344 F. Supp. 3d 1231
D. Colo. 2018
Background
- Chipotle experienced a point-of-sale data breach from March 24–April 18, 2017 that exposed customers' payment card information and other PII; Chipotle issued a public security notice on April 25, 2017.
- Plaintiffs (a putative nationwide class with state subclasses in AZ, CA, IL, and MO) allege fraudulent charges, time and money spent addressing fraud, costs for credit monitoring or replacement cards, and ongoing risk of identity theft; they assert tort, statutory, contract, and equitable claims under their home states' laws.
- Defendant moved to dismiss for lack of Article III standing as to two plaintiffs (Baker and Lawson) and for failure to state claims under Rule 12(b)(6) for multiple counts; the magistrate judge recommended granting in part and denying in part the motion.
- The district court reviewed objections de novo, adopted some of the magistrate judge’s recommendations, rejected others, and resolved choice-of-law, standing, and merits pleading issues.
- Outcome: Court GRANTED the motion to dismiss as to Counts 1 (negligence), 2 (negligence per se), 3 (Colorado Consumer Protection Act), 5 (unjust enrichment), and 11 (Illinois UDTPA); and DENIED dismissal as to Counts 4 (breach of implied contract), 6 (Arizona CFA omission-based claim), 7 (Cal. Customer Records Act), 8 (Cal. UCL), 9 (Cal. CLRA), 10 (Ill. Consumer Fraud Act), and 12 (Mo. Merchandising Practices Act).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing for Baker and Lawson | Baker: risk of future identity theft and some unauthorized charge; Lawson: actual misuse, time spent, $45 expedited card cost | No injury in fact; alleged harms are speculative or self-inflicted and not traceable | Both have standing: Lawson alleged actual harms; Baker alleged a substantial risk of future harm (no actual injury alleged) |
| Choice of law for negligence | Plaintiffs: situs of injury (home states) should govern | Chipotle: Colorado law governs because conduct occurred in Colorado and injuries are fortuitous | Colorado law governs; negligence claim dismissed under economic loss doctrine (and related analysis) |
| Breach of implied contract based on payment transaction | Plaintiffs: providing card info implies term to protect PII; thus plausibly alleged implied contract | Chipotle: no implied promise to secure data in a purchase transaction | Claim survives pleading stage; not resolvable on 12(b)(6) — denial of dismissal for Count 4 |
| Unjust enrichment based on purchases | Plaintiffs: would not have purchased had they known of poor security; conferred benefit | Chipotle: plaintiffs received the goods paid for; no unjust enrichment or overpayment | Claim dismissed: plaintiffs received the contracted goods so unjust enrichment fails |
| Statutory fraud/omission claims (AZ, CA, IL) | Plaintiffs: Chipotle omitted material facts about insecure systems and customers relied (would have acted differently) | Chipotle: plaintiffs fail to plead a duty to disclose or actual reliance/exposure to omissions | Omissions plausibly pleaded; claims under Arizona CFA, California UCL/CLRA/Customer Records Act, and Illinois Consumer Fraud Act survive at pleading stage |
| Damages under CA, IL, MO consumer statutes | Plaintiffs: time, effort, monitoring costs, lost rewards, and out-of-pocket expenses are compensable economic harms | Chipotle: reimbursements negate damages; time/effort is de minimis and not recoverable | Court declines to resolve on 12(b)(6); allowed claims to proceed — pleaded time/effort and related harms held sufficient to survive dismissal in these statutes |
| Availability of injunctive relief under CA UCL | Plaintiffs: continued retention of insecure PII and prior incidents show risk and pattern warranting injunctive relief | Chipotle: plaintiffs lack a realistic threat of future harm and therefore lack standing for injunctive relief | Injunctive relief not foreclosed at pleading stage; UCL claim survives to allow equitable remedies if proven |
Key Cases Cited
- Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) (standing requires threatened injury be "certainly impending" or present a substantial risk)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (general standing principles; conclusory allegations insufficient)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for pleadings)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (legal conclusions not entitled to assumption of truth for plausibility analysis)
- Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (data-breach plaintiffs can allege economic injuries from monitoring costs, lost use, and opportunity costs)
- In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (standing in data-breach cases requires exposure of PII sufficient to enable identity theft)
- SELCO Community Credit Union v. Noodles & Co., 267 F. Supp. 3d 1288 (D. Colo. 2017) (forum state's interest and location of defendant's conduct can govern choice-of-law in multi-state data-breach suits)
- J'Aire Corp. v. Gregory, 598 P.2d 60 (Cal. 1979) (California "special relationship" exception to economic loss doctrine)
