Bellwether Community Credit Union v. Chipotle Mexican Grill, Inc.
Filing
83
ORDER granting in part and denying in part #57 Motion to Dismiss for Failure to State a Claim; denying #59 Motion to Strike #59 . Plaintiffs' Motion to Strike Exhibits AC Attached to Defendants Motion to Dismiss (ECF No. #59 ) is DENIED. Defendant's Motion to Dismiss (ECF No. #57 ) is GRANTED IN PART and DENIED IN PART. Claims 1, 3, 6, 7, 8, and 10 are DISMISSED WITH PREJUDICE. Claims 2 and 4 are DISMISSED WITHOUT PREJUDICE. The remainder of Defendant's Motion is DENIED. SO ORDERED by Judge William J. Martinez on 10/24/2018. (wjmlc2)
<![CDATA[
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLORADO
Judge William J. Martínez
Civil Action No. 17-cv-1102-WJM-STV
BELLWETHER COMMUNITY CREDIT UNION, on behalf of itself and all others
similarly situated,
Plaintiffs,
v.
CHIPOTLE MEXICAN GRILL, INC.,
Defendant.
ORDER GRANTING IN PART DEFENDANT’S MOTION TO DISMISS AND
DENYING PLAINTIFFS’ MOTION TO STRIKE EXHIBITS
This case arises out of a 2017 data breach of Defendant Chipotle Mexican Grill,
Inc.’s (“Chipotle”) computer system and point of service terminals which resulted in the
theft of customers’ credit card and debit card data. Plaintiffs Bellwether Community
Credit Union (“Bellwether) and Alcoa Community Federal Credit Union (“Alcoa”)
(together, “Plaintiffs”) are financial institutions whose members patronized Chipotle
during that period and whose data were compromised, forcing Plaintiffs to cancel and
replace members’ credit and debit cards and refund any fraudulent payment resulting
from the data breach.
Plaintiffs bring this lawsuit against Chipotle on behalf of themselves and those
similarly situated alleging eleven causes of action: negligence, negligence per se,
misappropriation of trade secrets, a claim for declaratory judgment, and violation of the
unfair competition laws of Arkansas, California, Florida, Maine, Massachusetts, New
Hampshire, and Vermont. (ECF No. 44.) Before the Court is Chipotle’s Motion to
Dismiss (“Motion”) all of Plaintiffs’ claims. (ECF No. 57.) Also before the Court is
Plaintiffs’ “Motion to Strike Exhibits A–C Attached to Defendant’s Motion to Dismiss”
(“Motion to Strike”). (ECF No. 59.) For the reasons set forth below, Plaintiffs’ Motion to
Strike is denied, and Defendant’s Motion is granted in part and denied in part.
I. BACKGROUND
The Court accepts the following facts as true for purposes of the Motion.
A.
Factual Background
Between March 24 and April 18, 2017, a hacker accessed Chipotle’s com puter
system and installed malware that impacted point of service (“POS”) terminals at more
than 2,200 Chipotle restaurants in the United States (the “Data Breach”). (ECF No. 44
¶ 1.)1 A POS system manages cash and credit card and debit card (“payment card”)
transactions. Approximately 70% of Chipotle’s sales are made by payment cards. (Id.
¶ 17.) When a payment card is used, data are passed from the card through a variety
of systems and networks before reaching the retailer’s payment processor. (Id. ¶ 18.)
“Before transmitting customer data . . . POS systems typical, and very briefly, store the
1
Plaintiffs filed a restricted version of their complaint that redacted from public view nonpublic information obtained from Chipotle in discovery and information regarding Chipotle’s data
security measures. (ECF No. 42; see ECF No. 43.) See D.C.COLO.LCivR 7.2. The Court will
cite to the publicly filed version, except for when referencing redacted information. In this
Order, the Court has endeavored to respect Defendant’s confidentiality interests. Nonetheless,
having weighed the parties’ confidentiality interests against the public’s right of access, the
Court finds that any Restricted material quoted or summarized below does not qualify for
Restricted Access to the extent quoted or summarized, particularly given the need to provide a
proper, publicly available explanation of the Court’s decision. See D.C.COLO.LCivR 7.2; cf.
Lucero v. Sandia Corp., 495 F. App’x 903, 913 (10th Cir. 2012) (“The strongest arguments for
[public] access [to court records] apply to materials used as the basis for a judicial decision of
the merits of the case, as by summary judgment.” (internal quotation marks omitted)).
2
data in plain text within the system’s memory.” (Id.) This information can be valuable to
hackers who can sell payment card data on the black market. (Id. ¶ 19.) Malware
installed on the POS systems allegedly permitted the hacker to access the names,
payment card numbers, card expiration dates, card verification values (“CVVs”), service
codes, and other information (“payment card data”) of customers who paid for their
purchases at Chipotle by payment card during the breach period. (Id.)
Understanding Plaintiffs’ claims requires understanding the mechanics of
payment card transactions. To process a single transaction, payment card data flows
through multiple systems and parties in four major steps. (Id. ¶¶ 83, 116).
•
Authorization: when a customer presents a card to make a purchase, the
merchant (here, Chipotle) requests authorization of the transaction from
the issuing bank (here, Plaintiffs) using the payment card data and the
relevant card network (e.g., Visa or MasterCard);
•
Clearance: if the issuing bank authorizes the transaction, the merchant
completes the transaction with the customer, and sends a purchase
receipt to its own bank (the “acquiring bank”);
•
Settlement: the acquiring bank pays merchant for the purchase and sends
the receipt to the issuing bank, who reimburses the acquiring bank; and
•
Post-settlement: the issuing bank charges the customer’s credit or debit
account.
(Id. ¶¶ 96, 116, 118.) See also Selco Cmty. Credit Union v. Noodles & Co., 267 F.
Supp. 3d 1288, 1294 (D. Colo. 2017) (explaining the same electronic payment
3
process); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 808–09 (7th
Cir. 2018). Though not explicit in the complaint’s description of a payment card
transaction, payment card networks (such as Visa or MasterCard) maintain
relationships with both issuing banks (such as Plaintiffs), acquiring banks (here,
Chipotle’s bank), and merchants (here, Chipotle). See Schnuck, 887 F.3d at 808–09.
Issuing banks, acquiring banks, and merchants join payment card networks to facilitate
transactions between merchants and consumers. Id. (See ECF No. 57-1; 57-2.)
Payment card networks govern how transactions occur though a series of contracts and
agreements. (ECF No. 44 ¶ 96; see ECF No. 57-1 (Visa rules); 57-2 (MasterCard
rules).) Credit card companies and financial institutions also issue “rules and standards
governing the basic measure that merchants must take to ensure consumers’ valuable
data are protected.” (ECF No. 44 ¶ 96.)
The payment card data, which are encoded on the magnetic strip or chip of a
payment card, are the means of authenticating the cardholder and authorizing the
transaction. (Id. ¶ 117.) Data are at risk both pre-authorization, when the merchant has
captured the data and they are being sent (or waiting to be sent) to the
acquirer/processor, as well as post-authorization, when data are sent back to the
merchant with authorization and are stored in merchant’s environment for analytics and
back-office processes. (Id. ¶ 83.) When payment card data are sent to the issuer
during the authorization step, the issuer uses the data “to locate the com puter data on
the financial institution’s computer for the payment card’s specific record.” (Id. ¶ 118.)
Thus, Plaintiffs contend, when payment card data are compromised, the corresponding
4
computer database records become susceptible to fraud. (Id. ¶ 119.)
When payment card data are compromised, the financial institution must issue a
replacement card with new payment card data. (Id. ¶¶ 122–23.) Financial institutions
are required by federal law to maintain various safeguards to protect the confidentiality
of payment card data and protect them against from unauthorized use or disclosure.
(Id. ¶ 133.) Federal law also makes financial institutions financially responsible from
fraudulent card activity. (Id. ¶ 126.) Thus, financial institutions, the alleged owners of
the payment card data, have multiple safeguards to maintain the confidentiality of
payment card data. (Id. ¶¶ 117, 133.)
Organizations issue rules and guidance for securing payment card data. The
Payment Card Industry Security Standards Council promulgated the Payment Card
Industry Data Security Standard (“PCI DSS”), twelve requirements which requires
organization to protect payment card data and maintain adequate security measures.
(Id. ¶¶ 97–98.) PCI DSS 3.2 “sets forth detailed and comprehensive requirements that
must be followed to meet each of the 12 mandates.” (Id. ¶ 99.) “Chipotle’s business
operations and payment systems are governed by PCI DSS.” (Id. ¶ 138.) Federal
agencies and other organizations have also issued guidance on how to adequately
secure data. (Id. ¶¶ 101–07.) Plaintiffs contend that they rely on merchants, including
Chipotle, to “keep that sensitive information secure from would-be data thieves in
accordance with at least the PCI DSS requirements.” (Id. ¶ 108.)
Plaintiffs allege that Chipotle ignored known risks to data security, disregarded
warnings that its POS was incompatible with antivirus software, refused to upgrade its
5
POS system when the manufacturer stopped providing security and technical updates,
lacked adequate firewall protection and segmentation, refused to implement protocols
that could have prevented malware from being installed on its systems, failed to
adequately track network access and unusual activity, and did not implement EMV chipbased technology for its POS systems. (Id. ¶¶ 39, 55–56, 63, 66, 76, 78, 81, 87–88,
90–92.) In addition, Plaintiffs claim that Chipotles senior management was aware of
the outdated nature of the POS systems but did not implement changes. (Id. ¶¶ 40, 58,
68, 89, 93).
Plaintiffs assert that there are numerous measures Chipotle could have taken to
prevent or limit unauthorized persons from accessing the POS systems, including endto-end encryption of data, tokenization, and use of EMV chip-based payment cards.
(Id. ¶¶ 4, 22, 84.) Encryption “mitigates security weaknesses that exist when [Payment
Card Data] has been capture but not yet authorized.” (Id. ¶ 84.) Tokenization protects
data by replacing payment card numbers with a series of letters and numbers as a
placeholder for payment card data after a transaction is authorized. (Id. ¶¶ 4, 84.)
EMV technology, which uses computer chips instead of the magnetic stripe to store
data, uses dynamic data, meaning that each time the EMV chip is used, it creates a
unique transaction code that cannot be reused. (Id. ¶ 91.) Thus, the switch from
magnetic strips to chip technology increases payment card data security. (Id.) The
payment card industry (e.g., MasterCard, Visa, Discover, and American Express) set a
deadline of October 1, 2015 for business to transition their POS systems to EVM
technology. (Id. ¶ 90.) Notably, Chipotle did not comply with the deadline, claiming that
6
the chip technology would slow down its customer lines. (Id. ¶¶ 90, 92.)
Plaintiffs allege that as a result of the breach, they have suffered a variety of
damages, including monetary and property damages. They allege that they were
forced to replace computer data rendered useless by the Data Breach, cancel or
reissue payment cards, close accounts impacted by the Data Breach, refund
cardholders for any unauthorized transactions, respond to cardholder complaints, and
increase fraud monitoring efforts. (Id. ¶ 7.)
B.
Procedural History
Bellwether filed a complaint on May 4, 2017 in this District. Bellwether alleged
that venue is proper in this District in part because “a substantial part of the events
giving rise to this action arose in this District.” (ECF No. 1 ¶ 13.) 2 On September 1,
2017, the undersigned granted Bellwether and Chipotle’s motion to consolidate this
action with Alcoa Community Federal Credit Union v. Chipotle Mexican Grill, Inc., Case
No. 17-cv-1283-RM-STV (D. Colo. filed May 26, 2017). (ECF No. 34.) Thereafter,
Plaintiffs filed a consolidated amended complaint. (ECF No. 44 (redacted); see ECF
No. 42 (unredacted).) Bellwether and Alcoa both allege claims of negligence,
negligence per se, misappropriation of trade secrets, and a claim under the Declaratory
Judgment Act. (ECF No. 44 ¶¶ 149–81, 275–79.)
Plaintiffs jointly assert their misappropriation and Declaratory Judgment Act
claims on behalf of a putative nationwide class of financial institutions, and their
negligence claims on behalf of a putative statewide class in each of Arkansas,
2
Plaintiffs similarly allege venue in their amended complaint. (ECF No. 44 ¶ 15.)]
7
California, Florida, Maine, Massachusetts, New Hampshire, and Vermont.3 (Id.
¶¶ 140–41.) Bellwether asserts violations of state unfair competition laws on behalf of
itself and putative state-wide classes in California, Florida, Maine, Massachusetts, New
Hampshire, and Vermont. (Id. ¶¶ 141, 195–274.) Alcoa asserts a similar putative class
claim under Arkansas’s unfair competition law. (Id. ¶¶ 182–94.) Each proposed
statewide class is defined as
All Financial Institutions—including, but not limited to, banks
and credit unions—that either (a) are located in Arkansas,
California, Florida, Maine, Massachusetts, New Hampshire,
. . . [and] Vermont . . . that issue payment cards, including
credit and debit cards, or perform, facilitate, or support cardissuing services, whose customers made purchases from
Chipotle stores from March 1, 2017 to the present, or (b)
have customers located in Arkansas, California, Florida,
Main, Massachusetts, New Hampshire, . . . [and] Vermont
. . . that were issued payment cards used at Chipotle stores
from March 1, 2017 to the present.
(Id. ¶ 141.)4
Chipotle moves to dismiss all claims in the amended complaint, attaching
excerpts of Visa and MasterCard’s rules for issuing banks. Plaintiffs filed a separate
“Motion to Strike Exhibits Attached to Defendant’s Motion to Dismiss” (“Motion to
Strike”). (ECF No. 59.) Chipotle filed two notices of supplemental authority in support
of its Motion. (ECF No. 68; ECF No. 78.)
3
Although Plaintiffs also, for some unknown reason, list Virginia and Wisconsin,
Plaintiffs assert no allegations related to either state. (ECF No. 44 ¶ 141.)
4
Again, Virginia and Wisconsin are also listed although Plaintiffs assert no claims
related to either state.
8
II. LEGAL STANDARD
A.
Article III Standing
Article III of the U.S. Constitution restricts federal courts to deciding “cases” and
“controversies.” See U.S. Const. art. III, § 2, cl. 1. These words have been interpreted
to restrict federal courts from giving “advisory opinions,” Flast v. Cohen, 392 U.S. 83, 96
(1968), meaning that a federal court may not resolve questions in the abstract, but
instead may only resolve “disputes arising out of specific facts when the resolution of
the dispute will have practical consequences to the conduct of the parties,” Columbian
Fin. Corp. v. BancInsure, Inc., 650 F.3d 1372, 1376 (10th Cir. 2011).
To safeguard this restriction, the Supreme Court has articulated a three-element
test for “Article III standing”:
First, the plaintiff must have suffered an “injury in fact”—an
invasion of a legally protected interest which is (a) concrete
and particularized, and (b) “actual or imminent, not
‘conjectural’ or ‘hypothetical.’” Second, there must be a
causal connection between the injury and the conduct
complained of . . . . Third, it must be “likely,” as opposed to
merely “speculative,” that the injury will be “redressed by a
favorable decision.”
Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992) (citations om itted; certain
alterations incorporated). Importantly, “the plaintiff bears the burden of proof” to
establish that these elements exist. Id. at 561; see also United States v. Bustillos, 31
F.3d 931, 933 (10th Cir. 1994) (“The party seeking to invoke the jurisdiction of a federal
court must demonstrate that the case is within the court’s jurisdiction. The facts
supporting jurisdiction must be affirmatively alleged, and if challenged, the burden is on
the party claiming that the court has subject matter jurisdiction.”). Preponderance of the
9
evidence is the proper burden of persuasion in a proceeding to determine subject
matter jurisdiction. Bustillos, 31 F.3d at 933.
B.
Rule 12(b)(6)
Under Federal Rule of Civil Procedure 12(b)(6), a party may move to dismiss a
claim in a complaint for “failure to state a claim upon which relief can be granted.” Rule
8 requires a complaint to contain “a short and plain statement showing that the pleader
is entitled to relief.” Fed. R. Civ. P. 8(a)(2). “Each allegation must be simple, concise,
and direct.” Id. 8(d). Rule 8(a) also requires minimal factual allegations on the material
elements that must be proven to recover on each of the Plaintiffs’ claims. Hall v.
Bellmon, 935 F.2d 1106, 1110 (10th Cir. 1991). Rule 12(b)(6) then req uires the Court
to “assume the truth of the plaintiff’s well-pleaded factual allegations and view them in
the light most favorable to the plaintiff.” Ridge at Red Hawk, LLC, 493 F.3d at 1177. In
ruling on such a motion, the dispositive inquiry is “whether the complaint contains
‘enough facts to state a claim to relief that is plausible on its face.’” Id. (quoting Bell Atl.
Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Ashcroft v. Iqbal, 556 U.S. 662,
678 (2009).
Granting a motion to dismiss “is a harsh remedy which must be cautiously
studied, not only to effectuate the spirit of the liberal rules of pleading, but also to
protect the interests of justice.” Dias v. City & Cnty. of Denver, 567 F.3d 1169, 1178
(10th Cir. 2009) (internal quotation marks omitted). “Thus, ‘a well-pleaded complaint
may proceed even if it strikes a savvy judge that actual proof of those facts is
improbable, and that a recovery is very remote and unlikely.’” Id. (quoting Twombly,
10
550 U.S. at 556). However, “[t]he burden is on the plaintiff to frame a complaint ‘with
enough factual matter (taken as true) to suggest’ that he or she is entitled to relief.”
Robbins v. Oklahoma, 519 F.3d 1242, 1247 (10th Cir. 2008) (quoting Twombly, 550
U.S. at 556). “[C]omplaints that are no more than ‘labels and conclusions’ or ‘a
formulaic recitation of the elements of a cause of action,’ . . . ‘will not do.’” Id. (quoting
Twombly, 550 U.S. at 555).
III. ANALYSIS
A.
Preliminary Matter of Documents Outside the Pleadings
Chipotle attaches to its Motion three additional docum ents for the Court’s
consideration, namely, excerpts of Visa and MasterCard’s payment card network rules.
(See ECF No. 57-1; 57-2; 57-3.) The Court may consider these documents if they are
(1) “mentioned in the complaint,” (2) “central to [the] claims [at issue],” and (3) not
challenged as inauthentic. Toone v. Wells Fargo Bank, N.A., 716 F.3d 516, 521 (10th
Cir. 2013).5
Chipotle’s Motion to dismiss Plaintiffs’ negligence claim relies in part on these
attached documents to establish that the parties’ relationship arises out of a network of
contractual obligations. (ECF No. 57 at 8–10.) However, Plaintiffs never allege the
existence of any contracts directly in the complaint, and artfully plead their claims
5
“If the rule were otherwise, a plaintiff with a deficient claim could survive a motion to
dismiss simply by not attaching a dispositive document upon which the plaintiff relied.” GFF
Corp. v. Associated Wholesale Grocers, Inc., 130 F.3d 1381, 1385 (10th Cir. 1997); see also
Magellan Int’l Corp. v. Salzgitter Handel GmbH, 76 F. Supp. 2d 919, 923 (N.D. Ill. 1999) (“it
would be totally wasteful to uphold a claim on the false premise created by less than complete
documentation when the delayed consideration of the remaining documents would lead to
dismissal of that claim”).
11
without stating the role of that payment card networks play in a payment card
transaction. Plaintiffs seek to exclude these network agreement exhibits as outside the
four corners of the complaint, inauthentic, and an “incomplete representation of the
scope of the contractual relationship that exists among all the relevant actors in the
payment card transaction process.” (ECF No. 59 at 2.)
The Court will consider these exhibits. Plaintiffs’ claims with regard to
transactions are rooted in the payment card network contracts which govern the
mechanics of payment card transactions. Plaintiffs allege the mechanics of payment
card transactions without making explicit the role of the payment card networks. (ECF
No. 44 ¶ 116.) The communication between customers, merchants, acquiring banks,
and issuing banks alleged by Plaintiffs is facilitated by the payment card networks.
Moreover, the existence of a relationship between the parties depends entirely on the
use of payment cards, and thus documents which may govern that relationship are
central to Plaintiffs’ negligence claim.
Plaintiffs’ challenge to the authenticity of the documents does not impact the
Court’s decision to consider the contracts. Chipotle explains the genesis of the
documents. (ECF No. 67 at 5.) One of the attachments was produced by MasterCard
in responses to plaintiffs’ subpoenas. (Id.; ECF No. 57-3.) The other documents are or
were publicly available. Moreover, Plaintiffs, as signatories to the agreements, should
be able to determine whether the documents are accurate or whether they are
inauthentic, and have asserted nothing that would make the Court doubt the
authenticity of the agreements. The Court will consider the documents as evidence of
12
the existence of a network of contracts that govern the payment card system, and thus
denies Plaintiffs’ Motion to Strike.
B.
Negligence
(Claim One)
Chipotle contends that Plaintiffs’ negligence claim is barred by the economic loss
rule because Chipotle’s relationship to Plaintiffs arises out of a series of contractual
agreements. (ECF No. 57.)
In Colorado, a party suffering only economic loss from breach of a contractual
duty may not assert a tort claim absent an independent duty of care.6 Town of Alma v.
AZCO Const., Inc., 10 P.3d 1256, 1264 (Colo. 2000) (concluding that the contract
assigned a duty of care and no independent duty existed to support a negligence
claim). “Economic loss is defined generally as damages other than physical harm to
persons or property.” Id. at 1264. To determine whether contract or tort law is the
source of the duty allegedly breached, courts look at “(1) whether the relief sought in
negligence is the same as the contractual relief; (2) whether there is a recognized
common law duty of care in negligence; and (3) whether the negligence duty differs in
any way from the contractual duty.” BRW, Inc. v. Dufficy & Sons, Inc., 99 P.3d 66, 74
(Colo. 2004).
The purpose of the economic loss rule is to prevent parties from turning contract
claims into tort claims, encourage parties to allocate risks and costs in their contract
bargaining, and enforce those expectancy interests. Id. at 72. The economic loss rule
thus serves to distinguish between contractual obligations and tort duties. Id. The
6
The parties agree that Colorado law applies to Plaintiffs’ negligence claims. (ECF No.
57 at 5; ECF No. 60 at 3 n.5.)
13
economic loss rule applies even when parties do not directly contract with one another
and the losses arise out of interrelated contracts. Id.
Two recent Colorado cases have explored the economic loss doctrine in the
context of a payment card data breach. In Noodles & Co., U.S. District Judge R.
Brooke Jackson of this District dismissed financial institutions’ negligence claims
against a restaurant chain pursuant to a data breach. 267 F. Supp. 3d 1288, 1294 (D.
Colo. 2017). Judge Jackson found that Visa and MasterCard’s rule required merchants
to comply with the PCI DSS and established best practices f or data security. Id. He
concluded that the financial institutions had not alleged any independent duty because
they sought monetary and injunctive relief and cited no support for the common law or
statutory source of the alleged independent duties, and because the duties w ere
contained in the contractual provisions. Id. at 1295.
In Gordon v. Chipotle Mexican Grill, Inc., impacted consumers brought
negligence claims against Chipotle for the same 2017 data breach at issue in this case.
2018 WL 3653173 (D. Colo. Aug. 1, 2018), adopted in part and rev’d in part, 2018 WL
3620342 (D. Colo. Sept. 26, 2018). U.S. Magistrate Judge Mark L. Carman, sitting in
this District by designation, found that plaintiffs failed to allege any independent duty for
merchants to safeguard consumers’ payment card data separate from the payment
card network agreements. Id.
The Court finds Noodles & Co. and Gordon persuasive. As in those two cases,
Plaintiffs have failed to establish that Chipotle owed a duty to them independent of the
interrelated contracts. Although Plaintiffs argue that the PCI DSS establish only a
14
minimum standard of care, and thus the duty in tort law differs from that under the
contracts, Plaintiffs entered into the contract and therefore agreed to the PCI DSS
security measures. Plaintiffs cite no support for the existence of specific common law
or statutory duties of care related to data security. See Noodles, 267 F. Supp. 3d at
1295. Moreover, the contracts govern the data security standards and impose duties
on the parties to protect data security in a specific way. Thus, the source of any duty
regarding data security arises under the contract. Because the source of the duty is
contained in the contract and there is no basis in Colorado statutory or common law for
imposing a duty of care related to data security, Plaintiffs’ claims are barred by the
economic loss doctrine.
Plaintiffs creatively argue that they suffered property damage to their computer
data in order to attempt to remove the dispute from the realm of the economic loss rule.
(ECF No. 60 20–21.) See Town of Alma, 10 P.3d at 1264. The property damage
exception exists because “tort law is designed to protect all citizens from the risk of
physical harm to their persons or to their property.” Id. Thus, if there is harm to
property, tort law, not contract law, should apply.
Damage to computer data is not the sort of “risk of physical harm to . . . property”
that would prevent the application of the economic loss doctrine, and mandate imposing
tort remedies as opposed to contractual ones. In re TJX Companies Retail Security
Breach Litigation, the First Circuit rejected a similar claim where plaintiffs alleged a
property interest in payment card information (electronic data). 564 F.3d 489, 498 (1st
Cir. 2009), as amended on reh'g in part (May 5, 2009). While the court acknowledged
15
that such data could have value and could be lost, it concluded that “the loss here is not
a result of physical destruction of property.” Id. Similarly, Plaintiffs’ alleged loss to the
value of electronic data did not result from any physical injury to property from the Data
Breach.
Plaintiffs also argue that a number of potential factual circumstances would
result in Plaintiffs’ losses not being covered by the contracts. (ECF No. 60 at 8.)
Plaintiffs also acknowledge that “all the facts are not before the Court.” (Id.) Notice
pleading does not require a complaint to cover all possible factual scenarios. However,
at the motion to dismiss stage, the Court must consider whether the facts before it state
a plausible claim for relief. The Court finds that, on the facts before it, Plaintiffs have
not stated a plausible negligence tort claim because the parties’ relationship arises out
of a network of contracts, and is thus barred by the economic loss doctrine. If there is a
plausible factual basis for asserting a negligence tort claim not barred by the economic
loss doctrine, Plaintiffs have failed to present it in their complaint.
Simply because a particular loss is not covered by the interrelated contracts,
does not necessarily mean that a plaintiff may state a claim where a network of
interrelated contracts imposes contractual obligations. See Schnuck Markets, Inc., 887
F.3d at 815. The Seventh Circuit recently explained that, even where the details of
reimbursement remedies were not clear from the contract excerpts presented, “what
matters is not the details of the remedies but their existence.” Id. (emphasis in original).
That court thus affirmed dismissal with prejudice of financial institutions’ negligence
claims against a merchant stating that “[t]he plaintiff banks seek additional recovery
because they are disappointed by the reimbursement they received through the
16
contractual card payment systems they joined voluntarily.” Id. The Court finds the
Seventh Circuit’s reasoning persuasive. No amount of amendment of the complaint
would change the essential fact that the payment card network agreements impose the
relevant duties at issue here and also govern the relief available to the allegedly
aggrieved parties. The Court will thus dismiss the negligence claim with prejudice.
C.
Negligence Per Se
(Claim 2)
Plaintiffs allege that Defendant was negligent per se because it violated a “clear
duty and standard of conduct” under Section 5 of the Federal Trade Commission Act
(the “FTC Act”). (ECF No. 44 at 58 ¶¶ 161–67; ECF No. 60 at 12–14.) Section 5
declares unlawful any “unfair methods of competition in or affecting commerce, and
unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).
Defendant contends that the FTC does not regulate security data and that Plaintiffs are
not within the class of persons Congress enacted the statute to protect. (ECF No. 57 at
15.)
In Colorado, before a plaintiff may use violation of a statutory standard to
establish negligence, “the plaintiff must show that he is a member of the class the
statute was intended to protect, and that the injuries he suffered were of the kind the
statute was enacted to prevent.” Largo Corp. v. Crespin, 727 P.2d 1098, 1108 (Colo.
1986). Thus, whether Plaintiffs can establish negligence per se depends on whether
Section 5 of the FTC Act was intended to protect entities like Plaintiffs.
In enacting Section 5 of the FTC Act, Congress “charged the FTC with
protecting consumers as well as competitors.” FTC v. Sperry & Hutchinson Co., 405
17
U.S. 233, 244 (1972). The paramount aim of the act is the protection of the public from
the evils likely to result from the destruction of competition or the restriction of it in a
substantial degree. Noodles, 267 F. Supp. 3d at 1297 n. 4 (quoting FTV v. Raladam
Co., 283 U.S. 643, 647–48 (1931)). Thus, to use Section 5 to establish negligence per
se, Plaintiffs must be consumers, competitors, or otherwise harmed by destruction of
competition resulting from Defendant’s acts. Id. In Noodles, Judge Jackson dismissed
a financial institution’s negligence per se claim against a merchant under similar facts to
the instant case because plaintiff was not within the scope of intended beneficiaries of
Section 5. Id.
The Court finds Noodles persuasive on this point. Like the plaintiffs in Noodles,
Plaintiffs here are financial institutions who are neither consumers nor competitors of
Chipotle. Nor have Plaintiffs alleged that they were otherwise harmed by destruction of
competition resulting from Chipotle’s acts. Instead, Plaintiffs merely allege that they are
“within the class of persons” protected by Section 5 because they are “engaged in trade
and commerce and bear primary responsibility for directly reimbursing customers for
fraud losses and maintaining the confidentiality of Payment Card Data.” (ECF No. 44
¶ 165.) Absent a showing of harm resulting from any restriction or destruction of
competition, Plaintiffs have not demonstrated that they are within the scope of intended
beneficiaries of Section 5. As such, under Colorado law, Plaintiffs cannot recover
under a theory of negligence per se based on violations of the FTC Act. The Court
therefore dismisses Claim 2 of Plaintiffs’ complaint. Because the Court cannot say with
certainty that Plaintiffs will be unable to plausibly plead in a future amended complaint
18
that they were “harmed by the restriction of competition[,]” the dismissal will be without
prejudice.
D.
Misappropriation of Trade Secrets
(Claim 3)
Plaintiffs allege that Chipotle violated the federal Defend Trade Secrets Act,
18 U.S.C. §§ 1831 et seq. (“DTSA”), the federal analogue to state misappropriation of
trade secret laws. The DTSA allows an owner of a misappropriated trade secret to
bring a civil action if the trade secret is “related to a product or service used in, or
intended for use in, interstate or foreign commerce” within three years. 18 U.S.C.
§ 1836(b). To state a claim for relief, Plaintiffs must allege: the existence of a trade
secret; misappropriation of that trade secret by Chipotle; and set forth how the trade
secret implicates interstate or foreign commerce. Space Sys./Loral, LLC v. Orbital ATK,
Inc., 306 F. Supp. 3d 845, 853 (E.D. Va. 2018); Bartlett v. Bartlett, 2017 WL 5499403,
at *5 (S.D. Ill. Nov. 16, 2017).
The DTSA defines a trade secret as “all forms and types of financial . . .
information, including . . . compilations . . . or codes. 18 U.S.C. § 1839(3). In addition,
an owner must take “reasonable measures” to keep secret, and the trade secret must
“derive[ ] independent economic value, actual or potential, from not being generally
known.” Id.
Neither party has cited any authority clearly establishing whether payment card
data are a trade secret, nor has the Court located any . Chipotle cites cases in which
courts have found that methods used to protect trade secrets, such as u sernames and
passwords, or the key to a safe, are not themselves trade secrets because their value is
19
derivative of the thing that it is intended to protect. See N. Star Media, LLC v.
Winogradsky-Sobel, 2011 WL 13220157, at *10–11 (C.D. Cal. May 23, 2011); State
Analysis, Inc. v. Am. Fin. Servs. Assoc., 621 F. Supp. 2d 309, 321 (E.D. Va. 2009); see
also MicroStrategy Inc. v. Bus. Objects, S.A., 331 F. Supp. 2d 396, 429 (E.D. Va. 2004)
(expressing skepticism that a CD key is a trade secret); Tryco, Inc. v. U.S. Med. Source,
L.L.C., 80 Va. Cir. 619 (2010) (“Courts have repeatedly held that collections of numbers
and/or letters, whose only value is to access other potentially valuable information, do
not by themselves have independent economic value.”). Thus, the access
mechanism—as opposed to the underlying information—has no independent economic
value.
Plaintiffs argue that the payment card information is their financial data that they
have taken reasonable measures to keep secret, and that these data ha ve
independent economic value. (ECF No. 44 ¶¶ 170–72; see ECF No. 60 at 15.)
Plaintiffs also allege a nexus to interstate and foreign commerce. (ECF No. 44 ¶ 169.)
Chipotle claims that payment card users are not under a legal obligation to keep
payment card information secret and that payment cards have no independent
economic value. (ECF No. 57 at 18–20.)
The Court finds that the payment card data has no independent econom ic value.
Payment card data (including cardholder names, credit or debit card numbers, and
corresponding CVVs) are akin to passwords and usernames that provide access to
something of value. See N. Star Media, 2011 WL 13220157, at *11. Like the
passwords and usernames at issue in North Star Media, payment card data merely
20
provides access to an individual’s line of credit with a financial institution or money in an
account with a financial institution. Absent a connection to either a line of credit or a
bank account, payment card data are simply a string of alpha or numeric (or indeed
other typographical) symbols. Thus, the Court concludes that payment card data have
no independent economic value.
The case cited by Plaintiffs does not support its argument. (ECF No. 60 at
16–17.) See Miller v. People, 566 P.2d 1059, 1060 (Colo. 1977) (“Valuation of credit
cards, however, presents a problem of first impression in this jurisdiction.”). In that
case, a criminal defendant attempted to sell a victim’s fourteen credit cards either back
to the victim or on the black market. Id. The question before the Colorado Supreme
Court was whether “street value” evidence was admissible to prove the value of credit
cards for the purposes of a theft prosecution. The Court determined that the credit
cards had “no market value in lawful channels,” and thus allowed evidence of their
black market value based on the $100 “authorization-free purchase limit.” Id. at 1061.
Thus, Miller suggests that credit cards have no lawful market value, even if they have
some illegitimate value on the black market. Id. Moreover, the Miller court tied the
black market value of a physical payment card directly to the users ability to access the
connected line of credit. Id. Thus, Miller can be read to support Defendant’s theory
that the payment card data have no independent value, but rather have value derived
from their connection to an underlying financial account.
In addition to not having independent economic value, payment card data do not
derive their value from their nondisclosure. Plaintiff argues that disclosure of payment
21
card data to a third party renders “computer data for the specific payment card . . .
susceptible to fraud” and therefore the data loses its integrity. (ECF No. 44 ¶ 119.)
This is partially correct. While disclosure to unauthorized third parties may make the
underlying data susceptible to fraud, disclosure to authorized third parties (such as
merchants) is the raison d’être of payment cards. In other words, disclosure to
authorized parties is what makes the payment card valuable because it provides access
to a line of credit or money in an account. Thus, because it derives value solely from
their authorized disclosure, payment card data are not a trade secret. See 18 U.S.C. §
1839(3).
Because the Court has determined that there is no trade secret to implicate the
application of the DTSA in the first instance, it does not need to assess whether the
payment card data were misappropriated. The Court thus dismisses Claim 3 with
prejudice.
E.
Declaratory and Injunctive Relief
(Claim 11)
Plaintiffs conflate requests for a declaratory judgment and injunctive relief in
Claim 11. First, Plaintiffs seek a declaration under the Declaratory Judgment Act,
28 U.S.C. §§ 2201, et seq., that Chipotle owes to them a legal duty to secure payment
card data, that Chipotle continues to breach this legal duty, and that these ongoing
breaches of duty continue to cause harm to Plaintiffs and members of the purported
classes. (ECF No. 44 ¶¶ 277–78.) Plaintiffs also ask that the Court issue injunctive
relief requiring Chipotle to employ additional security protocols. (Id. ¶ 279.)
22
“Injunctive relief is not a separate cause of action; rather it is one form of relief
for the other legal violations alleged.” Burns v. Mac, 2014 WL 1242032, at *2 n.1 (D.
Colo. Mar. 26, 2014). The Court thus interprets the request for injunctive relief as the
relief Plaintiffs would seek should they prevail on the merits of their claims.
The Declaratory Judgment Act, on the other hand, allows a party in an actual
case or controversy to ask the court to declare the rights or other legal relations of any
interested party seeking such a declaration. “The purpose of the Declaratory Judgment
Act is to settle actual controversies before they ripen into violations of law or a breach of
duty.” United States v. Fisher-Otis Co., 496 F.2d 1146, 1151 (10th Cir. 1974). T he
Declaratory Judgment Act allows parties who are uncertain of their legal rights to seek a
declaration of rights from a federal court prior to injury. Kunkel v. Cont’l Cas. Co., 866
F.2d 1269, 1274 (10th Cir. 1989); see also MedImmune, Inc. v. Genentech, Inc., 549
U.S. 118, 138 (2007) (“[T]he Act merely provides a different procedure for bringing an
actual case or controversy before a federal court. . . .”).
Chipotle summarily contends that Plaintiffs’ claim for declaratory relief is not an
independent cause of action, and thus should be dismissed. In support, Chipotle
quotes two cases out of context. First, in CCPS Transportation, LLC v. Sloan, the
Tenth Circuit found, in an unpublished decision, that Rule 54(b) certif ication of an order
granting partial summary judgment was inappropriate where plaintiff had improperly
separated his single claim into three parts, each corresponding to the relief requested.
611 F. App’x 931 (10th Cir. 2015). Here, unlike in CCPS Transportation, Plaintiffs do
not request a declaration merely as relief sought in connection with another claim;
23
rather Plaintiffs make a separate claim under the Declaratory Relief Act. Second, in
Savant Homes v. Collins, this Court dismissed a claim for declaratory relief, only after it
granted summary judgment on all other claims in the case, leaving the declaratory
judgment cause of action an empty vessel devoid of content and therefore—in that
context—purely a remedy and not a cause of action. 2015 WL 899302, at *11 (D.
Colo. Feb. 27, 2015), aff'd, 809 F.3d 1133 (10th Cir. 2016); cf. United Fire & Cas. Co. v.
Contractor Heating, Inc., 2008 WL 2572124, at *4 (D. Colo. June 24, 2008) (holding
that the “lack of an underlying complaint . . . [was] fatal to [the Court’s] ability to render
a decision in this action seeking anticipatory declaratory relief on the issue”). Here,
there is a live controversy, and as a result dismissal is not appropriate at this time.7 The
Court thus denies Chipotle’s Motion with respect to Claim 11.
F.
State Unfair Competition Law Claims
1.
Standing
Before addressing the individual state law claims, the Court must address
whether Bellwether has standing to assert claims under statutes of California, Florida,
Maine, Massachusetts, and Vermont law.8 At each stage of a case, a federal court
7
Chipotle makes a limited argument: Plaintiffs’ claim for declaratory relief is a remedy,
not a cause of action. As discussed, this is incorrect in the current context. Chipotle does not
raise any argument as to whether the Court should exercise its power to enter a declaratory
judgment. St. Paul Fire & Marine Ins. Co. v. Runyon, 53 F.3d 1167, 1168 (10th Cir. 1995)
(stating that whether a court should exercise power to enter a declaratory judgment is
committed to the sound discretion of the district court). Arguments not raised or inadequately
developed in an opening brief are waived. United States v. Hunter, 739 F.3d 492, 495 (10th
Cir. 2013) (deeming waived an argument inadequately developed in opening brief); Thompson
R2-J Sch. Dist. v. Luke P., ex rel. Jeff P., 540 F.3d 1143, 1148 n.3 (10th Cir. 2008) (same);
Rojem v. Gibson, 245 F.3d 1130, 1141 n.8 (10th Cir. 2001) (same).
8
Chipotle does not challenge Bellwether’s standing to bring claims under New
Hampshire law or Alcoa’s standing to bring claims under Arkansas law. Chipotle’s arguments
24
should satisfy itself as to the justiciability of the dispute presented, including the
standing of a plaintiff to maintain the action. Warth v. Seldin, 422 U.S. 490, 498 (1975).
If a plaintiff cannot establish standing, the court may not proceed with the case.
Citizens Concerned for Separation of Church and State v. City & Cnty. of Denver , 628
F.2d 1289, 1296 (10th Cir. 1980).
In a class action, the named plaintiffs must allege an actual injury, not an “injury
[that] has been suffered by other, unidentified members of the class.” Spokeo, Inc. v.
Robins, 136 S. Ct. 1540, 1547 n.6 (2016) (quoting Simon v. Eastern Ky. Welfare Rights
Org., 426 U.S. 26, 40 n.20 (1976)). “Standing is not dispensed in gross.” Davis v. Fed.
Election Comm’n, 544 U.S. 724, 734 (quoting Lewis v. Casey, 518 U.S. 343, 358 n.6
(1996)). Each plaintiff must “demonstrate standing for each claim he seeks to press”
and “for each form of relief” sought. DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 352
(2006). Under the “injury in fact” requirement of standing, an injury must “affect the
plaintiff in a personal and individual way.” Spokeo, 136 S. Ct. at 1548; Rector v. City &
Cnty. of Denver, 348 F.3d 935, 949 (10th Cir. 2003) (“A prerequisite for certification is
that the class representatives be a part of the class and possess the same interest and
suffer the same injury as class members.” (emphasis added)).
Chipotle argues that Bellwether has failed to plausibly allege that an injury
occurred in each relevant state, relying on Smith v. Pizza Hut, 2011 WL 2791331 (D.
Colo. July 14, 2011). (ECF No. 57 at 25.) In Smith, the court held that a plaintiff in an
Fair Labor Standards Act (“FLSA”) action did not “have standing to allege claims on his
to dismiss those claims will be addressed in turn below.
25
own behalf under the laws of states where he has never lived or resided because he
has not suffered an injury under those laws, nor is he protected by those laws.” 2011
WL 2791331, at *8. Similarly, in Clark v. Strad Energy Services, USA, Ltd., this Court
dismissed an FLSA plaintiff’s claim and class claims under Pennsylvania and Utah law
where the complaint made no allegations that the plaintiff had ever lived, worked, or
resided in either state, or otherwise established any connection to the state such that
the plaintiff would be subject to that state’s laws. 2018 WL 3647922, at *5 (D. Colo.
Aug. 1, 2018). The Court concluded that plaintiff had not suffered any injury under the
laws of those states and thus could not bring claims on behalf of a class under those
state laws. Id.
The instant case is distinguishable from Smith and Clark. In those cases, the
named plaintiff alleged no connection, however tenuous, to certain states other than
employment by an employer who also employed persons other than himself in those
states. See Smith, 2011 WL 2791331, at *8; Clark, 2018 WL 3647922, at *5. Here,
Bellwether—as a corporate person and as the nam ed plaintiff on behalf of a putative
class—alleges that, as a result of Chipotle’s conduct, it incurred losses in each of six
states. (ECF No. 44 ¶¶ 208, 221, 234, 247, 272.) T hese allegations are sufficient to
allow Bellwether to attempt to establish a claim under the laws of those states. Thus,
Bellwether has pled an injury in fact caused by Chipotle in each state. See Lujan, 504
U.S. at 560–61.
Moreover, Bellwether’s injuries would be redressed by a favorable decision if the
Court were to award legal or equitable relief as a remedy for alleged injuries. See id.
26
Bellwether has thus met its burden to establish standing under the laws of each state
referenced in its complaint. See id. Because Bellwether has standing, the Court will
address each of Chipotle’s remaining arguments to dismiss the state law claims directly
on their merits.
2.
Arkansas Deceptive Trade Practices Act
(Claim 4)
The Arkansas Deceptive Trade Practices Act, Ark. Code Ann. §§ 4-88-101 et
seq. (“ADTPA”), lists specific types of behavior which constitute deceptive and
unconscionable trade practices, and includes a catchall prov ision which prohibits
“[e]ngaging in any other unconscionable, false, or deceptive act or practices in
business, commerce, or trade.” Ark. Code. Ann. § 4-88-107(a)(10). “The elements of
such a cause of action are (1) a deceptive consumer-oriented act or practice which is
misleading in a material respect and (2) injury resulting from such act.” Apprentice Info.
Sys., Inc. v. DataScout, LLC, 544 S.W.3d 536, 539 (Ark. 2018).
“An ‘unconscionable’ act is an act that ‘affront[s] the sense of justice, decency, or
reasonableness’” and may include conduct that violates Arkansas public policy or
statutes. Baptist Health v. Murphy, 226 S.W.3d 800, 811 & n.6 (Ark. 2006) (quoting
Black’s Law Dictionary 1561 (8th ed. 2004)). However, not every allegation of illegal
conduct or violations of public policy is a violation of the ADTPA. Universal
Cooperatives, Inc. v. AAC Flying Serv., Inc., 710 F.3d 790, 795 (8th Cir. 2013). Courts
have refused to “convert the relatively nuanced modifying phrase chosen by the state
legislature for the catch-all provision—‘unconscionable, false, or deceptive’—into a
general reference to any unlawful conduct.” Id.; Dickinson v. SunTrust Mortg., Inc.,
27
2015 WL 1868827, at *2 (E.D. Ark. Apr. 23, 2015); Chruby v. Glob. Tel*link Corp., 2017
WL 4320330, at *11 (W.D. Ark. Sept. 28, 2017). Thus, the Eighth Circuit interpreted
the term “unconscionable” in the catch-all subsection to include instances of “false
representation, fraud, or the improper use of economic leverage in a trade transaction.”
Universal Cooperatives, 710 F.3d at 796.
Chipotle contends that Alcoa’s allegation is unrelated to fraud or improper
application of economic leverage, and is thus insufficient to establish unconscionable
conduct under ADTPA. (ECF No. 57 at 21; ECF No. 66 at 15.) Alcoa argues that, for
Chipotle’s own economic benefit and to the detriment of consumers and competition,
Chipotle maintained inadequate data security measures, which in turn undermined
Arkansas’s public policy that businesses protect personal and financial information.
(ECF No. 44 ¶¶ 187–88, 191; ECF No. 60 at 28.) See Ark. Code Ann. §§ 4-110-102 to
-103 (encouraging businesses that acquire personal information about Arkansas
citizens to “provide reasonable security” for individual’s names when combined with
payment card numbers, security or access codes, or passwords).
The Court concludes that Alcoa has not stated a claim for relief on the facts
alleged. As explained in Universal Cooperatives, the violations of public policy and the
complained-of conduct must relate to, among other things, the improper application of
economic leverage in a trade transaction. Thus, Chipotle’s alleged violation of
Arkansas public policy set forth in Ark. Code Ann. §§ 4-100-102 and -103 is not, w ithout
more, sufficient to state a claim for relief under ADTPA. Alcoa has also not alleged
facts to support a claim that Chipotle used improper “economic leverage in a trade
transaction.” See Universal Cooperatives, 710 F.3d at 795. W hile Alcoa alleges that
28
“Chipotle cut corners and saved money,” Alcoa does not address how Chipotle’s
decisions improperly used economic leverage. Nor does Alcoa tie any improper
leverage to a trade transaction. Moreover, Alcoa has not alleged facts to support that
Chipotle’s choices were “misleading in a material respect.” See Apprentice Info. Sys.,
544 S.W.3d at 539. The Court thus dismisses Alcoa’s ADTPA claim.
3.
California Unfair Competition Law
(Claim 5)
California’s Unfair Competition Law (“UCL”) provides a cause of action for
unlawful, unfair, or fraudulent business practices. Cal. Bus. & Prof. Code §§ 17200 et
seq. Under the UCL, standing is expansive and remedies are limited. Korea Supply
Co. v. Lockheed Martin Corp., 63 P.3d 937, 943 (Cal. 2003). Unfair competition claims
may be brought “by any person acting for the interests of itself, its members or the
general public,” to obtain equitable relief. Id. (quoting Cal. Bus. & Prof. Code § 17204).
Private individuals may seek restitution or injunctive relief. In re Anthem, Inc. Data
Breach Litig., 162 F. Supp. 3d 953, 984 (N.D. Cal. 2016). Notably , “[d]amages cannot
be recovered.” Korea Supply Co., 29 Cal. 4th at 1143.
The theory of harm alleged by Bellwether is similar to the harm alleged in a
consumer action pending against Chipotle in this District. In Gordon v. Chipotle, the
plaintiffs did not allege a threat of future harm if or when they make another purchase at
Chipotle with a payment card. 2018 WL 4620342, at *15 (D. Colo. Sept. 26, 2018).
Instead, another judge of this District Court allowed the plaintiffs’ UCL claim to proceed
because the plaintiffs there had alleged that they remained at risk of future damages
because their personal information remained on Chipotle’s insufficiently secured
29
servers. Id. (“[I]f Plaintiff prove a realistic threat of future harm, they could be entitle to
injunctive relief under California’s Unfair Competition Law.”).
In the instant proceeding, Bellwether contends that it “continue[s] to suffer injury
as additional fraudulent charges are being made on payment cards issued to Chipotle
customers.” (ECF No. 44 ¶ 277.) 9 Like the plaintiffs in Gordon, Bellwether plausibly
claims that it could be injured in the future as a result of the breach. Thus, Bellwether
has stated a claim for relief under the UCL. The Court thus denies Chipotle’s Motion
with respect to Claim 5.
4.
Florida Deceptive and Unfair Trade Practices Act
(Claim 6)
Bellwether also claims that Chipotle violated the Florida Deceptive and Unfair
Trade Practices Act, Fla. Stat. §§ 501.201 et seq. (“FDUTPA”). (ECF No. 44
¶¶ 211–23.)
Florida appellate courts have conflicting views on whether the FDUTPA extends
to out-of-state consumers, and the Florida Supreme Court has not resolved this issue.
Ohio State Troopers Ass’n, Inc. v. Point Blank Enters., Inc., 2018 WL 3109632, at *4
(S.D. Fla. Apr. 5, 2018). Compare Oce Printing Sys. USA, Inc. v. Mailers Data Servs.,
Inc., 760 So. 2d 1037, 1042 (Fla. 2d Dist. Ct. App. 2000) (“[O]nly in-state consumers
9
Bellwether also argues that the risk of another data breach is “real, immediate, and
substantial,” such that Bellwether is entitled to injunctive relief. (ECF No. 60 at 22.) Allegations
based solely on speculation that Chipotle’s systems would again be breached are likely
insufficient to state a claim for future harm, particularly where only names, credit and debit card
numbers, expiration dates, CVVs, service codes and “other information” are at alleged risk. In
re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 965–66
(S.D. Cal. 2012) (“Plaintiffs’ allegations that the heightened risk of identity theft, time and money
spent on mitigation of that risk, and property value in one’s information, do not suffice as injury
under the UCL. . . .”).
30
can pursue a valid claim under the Unfair Trade Act.”) with Millennium Commc’ns &
Fulfillment, Inc. v. Office of Attorney Gen., Dep’t of Legal Affairs, State of Fla., 761 So.
2d 1256, 1262 (Fla. Dist. Ct. App. 2000) (“[W ]e can discern no legislative intent for the
Department to be precluded from taking corrective measures under FDUTPA even
where those persons affected by the conduct reside outside of the state.”). “Most
federal courts in the Southern District of Florida that have considered the issue have
followed Millennium,” which permits out-of-state consumers to sue under certain
circumstances. Ohio State Troopers, 2018 WL 3109632, at *4 (citation omitted).
“Federal courts in the Middle District of Florida agree.” Bank of Am., N.A. v. Zaskey,
2016 WL 2897410, at *9 (S.D. Fla. May 18, 2016) (citing cases). Federal courts in
Florida generally allow out-of-state consumers to pursue a claim under FDUTPA “if the
offending conduct took place predominantly or entirely in Florida.” Karhu v. Vital
Pharm., Inc., 2013 WL 4047016, at *10 (S.D. Fla. Aug. 9, 2013). The Court will apply
the standard applied by most Florida federal courts.
Chipotle contends that Bellwether fails to state a claim under FDUTPA because
the law “does not apply to a New Hampshire bank’s claim against a Colorado company
where few, if any, of the allegations in the complaint actually occurred in Florida.” (ECF
No. 57 at 27.) In response, Bellwether states that Chipotle’s “lax data security extended
to its Florida restaurants where the inadequately protected POS systems were located,”
the allegedly breached data “belonged to Florida consumers,” and “Florida-based
financial institutions suffered damages [in Florida] when they reimbursed consumers
. . . and incurred additional operational costs.” (ECF No. 60 at 23; see ECF No. 44
31
¶ 221.) Bellwether notes that the putative Florida class is limited to financial institutions
with Florida-based customers or Florida-based financial institutions. (ECF No. 60 at
23.) Bellwether also alleges in its venue statement that a “substantial part of the events
giving rise to the action” arose in Colorado. (ECF No. 44 ¶ 15.)
Bellwether’s allegations do not state a claim under FDUTPA because they do not
plausibly establish that the offending conduct took place “predominantly or entirely” in
Florida. See Karhu, 2013 WL 4047016, at *10. W hile Bellwether pleads that it has
members located in Florida whose payment cards were impacted by the breach (see
ECF No. 44 ¶ 221), this allegation alone is not sufficient to plausibly establish that the
conduct occurred predominantly or entirely in Florida. This is particularly so in light of
Bellwether’s competing and indeed conflicting allegation—for purposes of establishing
venue in the District of Colorado in the first instance—that the events at issue in this
litigation substantially occurred in Colorado. Cf. Amjad Ltd. v. Ocean Marine Eng’g,
2017 WL 1365580 (M.D. Fla. Apr. 14, 2017) (finding that allegations of venue that
supported personal jurisdiction over the defendant in Florida also “suffice[d] to establish
that a substantial part of events giving rise to the claims occurred in this district”).
Because claims can “substantially” occur only in one place, venue in Colorado and
venue for purposes of Bellwether’s FDUTPA claims are, in this context, mutually
exclusive.
In addition, Bellwether cannot rely on the alleged injuries of unnamed Florida
class members to support a claim for relief under FDUTPA. See Smith, 2011 WL
32
2791331, at *8; Clark, 2018 WL 3647922, at *5. Therefore, the Court grants Chipotle’s
motion as to Claim 6 with prejudice.
5.
Maine Unfair Trade Practices Act
(Claim 7)
The Maine Unfair Trade Practices Act (“MUTPA”) provides a private right of
action to “any person who purchases or leases goods, service or property, real or
personal, primarily for personal, family or household purposes and thereby suffers any
loss of money or property, real or personal” as the result of an unfair trade practice.
Me. Rev. Stat. tit. 5, § 213(1); Campbell v. First Am. Title Ins. Co., 644 F. Supp. 2d 126,
134 (D. Me. 2009); Enercon v. Global. Computer Supplies, Inc., 675 F. Supp. 2d 188,
193 (D. Me. 2009) (dismissing with prejudice a claim under the statute where the
plaintiff purchased a good primarily for resale purposes).
Chipotle argues that Bellwether did not purchase anything from it, and thus
cannot state a claim under Maine law. (ECF No 57 at 28.) Bellwether does not dispute
this statement. Instead, Bellwether urges the Court to “reject such a narrow
interpretation” of MUTPA. (ECF No. 60 at 25.) In support, Bellwether cites two cases
from the Northern District of California and Eastern District of Pennsylvania which, they
contend, support construing similar statutory language broadly and allowing “legal
entities to assert claims on behalf of personal users.” (Id.)
The Court declines to construe this provision broadly. The First Circuit observed
that “the Maine courts have consistently read the private right of action provision of the
[M]UTPA narrowly” and that “narrow application of the private right of action section is
consistent with the Maine legislature’s choice of statutory language, which is narrower
than that of other states.” Anderson v. Hannaford Bros. Co., 659 F.3d 151, 160 (1st
33
Cir. 2011). For example, one court dismissed the MUTPA claim of a minor because
“his parents, not he, purchased the defendant’s product.” Hoglund ex rel. Johnson v.
DiamlerChrysler Corp., 102 F. Supp. 2d 30, 31 (D. Me. 2000).
Bellwether has not alleged a plausible claim under the plain terms of the
MUTPA. Bellwether merely alleges that its members located in Maine used payment
cards “to purchase food for personal consumption from Chipotle” and that Bellwether
was injured because it had to reimburse members for fraudulent transactions and
reissue payment cards. (ECF No. 44 ¶ 234.) Notably, Bellwether does not allege that it
made a purchase from Chipotle “primarily for personal, family or household purposes.”
Indeed, such a claim would be inconsistent with Bellwether’s theory of the case. Given
that Bellwether has not and cannot make such a claim, the Court finds that Bellwether
has failed to state a claim for relief under MUTPA and dismisses the MUTPA claim with
prejudice. See Enercon, 675 F. Supp. 2d at 193.
6.
Massachusetts Consumer Protection Act
(Claim 8)
The Massachusetts Consumer Protection Act, Mass. Gen. Laws Ann. ch. 93A et
seq. (“Chapter 93A”), requires that “the alleged unfair method of competition or the
unfair or deceptive act or practice occur[ ] primarily and substantially within
[Massachusetts].” Mass. Gen. Laws Ann. ch. 93A, § 11. The statute allocates the
burden of proof to the party claiming that transactions or actions did not occur “primarily
and substantially” within Massachusetts. Id. “Section 11 suggests an approach in
which a judge should, after making findings of fact, and after considering those findings
in the context of the entire § 11 claim, determine whether the center of gravity of the
34
circumstances that give rise to the claim is primarily and substantially within the
Commonwealth.” Kuwaiti Danish Computer Co. v. Digital Equip. Corp., 781 N.E.2d
787, 799 (Mass. 2003). “The applicable standard is not ‘some acts,’ but rather, whether
in their totality, the facts establish” Massachusetts as the center of gravity for the
relevant conduct. Evergreen Partnering Grp., Inc. v. Pactiv Corp., 2014 WL 304070, at
*4 (D. Mass. Jan. 28, 2014). While Massachusetts courts have refused to create a list
of factors to be used in determining the center of gravity, courts consider the alleged
place of injury or loss, where the deceptive or unfair conduct occurred, the number of
instances of misconduct, and the severity of each instance of misconduct. Kuwaiti
Danish Computer Co., 781 N.E.2d at 798–99; Evergreen, 2014 WL 304070, at *4–5.
Chipotle argues that the alleged unfair practices did not primarily and
substantially occur in Massachusetts. (ECF No. 57 at 32.) In support of its argument,
and without citation to the complaint, Chipotle asserts that “Bellwether is headquartered
in New Hampshire” and that Bellwether “alleged that Chipotle harmed it through
conduct occurring in Colorado.” (Id.) While Chipotle recognizes that Bellwether issued
“some unidentified number of replacement cards” to Massachusetts customers, it
contends that fact alone is in insufficient to establish Massachusetts as the center of
gravity. (Id.) As a factual matter, Chipotle somewhat overstates Bellwether’s pleadings:
Bellwether did not allege that Chipotle’s conduct occurred in Colorado. Instead,
Bellwether states that Chipotle “conducts substantial business” in the District of
Colorado, has an executive office in Denver, Colorado, and that a “substantial part of
35
the events giving rise to this action arose in” the District of Colorado.” (ECF No. 44
¶¶ 11, 14.)
In response, Bellwether states that its complaint alleges that its claim “occurred
primarily and substantially” in Massachusetts because Chipotle’s unlawful conduct was
intended to and did impact transactions at its Massachusetts-based stores, cards used
by Massachusetts consumers were stolen in Massachusetts and used to commit fraud
there, and Chipotle’s unlawful conduct interfered with trade or commerce in
Massachusetts. (ECF No. 60 at 27; ECF No. 44 ¶¶ 246–47.) Bellw ether adds that
“members of the Massachusetts Class were located in Massachusetts and incurred
losses and suffered damages there.” (ECF No. 60 at 27; ECF No. 44 ¶ 246.)
The Court finds that Bellwether has not alleged the requisite facts to support a
claim for relief under Chapter 93A. Specifically, as discussed above in relation to the
FDUTPA claim, Bellwether’s own allegations state that a “substantial part of the events
giving rise to this action” arose in Colorado. (ECF No. 44 ¶ 15.) T his claim is at odds
with Bellwether’s claim that Chipotle’s acts “occurred primarily and substantially in
Massachusetts.” (Id. ¶ 246.) Again, both statements cannot factually be true and this
Court is not required to accept Plaintiff’s related legal contentions as valid.
As for Bellwether’s other allegations about activities in Massachusetts,
Bellwether cannot rely on the injuries of unidentified members of a proposed
Massachusetts Class to support Bellwether’s own claim for relief. See Smith, 2011 WL
2791331, at *8; Clark, 2018 WL 3647922, at *5. Bellwether’s remaining allegations
establish only that “some acts” took place in Massachusetts, not that Massachusetts
was the center of gravity of those facts. See Evergreen, 2014 WL 304070 at *5;
36
Fishman Transducers, Inc. v. Paul, 684 F.3d 187, 197 (1st Cir. 2012) (“W here
wrongdoing is not focused on Massachusetts but has relevant and substantial impact
across the country, the ‘primarily’ requirement of section 11 cannot be satisfied.”). Even
accepting Bellwether’s allegations as true, it has not plausibly alleged that a substantial
part of the conduct at issue occurred in Massachusetts. T herefore the Court finds that
Bellwether has not stated a claim for relief under Chapter 93A. See Ridge at Red
Hawk, LLC, 493 F.3d at 1177. 10
Moreover, as discussed in the context of Bellwether’s FDUTPA claim, claims
may “substantially” occur in only one place. Thus, venue in this District and a Chapter
93A claim are mutually exclusive. Compare 28 U.S.C. § 1391(b)(2) (allowing a civil
action to be brought in a judicial district where a “substantial part of the events or
omissions giving rise to the claim occurred”) with Mass. Gen. Laws Ann. ch. 93A, § 11
(requiring “the alleged unfair method of competition or the unfair or deceptive act or
practice [to occur] primarily and substantially within [Massachusetts]”). The Court
therefore grants Chipotle’s Motion as to Claim 8 with prejudice.
10
The Court also notes the inherent tension between the FDUTPA and Chapter 93A
claims. The unfair competition laws in Florida and Massachusetts each require that a
substantial action occur within the state. While these claim may be pled in the alternative at the
pleadings state, as a factual matter it simply cannot be that the claims occurred “predominantly
or entirely” in Florida and also “primarily and substantially” in Massachusetts. Even if this issue
is not predominant at the pleadings stage, it would arise either at the Rule 23 or Rule 56 stages
of these proceedings. Specifically, at the Rule 23 stage, a single plaintiff would have difficulty
establishing him or herself as a typical or adequate representative of both the Florida and
Massachusetts classes: a named plaintiff must personally have standing to be an adequate
representative, and a single plaintiff would likely not have standing under both Florida and
Massachusetts unfair competition laws. See Fed R. Civ. P. 23; Smith, 2011 WL 2791331, at
*8. At the Rule 56 stage, only one state could factually be the locus of the claims. Thus,
depending on the factual development of the case, the Court would likely be compelled to grant
summary judgment dismissing at least one of these two claims.
37
7.
New Hampshire Consumer Protection Act
(Claim 9)
The New Hampshire Consumer Protection Act (“NHCPA”) makes it unlawful “for
any person to use any unfair method of competition or any unfair or deceptive act or
practice in the conduct of any trade or commerce” and enumerates seventeen unlawful
types of unfairly competitive or deceptive acts. N.H. Rev. Stat. Ann. § 358-A:2.
However, the statutory list is not exhaustive, and other actions may constitute prohibited
conduct as long as they are “of the same type as proscribed by the enumerated
categories.” State v. Moran, 861 A.2d 763, 765 (N.H. 2004); see Roberts v. Gen.
Motors Corp., 643 A.2d 956, 960 (N.H. 1994). To determine whether an action is “of
the same type,” New Hampshire courts employ a “rascality test.” Moran, 861 A.2d at
765.11 “Under the rascality test, the objectionable conduct must attain a level of
11
Chipotle seemingly suggests that Bellwether must satisfy the “same type”
requirement under the NHCPA and the rascality test. (ECF No. 23–24; see ECF No. 60 at 20.)
This is not so. New Hampshire courts use the rascality test to determine whether a violation is
of the “same type” of act as the enumerated provision in the NHCPA. This is but one more
example of unforced errors by Defendant in briefing this Motion.
The Court is disappointed with the sloppy briefing with which it has had to contend in
support of and in opposition to the Motion on critical issues. The Court expects that
sophisticated parties, represented by sophisticated (and no doubt, expensive) counsel to make
reasonable, developed arguments based on correct statements of law. Both parties, but most
notably counsel for the Defendant, have repeatedly failed to do so. For instance, Defendant
argued that Bellwether failed to meet a notice requirement under Chapter 93A Section 9 even
though Bellwether pled a claim under Section 11, which does not have a notice requirement;
Defendant cited an ADTPA statute that was recently amended and did not apply retroactively,
and thus was inapplicable to the present dispute; and it also argued that Bellwether was
required to allege the “same type” of act under the NHCPA and meet the rascality test, when it
is clear from the caselaw that New Hampshire uses the rascality test to determine whether an
act qualifies as the “same type” as those enumerated under the NHCPA. Both parties also
briefed certain issues on a very cursory or superficial level, requiring the Court to undertake a
large part of the heavy lifting in regards to the necessary legal research needed to resolve the
large multitude of issues raised by the Defendant’s sprawling Motion. Counsel are on notice
that the Court will not further tolerate such sloppy lawyering, and that it will not hesitate to
summarily reject out of hand inadequately developed arguments, especially in the context of
anticipated future Rule 23 and Rule 56 briefing.
38
rascality that would raise an eyebrow of someone inured to the rough and tumble of the
world of commerce.” Id. (Internal quotations omitted). In addition, New Hampshire
courts look to the federal court’s interpretation of the FTCA for guidance in determining
“what actions are unlawful outside the enumerated categories.” Id. at 765–66.
It is “especially difficult” to show rascality in business-to-business transactions.
Animal Hosp. of Nashua, Inc. v. Antech Diagnostics, 2012 WL 1801742 (D.N.H. May
17, 2012). “[I]n the ‘rough and tumble’ of arms-length business transactions, common
disputes over broken promises ordinarily will not rise to a level sufficient to support a
claim under the Act.” Orion Seafood Int’l Inc. v. Supreme Grp. B.V., 2012 WL 3765172,
at *5 (D.N.H. Aug. 29, 2012). Thus, contractual breach alone does not satisf y the level
of rascality required. Beer v. Bennett, 993 A.2d 765, 769 (N.H. 2010). Similarly,
negligence claims are not generally cognizable under the NHCPA. Yost v. US Airways,
Inc., 2011 WL 1655714, at *3 (D.N.H. May 2, 2011). Instead, NHCPA claims require a
“degree of knowledge or intent,” although reckless disregard may also satisfy that
requirement. Kelton v. Hollis Ranch, LLC, 927 A.2d 1243, 1246 (N.H. 2007); Beer, 993
A.2d at 769. Often, whether a party has committed an unfair or deceptive act under the
NHCPA is a question of fact. Fin Brand Positioning, LLC v. Take 2 Dough Prods., Inc. ,
2012 WL 27917, at *9 (D.N.H. Jan. 5, 2012).
Chipotle argues that its conduct related to data security does not fall within
these enumerated prohibited practices, and thus the claim should be dismissed. (ECF
No. 57 at 27.) It also argues that Bellwether fails to satisfy the rascality test. In
39
response, Bellwether contends that Chipotle’s conduct meets the rascality standard.
(ECF No. 60 at 21.) The Court agrees with Bellwether on this issue.
Bellwether alleges that Chipotle was aware that it received payment card
information that could be used for nefarious purposes by unauthorized third parties, that
its stores a significant volume of payment card transactions, and that failure to
safeguard that data could result in significant harm. (ECF No. 44 ¶¶ 24–26.)
Bellwether adds that Chipotle ignored well-known data security risks thus allowing
deficiencies to persist, disregarded warnings that its POS system was incompatible with
antivirus software, and lacked adequate firewall protection. (Id. ¶ 39.) Bellwether also
contends that “Chipotle’s senior management . . . knowingly failed to upgrade POS
hardware and software and failed to maintain a system of accountability over data
security.” (Id. ¶ 40.) Taking Bellwether’s allegations in the light most favorable to it,
Bellwether has sufficiently alleged that Chipotle, at a minimum, recklessly disregarded
risks to its data security systems when it decided not to upgrade its POS systems.
Such a failure could “raise an eyebrow,” as required by New Hampshire’s rascality test.
Thus, the Court finds that Bellwether has stated a claim under NHCPA.
8.
Vermont Consumer Fraud Act
(Claim 10)
Vermont’s Consumer Fraud Act (“VCFA”) provides a private right of action to
“any consumer” who either contracts for goods or services in reliance on, or who
sustains damages or injury as a result of, fraudulent statements, unfair competition, or
deceptive trade practices may sue for equitable relief and may recover damages from
the “seller, solicitor, or other violator.” Vt. Stat. Ann. tit. 9, § 2461(b). The VCFA
defines “consumer” as, among other things,
40
a person who purchases, leases, contracts for, or otherwise
agrees to pay consideration for goods or services not for
resale in the ordinary course of his or her trade or business
but for the use or benefit of his or her business or in
connection with the operation of his or her business.
Vt. Stat. Ann. tit. 9, § 2451a(a); see Ascension Tech. Corp. v. McDonald Invs., Inc., 327
F. Supp. 2d 271, 276 (D. Vt. 2003) (construing “person” to include a corporation under
the VCFA).
While the statute does not impose a strict privity requirement, it does require the
purchase of some good or service. Maurice v. Fed. Ins. Co., 2009 WL 10679101, at *3
(D. Vt. Jan. 23, 2009) (“Although privity of contract is not required . . . the existence of a
relationship akin to that of buyer and seller is.” (internal citation omitted)). For example,
in Elkins v. Microsoft Corporation, the Vermont Supreme Court allowed an VCFA claim
by a consumer against a manufacturer who sold a product wholesale, who then sold the
product to the consumer. 817 A.2d 9, 13 (Vt. 2002). Nonetheless, the Verm ont
Supreme Court has insisted on some relationship between the parties. See Messier v.
Bushman, 2018 VT 93, ¶ 25 (Vt. Aug. 24, 2018). In Meissier, the court held that the
plaintiff had no VCPA claim because he was not a “consumer” where he “did not
purchase anything . . . he did not lease, contract, or otherwise agree to pay
consideration . . . for goods or services.” Id.
Bellwether alleges that it is a “consumer” within the meaning of the statute
because it agreed “to pay for services in connection with the operation of [its] business
to enable [its] members to purchase goods from Chipotle with [ ] payment cards.” (ECF
No. 44 ¶ 264.) Chipotle disputes this conclusion and contends that the VCFA applies
41
only to actual purchasers. (ECF No. 57 at 28.) In response, Bellwether asserts that it
falls within the portion of the definition of “a person who . . . agrees to pay consideration
for goods or services . . . in connection with the operation of his or her business.” (ECF
No. 60 at 24–25 (quoting Vt. Stat. Ann. tit. 9, §2451a).) Bellwether further adds that it
fits the definition of consumer because it was “an active participant in the payment card
transaction process.” (ECF No. 57 at 25.)
The Court concludes that Bellwether has not alleged facts to support a plausible
conclusion that it is a “consumer” within the meaning of the VCFA. See Robbins, 519
F.3d at 1247. Bellwether alleges that it “agree[d] to pay for services” but does not
assert that it paid Chipotle for those services. (ECF No. 44 ¶ 264.) Instead, it appears
that Bellwether agreed to pay an unidentified entity (likely, Visa or MasterCard) for the
benefit of its own members to allow them to make purchases from merchants (such as
Chipotle). Bellwether does not state that it is suing the parties that it paid for services.
See Vt. Stat. Ann. tit. 9, § 2461(b) (consumer may sue to recover damages from the
violator). Moreover, unlike Elkins, Bellwether does not suggest that Chipotle is merely a
company further up the supply chain, or that Bellwether’s members were a mere
intermediary in the purchase of a good or service that flowed from Chipotle to
Bellwether.
Bellwether also claims that it is an “active participant in the payment card
transaction process,” and thus is a consumer within the meaning of the VCTA, citing
Ascension. (ECF No. 60 at 25.) Ascension is distinguishable from the present case.
327 F. Supp. 2d at 276. In Ascension, the plaintiff sued its brokerage firm which had
allegedly provided bad advice on investments, which the plaintiff intended to use in its
42
own business. Unlike Bellwether, the plaintiff in Ascension actually purchased services
from the defendant. 327 F. Supp. 2d at 276. Here, Bellwether has not and cannot
make that same claim.
In sum, Bellwether made no purchase from Chipotle—directly or indirectly—for
use in Bellwether’s business. Bellwether cannot remedy this pleading defect by
amendment, and the Court thus dismisses Claim 10 with prejudice.
IV. CONCLUSION
For the reasons set forth above, the Court hereby ORDERS as follows:
1.
Plaintiffs’ Motion to Strike Exhibits A–C Attached to Defendant’s Motion to
Dismiss (ECF No. 59) is DENIED;
2.
Defendant’s Motion to Dismiss (ECF No. 57) is GRANTED IN PART as follows:
a.
Claim 1 (Negligence), Claim 3 (Misappropriation of Trade Secrets), Claim
6 (Florida Deceptive and Unfair Trade Practices Act), Claim 7 (Maine
Unfair Trade Practices Act), Claim 8 (Massachusetts Consumer
Protection Act), and Claim 10 (Vermont Consumer Fraud Act) are
DISMISSED WITH PREJUDICE;
b.
Claim 2 (Negligence per se) and Claim 4 (Arkansas Deceptive Trade
Practices) are DISMISSED WITHOUT PREJUDICE; and
3.
The remainder of Defendant’s Motion to Dismiss is DENIED.
43
Dated this 24th day of October, 2018.
BY THE COURT:
William J. Martínez
United States District Judge
44
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
