BancFirst v. Dixie Restaurants Inc

Filing 37

ORDER granting 33 Defendant's Motion to Dismiss Plaintiff BancFirst's Second Amended Complaint. Judgment dismissing this action with prejudice will issue accordingly. Plaintiff's request that the court certify questions to the Oklahoma Supreme Court is denied. Signed by Honorable Tim Leonard on 01/04/2012. (jy)

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF OKLAHOMA BANCFIRST, an Oklahoma state banking corporation, ) ) ) Plaintiff, ) ) v. ) ) DIXIE RESTAURANTS, INC., an ) Arkansas corporation, ) ) Defendant. ) No. CIV-11-174-L ORDER Plaintiff, BancFirst, is an Oklahoma state banking corporation that issues debit cards to its customers. On February 18, 2011, BancFirst filed this action seeking actual and punitive damages against defendant, Dixie Restaurants, Inc. (“Dixie”), based on Dixie’s alleged negligence1 in handling debit card information. After Dixie filed a motion to dismiss, BancFirst filed a First Amended Complaint on April 25, 2011. Thereafter, Dixie renewed its motion to dismiss, arguing that the negligence claims were subject to dismissal because it owed no duty to BancFirst. In the alternative, Dixie argued dismissal was appropriate because the negligence claims were barred by the economic loss doctrine. On August 29, 2011, the court issued an order dismissing the First Amended Complaint. Order at 6 (Doc. No. 30). The 1 BancFirst presents two claims for relief – negligence and willful and wanton negligence. For purposes of ruling on Dixie’s motion, the court makes no distinction between the two claims because at this point in the litigation the analysis for both claims is identical. court reasoned that BancFirst had not alleged sufficient facts to support a finding that Dixie owed it a duty of care. Id. In light of this ruling, the court did not address Dixie’s economic loss argument. The court granted BancFirst leave to amend its complaint, which it did on September 6, 2011. See Second Amended Complaint (Doc. No. 31). This matter is now before the court on Dixie’s motion to dismiss the Second Amended Complaint. Dixie contends the Second Amended Complaint suffers from the same infirmities as the first two complaints. It therefore seeks dismissal of this action with prejudice. Rule 8 of the Federal Rules of Civil Procedure requires “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Nonetheless, a complaint must also be specific enough to “give defendants notice of the theory under which their claim is made.” Robins v. Oklahoma, 519 F.3d 1242, 1249 (10th Cir. 2008). A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of a complaint. “The court’s function on a Rule 12(b)(6) motion is not to weigh potential evidence that the parties might present at trial, but to assess whether the plaintiff’s complaint alone is legally sufficient to state a claim for which relief may be granted.”2 A complaint should not be dismissed for failure to state a claim unless it fails to contain sufficient factual allegations “to state a claim to relief that is plausible on its face.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). In 2 Sutton v. Utah State Sch. for Deaf & Blind, 173 F.3d 1226, 1236 (10th Cir. 1999) (quoted with approval in Smith v. United States, 561 F.3d 1090, 1098 (10th Cir. 2009), cert. denied, 130 S. Ct. 1142 (2010)). 2 assessing whether a claim is plausible, the court must construe the complaint in the light most favorable to the plaintiff and must presume all factual allegations to be true. Id. at 1965; Scheuer v. Rhodes, 416 U.S. 232, 236 (1974). As the Court held in Twombly, the pleading standard Rule 8 announces does not require “detailed factual allegations,” but it demands more than an unadorned, thedefendant-unlawfully-harmed-me accusation. A pleading that offers “labels and conclusions” or “a formulaic recitation of the elements of a cause of action will not do.” Nor does a complaint suffice if it tenders “naked assertion[s]” devoid of “further factual enhancement.” Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (citations omitted). In analyzing the sufficiency of a claim, the court is not limited to the four corners of the complaint. Rather, the court may also consider documents referred to in the complaint if those documents are central to plaintiff’s claims and the parties do not dispute their authenticity. Alvarado v. KOB-TV, L.L.C., 493 F.3d 1210, 1215 (10th Cir. 2007). The Second Amended Complaint alleges that as part of its banking services BancFirst issues Visa debit cards to certain account holders. Merchants who choose to accept Visa debit cards as payment for services must obtain Visa’s authorization to do so. Dixie, which operates a number of restaurants in Oklahoma, Arkansas and Tennessee, has chosen to accept Visa debit and credit cards. According to the Second Amended Complaint, there is a two-step process that occurs whenever a customer uses a Visa card to make a purchase. authorization step, a merchant such as Dixie 3 In the swipes the card, enters the dollar amount into its computer system, and transmits an authorization request to its acquirer bank.3 The acquirer bank then seeks authorization from Visa, which in turn seeks authorization from BancFirst. If BancFirst approves the transaction, Visa forwards this authorization to the acquirer bank, which then notifies Dixie Restaurants. Dixie Restaurants then completes the transaction with the customer accordingly. Second Amended Complaint at ¶ 13 (footnote added). During the clearing and settlement step, the merchant deposits a transaction receipt with its bank, which then credits the merchant’s account and submits the transaction to Visa for payment. Visa pays the merchant’s bank and then sends the transaction to the bank that issued the debit card for debiting the cardholder’s account. Id. at ¶ 14. By choosing to accept Visa cards, Dixie is subject to security obligations adopted by the Payment Card Industry Security Standards Council. Id. at ¶ 15. BancFirst alleges these security standards, which are known as PCI Data Security Standards, require merchants to: a) Install and maintain firewall configurations sufficient to protect cardholder data; b) Refrain from using vendor-approved defaults for system passwords and other security parameters; c) Store cardholder data only when necessary; 3 Acquirer banks “are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.” PCI Quick Reference Guide at 4 (cited in Second Amended Complaint at ¶ 16) https://www.pcisecuritystandards.org/documents/pci_ssc_quick_ guide.pdf. 4 d) Ensure that any legitimately stored cardholder data is adequately protected; e) Encrypt any transmission of cardholder data across open, public networks; f) Use, and regularly update, effective anti-virus software on the computers and networks used to process customer payment card transactions; g) Develop and maintain secure systems and software applications for processing customer payment card transactions; h) Implement reasonable access control measures, by restricting access to critical payment card data to those employees with a business to know; i) Assign a unique identification number or code to each person with computer access to customer payment card information; j) Restrict physical access to payment card data; k) Track and monitor all access to network resources and cardholder data; l) Regularly test their security systems and the processes used to process customer payment transactions; and m) Maintain a reasonably effective policy of information security for the processing of customer payment card transactions[; and] n) Undergo periodic on-site data security assessments or to complete self-assessment questionnaires to attest to their compliance with the PCI Data Security Standards. Second Amended Complaint at ¶ 17. 5 BancFirst alleges that, notwithstanding these security requirements, Dixie failed to take “adequate measures to secure critical payment information on BancFirst-issued Visa debit cards, as well as other payment cards, while that information was being processed and held by its computer system and files. Dixie Restaurants thereby compromised the security of confidential account data held by BancFirst and by numerous BancFirst account holders.” Id. at ¶ 21. The Second Amended Complaint alleges that security breaches occurred during the period March 20, 2010 through June 9, 2010, but that Dixie did not disclose the breaches to either BancFirst or its cardholders until August 2010. Id. at ¶¶ 23-26. BancFirst alleges that following these security breaches, and before Dixie informed its customers or the issuing banks of the breaches, unauthorized and fraudulent transactions were charged to debit cards issued by BancFirst. It claims that Dixie was negligent in processing, retaining or storing payment card transactions and account information, and as a result, BancFirst had to reissue replacement debit cards and reimburse its customers for amounts fraudulently charged to their accounts. It seeks damages for Dixie’s alleged negligence and willful and wanton negligence. To state a negligence claim under Oklahoma law, a plaintiff must allege sufficient facts to show (1) the defendant owed a duty to plaintiff, (2) the defendant breached that duty, and (3) defendant’s breach was the proximate cause of plaintiff’s injury. See Consolidated Grain & Barge Co. v. Structural Sys., Inc., 212 P.3d 1168, 6 1171 n.8 (Okla. 2009). There can be no negligence if the defendant does not owe a duty to the plaintiff,4 and whether such a duty exists is a question of law for the court. Lowery v. Echostar Satellite Corp., 160 P.3d 959, 964 (Okla. 2007). Absent a special relationship, a defendant has no duty of care to the plaintiff for the intentional and criminal acts of a third person against that plaintiff. “Just because the defendant has created a risk which harmed the plaintiff that does not mean that, in the absence of some duty to the plaintiff, the defendant will be held liable.” Oklahoma follows the common law principle of negligence that generally no duty is owed to aid or protect another. Nor does a person have a duty to anticipate and prevent the intentional or criminal acts of a third party, absent special circumstances. The types of special circumstances recognized in Oklahoma are: (1) where the actor is under a special responsibility toward the person harmed; and (2) “where the actor’s own affirmative act has created or exposed the other to a recognizable high degree of risk of harm through such misconduct, which a reasonable [person] would have taken into account.” J.S., 227 P.3d at 1092 (emphasis in original) (citations omitted). Oklahoma law also imposes a duty where the defendant has a special relationship with the person causing the injury “either because [the defendant] has special knowledge about the third person and control over that third person; or [the defendant] has control over some matter relative to that third person; or because of special circumstances that reasonably give notice to [the defendant] relative to a third person.” Id. at 1094. 4 J.S. v. Harris, 227 P.3d 1089, 1092 (Okla. Civ. App. 2009). 7 As the court noted in its order dismissing the First Amended Complaint, BancFirst seeks to hold Dixie liable for harm caused by the intentional and unlawful acts of third parties who capitalized on Dixie’s asserted negligence. As a result, BancFirst must allege sufficient facts to make a plausible assertion that Dixie had a special responsibility to BancFirst, that Dixie’s affirmative acts created the risk of harm, or that Dixie had a special relationship with the third parties who caused the harm to BancFirst. The Second Amended Complaint, however, fails to allege any facts that would support a finding that Dixie had a special responsibility to BancFirst. Rather, the allegations regarding Dixie’s responsibilities under the PCI Data Security Standards reflect that these are general obligations that apply to all cardholders and banks, whether issuing or acquirer. The obligations are not specific to BancFirst and do not create a special responsibility by Dixie to BancFirst. Likewise, the Second Amended Complaint contains only conclusory allegations of a relationship between BancFirst and Dixie,5 and the factual allegations that are in the complaint reflect that any relationship between BancFirst and Dixie is attenuated at best.6 These factual 5 See Second Amended Complaint at ¶ 20 (“relationship between BancFirst and Dixie Restaurants is a direct one”); ¶ 44 (“The continuous and significant relationships between and among the banks and merchants in the payment card industry . . . create duties of care owed by various participants toward others.”); ¶ 45 (“In addition, Dixie Restaurants had a direct relationship with BancFirst and knowingly accepted and processed BancFirst-issued Visa debit cards.”). 6 BancFirst’s allegations that Dixie knew it was processing debit cards issued by BancFirst because BancFirst’s logo was on the cards would hold true for any other issuing bank. Those allegations are therefore insufficient to demonstrate that Dixie owed a special responsibility to BancFirst. Moreover, the factual allegations reflect that the relationship between Dixie – as a merchant – and BancFirst – as an issuing bank – is attenuated. Dixie did not interact with BancFirst directly; rather, all transactions were routed from Dixie through two other entities to BancFirst. Second Amended Complaint at ¶¶ 13-14. 8 allegations are not sufficient to establish the special relationship required by Oklahoma law. Likewise, there are no factual allegations that Dixie had any relationship, much less a special relationship,7 with the individuals who unlawfully accessed the debit card data. Indeed, the complaint makes clear that the persons who unlawfully accessed the data are unknown. See Second Amended Complaint at ¶¶ 23, 38(a)(v); 42; 43. Finally, the Second Amended Complaint once again fails to allege any affirmative acts by Dixie that created or increased the risk of harm to BancFirst.8 Rather, the Second Amended Complaint, like the prior complaints, complains of Dixie’s failures to act. See, e.g., Second Amended Complaint at ¶¶ 21, 24, 39, 40, 41, 43, 47. The court, thus, once again finds that BancFirst has failed to allege sufficient facts to support a finding that Dixie owed a duty of care to BancFirst. This is fatal to BancFirst’s negligence claims.9 Defendant Dixie Restaurants, Inc.’s Motion to Dismiss Plaintiff BancFirst’s Second Amended Complaint (Doc. No. 33) is therefore GRANTED. Judgment 7 Oklahoma courts have found special relationships in limited circumstances, such as between a psychiatrist and patient. See Wofford v. Easter State Hospital, 795 P.2d 516, 520 (Okla. 1990). 8 The only affirmative acts alleged to have occurred are all necessary steps to complete a transaction using a debit or credit card. See, e.g., Second Amended Complaint at ¶ 36 (Dixie “affirmatively acted by soliciting, accepting and processing payment via BancFirst-issued Visa debit cards”); ¶ 38(a)(ii) (“accepting and swiping the BancFirst-issued Visa debit cards through use of its payment card equipment”); ¶ 38(a)(v) (“transmitting vulnerable and sensitive cardholder information to its acquirer bank and possibly to other unknown entities”). 9 In light of this ruling, the court expresses no opinion on Dixie’s alternative argument that BancFirst’s negligence claims are barred by the economic loss doctrine. 9 dismissing this action with prejudice will issue accordingly. Plaintiff’s request that the court certify questions to the Oklahoma Supreme Court is DENIED. It is so ordered this 4th day of January, 2012. 10

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?