SELCO Community Credit Union v. Noodles & Company
ORDER granting 34 Motion to Dismiss; finding as moot 47 Motion for Appointment of Interim Class Counsel by Judge R. Brooke Jackson on 7/21/17. (jdyne, )
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLORADO
Judge R. Brooke Jackson
Lead Civil Action No. 16-cv-02247-RBJ
Consolidated with 16-cv-02497-RBJ and 16-cv-02632-RBJ
SELCO COMMUNITY CREDIT UNION,
MIDWEST AMERICA FEDERAL CREDIT UNION,
VERIDIAN CREDIT UNION, and
KEMBA FINANCIAL CREDIT UNION, on behalf of themselves and a class of similarly
situated financial institutions,
NOODLES & COMPANY,
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS
Defendant Noodles & Company moves to dismiss plaintiffs’ amended consolidated
complaint. ECF No. 34. The motion is granted. Accordingly, plaintiffs’ renewed motion for
appointment of interim class counsel, ECF No. 47, is moot.
In early 2016 hundreds of Noodles & Company restaurants suffered a cyberattack
targeting customers’ credit and debit card information. Plaintiffs are four credit unions whose
cardholders’ information might have been compromised by the data breach. Plaintiffs allege that
because of the breach they have had to cancel and reissue affected cards, close and reopen the
corresponding accounts, respond to cardholders’ inquiries about the breach, monitor accounts for
fraudulent charges, investigate such charges, and refund cardholders for any unauthorized
charges that went through. Plaintiffs also claim to have lost revenue due to their cardholders’
decrease in credit and debit card usage after the breach was publicized.
In September 2016 plaintiff SELCO Community Credit Union filed suit against Noodles
& Company for its alleged failure to prevent the data breach. ECF No. 1. Two months later this
case was consolidated with two other actions, ECF No. 23, and on November 30, 2016 plaintiffs
filed an amended consolidated class action complaint, ECF No. 27. This complaint seeks to
bring an action for negligence, negligence per se, and declaratory relief for the plaintiffs
individually and on behalf of all other similarly situated financial institutions. Plaintiffs have
filed a motion for appointment of interim class counsel, ECF No. 28, and they recently renewed
this motion, ECF No. 47.
On January 17, 2017 Noodles & Company filed a motion to dismiss. ECF No. 34. The
motion has been fully briefed. ECF Nos. 36, 43.
STANDARD OF REVIEW
To survive a 12(b)(6) motion to dismiss, the complaint must contain “enough facts to
state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570
(2007). While the Court must accept the well-pleaded allegations of the complaint as true and
construe them in the light most favorable to the plaintiff, Robbins v. Wilkie, 300 F.3d 1208, 1210
(10th Cir. 2002), purely conclusory allegations are not entitled to be presumed true, Ashcroft v.
Iqbal, 556 U.S. 662, 681 (2009). However, so long as the plaintiff offers sufficient factual
allegations such that the right to relief is raised above the speculative level, he has met the
threshold pleading standard. See Twombly, 550 U.S. at 556. “The court’s function on a Rule
12(b)(6) motion is not to weigh potential evidence that the parties might present at trial, but to
assess whether the plaintiff’s complaint alone is legally sufficient to state a claim for which relief
may be granted.” Miller v. Glanz, 948 F.2d 1562, 1565 (10th Cir. 1991).
Noodles & Company primarily argues that the economic loss rule bars plaintiffs’ claims.
The economic loss rule generally forbids recovery in tort for pure financial losses caused by a
defendant’s negligence in its performance of a contractual duty. Noodles & Company asserts
that plaintiffs’ alleged economic injuries are not cognizable under a negligence theory because
its duty of care was specified by the network of interrelated contracts among the company, its
bank, the bank card associations, and plaintiffs.
However, before reviewing the merits of this argument, the Court must consider which
state’s tort law applies to this dispute. Noodles & Company contends that a choice of law
analysis would select the laws of plaintiffs’ home states, and that the economic loss rules of these
states (as well as Colorado) uniformly bar plaintiffs’ claims. In response, plaintiffs argue that the
analysis would actually favor applying Colorado law and, in any event, that there is no conflict
between the laws of Colorado and plaintiffs’ home states because each state would recognize
When more than one body of law may apply to a claim, the Court “need not choose
which body of law to apply unless there is an outcome determinative conflict between the
potentially applicable bodies of law.” Iskowitz v. Cessna Aircraft Co., No. 07-CV-00968-REBCBS, 2010 WL 3075476, at *1 (D. Colo. Aug. 5, 2010); see also Restatement (Second) of
Conflict of Laws § 145 cmt. i (1971) (“When certain contacts involving a tort are located in two
or more states with identical local law rules on the issue in question, the case will be treated for
choice-of-law purposes as if these contacts were grouped in a single state.”). If there is no such
conflict there is no choice of law issue, and the forum state’s law applies.
Although each state’s economic loss rule has its own nuances, the relevant states all have
a core standard in common. Every state at issue here—Colorado, Oregon, Ohio, Indiana, and
Iowa—has adopted the economic loss rule. See Town of Alma v. AZCO Const., Inc., 10 P.3d
1256, 1264 (Colo. 2000); Abraham v. T. Henry Const., Inc., 249 P.3d 534, 540 (Or. 2011);
Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 835 N.E.2d 701, 704 (Ohio 2005);
Indianapolis-Marion Cnty. Pub. Library v. Charlier Clark & Linard, P.C., 929 N.E.2d 722, 736
(Ind. 2010); Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 504 (Iowa 2011).
As plaintiffs point out, each of these states also has an exception allowing for recovery of
economic losses due to the breach of a duty arising independently of any contractually created
duties. See Town of Alma, 10 P.3d at 1264 (holding that Colorado’s economic loss rule applies
“absent an independent duty of care under tort law”); Abraham, 249 P.3d at 540 (noting that
Oregon’s economic loss rule applies unless the tortfeasor is subject to “a standard of care that is
independent of the terms of the contract,” such as when a statute or special relationship provides
for a heightened duty of care); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006)
(“Ohio law prevents the recovery of purely economic losses in a negligence action . . . where
recovery of such damages is not based upon a tort duty independent of contractually created
duties.”); Indianapolis-Marion Cnty. Pub. Library, 929 N.E.2d at 736 (anticipating exceptions to
Indiana’s economic loss rule for breach of independent duties of care including “lawyer
malpractice, breach of a duty of care owed to a plaintiff by a fiduciary, [and] breach of a duty to
settle owed by a liability insurer to the insured”); Annett Holdings, 801 N.W.2d at 504, 506 n.3
(noting that the independent duty inquiry “rephrases the question, but does not answer it,” yet
recognizing such exceptions from the economic loss rule under Iowa law for “claims of
professional negligence against attorneys and accountants” and “when the duty of care arises out
of a principal-agent relationship”).
Since all of the relevant states have comparable independent duty exceptions to the
economic loss rule, there is no outcome-determinative conflict of law here. Accordingly,
Colorado law controls this dispute, though the outcome of this case would necessarily be the
same if the laws of plaintiffs’ home states applied instead. 1
On the merits, Noodles & Company argues that the duties of care it allegedly breached
stem not from an independent duty, but from the series of contracts governing plaintiffs’
payment-card networks. When a customer swipes a credit or debit card at Noodles & Company
the merchant routes the payment request through a payment-card network governed by a bank
card association, the largest of which are Visa and MasterCard. The transaction is sent
electronically to the customer’s “issuing bank,” the financial institution that issued the payment
card. (SELCO Community Credit Union and the other plaintiffs are issuing banks.) After the
issuing bank authorizes the transaction Noodles & Company notifies its “acquiring bank,” the
financial institution that processes credit and debit card payments for the merchant. The
Colorado law would apply here even if this case did present a conflict of law. The Court must apply the
choice of law rules of Colorado (the forum state), which follows the Restatement (Second) of Conflict of
Laws. Kipling v. State Farm Mut. Auto. Ins. Co., 774 F.3d 1306, 1310 (10th Cir. 2014). Several
Restatement factors support applying Colorado law over the laws of plaintiffs’ home states. In particular,
plaintiffs allege that Noodles & Company’s tortious conduct occurred at the company’s headquarters in
Colorado; more weight is accorded to the location of this conduct than normal because the resulting
injuries occurred in multiple states; and the location of these injuries is fortuitous because the Noodles &
Company customers whose information was compromised could have belonged to banks located
anywhere in the world. See Restatement (Second) of Conflicts § 145 & cmt. e (1971).
acquiring bank forwards funds to Noodles & Company to satisfy the transaction, and it is then
reimbursed by the customer’s issuing bank. Am. Compl., ECF No. 27 at ¶ 22; Mot. to Dismiss,
ECF No. 34 at 2.
Both Visa and MasterCard have sets of rules that directly regulate issuing banks and
acquiring banks. These rules are passed on through issuing banks’ agreements with cardholders
and acquiring banks’ agreements with merchants. See Am. Compl., ECF No. 27 at ¶¶ 25, 32;
Mot. to Dismiss, ECF No. 34 at 2–3; see also, e.g., Visa Rules, ECF No. 34-1, § 126.96.36.199 (“A
Member must . . . [e]nsure that agreements and contracts with agents and Merchants clearly
establish their responsibility to meet Visa standards . . . .”); MasterCard Rules, ECF No. 43-2, §
5.1 (“Each . . . Acquirer must directly enter into a written Merchant Agreement with each
Merchant . . . .”). 2 This chain of contractual relationships is illustrated in the diagram below.
“[T]he district court may consider documents referred to in the complaint if the documents are central to
the plaintiff’s claim and the parties do not dispute the documents’ authenticity.” Alvarado v. KOB-TV,
L.L.C., 493 F.3d 1210, 1215 (10th Cir. 2007) (quoting Jacobsen v. Deseret Book Co., 287 F.3d 936, 941
(10th Cir. 2002)).
The bank card associations’ rules require merchants like Noodles & Company to abide by
certain procedures in handling cardholders’ financial information. Most relevant here, Visa’s
and MasterCard’s rules require merchants to comply with the Payment Card Industry Data
Security Standard (“PCI DSS”). Visa Rules, ECF No. 34-1, § 188.8.131.52; MasterCard Sec. Rules
& Proc., ECF No. 34-3, § 10.1. That standard consists of the following list of best practices for
data security in the payment card industry:
Build and Maintain a Secure Network
1) Install and maintain a firewall configuration to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords and other security
Protect Cardholder Data
3) Protect stored cardholder data
4) Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5) Protect all systems against malware and regularly update anti-virus software or
6) Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7) Restrict access to cardholder data by business need to know
8) Identify and authenticate access to system components
9) Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
Maintain an Information Security Policy
12) Maintain a policy that addresses information security for all personnel.
Am. Compl., ECF No. 27 at ¶ 27 (quoting PCI Security Standards Council, PCI DSS Quick
Reference Guide: Understanding the Payment Card Industry Data Security Standard version
3.2, at 9 (May 2016),
=1472840893444). The PCI DSS also “sets forth detailed and comprehensive requirements that
must be followed to meet each of the 12 mandates.” Id. at ¶ 28.
In plaintiffs’ view, these rules and standards are merely “proof that Noodles was aware
that it had adopted a duty of care related to obtaining, processing, and protecting Plaintiffs’
customers’ personal and financial information.” Resp., ECF No. 36 at 9. They allege that
“independent” duties applicable to Noodles & Company include a duty to use reasonable care “in
obtaining and processing” customers’ payment-card data, a duty to “provide adequate security”
to protect customers’ data, and a duty to “prevent the foreseeable risk of harm to others.” 3 Id. at
10. Plaintiffs contend that these duties are not “imposed by a contract,” but instead are “separate
and apart from any contractual duties.” Id.
I am not persuaded. Rather, in my view, the duties identified by plaintiffs are not
independent of Noodles & Company’s contractual obligation to comply with the PCI DSS.
Three factors aid in determining the source of a legal duty: “(1) whether the relief sought in
negligence is the same as the contractual relief; (2) whether there is a recognized common law
duty of care in negligence; and (3) whether the negligence duty differs in any way from the
contractual duty.” BRW, Inc. v. Dufficy & Sons, Inc., 99 P.3d 66, 74 (Colo. 2004). Plaintiffs
here seek both monetary and injunctive relief; they cite no support for the existence of specific
common law or statutory duties of care related to data security; and, most important of all, these
duties are “created by, and completely contained in, the contractual provisions.” Grynberg v.
Agri Tech, Inc., 10 P.3d 1267, 1270 (Colo. 2000).
The PCI DSS’s twelve requirements incorporate dozens of specific directions to maintain
secure payment-card processing systems and protect cardholder data. See PCI Security
Standards Council, supra, at 12–25. For example, the standards require merchants to “[p]rotect
all system components and software from known vulnerabilities by installing applicable vendor3
Plaintiffs allege that the second duty of care—requiring Noodles & Company to use reasonable data
security measures—arises both from the common law and from the Federal Trade Commission (“FTC”)
Act’s prohibition on “unfair . . . practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). But whatever
the source of a purportedly independent duty, the Court must “focus first on the contractual context
among and between the parties to see whether there was a contractual relationship that established the
duty of care alleged to have been breached.” BRW, Inc. v. Dufficy & Sons, Inc., 99 P.3d 66, 74 (Colo.
2004). As a result, the analysis below applies equally to plaintiffs’ negligence and negligence per se
supplied security patches,” ensure that internal vulnerability scans do “not contain high-risk
vulnerabilities in any component in the cardholder data environment,” “[p]rohibit direct public
access between the Internet and any system component in the cardholder data environment,”
“[e]nsure that all anti-virus mechanisms are kept current,” and “[u]se network intrusion detection
and/or intrusion prevention techniques to detect and/or prevent intrusions into the network.” Id.
at 12, 17, 23.
Plaintiffs focus on Noodles & Company’s alleged failure to implement these exact best
practices that it was contractually obligated to follow. See ECF No. 36 at 1. However, “even if
[a] duty would be imposed in the absence of a contract, it is not independent of a contract that
‘memorialize[s]’ it.” Haynes Trane Serv. Agency, Inc. v. Am. Standard, Inc., 573 F.3d 947, 962
(10th Cir. 2009) (quoting BRW, 99 P.3d at 74); see also, e.g., Makoto USA, Inc. v. Russell, 250
P.3d 625, 627 (Colo. App. 2009) (“[I]ndependence is not shown simply because a duty also
exists outside the contract.”). And even if plaintiffs think Noodles & Company should have
done more, the PCI DSS appears to flesh out the entirety of the more general duties that plaintiffs
say Noodles & Company breached.
Moreover, the only breach plaintiffs identify that does not appear to be covered by the
PCI DSS—Noodles & Company’s alleged failure to upgrade its point-of-sale systems to accept
chip-based smart payment cards—is similarly a duty Noodles & Company “agree[d]” to take on.
ECF No. 36 at 1; ECF No. 27 at ¶ 32. According to plaintiffs, “the payment card industry also
set rules requiring all businesses to upgrade to new card readers that accept EMV chips” by
October 1, 2015. ECF No. 27 at ¶¶ 30–31. Plaintiffs claim that “[u]nder Card Operating
Regulations, businesses accepting payment cards, but not meeting the October 1, 2015 deadline,
agree to be liable for damages resulting from any data breaches.” Id. at ¶ 32. Plaintiffs have thus
failed to direct the Court’s attention to any duties of care Noodles & Company may have
breached that “differed from the dut[ies] arising out of [its] contracts.” BRW, 99 P.3d at 74.
It makes no difference that Noodles & Company’s contractual duties arise from a web of
interrelated agreements coordinated by Visa and MasterCard rather than bilateral contracts
between the merchant and plaintiffs. “The policies underlying the application of the economic
loss rule to commercial parties are unaffected by the absence of a one-to-one contract
relationship. Contractual duties arise just as surely from networks of interrelated contracts as
from two-party agreements.” BRW, 99 P.3d at 72. Plaintiffs argue that they “do not contract
with Noodles and are not in a position to ‘reliably allocate risks and costs during their
bargaining,’ because they are not parties to those contracts.” ECF No. 36 at 10 (quoting BRW,
99 P.3d at 72). But the case plaintiffs cite rejects this very argument, writing that “[i]n such a
contract chain, the parties do have the opportunity to bargain and define their rights and
remedies, or to decline to enter into the contractual relationship if they are not satisfied with it.”
BRW, 99 P.3d at 72.
What’s more, the Visa and MasterCard agreements include contractual remedies that may
address Noodles & Company’s alleged wrongdoing. MasterCard’s rules “enable an Issuer to
partially recover costs incurred in reissuing Cards and for enhanced monitoring of compromised
and/or potentially compromised MasterCard Accounts associated with an [Account Data
Compromise] Event.” MasterCard Sec. Rules & Proc., ECF No. 34-3, § 10.2.5.3. These rules
also enable partial recovery of certain fraud losses attributable to such a data compromise event.
Id. MasterCard reserves the right to determine if an event qualifies for this loss shifting, and it
may choose to limit an issuing bank’s operational reimbursement or fraud recovery. Id. The
parties have submitted only a short excerpt of Visa’s rules, but this includes a provision making
acquiring banks liable under certain circumstances when their merchants suffer counterfeit
losses. Visa Rules, ECF No. 34-1, § 10.11.1.1. Although this provision is narrower than
MasterCard’s comprehensive reimbursement rules, it suggests that Visa either might have
developed a similar rule, which the parties have not filed with the Court; or that it intentionally
did not adopt such a policy, in which case plaintiffs were on notice that Visa’s terms were not as
favorable in the event of a data breach. MasterCard presumably included an issuing bank
reimbursement policy in its rules because Visa and MasterCard require these banks to hold their
customers harmless for most types of fraudulent transactions made with their cards. See Visa
Rules, ECF No. 34-1, § 184.108.40.206; MasterCard Sec. Rules & Proc., ECF No. 34-2, § 6.3. This
Court has no business sidestepping the agreements that sophisticated commercial entities like
plaintiffs and Noodles & Company voluntarily entered into to allocate the risk of payment-card
In sum, “the duties allegedly breached were contained in the network of interrelated
contracts, and the economic loss rule applies.” BRW, 99 P.3d at 74. Plaintiffs’ negligence and
negligence per se claims are thus dismissed. 4 Since plaintiffs’ substantive claims fail, their
request for declaratory relief must also be dismissed.
Plaintiffs’ negligence per se claim would fail even if they had put forward an independent duty of care
arising from Section 5 of the FTC Act. To state a claim for negligence per se, plaintiffs must show that
“the statute was intended to protect against the type of injury she suffered and that she is a member of the
group of persons the statute was intended to protect.” Scott v. Matlack, Inc., 39 P.3d 1160, 1166 (Colo.
2002). Here, “[t]he paramount aim of the act is the protection of the public from the evils likely to result
from the destruction of competition or the restriction of it in a substantial degree . . . .” FTC v. Raladam
Co., 283 U.S. 643, 647–48 (1931). Section 5 in particular seeks to protect “consumer[s]” and
“competitor[s]” from “unfair trade practice[s].” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244
1. Defendant’s Motion to Dismiss [ECF No. 34] is GRANTED. Plaintiffs’ Amended
Consolidated Class Action Complaint is dismissed with prejudice. As the prevailing party,
defendant is awarded its reasonable costs pursuant to Fed. R. Civ. P. 54(d)(1) and
2. Plaintiffs’ Renewed Motion for Appointment of Interim Class Counsel [ECF No. 47]
DATED this 21st day of July, 2017.
BY THE COURT:
R. Brooke Jackson
United States District Judge
(1972). Plaintiffs have alleged no harm from “the destruction of competition,” and they are neither
Noodles & Company’s consumers nor its competitors, so they cannot recover under a theory of
negligence per se based on alleged violations of the FTC Act.
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?