267 F. Supp. 3d 1288
D. Colo. 2017
Background
- In 2016, hundreds of Noodles & Company locations suffered a data breach exposing customers' payment-card information; four credit unions (issuing banks) sued, alleging costs from reissuing cards, monitoring, refunds, and lost revenue.
- Plaintiffs filed an amended consolidated class complaint asserting negligence, negligence per se, and declaratory relief; Noodles moved to dismiss under Rule 12(b)(6).
- Defendant argued the economic loss rule bars tort recovery because duties arose from the interrelated contractual payment-card network (Visa/MasterCard rules and merchant/acquirer/issuer agreements) and PCI DSS obligations.
- Plaintiffs contended Colorado law should apply or, alternatively, that multiple states' laws do not conflict because each would allow recovery via an independent tort duty; they asserted independent duties to secure data and cited FTC §5.
- The court held there was no outcome-determinative conflict among Colorado, Oregon, Ohio, Indiana, and Iowa economic-loss doctrines and applied Colorado law; it found plaintiffs’ asserted duties flowed from contractual regimes (including PCI DSS) and dismissed negligence, negligence per se, and declaratory claims with prejudice.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Choice of law | Colorado law should apply or no conflict exists because all states would permit recovery | Apply plaintiffs' home states; economic-loss rules of those states bar claims | No outcome-determinative conflict; Colorado law controls and would yield same result as plaintiffs' home states |
| Applicability of economic-loss rule | Plaintiffs suffered foreseeable economic harm and may recover in tort because duties are independent of contracts | Economic-loss rule bars tort recovery for pure economic losses when duties arise from contractual network | Economic-loss rule applies; plaintiffs' claims are barred because duties arise from contracts |
| Independent duty (data-security/PCI DSS) | Duties to secure cardholder data and to adopt reasonable security exist independently of contract (common law/FTC) | Duties plaintiffs identify are defined and memorialized by PCI DSS and card-network rules (contractual) | Duties alleged are created and contained in the contractual framework (PCI/card rules); not independent; dismissal granted |
| Negligence per se (FTC §5) | Violations of FTC §5 support negligence per se for failure to protect data | §5 protects consumers/competition; plaintiffs are issuers, not consumers/competitors | Negligence per se fails: §5 does not protect plaintiffs’ asserted interests; claim dismissed |
Key Cases Cited
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (plausibility standard for federal pleadings)
- Ashcroft v. Iqbal, 556 U.S. 662 (limits on treating conclusory allegations as true)
- BRW, Inc. v. Dufficy & Sons, Inc., 99 P.3d 66 (Colo. 2004) (test for whether tort duty is independent of contract under Colorado economic-loss rule)
- Town of Alma v. AZCO Constr., Inc., 10 P.3d 1256 (Colo. 2000) (Colorado adoption of the economic-loss rule)
