit against Chipotle on behalf of themselves and those similarly situated alleging eleven causes of action: negligence, negligence per se , misappropriation of trade secrets, a claim for declaratory judgment, and violation of the unfair competition laws of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (ECF No. 44.) Before the Court is Chipotle's Motion to Dismiss ("Motion") all of Plaintiffs' claims. (ECF No. 57.) Also before the Court is Plaintiffs' "Motion to Strike Exhibits A–C Attached to Defendant's Motion to Dismiss" ("Motion to Strike"). (ECF No. 59.) For the reasons set forth below, Plaintiffs' Motion to Strike is denied, and Defendant's Motion is granted in part and denied in part.
I. BACKGROUND
The Court accepts the following facts as true for purposes of the Motion.
A. Factual Background
Between March 24 and April 18, 2017, a hacker accessed Chipotle's computer system and installed malware that impacted point of service ("POS") terminals at more than 2,200 Chipotle restaurants in the United States (the "Data Breach"). (ECF No. 44 ¶ 1.) A POS system manages cash and credit card and debit card ("payment card") transactions. Approximately 70% of Chipotle's sales are made by payment cards. (Id. ¶ 17.) When a payment card is used, data are passed from the card through a variety of systems and networks before reaching the retailer's payment processor. (Id. ¶ 18.) "Before transmitting customer data ... POS systems typical, and very briefly, store the data in plain text within the system's memory." (Id. ) This information can be valuable to hackers who can sell payment card data on the black market. (Id. ¶ 19.) Malware installed on the POS systems allegedly permitted the hacker to access the names, payment card numbers, card expiration dates, card verification values ("CVVs"), service codes, and other information ("payment card data") of customers who paid for their purchases at Chipotle by payment card during the breach period. (Id. )
Plaintiffs filed a restricted version of their complaint that redacted from public view non-public information obtained from Chipotle in discovery and information regarding Chipotle's data security measures. (ECF No. 42; see ECF No. 43.) See D.C.COLO.LCivR 7.2. The Court will cite to the publicly filed version, except for when referencing redacted information. In this Order, the Court has endeavored to respect Defendant's confidentiality interests. Nonetheless, having weighed the parties' confidentiality interests against the public's right of access, the Court finds that any Restricted material quoted or summarized below does not qualify for Restricted Access to the extent quoted or summarized, particularly given the need to provide a proper, publicly available explanation of the Court's decision. See D.C.COLO.LCivR 7.2 ; cf. Lucero v. Sandia Corp. , 495 F. App'x 903, 913 (10th Cir. 2012) ("The strongest arguments for [public] access [to court records] apply to materials used as the basis for a judicial decision of the merits of the case, as by summary judgment." (internal quotation marks omitted) ).
Understanding Plaintiffs' claims requires understanding the mechanics of payment card transactions. To process a single transaction, payment card data flows through multiple systems and parties in four major steps. (Id. ¶¶ 83, 116).
• Authorization : when a customer presents a card to make a purchase, the merchant (here, Chipotle) requests authorization of the transaction from the issuing bank (here, Plaintiffs) using the payment card data and the relevant card network (e.g. , Visa or MasterCard);
• Clearance : if the issuing bank authorizes the transaction, the merchant completes the transaction with
the customer, and sends a purchase receipt to its own bank (the "acquiring bank");
• Settlement : the acquiring bank pays merchant for the purchase and sends the receipt to the issuing bank, who reimburses the acquiring bank; and
• Post-settlement : the issuing bank charges the customer's credit or debit account.
(Id. ¶¶ 96, 116, 118.) See also Selco Cmty. Credit Union v. Noodles & Co. , 267 F.Supp.3d 1288, 1294 (D. Colo. 2017) (explaining the same electronic payment process); Cmty. Bank of Trenton v. Schnuck Markets, Inc. , 887 F.3d 803, 808–09 (7th Cir. 2018). Though not explicit in the complaint's description of a payment card transaction, payment card networks (such as Visa or MasterCard) maintain relationships with both issuing banks (such as Plaintiffs), acquiring banks (here, Chipotle's bank), and merchants (here, Chipotle). See Schnuck , 887 F.3d at 808–09. Issuing banks, acquiring banks, and merchants join payment card networks to facilitate transactions between merchants and consumers. Id. (See ECF No. 57-1; 57-2.) Payment card networks govern how transactions occur though a series of contracts and agreements. (ECF No. 44 ¶ 96; see ECF No. 57-1 (Visa rules); 57-2 (MasterCard rules).) Credit card companies and financial institutions also issue "rules and standards governing the basic measure that merchants must take to ensure consumers' valuable data are protected." (ECF No. 44 ¶ 96.)
The payment card data, which are encoded on the magnetic strip or chip of a payment card, are the means of authenticating the cardholder and authorizing the transaction. (Id. ¶ 117.) Data are at risk both pre-authorization, when the merchant has captured the data and they are being sent (or waiting to be sent) to the acquirer/processor, as well as post-authorization, when data are sent back to the merchant with authorization and are stored in merchant's environment for analytics and back-office processes. (Id. ¶ 83.) When payment card data are sent to the issuer during the authorization step, the issuer uses the data "to locate the computer data on the financial institution's computer for the payment card's specific record." (Id. ¶ 118.) Thus, Plaintiffs contend, when payment card data are compromised, the corresponding computer database records become susceptible to fraud. (Id. ¶ 119.)
When payment card data are compromised, the financial institution must issue a replacement card with new payment card data. (Id. ¶¶ 122–23.) Financial institutions are required by federal law to maintain various safeguards to protect the confidentiality of payment card data and protect them against from unauthorized use or disclosure. (Id. ¶ 133.) Federal law also makes financial institutions financially responsible from fraudulent card activity. (Id. ¶ 126.) Thus, financial institutions, the alleged owners of the payment card data, have multiple safeguards to maintain the confidentiality of payment card data. (Id. ¶¶ 117, 133.)
Organizations issue rules and guidance for securing payment card data. The Payment Card Industry Security Standards Council promulgated the Payment Card Industry Data Security Standard ("PCI DSS"), twelve requirements which requires organization to protect payment card data and maintain adequate security measures. (Id. ¶¶ 97–98.) PCI DSS 3.2 "sets forth detailed and comprehensive requirements that must be followed to meet each of the 12 mandates." (Id. ¶ 99.) "Chipotle's business operations and payment systems are governed by PCI DSS." (Id. ¶ 138.) Federal agencies and other organizations have also issued guidance on how to adequately secure data. (Id. ¶¶ 101–07.) Plaintiffs contend that they rely on merchants, including Chipotle, to "keep that sensitive information secure from would-be data thieves in accordance with at least the PCI DSS requirements." (Id. ¶ 108.)
Plaintiffs allege that Chipotle ignored known risks to data security, disregarded warnings that its POS was incompatible with antivirus software, refused to upgrade its POS system when the manufacturer stopped providing security and technical updates, lacked adequate firewall protection and segmentation, refused to implement protocols that could have prevented malware from being installed on its systems, failed to adequately track network access and unusual activity, and did not implement EMV chip-based technology for its POS systems. (Id. ¶¶ 39, 55–56, 63, 66, 76, 78, 81, 87–88, 90–92.) In addition, Plaintiffs claim that Chipotles senior management was aware of the outdated nature of the POS systems but did not implement changes. (Id. ¶¶ 40, 58, 68, 89, 93).
Plaintiffs assert that there are numerous measures Chipotle could have taken to prevent or limit unauthorized persons from accessing the POS systems, including end-to-end encryption of data, tokenization, and use of EMV chip-based payment cards. (Id. ¶¶ 4, 22, 84.) Encryption "mitigates security weaknesses that exist when [Payment Card Data] has been capture but not yet authorized." (Id. ¶ 84.) Tokenization protects data by replacing payment card numbers with a series of letters and numbers as a placeholder for payment card data after a transaction is authorized. (Id. ¶¶ 4, 84.) EMV technology, which uses computer chips instead of the magnetic stripe to store data, uses dynamic data, meaning that each time the EMV chip is used, it creates a unique transaction code that cannot be reused. (Id. ¶ 91.) Thus, the switch from magnetic strips to chip technology increases payment card data security. (Id. ) The payment card industry (e.g., MasterCard, Visa, Discover, and American Express) set a deadline of October 1, 2015 for business to transition their POS systems to EVM technology. (Id. ¶ 90.) Notably, Chipotle did not comply with the deadline, claiming that the chip technology would slow down its customer lines. (Id. ¶¶ 90, 92.)
Plaintiffs allege that as a result of the breach, they have suffered a variety of damages, including monetary and property damages. They allege that they were forced to replace computer data rendered useless by the Data Breach, cancel or reissue payment cards, close accounts impacted by the Data Breach, refund cardholders for any unauthorized transactions, respond to cardholder complaints, and increase fraud monitoring efforts. (Id. ¶ 7.)
B. Procedural History
Bellwether filed a complaint on May 4, 2017 in this District. Bellwether alleged that venue is proper in this District in part because "a substantial part of the events giving rise to this action arose in this District." (ECF No. 1 ¶ 13.) On September 1, 2017, the undersigned granted Bellwether and Chipotle's motion to consolidate this action with Alcoa Community Federal Credit Union v. Chipotle Mexican Grill, Inc. , Case No. 17-cv-1283-RM-STV (D. Colo. filed May 26, 2017). (ECF No. 34.) Thereafter, Plaintiffs filed a consolidated amended complaint. (ECF No. 44 (redacted); see ECF No. 42 (unredacted).) Bellwether and Alcoa both allege claims of negligence, negligence per se , misappropriation of trade secrets, and a claim under the Declaratory Judgment Act. (ECF No. 44 ¶¶ 149–81, 275–79.)
Plaintiffs similarly allege venue in their amended complaint. (ECF No. 44 ¶ 15.) ]
Plaintiffs jointly assert their misappropriation and Declaratory Judgment Act claims on behalf of a putative nationwide class of financial institutions, and their negligence claims on behalf of a putative statewide class in each of Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (Id. ¶¶ 140–41.) Bellwether asserts violations of state unfair competition laws on behalf of itself and putative state-wide classes in California, Florida, Maine, Massachusetts, New Hampshire, and Vermont. (Id. ¶¶ 141, 195–274.) Alcoa asserts a similar putative class claim under Arkansas's unfair competition law. (Id. ¶¶ 182–94.) Each proposed statewide class is defined as
Although Plaintiffs also, for some unknown reason, list Virginia and Wisconsin, Plaintiffs assert no allegations related to either state. (ECF No. 44 ¶ 141.)
All Financial Institutions—including, but not limited to, banks and credit unions—that either (a) are located in Arkansas, California, Florida, Maine, Massachusetts, New Hampshire, ...[and] Vermont ... that issue payment cards, including credit and debit cards, or perform, facilitate, or support card-issuing services, whose customers made purchases from Chipotle stores from March 1, 2017 to the present, or (b) have customers located in Arkansas, California, Florida, Main, Massachusetts, New Hampshire, ... [and] Vermont ... that were issued payment cards used at Chipotle stores from March 1, 2017 to the present.
Again, Virginia and Wisconsin are also listed although Plaintiffs assert no claims related to either state.
Chipotle moves to dismiss all claims in the amended complaint, attaching excerpts of Visa and MasterCard's rules for issuing banks. Plaintiffs filed a separate "Motion to Strike Exhibits Attached to Defendant's Motion to Dismiss" ("Motion to Strike"). (ECF No. 59.) Chipotle filed two notices of supplemental authority in support of its Motion. (ECF No. 68; ECF No. 78.)
II. LEGAL STANDARD
A. Article III Standing
Article III of the U.S. Constitution restricts federal courts to deciding "cases" and "controversies." See U.S. Const. art. III, § 2, cl. 1. These words have been interpreted to restrict federal courts from giving "advisory opinions," Flast v. Cohen , 392 U.S. 83, 96, 88 S.Ct. 1942, 20 L.Ed.2d 947 (1968), meaning that a federal court may not resolve questions in the abstract, but instead may only resolve "disputes arising out of specific facts when the resolution of the dispute will have practical consequences to the conduct of the parties," Columbian Fin. Corp. v. BancInsure, Inc. , 650 F.3d 1372, 1376 (10th Cir. 2011).
To safeguard this restriction, the Supreme Court has articulated a three-element test for "Article III standing":
First, the plaintiff must have suffered an "injury in fact"—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) "actual or imminent, not ‘conjectural’ or ‘hypothetical.’ " Second, there must be a causal connection between the injury and the conduct complained of .... Third, it must be "likely," as opposed to merely "speculative," that the injury will be "redressed by a favorable decision."
Lujan v. Defenders of Wildlife , 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (citations omitted; certain alterations incorporated). Importantly, "the plaintiff bears the burden of proof" to establish that these elements exist. Id. at 561, 112 S.Ct. 2130 ; see also United States v. Bustillos , 31 F.3d 931, 933 (10th Cir. 1994) ("The party seeking to invoke the jurisdiction of a federal court must demonstrate that the case is within the court's jurisdiction. The facts supporting jurisdiction must be affirmatively alleged, and if challenged, the burden is on the party claiming that the court has subject matter jurisdiction."). Preponderance of the evidence is the proper burden of persuasion in a proceeding to determine subject matter jurisdiction. Bustillos , 31 F.3d at 933.
B. Rule 12(b)(6)
Under Federal Rule of Civil Procedure 12(b)(6), a party may move to dismiss a claim in a complaint for "failure to state a claim upon which relief can be granted." Rule 8 requires a complaint to contain "a short and plain statement showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). "Each allegation must be simple, concise, and direct." Id. 8(d). Rule 8(a) also requires minimal factual allegations on the material elements that must be proven to recover on each of the Plaintiffs' claims. Hall v. Bellmon , 935 F.2d 1106, 1110 (10th Cir. 1991). Rule 12(b)(6) then requires the Court to "assume the truth of the plaintiff's well-pleaded factual allegations and view them in the light most favorable to the plaintiff." Ridge at Red Hawk, LLC v. Schneider , 493 F.3d 1174, 1177 (2007). In ruling on such a motion, the dispositive inquiry is "whether the complaint contains ‘enough facts to state a claim to relief that is plausible on its face.’ " Id. (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ); see also Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009).
Granting a motion to dismiss "is a harsh remedy which must be cautiously studied, not only to effectuate the spirit of the liberal rules of pleading, but also to protect the interests of justice." Dias v. City & Cnty. of Denver , 567 F.3d 1169, 1178 (10th Cir. 2009) (internal quotation marks omitted). "Thus, ‘a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that a recovery is very remote and unlikely.’ " Id. (quoting Twombly , 550 U.S. at 556, 127 S.Ct. 1955 ). However, "[t]he burden is on the plaintiff to frame a complaint ‘with enough factual matter (taken as true) to suggest’ that he or she is entitled to relief." Robbins v. Oklahoma , 519 F.3d 1242, 1247 (10th Cir. 2008) (quoting Twombly , 550 U.S. at 556, 127 S.Ct. 1955 ). "[C]omplaints that are no more than ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action,’ ... ‘will not do.’ " Id. (quoting Twombly , 550 U.S. at 555, 127 S.Ct. 1955 ).
III. ANALYSIS
A. Preliminary Matter of Documents Outside the Pleadings
Chipotle attaches to its Motion three additional documents for the Court's consideration, namely, excerpts of Visa and MasterCard's payment card network rules. (See ECF No. 57-1; 57-2; 57-3.) The Court may consider these documents if they are (1) "mentioned in the complaint," (2) "central to [the] claims [at issue]," and (3) not challenged as inauthentic. Toone v. Wells Fargo Bank, N.A. , 716 F.3d 516, 521 (10th Cir. 2013). Chipotle's Motion to dismiss Plaintiffs' negligence claim relies in part on these attached documents to establish that the parties' relationship arises out of a network of contractual obligations. (ECF No. 57 at 8–10.) However, Plaintiffs never allege the existence of any contracts directly in the complaint, and artfully plead their claims without stating the role of that payment card networks play in a payment card transaction. Plaintiffs seek to exclude these network agreement exhibits as outside the four corners of the complaint, inauthentic, and an "incomplete representation of the scope of the contractual relationship that exists among all the relevant actors in the payment card transaction process." (ECF No. 59 at 2.)
"If the rule were otherwise, a plaintiff with a deficient claim could survive a motion to dismiss simply by not attaching a dispositive document upon which the plaintiff relied." GFF Corp. v. Associated Wholesale Grocers, Inc. , 130 F.3d 1381, 1385 (10th Cir. 1997) ; see also Magellan Int'l Corp. v. Salzgitter Handel GmbH , 76 F.Supp.2d 919, 923 (N.D. Ill. 1999) ("it would be totally wasteful to uphold a claim on the false premise created by less than complete documentation when the delayed consideration of the remaining documents would lead to dismissal of that claim").
The Court will consider these exhibits. Plaintiffs' claims with regard to transactions are rooted in the payment card network contracts which govern the mechanics of payment card transactions. Plaintiffs allege the mechanics of payment card transactions without making explicit the role of the payment card networks. (ECF No. 44 ¶ 116.) The communication between customers, merchants, acquiring banks, and issuing banks alleged by Plaintiffs is facilitated by the payment card networks. Moreover, the existence of a relationship between the parties depends entirely on the use of payment cards, and thus documents which may govern that relationship are central to Plaintiffs' negligence claim.
Plaintiffs' challenge to the authenticity of the documents does not impact the Court's decision to consider the contracts. Chipotle explains the genesis of the documents. (ECF No. 67 at 5.) One of the attachments was produced by MasterCard in responses to plaintiffs' subpoenas. (Id. ; ECF No. 57-3.) The other documents are or were publicly available. Moreover, Plaintiffs, as signatories to the agreements, should be able to determine whether the documents are accurate or whether they are inauthentic, and have asserted nothing that would make the Court doubt the authenticity of the agreements. The Court will consider the documents as evidence of the existence of a network of contracts that govern the payment card system, and thus denies Plaintiffs' Motion to Strike.
B. Negligence (Claim One)
Chipotle contends that Plaintiffs' negligence claim is barred by the economic loss rule because Chipotle's relationship to Plaintiffs arises out of a series of contractual agreements. (ECF No. 57.)
In Colorado, a party suffering only economic loss from breach of a contractual duty may not assert a tort claim absent an independent duty of care. Town of Alma v. AZCO Const., Inc. , 10 P.3d 1256, 1264 (Colo. 2000) (concluding that the contract assigned a duty of care and no independent duty existed to support a negligence claim). "Economic loss is defined generally as damages other than physical harm to persons or property." Id. at 1264. To determine whether contract or tort law is the source of the duty allegedly breached, courts look at "(1) whether the relief sought in negligence is the same as the contractual relief; (2) whether there is a recognized common law duty of care in negligence; and (3) whether the negligence duty differs in any way from the contractual duty." BRW, Inc. v. Dufficy & Sons, Inc. , 99 P.3d 66, 74 (Colo. 2004).
The parties agree that Colorado law applies to Plaintiffs' negligence claims. (ECF No. 57 at 5; ECF No. 60 at 3 n.5.)
The purpose of the economic loss rule is to prevent parties from turning contract claims into tort claims, encourage parties to allocate risks and costs in their contract bargaining, and enforce those expectancy interests. Id. at 72. The economic loss rule thus serves to distinguish between contractual obligations and tort duties. Id. The economic loss rule applies even when parties do not directly contract with one another and the losses arise out of interrelated contracts. Id.
Two recent Colorado cases have explored the economic loss doctrine in the context of a payment card data breach. In Noodles & Co. , U.S. District Judge R. Brooke Jackson of this District dismissed financial institutions' negligence claims against a restaurant chain pursuant to a data breach. 267 F.Supp.3d 1288, 1294 (D. Colo. 2017). Judge Jackson found that Visa and MasterCard's rule required merchants to comply with the PCI DSS and established best practices for data security. Id. He concluded that the financial institutions had not alleged any independent duty because they sought monetary and injunctive relief and cited no support for the common law or statutory source of the alleged independent duties, and because the duties were contained in the contractual provisions. Id. at 1295.
In Gordon v. Chipotle Mexican Grill, Inc. , impacted consumers brought negligence claims against Chipotle for the same 2017 data breach at issue in this case. 2018 WL 3653173 (D. Colo. Aug. 1, 2018), adopted in part and rev'd in part , 2018 WL 4620342 (D. Colo. Sept. 26, 2018). U.S. Magistrate Judge Mark L. Carman, sitting in this District by designation, found that plaintiffs failed to allege any independent duty for merchants to safeguard consumers' payment card data separate from the payment card network agreements. Id.
The Court finds Noodles & Co. and Gordon persuasive. As in those two cases, Plaintiffs have failed to establish that Chipotle owed a duty to them independent of the interrelated contracts. Although Plaintiffs argue that the PCI DSS establish only a minimum standard of care, and thus the duty in tort law differs from that under the contracts, Plaintiffs entered into the contract and therefore agreed to the PCI DSS security measures. Plaintiffs cite no support for the existence of specific common law or statutory duties of care related to data security. See Noodles , 267 F.Supp.3d at 1295. Moreover, the contracts govern the data security standards and impose duties on the parties to protect data security in a specific way. Thus, the source of any duty regarding data security arises under the contract. Because the source of the duty is contained in the contract and there is no basis in Colorado statutory or common law for imposing a duty of care related to data security, Plaintiffs' claims are barred by the economic loss doctrine.
Plaintiffs creatively argue that they suffered property damage to their computer data in order to attempt to remove the dispute from the realm of the economic loss rule. (ECF No. 60 20–21.) See Town of Alma , 10 P.3d at 1264. The property damage exception exists because "tort law is designed to protect all citizens from the risk of physical harm to their persons or to their property." Id. Thus, if there is harm to property, tort law, not contract law, should apply.
Damage to computer data is not the sort of "risk of physical harm to ... property" that would prevent the application of the economic loss doctrine, and mandate imposing tort remedies as opposed to contractual ones. In re TJX Companies Retail Security Breach Litigation , the First Circuit rejected a similar claim where plaintiffs alleged a property interest in payment card information (electronic data). 564 F.3d 489, 498 (1st Cir. 2009), as amended on reh'g in part (May 5, 2009). While the court acknowledged that such data could have value and could be lost, it concluded that "the loss here is not a result of physical destruction of property." Id. Similarly, Plaintiffs' alleged loss to the value of electronic data did not result from any physical injury to property from the Data Breach.
Plaintiffs also argue that a number of potential factual circumstances would result in Plaintiffs' losses not being covered by the contracts. (ECF No. 60 at 8.) Plaintiffs also acknowledge that "all the facts are not before the Court." (Id. ) Notice pleading does not require a complaint to cover all possible factual scenarios. However, at the motion to dismiss stage, the Court must consider whether the facts before it state a plausible claim for relief. The Court finds that, on the facts before it, Plaintiffs have not stated a plausible negligence tort claim because the parties' relationship arises out of a network of contracts, and is thus barred by the economic loss doctrine. If there is a plausible factual basis for asserting a negligence tort claim not barred by the economic loss doctrine, Plaintiffs have failed to present it in their complaint.
Simply because a particular loss is not covered by the interrelated contracts, does not necessarily mean that a plaintiff may state a claim where a network of interrelated contracts imposes contractual obligations. See Schnuck Markets, Inc. , 887 F.3d at 815. The Seventh Circuit recently explained that, even where the details of reimbursement remedies were not clear from the contract excerpts presented, "what matters is not the details of the remedies but their existence. " Id. (emphasis in original). That court thus affirmed dismissal with prejudice of financial institutions' negligence claims against a merchant stating that "[t]he plaintiff banks seek additional recovery because they are disappointed by the reimbursement they received through the contractual card payment systems they joined voluntarily." Id. The Court finds the Seventh Circuit's reasoning persuasive. No amount of amendment of the complaint would change the essential fact that the payment card network agreements impose the relevant duties at issue here and also govern the relief available to the allegedly aggrieved parties. The Court will thus dismiss the negligence claim with prejudice.
C. Negligence Per Se (Claim 2)
Plaintiffs allege that Defendant was negligent per se because it violated a "clear duty and standard of conduct" under Section 5 of the Federal Trade Commission Act (the "FTC Act"). (ECF No. 44 at 58 ¶¶ 161–67; ECF No. 60 at 12–14.) Section 5 declares unlawful any "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a)(1). Defendant contends that the FTC does not regulate security data and that Plaintiffs are not within the class of persons Congress enacted the statute to protect. (ECF No. 57 at 15.)
In Colorado, before a plaintiff may use violation of a statutory standard to establish negligence, "the plaintiff must show that he is a member of the class the statute was intended to protect, and that the injuries he suffered were of the kind the statute was enacted to prevent." Largo Corp. v. Crespin , 727 P.2d 1098, 1108 (Colo. 1986). Thus, whether Plaintiffs can establish negligence per se depends on whether Section 5 of the FTC Act was intended to protect entities like Plaintiffs.
In enacting Section 5 of the FTC Act, Congress "charged the FTC with protecting consumers as well as competitors." FTC v. Sperry & Hutchinson Co. , 405 U.S. 233, 244, 92 S.Ct. 898, 31 L.Ed.2d 170 (1972). The paramount aim of the act is the protection of the public from the evils likely to result from the destruction of competition or the restriction of it in a substantial degree. Noodles , 267 F.Supp.3d at 1297 n. 4 (quoting FTV v. Raladam Co. , 283 U.S. 643, 647–48, 51 S.Ct. 587, 75 L.Ed. 1324 (1931) ). Thus, to use Section 5 to establish negligence per se , Plaintiffs must be consumers, competitors, or otherwise harmed by destruction of competition resulting from Defendant's acts. Id. In Noodles , Judge Jackson dismissed a financial institution's negligence per se claim against a merchant under similar facts to the instant case because plaintiff was not within the scope of intended beneficiaries of Section 5. Id.
The Court finds Noodles persuasive on this point. Like the plaintiffs in Noodles , Plaintiffs here are financial institutions who are neither consumers nor competitors of Chipotle. Nor have Plaintiffs alleged that they were otherwise harmed by destruction of competition resulting from Chipotle's acts. Instead, Plaintiffs merely allege that they are "within the class of persons" protected by Section 5 because they are "engaged in trade and commerce and bear primary responsibility for directly reimbursing customers for fraud losses and maintaining the confidentiality of Payment Card Data." (ECF No. 44 ¶ 165.) Absent a showing of harm resulting from any restriction or destruction of competition, Plaintiffs have not demonstrated that they are within the scope of intended beneficiaries of Section 5. As such, under Colorado law, Plaintiffs cannot recover under a theory of negligence per se based on violations of the FTC Act. The Court therefore dismisses Claim 2 of Plaintiffs' complaint. Because the Court cannot say with certainty that Plaintiffs will be unable to plausibly plead in a future amended complaint that they were "harmed by the restriction of competition[,]" the dismissal will be without prejudice.
D. Misappropriation of Trade Secrets (Claim 3)
Plaintiffs allege that Chipotle violated the federal Defend Trade Secrets Act, 18 U.S.C. §§ 1831 et seq. ("DTSA"), the federal analogue to state misappropriation of trade secret laws. The DTSA allows an owner of a misappropriated trade secret to bring a civil action if the trade secret is "related to a product or service used in, or intended for use in, interstate or foreign commerce" within three years. 18 U.S.C. § 1836(b). To state a claim for relief, Plaintiffs must allege: the existence of a trade secret; misappropriation of that trade secret by Chipotle; and set forth how the trade secret implicates interstate or foreign commerce. Space Sys./Loral, LLC v. Orbital ATK, Inc. , 306 F.Supp.3d 845, 853 (E.D. Va. 2018) ; Bartlett v. Bartlett , 2017 WL 5499403, at *5 (S.D. Ill. Nov. 16, 2017).
The DTSA defines a trade secret as "all forms and types of financial ... information, including ... compilations ... or codes. 18 U.S.C. § 1839(3). In addition, an owner must take "reasonable measures" to keep secret, and the trade secret must "derive[ ] independent economic value, actual or potential, from not being generally known." Id.
Neither party has cited any authority clearly establishing whether payment card data are a trade secret, nor has the Court located any. Chipotle cites cases in which courts have found that methods used to protect trade secrets, such as usernames and passwords, or the key to a safe, are not themselves trade secrets because their value is derivative of the thing that it is intended to protect. See N. Star Media, LLC v. Winogradsky-Sobel , 2011 WL 13220157, at *10–11 (C.D. Cal. May 23, 2011) ; State Analysis, Inc. v. Am. Fin. Servs. Assoc. , 621 F.Supp.2d 309, 321 (E.D. Va. 2009) ; see also MicroStrategy Inc. v. Bus. Objects, S.A. , 331 F.Supp.2d 396, 429 (E.D. Va. 2004) (expressing skepticism that a CD key is a trade secret); Tryco, Inc. v. U.S. Med. Source, L.L.C. , 80 Va. Cir. 619, 2010 WL 7373703 (2010) ("Courts have repeatedly held that collections of numbers and/or letters, whose only value is to access other potentially valuable information, do not by themselves have independent economic value."). Thus, the access mechanism—as opposed to the underlying information—has no independent economic value.
Plaintiffs argue that the payment card information is their financial data that they have taken reasonable measures to keep secret, and that these data have independent economic value. (ECF No. 44 ¶¶ 170–72; see ECF No. 60 at 15.) Plaintiffs also allege a nexus to interstate and foreign commerce. (ECF No. 44 ¶ 169.) Chipotle claims that payment card users are not under a legal obligation to keep payment card information secret and that payment cards have no independent economic value. (ECF No. 57 at 18–20.)
The Court finds that the payment card data has no independent economic value. Payment card data (including cardholder names, credit or debit card numbers, and corresponding CVVs) are akin to passwords and usernames that provide access to something of value. See N.Star Media , 2011 WL 13220157, at *11. Like the passwords and usernames at issue in North Star Media , payment card data merely provides access to an individual's line of credit with a financial institution or money in an account with a financial institution. Absent a connection to either a line of credit or a bank account, payment card data are simply a string of alpha or numeric (or indeed other typographical) symbols. Thus, the Court concludes that payment card data have no independent economic value.
The case cited by Plaintiffs does not support its argument. (ECF No. 60 at 16–17.) See Miller v. People , 193 Colo. 415, 566 P.2d 1059, 1060 (1977) ("Valuation of credit cards, however, presents a problem of first impression in this jurisdiction."). In that case, a criminal defendant attempted to sell a victim's fourteen credit cards either back to the victim or on the black market. Id. The question before the Colorado Supreme Court was whether "street value" evidence was admissible to prove the value of credit cards for the purposes of a theft prosecution. The Court determined that the credit cards had "no market value in lawful channels," and thus allowed evidence of their black market value based on the $100 "authorization-free purchase limit." Id. at 1061. Thus, Miller suggests that credit cards have no lawful market value, even if they have some illegitimate value on the black market. Id. Moreover, the Miller court tied the black market value of a physical payment card directly to the users ability to access the connected line of credit. Id. Thus, Miller can be read to support Defendant's theory that the payment card data have no independent value, but rather have value derived from their connection to an underlying financial account.
In addition to not having independent economic value, payment card data do not derive their value from their nondisclosure. Plaintiff argues that disclosure of payment card data to a third party renders "computer data for the specific payment card ... susceptible to fraud" and therefore the data loses its integrity. (ECF No. 44 ¶ 119.) This is partially correct. While disclosure to unauthorized third parties may make the underlying data susceptible to fraud, disclosure to authorized third parties (such as merchants) is the raison d'être of payment cards. In other words, disclosure to authorized parties is what makes the payment card valuable because it provides access to a line of credit or money in an account. Thus, because it derives value solely from their authorized disclosure, payment card data are not a trade secret. See 18 U.S.C. § 1839(3).
Because the Court has determined that there is no trade secret to implicate the application of the DTSA in the first instance, it does not need to assess whether the payment card data were misappropriated. The Court thus dismisses Claim 3 with prejudice.
E. Declaratory and Injunctive Relief (Claim 11)
Plaintiffs conflate requests for a declaratory judgment and injunctive relief in Claim 11. First, Plaintiffs seek a declaration under the Declaratory Judgment Act, 28 U.S.C. §§ 2201, et seq. , that Chipotle owes to them a legal duty to secure payment card data, that Chipotle continues to breach this legal duty, and that these ongoing breaches of duty continue to cause harm to Plaintiffs and members of the purported classes. (ECF No. 44 ¶¶ 277–78.) Plaintiffs also ask that the Court issue injunctive relief requiring Chipotle to employ additional security protocols. (Id. ¶ 279.)
"Injunctive relief is not a separate cause of action; rather it is one form of relief for the other legal violations alleged." Burns v. Mac , 2014 WL 1242032, at *2 n.1 (D. Colo. Mar. 26, 2014). The Court thus interprets the request for injunctive relief as the relief Plaintiffs would seek should they prevail on the merits of their claims.
The Declaratory Judgment Act, on the other hand, allows a party in an actual case or controversy to ask the court to declare the rights or other legal relations of any interested party seeking such a declaration. "The purpose of the Declaratory Judgment Act is to settle actual controversies before they ripen into violations of law or a breach of duty." United States v. Fisher-Otis Co. , 496 F.2d 1146, 1151 (10th Cir. 1974). The Declaratory Judgment Act allows parties who are uncertain of their legal rights to seek a declaration of rights from a federal court prior to injury. Kunkel v. Cont'l Cas. Co. , 866 F.2d 1269, 1274 (10th Cir. 1989) ; see also MedImmune, Inc. v. Genentech, Inc. , 549 U.S. 118, 138, 127 S.Ct. 764, 166 L.Ed.2d 604 (2007) ("[T]he Act merely provides a different procedure for bringing an actual case or controversy before a federal court....").
Chipotle summarily contends that Plaintiffs' claim for declaratory relief is not an independent cause of action, and thus should be dismissed. In support, Chipotle quotes two cases out of context. First, in CCPS Transportation, LLC v. Sloan , the Tenth Circuit found, in an unpublished decision, that Rule 54(b) certification of an order granting partial summary judgment was inappropriate where plaintiff had improperly separated his single claim into three parts, each corresponding to the relief requested. 611 F. App'x 931 (10th Cir. 2015). Here, unlike in CCPS Transportation , Plaintiffs do not request a declaration merely as relief sought in connection with another claim; rather Plaintiffs make a separate claim under the Declaratory Relief Act. Second, in Savant Homes v. Collins , this Court dismissed a claim for declaratory relief, only after it granted summary judgment on all other claims in the case, leaving the declaratory judgment cause of action an empty vessel devoid of content and therefore—in that context—purely a remedy and not a cause of action. 2015 WL 899302, at *11 (D. Colo. Feb. 27, 2015), aff'd , 809 F.3d 1133 (10th Cir. 2016) ; cf. United Fire & Cas. Co. v. Contractor Heating, Inc. , 2008 WL 2572124, at *4 (D. Colo. June 24, 2008) (holding that the "lack of an underlying complaint... [was] fatal to [the Court's] ability to render a decision in this action seeking anticipatory declaratory relief on the issue"). Here, there is a live controversy, and as a result dismissal is not appropriate at this time. The Court thus denies Chipotle's Motion with respect to Claim 11.
Chipotle makes a limited argument: Plaintiffs' claim for declaratory relief is a remedy, not a cause of action. As discussed, this is incorrect in the current context. Chipotle does not raise any argument as to whether the Court should exercise its power to enter a declaratory judgment. St. Paul Fire & Marine Ins. Co. v. Runyon , 53 F.3d 1167, 1168 (10th Cir. 1995) (stating that whether a court should exercise power to enter a declaratory judgment is committed to the sound discretion of the district court). Arguments not raised or inadequately developed in an opening brief are waived. United States v. Hunter , 739 F.3d 492, 495 (10th Cir. 2013) (deeming waived an argument inadequately developed in opening brief); Thompson R2-J Sch. Dist. v. Luke P., ex rel. Jeff P. , 540 F.3d 1143, 1148 n.3 (10th Cir. 2008) (same); Rojem v. Gibson , 245 F.3d 1130, 1141 n.8 (10th Cir. 2001) (same).
F. State Unfair Competition Law Claims
1. Standing
Before addressing the individual state law claims, the Court must address whether Bellwether has standing to assert claims under statutes of California, Florida, Maine, Massachusetts, and Vermont law. At each stage of a case, a federal court should satisfy itself as to the justiciability of the dispute presented, including the standing of a plaintiff to maintain the action. Warth v. Seldin , 422 U.S. 490, 498, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975). If a plaintiff cannot establish standing, the court may not proceed with the case. Citizens Concerned for Separation of Church and State v. City & Cnty. of Denver , 628 F.2d 1289, 1296 (10th Cir. 1980).
Chipotle does not challenge Bellwether's standing to bring claims under New Hampshire law or Alcoa's standing to bring claims under Arkansas law. Chipotle's arguments to dismiss those claims will be addressed in turn below.
In a class action, the named plaintiffs must allege an actual injury, not an "injury [that] has been suffered by other, unidentified members of the class." Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S.Ct. 1540, 1547 n.6, 194 L.Ed.2d 635 (2016) (quoting Simon v. Eastern Ky. Welfare Rights Org. , 426 U.S. 26, 40 n.20, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976) ). "Standing is not dispensed in gross." Davis v. Fed. Election Comm'n , 554 U.S. 724, 734, 128 S.Ct. 2759, 171 L.Ed.2d 737 (2008) (quoting Lewis v. Casey , 518 U.S. 343, 358 n.6, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) ). Each plaintiff must "demonstrate standing for each claim he seeks to press" and "for each form of relief" sought. DaimlerChrysler Corp. v. Cuno , 547 U.S. 332, 352, 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006). Under the "injury in fact" requirement of standing, an injury must "affect the plaintiff in a personal and individual way." Spokeo , 136 S.Ct. at 1548 ; Rector v. City & Cnty. of Denver , 348 F.3d 935, 949 (10th Cir. 2003) ("A prerequisite for certification is that the class representatives be a part of the class and possess the same interest and suffer the same injury as class members." (emphasis added) ).
Chipotle argues that Bellwether has failed to plausibly allege that an injury occurred in each relevant state, relying on Smith v. Pizza Hut , 2011 WL 2791331 (D. Colo. July 14, 2011). (ECF No. 57 at 25.) In Smith , the court held that a plaintiff in an Fair Labor Standards Act ("FLSA") action did not "have standing to allege claims on his own behalf under the laws of states where he has never lived or resided because he has not suffered an injury under those laws, nor is he protected by those laws." 2011 WL 2791331, at *8. Similarly, in Clark v. Strad Energy Services, USA, Ltd. , this Court dismissed an FLSA plaintiff's claim and class claims under Pennsylvania and Utah law where the complaint made no allegations that the plaintiff had ever lived, worked, or resided in either state, or otherwise established any connection to the state such that the plaintiff would be subject to that state's laws. 2018 WL 3647922, at *5 (D. Colo. Aug. 1, 2018). The Court concluded that plaintiff had not suffered any injury under the laws of those states and thus could not bring claims on behalf of a class under those state laws. Id.
The instant case is distinguishable from Smith and Clark. In those cases, the named plaintiff alleged no connection, however tenuous, to certain states other than employment by an employer who also employed persons other than himself in those states. See Smith , 2011 WL 2791331, at *8 ; Clark , 2018 WL 3647922, at *5. Here, Bellwether—as a corporate person and as the named plaintiff on behalf of a putative class—alleges that, as a result of Chipotle's conduct, it incurred losses in each of six states. (ECF No. 44 ¶¶ 208, 221, 234, 247, 272.) These allegations are sufficient to allow Bellwether to attempt to establish a claim under the laws of those states. Thus, Bellwether has pled an injury in fact caused by Chipotle in each state. See Lujan , 504 U.S. at 560–61, 112 S.Ct. 2130.
Moreover, Bellwether's injuries would be redressed by a favorable decision if the Court were to award legal or equitable relief as a remedy for alleged injuries. See id. Bellwether has thus met its burden to establish standing under the laws of each state referenced in its complaint. See id. Because Bellwether has standing, the Court will address each of Chipotle's remaining arguments to dismiss the state law claims directly on their merits.
2. Arkansas Deceptive Trade Practices Act (Claim 4)
The Arkansas Deceptive Trade Practices Act, Ark. Code Ann. §§ 4-88-101 et seq. ("ADTPA"), lists specific types of behavior which constitute deceptive and unconscionable trade practices, and includes a catchall provision which prohibits "[e]ngaging in any other unconscionable, false, or deceptive act or practices in business, commerce, or trade." Ark. Code. Ann. § 4-88-107(a)(10). "The elements of such a cause of action are (1) a deceptive consumer-oriented act or practice which is misleading in a material respect and (2) injury resulting from such act." Apprentice Info. Sys., Inc. v. DataScout, LLC , 2018 Ark. 149, 544 S.W.3d 536, 539 (Ark. 2018).
"An ‘unconscionable’ act is an act that ‘affront[s] the sense of justice, decency, or reasonableness’ " and may include conduct that violates Arkansas public policy or statutes. Baptist Health v. Murphy , 365 Ark. 115, 226 S.W.3d 800, 811 & n.6 (Ark. 2006) (quoting Black's Law Dictionary 1561 (8th ed. 2004) ). However, not every allegation of illegal conduct or violations of public policy is a violation of the ADTPA. Universal Cooperatives, Inc. v. AAC Flying Serv., Inc. , 710 F.3d 790, 795 (8th Cir. 2013). Courts have refused to "convert the relatively nuanced modifying phrase chosen by the state legislature for the catch-all provision—‘unconscionable, false, or deceptive’—into a general reference to any unlawful conduct." Id. ; Dickinson v. SunTrust Mortg., Inc. , 2015 WL 1868827, at *2 (E.D. Ark. Apr. 23, 2015) ; Chruby v. Glob. Tel*link Corp. , 2017 WL 4320330, at *11 (W.D. Ark. Sept. 28, 2017). Thus, the Eighth Circuit interpreted the term "unconscionable" in the catch-all subsection to include instances of "false representation, fraud, or the improper use of economic leverage in a trade transaction." Universal Cooperatives , 710 F.3d at 796. Chipotle contends that Alcoa's allegation is unrelated to fraud or improper application of economic leverage, and is thus insufficient to establish unconscionable conduct under ADTPA. (ECF No. 57 at 21; ECF No. 66 at 15.) Alcoa argues that, for Chipotle's own economic benefit and to the detriment of consumers and competition, Chipotle maintained inadequate data security measures, which in turn undermined Arkansas's public policy that businesses protect personal and financial information. (ECF No. 44 ¶¶ 187–88, 191; ECF No. 60 at 28.) See Ark. Code Ann. §§ 4-110-102 to -103 (encouraging businesses that acquire personal information about Arkansas citizens to "provide reasonable security" for individual's names when combined with payment card numbers, security or access codes, or passwords).
The Court concludes that Alcoa has not stated a claim for relief on the facts alleged. As explained in Universal Cooperatives , the violations of public policy and the complained-of conduct must relate to, among other things, the improper application of economic leverage in a trade transaction. Thus, Chipotle's alleged violation of Arkansas public policy set forth in Ark. Code Ann. §§ 4-100-102 and -103 is not, without more, sufficient to state a claim for relief under ADTPA. Alcoa has also not alleged facts to support a claim that Chipotle used improper "economic leverage in a trade transaction." See Universal Cooperatives , 710 F.3d at 795. While Alcoa alleges that "Chipotle cut corners and saved money," Alcoa does not address how Chipotle's decisions improperly used economic leverage. Nor does Alcoa tie any improper leverage to a trade transaction. Moreover, Alcoa has not alleged facts to support that Chipotle's choices were "misleading in a material respect." See Apprentice Info. Sys. , 544 S.W.3d at 539. The Court thus dismisses Alcoa's ADTPA claim.
3. California Unfair Competition Law (Claim 5)
California's Unfair Competition Law ("UCL") provides a cause of action for unlawful, unfair, or fraudulent business practices. Cal. Bus. & Prof. Code §§ 17200 et seq . Under the UCL, standing is expansive and remedies are limited. Korea Supply Co. v. Lockheed Martin Corp. , 29 Cal.4th 1134, 131 Cal.Rptr.2d 29, 63 P.3d 937, 943 (2003). Unfair competition claims may be brought "by any person acting for the interests of itself, its members or the general public," to obtain equitable relief. Id. (quoting Cal. Bus. & Prof. Code § 17204 ). Private individuals may seek restitution or injunctive relief. In re Anthem, Inc. Data Breach Litig. , 162 F.Supp.3d 953, 984 (N.D. Cal. 2016). Notably, "[d]amages cannot be recovered." Korea Supply Co. , 29 Cal. 4th at 1143, 131 Cal.Rptr.2d 29, 63 P.3d 937.
The theory of harm alleged by Bellwether is similar to the harm alleged in a consumer action pending against Chipotle in this District. In Gordon v. Chipotle , the plaintiffs did not allege a threat of future harm if or when they make another purchase at Chipotle with a payment card. 2018 WL 4620342, at *15 (D. Colo. Sept. 26, 2018). Instead, another judge of this District Court allowed the plaintiffs' UCL claim to proceed because the plaintiffs there had alleged that they remained at risk of future damages because their personal information remained on Chipotle's insufficiently secured servers. Id. ("[I]f Plaintiff prove a realistic threat of future harm, they could be entitle to injunctive relief under California's Unfair Competition Law.").
In the instant proceeding, Bellwether contends that it "continue[s] to suffer injury as additional fraudulent charges are being made on payment cards issued to Chipotle customers." (ECF No. 44 ¶ 277.) Like the plaintiffs in Gordon , Bellwether plausibly claims that it could be injured in the future as a result of the breach. Thus, Bellwether has stated a claim for relief under the UCL. The Court thus denies Chipotle's Motion with respect to Claim 5.
Bellwether also argues that the risk of another data breach is "real, immediate, and substantial," such that Bellwether is entitled to injunctive relief. (ECF No. 60 at 22.) Allegations based solely on speculation that Chipotle's systems would again be breached are likely insufficient to state a claim for future harm, particularly where only names, credit and debit card numbers, expiration dates, CVVs, service codes and "other information" are at alleged risk. In re Sony Gaming Networks & Customer Data Sec. Breach Litig. , 903 F.Supp.2d 942, 965–66 (S.D. Cal. 2012) ("Plaintiffs' allegations that the heightened risk of identity theft, time and money spent on mitigation of that risk, and property value in one's information, do not suffice as injury under the UCL....").
4. Florida Deceptive and Unfair Trade Practices Act (Claim 6)
Bellwether also claims that Chipotle violated the Florida Deceptive and Unfair Trade Practices Act, Fla. Stat. §§ 501.201 et seq. ("FDUTPA"). (ECF No. 44 ¶¶ 211–23.)
Florida appellate courts have conflicting views on whether the FDUTPA extends to out-of-state consumers, and the Florida Supreme Court has not resolved this issue. Ohio State Troopers Ass'n, Inc. v. Point Blank Enters., Inc. , 2018 WL 3109632, at *4 (S.D. Fla. Apr. 5, 2018). Compare Oce Printing Sys. USA, Inc. v. Mailers Data Servs., Inc. , 760 So.2d 1037, 1042 (Fla. 2d Dist. Ct. App. 2000) ("[O]nly in-state consumers can pursue a valid claim under the Unfair Trade Act.") with Millennium Commc'ns & Fulfillment, Inc. v. Office of Attorney Gen., Dep't of Legal Affairs, State of Fla. , 761 So.2d 1256, 1262 (Fla. Dist. Ct. App. 2000) ("[W]e can discern no legislative intent for the Department to be precluded from taking corrective measures under FDUTPA even where those persons affected by the conduct reside outside of the state."). "Most federal courts in the Southern District of Florida that have considered the issue have followed Millennium ," which permits out-of-state consumers to sue under certain circumstances. Ohio State Troopers , 2018 WL 3109632, at *4 (citation omitted). "Federal courts in the Middle District of Florida agree." Bank of Am., N.A. v. Zaskey , 2016 WL 2897410, at *9 (S.D. Fla. May 18, 2016) (citing cases). Federal courts in Florida generally allow out-of-state consumers to pursue a claim under FDUTPA "if the offending conduct took place predominantly or entirely in Florida." Karhu v. Vital Pharm., Inc. , 2013 WL 4047016, at *10 (S.D. Fla. Aug. 9, 2013). The Court will apply the standard applied by most Florida federal courts.
Chipotle contends that Bellwether fails to state a claim under FDUTPA because the law "does not apply to a New Hampshire bank's claim against a Colorado company where few, if any, of the allegations in the complaint actually occurred in Florida." (ECF No. 57 at 27.) In response, Bellwether states that Chipotle's "lax data security extended to its Florida restaurants where the inadequately protected POS systems were located," the allegedly breached data "belonged to Florida consumers," and "Florida-based financial institutions suffered damages [in Florida] when they reimbursed consumers ... and incurred additional operational costs." (ECF No. 60 at 23; see ECF No. 44 ¶ 221.) Bellwether notes that the putative Florida class is limited to financial institutions with Florida-based customers or Florida-based financial institutions. (ECF No. 60 at 23.) Bellwether also alleges in its venue statement that a "substantial part of the events giving rise to the action" arose in Colorado. (ECF No. 44 ¶ 15.)
Bellwether's allegations do not state a claim under FDUTPA because they do not plausibly establish that the offending conduct took place "predominantly or entirely" in Florida. See Karhu , 2013 WL 4047016, at *10. While Bellwether pleads that it has members located in Florida whose payment cards were impacted by the breach (see ECF No. 44 ¶ 221), this allegation alone is not sufficient to plausibly establish that the conduct occurred predominantly or entirely in Florida. This is particularly so in light of Bellwether's competing and indeed conflicting allegation—for purposes of establishing venue in the District of Colorado in the first instance—that the events at issue in this litigation substantially occurred in Colorado. Cf. Amjad Ltd. v. Ocean Marine Eng'g , 2017 WL 1365580 (M.D. Fla. Apr. 14, 2017) (finding that allegations of venue that supported personal jurisdiction over the defendant in Florida also "suffice[d] to establish that a substantial part of events giving rise to the claims occurred in this district"). Because claims can "substantially" occur only in one place, venue in Colorado and venue for purposes of Bellwether's FDUTPA claims are, in this context, mutually exclusive.
In addition, Bellwether cannot rely on the alleged injuries of unnamed Florida class members to support a claim for relief under FDUTPA. See Smith , 2011 WL 2791331, at *8 ; Clark , 2018 WL 3647922, at *5. Therefore, the Court grants Chipotle's motion as to Claim 6 with prejudice.
5. Maine Unfair Trade Practices Act (Claim 7)
The Maine Unfair Trade Practices Act ("MUTPA") provides a private right of action to "any person who purchases or leases goods, service or property, real or personal, primarily for personal, family or household purposes and thereby suffers any loss of money or property, real or personal" as the result of an unfair trade practice. Me. Rev. Stat. tit. 5, § 213(1) ; Campbell v. First Am. Title Ins. Co. , 644 F.Supp.2d 126, 134 (D. Me. 2009) ; Enercon v. Global. Computer Supplies, Inc. , 675 F.Supp.2d 188, 193 (D. Me. 2009) (dismissing with prejudice a claim under the statute where the plaintiff purchased a good primarily for resale purposes).
Chipotle argues that Bellwether did not purchase anything from it, and thus cannot state a claim under Maine law. (ECF No 57 at 28.) Bellwether does not dispute this statement. Instead, Bellwether urges the Court to "reject such a narrow interpretation" of MUTPA. (ECF No. 60 at 25.) In support, Bellwether cites two cases from the Northern District of California and Eastern District of Pennsylvania which, they contend, support construing similar statutory language broadly and allowing "legal entities to assert claims on behalf of personal users." (Id. )
The Court declines to construe this provision broadly. The First Circuit observed that "the Maine courts have consistently read the private right of action provision of the [M]UTPA narrowly" and that "narrow application of the private right of action section is consistent with the Maine legislature's choice of statutory language, which is narrower than that of other states." Anderson v. Hannaford Bros. Co. , 659 F.3d 151, 160 (1st Cir. 2011). For example, one court dismissed the MUTPA claim of a minor because "his parents, not he, purchased the defendant's product." Hoglund ex rel. Johnson v. DiamlerChrysler Corp. , 102 F.Supp.2d 30, 31 (D. Me. 2000).
Bellwether has not alleged a plausible claim under the plain terms of the MUTPA. Bellwether merely alleges that its members located in Maine used payment cards "to purchase food for personal consumption from Chipotle" and that Bellwether was injured because it had to reimburse members for fraudulent transactions and reissue payment cards. (ECF No. 44 ¶ 234.) Notably, Bellwether does not allege that it made a purchase from Chipotle "primarily for personal, family or household purposes." Indeed, such a claim would be inconsistent with Bellwether's theory of the case. Given that Bellwether has not and cannot make such a claim, the Court finds that Bellwether has failed to state a claim for relief under MUTPA and dismisses the MUTPA claim with prejudice. See Enercon , 675 F.Supp.2d at 193.
6. Massachusetts Consumer Protection Act (Claim 8)
The Massachusetts Consumer Protection Act, Mass. Gen. Laws Ann. ch. 93A et seq. ("Chapter 93A"), requires that "the alleged unfair method of competition or the unfair or deceptive act or practice occur[ ] primarily and substantially within [Massachusetts]." Mass. Gen. Laws Ann. ch. 93A, § 11. The statute allocates the burden of proof to the party claiming that transactions or actions did not occur "primarily and substantially" within Massachusetts. Id. " Section 11 suggests an approach in which a judge should, after making findings of fact, and after considering those findings in the context of the entire § 11 claim, determine whether the center of gravity of the circumstances that give rise to the claim is primarily and substantially within the Commonwealth." Kuwaiti Danish Computer Co. v. Digital Equip. Corp. , 438 Mass. 459, 781 N.E.2d 787, 799 (Mass. 2003). "The applicable standard is not ‘some acts,’ but rather, whether in their totality, the facts establish" Massachusetts as the center of gravity for the relevant conduct. Evergreen Partnering Grp., Inc. v. Pactiv Corp. , 2014 WL 304070, at *4 (D. Mass. Jan. 28, 2014). While Massachusetts courts have refused to create a list of factors to be used in determining the center of gravity, courts consider the alleged place of injury or loss, where the deceptive or unfair conduct occurred, the number of instances of misconduct, and the severity of each instance of misconduct. Kuwaiti Danish Computer Co. , 781 N.E.2d at 798–99 ; Evergreen , 2014 WL 304070, at *4–5.
Chipotle argues that the alleged unfair practices did not primarily and substantially occur in Massachusetts. (ECF No. 57 at 32.) In support of its argument, and without citation to the complaint, Chipotle asserts that "Bellwether is headquartered in New Hampshire" and that Bellwether "alleged that Chipotle harmed it through conduct occurring in Colorado." (Id. ) While Chipotle recognizes that Bellwether issued "some unidentified number of replacement cards" to Massachusetts customers, it contends that fact alone is in insufficient to establish Massachusetts as the center of gravity. (Id. ) As a factual matter, Chipotle somewhat overstates Bellwether's pleadings: Bellwether did not allege that Chipotle's conduct occurred in Colorado. Instead, Bellwether states that Chipotle "conducts substantial business" in the District of Colorado, has an executive office in Denver, Colorado, and that a "substantial part of the events giving rise to this action arose in" the District of Colorado." (ECF No. 44 ¶¶ 11, 14.)
In response, Bellwether states that its complaint alleges that its claim "occurred primarily and substantially" in Massachusetts because Chipotle's unlawful conduct was intended to and did impact transactions at its Massachusetts-based stores, cards used by Massachusetts consumers were stolen in Massachusetts and used to commit fraud there, and Chipotle's unlawful conduct interfered with trade or commerce in Massachusetts. (ECF No. 60 at 27; ECF No. 44 ¶¶ 246–47.) Bellwether adds that "members of the Massachusetts Class were located in Massachusetts and incurred losses and suffered damages there." (ECF No. 60 at 27; ECF No. 44 ¶ 246.)
The Court finds that Bellwether has not alleged the requisite facts to support a claim for relief under Chapter 93A. Specifically, as discussed above in relation to the FDUTPA claim, Bellwether's own allegations state that a "substantial part of the events giving rise to this action" arose in Colorado. (ECF No. 44 ¶ 15.) This claim is at odds with Bellwether's claim that Chipotle's acts "occurred primarily and substantially in Massachusetts." (Id. ¶ 246.) Again, both statements cannot factually be true and this Court is not required to accept Plaintiff's related legal contentions as valid.
As for Bellwether's other allegations about activities in Massachusetts, Bellwether cannot rely on the injuries of unidentified members of a proposed Massachusetts Class to support Bellwether's own claim for relief. See Smith , 2011 WL 2791331, at *8 ; Clark , 2018 WL 3647922, at *5. Bellwether's remaining allegations establish only that "some acts" took place in Massachusetts, not that Massachusetts was the center of gravity of those facts. See Evergreen , 2014 WL 304070 at *5 ; Fishman Transducers, Inc. v. Paul , 684 F.3d 187, 197 (1st Cir. 2012) ("Where wrongdoing is not focused on Massachusetts but has relevant and substantial impact across the country, the ‘primarily’ requirement of section 11 cannot be satisfied."). Even accepting Bellwether's allegations as true, it has not plausibly alleged that a substantial part of the conduct at issue occurred in Massachusetts. Therefore the Court finds that Bellwether has not stated a claim for relief under Chapter 93A. See Ridge at Red Hawk, LLC , 493 F.3d at 1177.
The Court also notes the inherent tension between the FDUTPA and Chapter 93A claims. The unfair competition laws in Florida and Massachusetts each require that a substantial action occur within the state. While these claim may be pled in the alternative at the pleadings state, as a factual matter it simply cannot be that the claims occurred "predominantly or entirely" in Florida and also "primarily and substantially" in Massachusetts. Even if this issue is not predominant at the pleadings stage, it would arise either at the Rule 23 or Rule 56 stages of these proceedings. Specifically, at the Rule 23 stage, a single plaintiff would have difficulty establishing him or herself as a typical or adequate representative of both the Florida and Massachusetts classes: a named plaintiff must personally have standing to be an adequate representative, and a single plaintiff would likely not have standing under both Florida and Massachusetts unfair competition laws. See Fed R. Civ. P. 23 ; Smith , 2011 WL 2791331, at *8. At the Rule 56 stage, only one state could factually be the locus of the claims. Thus, depending on the factual development of the case, the Court would likely be compelled to grant summary judgment dismissing at least one of these two claims.
Moreover, as discussed in the context of Bellwether's FDUTPA claim, claims may "substantially" occur in only one place. Thus, venue in this District and a Chapter 93A claim are mutually exclusive. Compare 28 U.S.C. § 1391(b)(2) (allowing a civil action to be brought in a judicial district where a "substantial part of the events or omissions giving rise to the claim occurred") with Mass. Gen. Laws Ann. ch. 93A, § 11 (requiring "the alleged unfair method of competition or the unfair or deceptive act or practice [to occur] primarily and substantially within [Massachusetts]"). The Court therefore grants Chipotle's Motion as to Claim 8 with prejudice.
7. New Hampshire Consumer Protection Act (Claim 9)
The New Hampshire Consumer Protection Act ("NHCPA") makes it unlawful "for any person to use any unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce" and enumerates seventeen unlawful types of unfairly competitive or deceptive acts. N.H. Rev. Stat. Ann. § 358-A:2. However, the statutory list is not exhaustive, and other actions may constitute prohibited conduct as long as they are "of the same type as proscribed by the enumerated categories." State v. Moran , 151 N.H. 450, 861 A.2d 763, 765 (2004) ; see Roberts v. Gen. Motors Corp. , 138 N.H. 532, 643 A.2d 956, 960 (N.H. 1994). To determine whether an action is "of the same type," New Hampshire courts employ a "rascality test." Moran , 861 A.2d at 765. "Under the rascality test, the objectionable conduct must attain a level of rascality that would raise an eyebrow of someone inured to the rough and tumble of the world of commerce." Id. (Internal quotations omitted). In addition, New Hampshire courts look to the federal court's interpretation of the FTCA for guidance in determining "what actions are unlawful outside the enumerated categories." Id. at 765–66.
Chipotle seemingly suggests that Bellwether must satisfy the "same type" requirement under the NHCPA and the rascality test. (ECF No. 23–24; see ECF No. 60 at 20.) This is not so. New Hampshire courts use the rascality test to determine whether a violation is of the "same type" of act as the enumerated provision in the NHCPA. This is but one more example of unforced errors by Defendant in briefing this Motion.
The Court is disappointed with the sloppy briefing with which it has had to contend in support of and in opposition to the Motion on critical issues. The Court expects that sophisticated parties, represented by sophisticated (and no doubt, expensive) counsel to make reasonable, developed arguments based on correct statements of law. Both parties, but most notably counsel for the Defendant, have repeatedly failed to do so. For instance, Defendant argued that Bellwether failed to meet a notice requirement under Chapter 93A Section 9 even though Bellwether pled a claim under Section 11, which does not have a notice requirement; Defendant cited an ADTPA statute that was recently amended and did not apply retroactively, and thus was inapplicable to the present dispute; and it also argued that Bellwether was required to allege the "same type" of act under the NHCPA and meet the rascality test, when it is clear from the caselaw that New Hampshire uses the rascality test to determine whether an act qualifies as the "same type" as those enumerated under the NHCPA. Both parties also briefed certain issues on a very cursory or superficial level, requiring the Court to undertake a large part of the heavy lifting in regards to the necessary legal research needed to resolve the large multitude of issues raised by the Defendant's sprawling Motion. Counsel are on notice that the Court will not further tolerate such sloppy lawyering, and that it will not hesitate to summarily reject out of hand inadequately developed arguments, especially in the context of anticipated future Rule 23 and Rule 56 briefing.
It is "especially difficult" to show rascality in business-to-business transactions. Animal Hosp. of Nashua, Inc. v. Antech Diagnostics , 2012 WL 1801742 (D.N.H. May 17, 2012). "[I]n the ‘rough and tumble’ of arms-length business transactions, common disputes over broken promises ordinarily will not rise to a level sufficient to support a claim under the Act." Orion Seafood Int'l Inc. v. Supreme Grp. B.V. , 2012 WL 3765172, at *5 (D.N.H. Aug. 29, 2012). Thus, contractual breach alone does not satisfy the level of rascality required. Beer v. Bennett , 160 N.H. 166, 993 A.2d 765, 769 (2010). Similarly, negligence claims are not generally cognizable under the NHCPA. Yost v. US Airways, Inc. , 2011 WL 1655714, at *3 (D.N.H. May 2, 2011). Instead, NHCPA claims require a "degree of knowledge or intent," although reckless disregard may also satisfy that requirement. Kelton v. Hollis Ranch, LLC , 155 N.H. 666, 927 A.2d 1243, 1246 (2007) ; Beer , 993 A.2d at 769. Often, whether a party has committed an unfair or deceptive act under the NHCPA is a question of fact. Fin Brand Positioning, LLC v. Take 2 Dough Prods., Inc. , 2012 WL 27917, at *9 (D.N.H. Jan. 5, 2012).
Chipotle argues that its conduct related to data security does not fall within these enumerated prohibited practices, and thus the claim should be dismissed. (ECF No. 57 at 27.) It also argues that Bellwether fails to satisfy the rascality test. In response, Bellwether contends that Chipotle's conduct meets the rascality standard. (ECF No. 60 at 21.) The Court agrees with Bellwether on this issue.
Bellwether alleges that Chipotle was aware that it received payment card information that could be used for nefarious purposes by unauthorized third parties, that its stores a significant volume of payment card transactions, and that failure to safeguard that data could result in significant harm. (ECF No. 44 ¶¶ 24–26.) Bellwether adds that Chipotle ignored well-known data security risks thus allowing deficiencies to persist, disregarded warnings that its POS system was incompatible with antivirus software, and lacked adequate firewall protection. (Id. ¶ 39.) Bellwether also contends that "Chipotle's senior management ... knowingly failed to upgrade POS hardware and software and failed to maintain a system of accountability over data security." (Id. ¶ 40.) Taking Bellwether's allegations in the light most favorable to it, Bellwether has sufficiently alleged that Chipotle, at a minimum, recklessly disregarded risks to its data security systems when it decided not to upgrade its POS systems. Such a failure could "raise an eyebrow," as required by New Hampshire's rascality test. Thus, the Court finds that Bellwether has stated a claim under NHCPA.
8. Vermont Consumer Fraud Act (Claim 10)
Vermont's Consumer Fraud Act ("VCFA") provides a private right of action to "any consumer" who either contracts for goods or services in reliance on, or who sustains damages or injury as a result of, fraudulent statements, unfair competition, or deceptive trade practices may sue for equitable relief and may recover damages from the "seller, solicitor, or other violator." Vt. Stat. Ann. tit. 9, § 2461(b). The VCFA defines "consumer" as, among other things,
a person who purchases, leases, contracts for, or otherwise agrees to pay consideration for goods or services not for resale in the ordinary course of his or her trade or business but for the use or benefit of his or her business or in connection with the operation of his or her business.
Vt. Stat. Ann. tit. 9, § 2451a(a) ; see Ascension Tech. Corp. v. McDonald Invs., Inc. , 327 F.Supp.2d 271, 276 (D. Vt. 2003) (construing "person" to include a corporation under the VCFA).
While the statute does not impose a strict privity requirement, it does require the purchase of some good or service. Maurice v. Fed. Ins. Co. , 2009 WL 10679101, at *3 (D. Vt. Jan. 23, 2009) ("Although privity of contract is not required ... the existence of a relationship akin to that of buyer and seller is." (internal citation omitted) ). For example, in Elkins v. Microsoft Corporation , the Vermont Supreme Court allowed an VCFA claim by a consumer against a manufacturer who sold a product wholesale, who then sold the product to the consumer. 174 Vt. 328, 817 A.2d 9, 13 (2002). Nonetheless, the Vermont Supreme Court has insisted on some relationship between the parties. See Messier v. Bushman , 2018 VT 93, ¶ 25 (Vt. Aug. 24, 2018). In Meissier , the court held that the plaintiff had no VCPA claim because he was not a "consumer" where he "did not purchase anything ... he did not lease, contract, or otherwise agree to pay consideration ... for goods or services." Id.
Bellwether alleges that it is a "consumer" within the meaning of the statute because it agreed "to pay for services in connection with the operation of [its] business to enable [its] members to purchase goods from Chipotle with [ ] payment cards." (ECF No. 44 ¶ 264.) Chipotle disputes this conclusion and contends that the VCFA applies only to actual purchasers. (ECF No. 57 at 28.) In response, Bellwether asserts that it falls within the portion of the definition of "a person who ... agrees to pay consideration for goods or services ... in connection with the operation of his or her business." (ECF No. 60 at 24–25 (quoting Vt. Stat. Ann. tit. 9, § 2451a ).) Bellwether further adds that it fits the definition of consumer because it was "an active participant in the payment card transaction process." (ECF No. 57 at 25.)
The Court concludes that Bellwether has not alleged facts to support a plausible conclusion that it is a "consumer" within the meaning of the VCFA. See Robbins , 519 F.3d at 1247. Bellwether alleges that it "agree[d] to pay for services" but does not assert that it paid Chipotle for those services. (ECF No. 44 ¶ 264.) Instead, it appears that Bellwether agreed to pay an unidentified entity (likely, Visa or MasterCard) for the benefit of its own members to allow them to make purchases from merchants (such as Chipotle). Bellwether does not state that it is suing the parties that it paid for services. See Vt. Stat. Ann. tit. 9, § 2461(b) (consumer may sue to recover damages from the violator). Moreover, unlike Elkins , Bellwether does not suggest that Chipotle is merely a company further up the supply chain, or that Bellwether's members were a mere intermediary in the purchase of a good or service that flowed from Chipotle to Bellwether.
Bellwether also claims that it is an "active participant in the payment card transaction process," and thus is a consumer within the meaning of the VCTA, citing Ascension. (ECF No. 60 at 25.) Ascension is distinguishable from the present case. 327 F.Supp.2d at 276. In Ascension , the plaintiff sued its brokerage firm which had allegedly provided bad advice on investments, which the plaintiff intended to use in its own business. Unlike Bellwether, the plaintiff in Ascension actually purchased services from the defendant. 327 F.Supp.2d at 276. Here, Bellwether has not and cannot make that same claim.
In sum, Bellwether made no purchase from Chipotle—directly or indirectly—for use in Bellwether's business. Bellwether cannot remedy this pleading defect by amendment, and the Court thus dismisses Claim 10 with prejudice.
IV. CONCLUSION
For the reasons set forth above, the Court hereby ORDERS as follows:
1. Plaintiffs' Motion to Strike Exhibits A–C Attached to Defendant's Motion to Dismiss (ECF No. 59) is DENIED;
2. Defendant's Motion to Dismiss (ECF No. 57) is GRANTED IN PART as follows:
a. Claim 1 (Negligence), Claim 3 (Misappropriation of Trade Secrets), Claim 6 (Florida Deceptive and Unfair Trade Practices Act), Claim 7 (Maine Unfair Trade Practices Act), Claim 8 (Massachusetts Consumer Protection Act), and Claim 10 (Vermont Consumer Fraud Act) are DISMISSED WITH PREJUDICE;
b. Claim 2 (Negligence per se ) and Claim 4 (Arkansas Deceptive Trade Practices) are DISMISSED WITHOUT PREJUDICE; and
3. The remainder of Defendant's Motion to Dismiss is DENIED.