BancFirst v. Dixie Restaurants Inc
Filing
37
ORDER granting 33 Defendant's Motion to Dismiss Plaintiff BancFirst's Second Amended Complaint. Judgment dismissing this action with prejudice will issue accordingly. Plaintiff's request that the court certify questions to the Oklahoma Supreme Court is denied. Signed by Honorable Tim Leonard on 01/04/2012. (jy)
<![CDATA[
IN THE UNITED STATES DISTRICT COURT FOR THE
WESTERN DISTRICT OF OKLAHOMA
BANCFIRST, an Oklahoma state
banking corporation,
)
)
)
Plaintiff,
)
)
v.
)
)
DIXIE RESTAURANTS, INC., an
)
Arkansas corporation,
)
)
Defendant. )
No. CIV-11-174-L
ORDER
Plaintiff, BancFirst, is an Oklahoma state banking corporation that issues debit
cards to its customers. On February 18, 2011, BancFirst filed this action seeking
actual and punitive damages against defendant, Dixie Restaurants, Inc. (“Dixie”),
based on Dixie’s alleged negligence1 in handling debit card information. After Dixie
filed a motion to dismiss, BancFirst filed a First Amended Complaint on April 25,
2011. Thereafter, Dixie renewed its motion to dismiss, arguing that the negligence
claims were subject to dismissal because it owed no duty to BancFirst. In the
alternative, Dixie argued dismissal was appropriate because the negligence claims
were barred by the economic loss doctrine. On August 29, 2011, the court issued
an order dismissing the First Amended Complaint. Order at 6 (Doc. No. 30). The
1
BancFirst presents two claims for relief – negligence and willful and wanton negligence.
For purposes of ruling on Dixie’s motion, the court makes no distinction between the two claims
because at this point in the litigation the analysis for both claims is identical.
court reasoned that BancFirst had not alleged sufficient facts to support a finding
that Dixie owed it a duty of care. Id. In light of this ruling, the court did not address
Dixie’s economic loss argument. The court granted BancFirst leave to amend its
complaint, which it did on September 6, 2011. See Second Amended Complaint
(Doc. No. 31). This matter is now before the court on Dixie’s motion to dismiss the
Second Amended Complaint. Dixie contends the Second Amended Complaint
suffers from the same infirmities as the first two complaints. It therefore seeks
dismissal of this action with prejudice.
Rule 8 of the Federal Rules of Civil Procedure requires “a short and plain
statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P.
8(a)(2). Nonetheless, a complaint must also be specific enough to “give defendants
notice of the theory under which their claim is made.” Robins v. Oklahoma, 519 F.3d
1242, 1249 (10th Cir. 2008). A motion to dismiss under Rule 12(b)(6) tests the legal
sufficiency of a complaint. “The court’s function on a Rule 12(b)(6) motion is not to
weigh potential evidence that the parties might present at trial, but to assess whether
the plaintiff’s complaint alone is legally sufficient to state a claim for which relief may
be granted.”2 A complaint should not be dismissed for failure to state a claim unless
it fails to contain sufficient factual allegations “to state a claim to relief that is
plausible on its face.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). In
2
Sutton v. Utah State Sch. for Deaf & Blind, 173 F.3d 1226, 1236 (10th Cir. 1999) (quoted
with approval in Smith v. United States, 561 F.3d 1090, 1098 (10th Cir. 2009), cert. denied, 130 S.
Ct. 1142 (2010)).
2
assessing whether a claim is plausible, the court must construe the complaint in the
light most favorable to the plaintiff and must presume all factual allegations to be
true. Id. at 1965; Scheuer v. Rhodes, 416 U.S. 232, 236 (1974).
As the Court held in Twombly, the pleading standard Rule
8 announces does not require “detailed factual
allegations,” but it demands more than an unadorned, thedefendant-unlawfully-harmed-me accusation. A pleading
that offers “labels and conclusions” or “a formulaic
recitation of the elements of a cause of action will not do.”
Nor does a complaint suffice if it tenders “naked
assertion[s]” devoid of “further factual enhancement.”
Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (citations omitted). In analyzing the
sufficiency of a claim, the court is not limited to the four corners of the complaint.
Rather, the court may also consider documents referred to in the complaint if those
documents are central to plaintiff’s claims and the parties do not dispute their
authenticity. Alvarado v. KOB-TV, L.L.C., 493 F.3d 1210, 1215 (10th Cir. 2007).
The Second Amended Complaint alleges that as part of its banking services
BancFirst issues Visa debit cards to certain account holders. Merchants who
choose to accept Visa debit cards as payment for services must obtain Visa’s
authorization to do so. Dixie, which operates a number of restaurants in Oklahoma,
Arkansas and Tennessee, has chosen to accept Visa debit and credit cards.
According to the Second Amended Complaint, there is a two-step process that
occurs whenever a customer uses a Visa card to make a purchase.
authorization step, a merchant such as Dixie
3
In the
swipes the card, enters the dollar amount into its computer
system, and transmits an authorization request to its
acquirer bank.3 The acquirer bank then seeks authorization from Visa, which in turn seeks authorization from
BancFirst. If BancFirst approves the transaction, Visa
forwards this authorization to the acquirer bank, which
then notifies Dixie Restaurants. Dixie Restaurants then
completes the transaction with the customer accordingly.
Second Amended Complaint at ¶ 13 (footnote added). During the clearing and
settlement step, the merchant deposits a transaction receipt with its bank, which
then credits the merchant’s account and submits the transaction to Visa for payment.
Visa pays the merchant’s bank and then sends the transaction to the bank that
issued the debit card for debiting the cardholder’s account. Id. at ¶ 14. By choosing
to accept Visa cards, Dixie is subject to security obligations adopted by the Payment
Card Industry Security Standards Council. Id. at ¶ 15. BancFirst alleges these
security standards, which are known as PCI Data Security Standards, require
merchants to:
a)
Install and maintain firewall configurations sufficient
to protect cardholder data;
b)
Refrain from using vendor-approved defaults for
system passwords and other security parameters;
c)
Store cardholder data only when necessary;
3
Acquirer banks “are the financial institutions that initiate and maintain the relationships with
merchants that accept payment cards.” PCI Quick Reference Guide at 4 (cited in Second Amended
Complaint at ¶ 16) https://www.pcisecuritystandards.org/documents/pci_ssc_quick_
guide.pdf.
4
d)
Ensure that any legitimately stored cardholder data
is adequately protected;
e)
Encrypt any transmission of cardholder data across
open, public networks;
f)
Use, and regularly update, effective anti-virus
software on the computers and networks used to process
customer payment card transactions;
g)
Develop and maintain secure systems and software
applications for processing customer payment card
transactions;
h)
Implement reasonable access control measures, by
restricting access to critical payment card data to those
employees with a business to know;
i)
Assign a unique identification number or code to
each person with computer access to customer payment
card information;
j)
Restrict physical access to payment card data;
k)
Track and monitor all access to network resources
and cardholder data;
l)
Regularly test their security systems and the
processes used to process customer payment
transactions; and
m)
Maintain a reasonably effective policy of information
security for the processing of customer payment card
transactions[; and]
n)
Undergo periodic on-site data security assessments
or to complete self-assessment questionnaires to attest to
their compliance with the PCI Data Security Standards.
Second Amended Complaint at ¶ 17.
5
BancFirst alleges that, notwithstanding these security requirements, Dixie
failed to take “adequate measures to secure critical payment information on
BancFirst-issued Visa debit cards, as well as other payment cards, while that
information was being processed and held by its computer system and files. Dixie
Restaurants thereby compromised the security of confidential account data held by
BancFirst and by numerous BancFirst account holders.” Id. at ¶ 21. The Second
Amended Complaint alleges that security breaches occurred during the period
March 20, 2010 through June 9, 2010, but that Dixie did not disclose the breaches
to either BancFirst or its cardholders until August 2010. Id. at ¶¶ 23-26.
BancFirst alleges that following these security breaches, and before Dixie
informed its customers or the issuing banks of the breaches, unauthorized and
fraudulent transactions were charged to debit cards issued by BancFirst. It claims
that Dixie was negligent in processing, retaining or storing payment card
transactions and account information, and as a result, BancFirst had to reissue
replacement debit cards and reimburse its customers for amounts fraudulently
charged to their accounts. It seeks damages for Dixie’s alleged negligence and
willful and wanton negligence.
To state a negligence claim under Oklahoma law, a plaintiff must allege
sufficient facts to show (1) the defendant owed a duty to plaintiff, (2) the defendant
breached that duty, and (3) defendant’s breach was the proximate cause of plaintiff’s
injury. See Consolidated Grain & Barge Co. v. Structural Sys., Inc., 212 P.3d 1168,
6
1171 n.8 (Okla. 2009). There can be no negligence if the defendant does not owe
a duty to the plaintiff,4 and whether such a duty exists is a question of law for the
court. Lowery v. Echostar Satellite Corp., 160 P.3d 959, 964 (Okla. 2007).
Absent a special relationship, a defendant has no duty of
care to the plaintiff for the intentional and criminal acts of
a third person against that plaintiff. “Just because the
defendant has created a risk which harmed the plaintiff
that does not mean that, in the absence of some duty to
the plaintiff, the defendant will be held liable.”
Oklahoma follows the common law principle of negligence
that generally no duty is owed to aid or protect another.
Nor does a person have a duty to anticipate and prevent
the intentional or criminal acts of a third party, absent
special circumstances. The types of special circumstances recognized in Oklahoma are: (1) where the actor
is under a special responsibility toward the person
harmed; and (2) “where the actor’s own affirmative act has
created or exposed the other to a recognizable high
degree of risk of harm through such misconduct, which a
reasonable [person] would have taken into account.”
J.S., 227 P.3d at 1092 (emphasis in original) (citations omitted). Oklahoma law also
imposes a duty where the defendant has a special relationship with the person
causing the injury “either because [the defendant] has special knowledge about the
third person and control over that third person; or [the defendant] has control over
some matter relative to that third person; or because of special circumstances that
reasonably give notice to [the defendant] relative to a third person.” Id. at 1094.
4
J.S. v. Harris, 227 P.3d 1089, 1092 (Okla. Civ. App. 2009).
7
As the court noted in its order dismissing the First Amended Complaint,
BancFirst seeks to hold Dixie liable for harm caused by the intentional and unlawful
acts of third parties who capitalized on Dixie’s asserted negligence. As a result,
BancFirst must allege sufficient facts to make a plausible assertion that Dixie had a
special responsibility to BancFirst, that Dixie’s affirmative acts created the risk of
harm, or that Dixie had a special relationship with the third parties who caused the
harm to BancFirst. The Second Amended Complaint, however, fails to allege any
facts that would support a finding that Dixie had a special responsibility to BancFirst.
Rather, the allegations regarding Dixie’s responsibilities under the PCI Data Security
Standards reflect that these are general obligations that apply to all cardholders and
banks, whether issuing or acquirer. The obligations are not specific to BancFirst and
do not create a special responsibility by Dixie to BancFirst. Likewise, the Second
Amended Complaint contains only conclusory allegations of a relationship between
BancFirst and Dixie,5 and the factual allegations that are in the complaint reflect that
any relationship between BancFirst and Dixie is attenuated at best.6 These factual
5
See Second Amended Complaint at ¶ 20 (“relationship between BancFirst and Dixie
Restaurants is a direct one”); ¶ 44 (“The continuous and significant relationships between and
among the banks and merchants in the payment card industry . . . create duties of care owed by
various participants toward others.”); ¶ 45 (“In addition, Dixie Restaurants had a direct relationship
with BancFirst and knowingly accepted and processed BancFirst-issued Visa debit cards.”).
6
BancFirst’s allegations that Dixie knew it was processing debit cards issued by BancFirst
because BancFirst’s logo was on the cards would hold true for any other issuing bank. Those
allegations are therefore insufficient to demonstrate that Dixie owed a special responsibility to
BancFirst. Moreover, the factual allegations reflect that the relationship between Dixie – as a
merchant – and BancFirst – as an issuing bank – is attenuated. Dixie did not interact with BancFirst
directly; rather, all transactions were routed from Dixie through two other entities to BancFirst.
Second Amended Complaint at ¶¶ 13-14.
8
allegations are not sufficient to establish the special relationship required by
Oklahoma law. Likewise, there are no factual allegations that Dixie had any
relationship, much less a special relationship,7 with the individuals who unlawfully
accessed the debit card data. Indeed, the complaint makes clear that the persons
who unlawfully accessed the data are unknown. See Second Amended Complaint
at ¶¶ 23, 38(a)(v); 42; 43. Finally, the Second Amended Complaint once again fails
to allege any affirmative acts by Dixie that created or increased the risk of harm to
BancFirst.8 Rather, the Second Amended Complaint, like the prior complaints,
complains of Dixie’s failures to act. See, e.g., Second Amended Complaint at ¶¶ 21,
24, 39, 40, 41, 43, 47. The court, thus, once again finds that BancFirst has failed to
allege sufficient facts to support a finding that Dixie owed a duty of care to BancFirst.
This is fatal to BancFirst’s negligence claims.9
Defendant Dixie Restaurants, Inc.’s Motion to Dismiss Plaintiff BancFirst’s
Second Amended Complaint (Doc. No. 33) is therefore GRANTED. Judgment
7
Oklahoma courts have found special relationships in limited circumstances, such as
between a psychiatrist and patient. See Wofford v. Easter State Hospital, 795 P.2d 516, 520 (Okla.
1990).
8
The only affirmative acts alleged to have occurred are all necessary steps to complete a
transaction using a debit or credit card. See, e.g., Second Amended Complaint at ¶ 36 (Dixie
“affirmatively acted by soliciting, accepting and processing payment via BancFirst-issued Visa debit
cards”); ¶ 38(a)(ii) (“accepting and swiping the BancFirst-issued Visa debit cards through use of its
payment card equipment”); ¶ 38(a)(v) (“transmitting vulnerable and sensitive cardholder information
to its acquirer bank and possibly to other unknown entities”).
9
In light of this ruling, the court expresses no opinion on Dixie’s alternative argument that
BancFirst’s negligence claims are barred by the economic loss doctrine.
9
dismissing this action with prejudice will issue accordingly. Plaintiff’s request that
the court certify questions to the Oklahoma Supreme Court is DENIED.
It is so ordered this 4th day of January, 2012.
10
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
