Green-Cooper et al v. Brinker International, Inc.
Filing
122
ORDER granting in part and denying in part 99 Defendant Brinker International, Inc.'s Motion to Dismiss. Counts III and IV are dismissed without prejudice for lack of standing; plaintiffs' requests for injunctive relief in Counts V, V I, and VII are dismissed without prejudice for lack of standing. In all other respects, the motion is denied. Not later than 8/23/2020, Brinker shall answer the Third Amended Consolidated Class Action Complaint. The parties shall mediate by 11/20/2020. See Order for details. Signed by Judge Timothy J. Corrigan on 7/27/2020. (JJB)
UNITED STATES DISTRICT COURT
MIDDLE DISTRICT OF FLORIDA
JACKSONVILLE DIVISION
In re Brinker Data Incident
Litigation
Case No. 3:18-cv-686-J-32MCR
ORDER
This class action again requires the Court to analyze standing in the data
breach context. This time, the Court must determine whether the threat of
future harm—that hackers will again steal Plaintiffs’ old debit card information
from Defendant and use it to acquire Plaintiffs’ new debit card information—is
substantially likely to occur such that Plaintiffs have Article III standing to
bring claims for prospective declaratory and injunctive relief.
The case is before the Court on Defendant Brinker International, Inc.’s
Motion to Dismiss Plaintiffs’ Third Amended Consolidated Class Action
Complaint (“Third Complaint”). (Doc. 99). Plaintiffs responded in opposition,
(Doc. 100), Brinker replied, (Doc. 111), and Plaintiffs filed a sur-reply, (Doc.
115).
I. BACKGROUND
Most of the facts alleged in Plaintiffs’ prior complaint remain, and the
Court detailed them in its prior orders. (Docs. 65, 92). In short, Plaintiffs allege
that Brinker—the parent company of Chili’s Grill and Bar—maintained
inadequate IT security systems that resulted in hackers stealing Plaintiffs’
payment card information. (Doc. 95).
In its last motion to dismiss, Brinker sought dismissal on the basis that
the named plaintiffs had not suffered an injury in fact for Article III standing
and that each count failed to state a claim upon which relief could be granted.
The Court divided these issues, publishing one Order on standing (Doc. 65) and
one on the sufficiency of the complaint (Doc. 92). The Order on standing
analyzed both the allegations of an actual injury and those of a future
threatened injury. (Doc. 65). The Court held that several of the named plaintiffs
had alleged an actual injury in fact based on past harms, but that two
plaintiffs—who had alleged only the threat of future injuries—did not have
standing because their “minimal allegations assert[ed] only speculative future
harm that does not rise to an Article III injury in fact.” (Doc. 65 at 18).
In its Order on the Rule 12(b)(6) portion of Brinker’s last motion to
dismiss, the Court found that three of Plaintiffs’ fourteen causes of action were
sufficiently alleged—breach of implied contract, negligence, and violation of
California’s Unfair Competition Law (“UCL”) for unfair business practices—but
dismissed the other claims either in whole or in part. (Doc. 92 at 59). The Court
permitted Plaintiffs to replead, but it also required Plaintiffs to file a brief in
support with their Third Complaint if they decided to reassert their declaratory
2
judgment claim or their claims under Florida’s Deceptive and Unfair Trade
Practices Act (“FDUTPA”). Id. at 31 n.13, 36 n.14.
Plaintiffs filed their Third Complaint, the operative complaint, alleging
seven causes of action: Breach of Implied Contract (Count I); Negligence (Count
II); Declaratory Judgment (Count III); violations of FDUTPA (Count IV);
violations of California’s UCL – unlawful business practices (Count V);
violations of California’s UCL – unfair business practices (Count VI); and
violations of California’s UCL – fraudulent/deceptive business practices (Count
VII). (Doc. 95). Counts I, II, and III are on behalf of Plaintiffs and the proposed
Nationwide Class (all individuals residing in the United States who made
payment card purchases at a Chili’s during the data breach period), or
alternatively the Statewide Classes (all persons residing in California or
Florida who made payment card purchases at a Chili’s during the data breach
period). (Doc. 95 ¶¶ 135–36). Count IV, the FDUTPA count, is on behalf of the
Florida Statewide class, and Counts V, VI, and VII, the UCL counts, are on
behalf of the California Statewide class. The named Plaintiffs, originally
numbering eight and representing five statewide classes, are down to four—
Marlene
Green-Cooper,
Shenika
Theus,
Michael
Franklin,
and
Eric
Steinmetz—with only two statewide classes.
Acknowledging that the Court permitted certain claims to go forward,
Brinker moves to dismiss only the declaratory judgment claim (Count III), the
3
FDUTPA claim (Count IV), and portions of each of the California UCL claims
(Counts V, VI, and VII). (Doc. 99). Brinker asserts that Plaintiffs have still not
alleged a sufficient future injury for Article III standing to permit declaratory
or injunctive relief. Id. at 4–13. Thus, Brinker argues Counts III and IV, which
seek only prospective relief, should be dismissed entirely. Id. at 4–12.
Additionally, Brinker seeks dismissal of the requests for injunctive relief in
each of the UCL claims based on a lack of standing. Id. at 12–13. Moreover,
Brinker contends that the portion of Plaintiffs’ UCL unlawful business practices
claim (Count V) predicated on California Civil Code § 1798.82 and their entire
UCL fraudulent business practices claim (Count VI) should be dismissed under
Rule 12(b)(6). Id. at 14–18.
II. DISCUSSION
A. Threatened Future Injury for Article III Standing
To satisfy the “‘irreducible constitutional minimum’ of standing,” the
“plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to
the challenged conduct of the defendant, and (3) that is likely to be redressed
by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547
(2016) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992)). “To
establish injury in fact, a plaintiff must show that he or she suffered ‘an
invasion of a legally protected interest’ that is ‘concrete and particularized’ and
‘actual or imminent, not conjectural or hypothetical.’” Id. at 1548 (quoting
4
Lujan, 504 U.S. at 560). “[A] plaintiff must establish standing for each type of
relief sought . . . .” Tokyo Gwinnett, LLC v. Gwinnett Cty., 940 F.3d 1254, 1262
(11th Cir. 2019) (citing Summers v. Earth Island Inst., 555 U.S. 488, 493
(2009)). Here, Brinker only challenges Plaintiffs’ allegations of future injury
related to the declaratory and injunctive relief they seek.
“[T]o demonstrate that a case or controversy exists to meet the Article III
standing requirement when a plaintiff is seeking injunctive or declaratory
relief, a plaintiff must allege facts from which it appears there is a substantial
likelihood that he will suffer injury in the future.” AA Suncoast Chiropractic
Clinic, P.A. v. Progressive Am. Ins. Co., 938 F.3d 1170, 1179 (11th Cir. 2019)
(quotation marks omitted) (quoting Malowney v. Fed. Collection Deposit Grp.,
193 F.3d 1342, 1346–47 (11th Cir. 1999)). “An allegation of future injury may
suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial
risk that the harm will occur.’” Susan B. Anthony List v. Driehaus, 573 U.S.
149, 158 (2014) (internal quotation marks omitted) (quoting Clapper v. Amnesty
Int’l USA, 568 U.S. 398, 409 (2013)). “The controversy between the parties
cannot be ‘conjectural, hypothetical, or contingent; it must be real and
immediate, and create a definite, rather than speculative threat of future
injury.’” A&M Gerber Chiropractic LLC v. GEICO Gen. Ins. Co., 925 F.3d 1205,
1210 (11th Cir. 2019) (quoting Emory v. Peeler, 756 F.2d 1547, 1552 (11th Cir.
1985)). “The remote possibility that a future injury may happen is not sufficient
5
to satisfy the ‘actual controversy’ requirement for declaratory judgments.”
Emory, 756 F.2d at 1552.
In its prior order on standing, the Court found that the threat of future
harm was insufficient. (Doc. 65 at 17). The Court looked at three factors in
making this determination: the motive of the hackers, the type of information
stolen, and whether the information stolen had been misused. Id. at 17–18
(citing In re 21st Century Oncology Customer Data Sec. Breach Litig., No. 8:16MD-2737-MSS-AEP, 2019 WL 2151095, at *6 (M.D. Fla. Mar. 11, 2019)). The
Court concluded that the two plaintiffs who had alleged only future harm had
failed to demonstrate that the risk of that harm was “substantial” or
“heightened” as opposed to merely hypothetical or speculative. Id. at 17.
Additionally, specific to Plaintiffs’ claim for declaratory judgment, the Court
found that because Plaintiffs had obtained new payment cards, they did not face
a substantial risk of future harm because Brinker maintained only their old
card data. (Doc. 92 at 31).
In their prior complaint, Plaintiffs alleged that they faced a substantial
likelihood of future injury because their payment card information remained on
Brinker’s insecure systems. (Doc. 39 ¶¶ 201–04). The Court, noting an apparent
split on this issue, found Plaintiffs’ threat of future harm insufficient because
Plaintiffs had alleged they obtained new cards; thus, a subsequent breach of
Brinker’s systems would pose no threat to Plaintiffs. (Doc. 92 at 31). Now,
6
Plaintiffs allege that despite cancelling the cards that remain on Brinker’s
systems, hackers can steal the old card information from Brinker and use that
to gain the replacement card information. (Doc. 100 at 3–6). Plaintiffs’
argument is this:
Although Plaintiffs have alleged their compromised
payment cards have been replaced as a result of the Data Breach,
their Customer Data, which includes names, account numbers,
expiration dates, CVV/CSC/CAV/CVC authorization codes and
PIN verification data, remains stored on Brinker’s data systems.
The mere fact that this data may not be current does not render it
useless for identity theft.
Some merchants have arrangements with credit card
processors, such as Visa and Mastercard, to allow authorization for
expired payment cards. See, Lifehacker, How Scammers Can Use
Your Old Credit Card Numbers (Jan. 6, 2020). As noted in this
article, the credit card companies will allow charges to expired
cards and cards “no longer technically considered valid” in order to
maintain good relationships will [sic] large retail merchants. Id.
Additionally, some merchants have arrangements with
credit card processors to update credit card information within the
merchant account automatically when a new card is issued by the
processor. Credit.com, How Companies Know Your New Credit
Card Number Before You Give It To Them (July 15, 2016). The
credit card companies provide a service of updating account
numbers so that the merchants can continue recurring charges
without any disruption in payment. Thus, if a scammer has added
a stolen payment card to a merchant account, such as Amazon and
Netflix, using the cardholder’s name, the card information in the
fraudulent account may be updated automatically when the card
is reissued after a data breach.
(Doc. 96 at 5–6 (footnotes omitted)).
Plaintiffs do not allege that their compromised cards are issued through
card processors that offer “account updating services” or have arrangements
7
with merchants to automatically update card information.
1
Plaintiffs’
requested prospective relief only seeks to have Brinker “implement and
maintain reasonable [information technology] security measures . . . .” (Doc. 95
¶¶ 212, 220, 245, 259, 265). The information stolen previously is not at issue as
the Court cannot fashion prospective relief to remedy that past alleged harm.
Thus, the question is: is it substantially likely that hackers will again
steal Plaintiffs’ payment card information from Brinker and then utilize that
information to acquire Plaintiffs’ new payment card information? Although
such a scenario is possible, it is too speculative to confer standing for declaratory
and injunctive relief. See Driehaus, 573 U.S. at 158 (2014); AA Suncoast, 938
F.3d at 1179. Plaintiffs’ alleged future harm rests on a series of contingencies.
First, Brinker would have to be hacked again. Second, Plaintiffs’ stolen card
information—all debit cards—would have to be serviced by a processor that
automatically updates new card information with certain merchants. 2 Third,
the hackers would have to find a merchant with an agreement with the stolen
Plaintiffs allege that Marlene Green-Cooper’s VyStar debit card’s
information was stolen; Shenika Theus’s GreenDot Visa card’s information was
stolen; Michael Franklin’s Chase Visa debit card’s information was stolen; and
Eric Steinmetz’s Wells Fargo debit card’s information was stolen. (Doc. 95
¶¶ 28–44).
1
Both Theus and Franklin allege to have used Visa cards, and Plaintiffs
have alleged that Visa offers “automatic updating.” Plaintiffs did not allege the
card processor for Green-Cooper or Steimetz. (Doc. 95 ¶¶ 31, 36, 121–22).
2
8
card’s processor. Fourth, the processor, instead of recognizing that the card
recently added with the merchant was cancelled more than two years earlier,
would have to send the replacement card information to the merchant. This
string of contingencies is too speculative to satisfy Article III standing
requirements; moreover, it has not happened in the more than two years since
the original breach. See Gerber, 925 F.3d at 1210–11; AA Suncoast, 938 F.3d at
1179.
Plaintiffs also argue that their FDUTPA claims for injunctive relief can
nonetheless survive because the statute provides that “anyone aggrieved by a
violation of this part may bring an action to obtain a declaratory judgment that
an act or practice violates this part and to enjoin a person who has violated, is
violating, or is otherwise likely to violate this part.” (Doc. 100 at 14–15 (quoting
§ 501.211(1), Fla. Stat.)). Further, Plaintiffs contend that “although injunctive
or declaratory relief under federal statutes requires a showing of imminent
harm, there is no such requirement under FDUTPA . . . .” Id. at 18. Plaintiffs
are incorrect.
Article III standing, as its name implies, is a constitutional requirement
to bring any claim in federal court. It makes no difference whether such claim
is brought under state or federal law or is based on a statute or the Constitution.
Cf. Spokeo, 136 S. Ct. at 1549 (“Congress’ role in identifying and elevating
intangible harms does not mean that a plaintiff automatically satisfies the
9
injury-in-fact requirement whenever a statute grants a person a statutory right
and purports to authorize that person to sue to vindicate that right. Article III
standing requires a concrete injury even in the context of a statutory
violation.”). Thus, the future injury requirement applies to all of Plaintiffs’
claims seeking declaratory or injunctive relief. See, e.g., Snyder v. Green Roads
of Fla. LLC, 430 F. Supp. 3d 1297, 1304 (S.D. Fla. 2020) (finding that plaintiffs
seeking injunctive relief under FDUTPA failed to allege a likelihood of a future
injury sufficient for Article III standing); Dapeer v. Neutrogena Corp., 95 F.
Supp. 3d 1366, 1373 (S.D. Fla. 2015) (“Although the FDUTPA allows a plaintiff
to pursue injunctive relief even where the individual plaintiff will not benefit
from an injunction, it cannot supplant Constitutional standing requirements.”
(citation omitted)); see also, e.g., Davidson v. Kimberly-Clark Corp., 889 F.3d
956, 967 (9th Cir.) (analyzing whether plaintiffs had alleged a sufficient Article
III injury in fact based on future harm to seek injunctive relief under
California’s UCL), cert. denied, 139 S. Ct. 640 (2018).
As Plaintiffs have failed to allege a threat of future harm beyond a
speculative level, the declaratory judgment, FDUTPA, and injunctive relief
portions of the UCL claims are due to be dismissed.
B. Plaintiff’s UCL Claims
Brinker moves to dismiss other portions of Plaintiffs’ UCL claims under
Rule 12(b)(6). While Brinker’s arguments have force, they are not properly
10
raised via a motion to dismiss. Brinker can re-raise these arguments after the
record has been developed.
Accordingly, it is hereby
ORDERED:
1.
Defendant Brinker International, Inc.’s Motion to Dismiss (Doc. 99)
is GRANTED in part and DENIED in part.
2.
Counts III (Declaratory Judgment) and IV (FDUTPA) are
DISMISSED without prejudice for lack of standing.
3.
Plaintiffs’ requests for injunctive relief in their UCL claims (Counts
V, VI, and VII) are DISMISSED without prejudice for lack of standing.
4.
In all other respects, the motion (Doc. 99) is DENIED.
5.
Not later than August 23, 2020, Brinker shall answer the Third
Amended Consolidated Class Action Complaint.
6.
Upon review, the Court believes mediating before the class
certification hearing would be beneficial. Thus, the parties shall conduct their
first mediation by November 20, 2020.
7.
In all other respects, the Case Management and Scheduling Order
(Doc. 102), as amended (Doc. 114) continues to govern the case.
11
DONE AND ORDERED in Jacksonville, Florida this 27th day of July,
2020.
TIMOTHY J. CORRIGAN
United States District Judge
jjb
Copies to:
Counsel of record
12
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?