In re Brinker Data Incident Litig.

In re Brinker Data Incident Litigation

Case No. 3:18-cv-686-J-32MCR

UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA JACKSONVILLE DIVISION

January 27, 2020

ORDER

Customers of Chili's Grill & Bar learned their payment card information had been compromised by hackers. This class action against Chili's parent, Brinker, Inc., seeks redress for that incident. It is before the Court on Defendant Brinker, Inc.'s Rule 12(b)(6) Motion to Dismiss. (Doc. 48). Plaintiffs responded, (Doc. 53), Brinker replied, (Doc. 54), and Plaintiffs filed a sur-reply, (Doc. 57). On June 25, 2019, the Court held a hearing on the motion, the record of which is incorporated herein. (Doc. 63). Following the hearing, the parties filed supplemental briefing on choice of law. (Doc. 68).

I. BACKGROUND

A. Alleged Facts

According to the Second Amended Consolidated Complaint ("the complaint"), beginning in March 2018, hackers accessed Brinker's data network and installed malware on point-of-sale ("POS") systems¹ at many Chili's restaurants, which Brinker owns, develops, operates, and franchises. (complaint, Doc. 39 ¶¶ 25, 101). Brinker publicly announced the breach on May 12, 2018, stating:

On May 11th, 2018, we learned that payment card information of some of our Guests who visited certain Chili's® Grill & Bar corporate-owned restaurants have been compromised in a data incident. Currently, we believe the data incident was limited to between March - April 2018; however, we continue to assess the scope of the incident.

Upon learning of this incident, we immediately activated our response plan. We are working with third-party forensic experts to conduct a thorough investigation to determine the details of what happened. Law enforcement has been notified of this incident and we will continue to fully cooperate.

While the investigation is still ongoing, we believe that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from our payment-related systems for in-restaurant purchases at certain Chili's restaurants.

We deeply value our relationships with our Guests and our priority remains doing what is right for them. We are committed to sharing additional information on this ongoing investigation. More details can be found at: http://brinker.mediaroom.com/ChilisDataIncident.

(Id. ¶ 102).

Brinker acknowledges that it relies on information systems, and "Chili's has long touted its technological innovation . . . ." (Id. ¶¶ 60, 62). Chili's daily payment card transactions are in the "tens of thousands . . . ." (Id. ¶ 72). When Brinker processes payment card transactions, it collects "the cardholder name, the account number, expiration date, card verification value ("CVV"), and PIN data for debit cards. Brinker stores th[is] Customer Data in its POS system and transmits this information to a third party for processing and completion of the payment." (Id. ¶ 64).

The number of data breaches involving the theft of retail payment card information has been rising over the past several years, and "[m]ost of the massive data breaches occurring within the last several years involved malware placed on POS systems used by merchants." (Id. ¶¶ 74-75). These breaches include other national restaurant chains, such as P.F. Chang's, Arby's, Chipotle, and Wendy's. (Id. ¶ 103). "Given the numerous reports indicating thesusceptibility of POS systems and consequences of a breach, Brinker was well-aware, or should have been aware, of the need to safeguard its POS systems." (Id. ¶ 80). Plaintiffs allege that despite this knowledge, Brinker failed to comply with industry standards for information security, including the Payment Card Industry Data Security Standard ("PCI DSS"). (Id. ¶¶ 81-90). And, "Brinker failed to implement adequate data security measures to protect its POS networks from the potential danger of a data breach and failed to implement and maintain reasonable security procedures and practices . . . ." (Id. ¶ 106). Specifically, "Brinker operated POS systems with outdated operating systems and software; failed to enable point-to-point and end-to-end encryption; and, failed to take other measures necessary to protect its data network." (Id. ¶ 98).

During the data breach, each of the named plaintiffs paid for food and services at a Chili's restaurant with their credit or debit card. Marlene Green-Cooper dined at a Chili's in Florida in April 2018, and "[w]ithin days thereafter" noticed three unauthorized charges on the credit card she had used at Chili's. (Id. ¶¶ 28(1)-29(1)). Green-Cooper was issued a new credit card and during the time she waited for a new card she lost the ability to accrue cash back rewards. (Id. ¶¶ 28(1)-28(2)).² Green-Cooper continues to monitor her account daily for unauthorized charges. (Id. ¶ 29(1)).

In April 2018, Shenika Thomas used her debit card at a Chili's in Texas. (Id. ¶ 29(2)). In early May 2018, Thomas incurred three fraudulent charges totaling more than $100 on her debit card. (Id. ¶ 30). Thomas was issued a new debit card, and she, too, continues to monitor her account to prevent further misuse. (Id.).

Between March and April 2018, Michael Franklin used his payment cards at various Chili's locations in California. (Id. ¶¶ 34-44). After using a payment card three times in two months at Chili's, Franklin experienced fraudulent charges on his account, spent time speaking with his bank, and lost the chance to accrue rewards points while awaiting a replacement card. (Id. ¶¶ 44-46).

In April 2018, Eric Steinmetz used his debit card at a Chili's in Nevada. After learning of the breach, Steinmetz "procured his consumer disclosures from all three credit reporting agencies," "incurred transportation costs of gasoline in driving to Wells Fargo to cancel his debit card and obtain a temporary card[,]" and "lost time dealing with issues related to the [data breach] . . . ." (Id. ¶¶ 47-49).

Plaintiffs allege that they would not have dined at Chili's had they known "it lacked adequate computer systems and data security practices to safeguard" customers' information. (Id. ¶ 50). Plaintiffs further allege that the value of their customer data has diminished, they lost time, have been inconvenienced, and "have concerns for the loss of their privacy." (Id. ¶¶ 53-54). Additionally,Plaintiffs face a "substantially increased risk of fraud, identity theft, and misuse resulting from" the data breach. (Id. ¶ 55).

B. Procedural Posture

On October 30, 2018, the Court consolidated several related cases with this one, and directed Plaintiffs to file an amended consolidated complaint. (Doc. 31). Plaintiffs filed the operative Second Amended Consolidated Class Action Complaint, (Doc. 39), which alleges fourteen causes of action.³ The eight named plaintiffs seek certification of a Nationwide Class, which is defined as: "All persons residing in the United States who made a credit or debit card purchase at any affected Chili's location during the period of the Data Breach. . . ." (Id. ¶ 129). In the alternative, Plaintiffs propose separate Statewide classes, which are defined as: "All persons residing in [California, Florida, Virginia, Nevada, or Texas] who made a credit or debit card purchase at any affected Chili's location during the period of the Data Breach (the 'Statewide Classes')." (Id. ¶ 130).

The complaint charges six common law claims on behalf of the Nationwide Class, or in the alternative on behalf of each Statewide Class: breach of implied contract (Count I); negligence (Count II); negligence per se (Count III); unjust enrichment (Count IV); declaratory judgment (Count V); andbreach of confidence (Count XIII). Each Statewide Class also alleges state statutory violations: Florida Deceptive and Unfair Trade Practices Act ("FDUTPA") (Count VI); Texas Deceptive Trade Practices-Consumer Protection Act ("Texas DTPA") (Count VII); Virginia Customer Data Breach Notification Act ("Virginia Notification Act") (Count VIII); Virginia Consumer Protection Act ("VCPA") (Count IX); California's Unfair Competition Law ("UCL") - Unlawful Business Practices (Count X); California's UCL - Unfair Business Practices (Count XI); California's UCL - Fraudulent/Deceptive Business Practices (Count XII); and Nevada's Consumer Fraud Act ("CFA") (Count XII (b)).

Brinker moved to dismiss every count under Rule 12(b)(6) for failing to state a claim, and to dismiss the case under Rule 12(b)(1), arguing that the named plaintiffs lack standing. (Doc. 48). The Court ruled on Brinker's Rule 12(b)(1) motion to dismiss in a separate Order, (Doc. 65), finding that Plaintiffs, Christopher Lang and Peter Alamillo failed to allege an injury in fact, but that all other named plaintiffs had standing. In that Order, the Court deferred ruling on the Rule 12(b)(6) portion of Brinker's motion. The Court also requested that the parties file a joint notice indicating how they would like to proceed regarding the choice of law concerns the Court raised at the hearing. (Doc. 65). The parties filed their joint notice but could not agree on how to proceed. (Doc. 68). Plaintiffs subsequently dismissed two named plaintiffs: FredSanders and Daniel Summers. (Docs. 71, 72, 73).⁴ After the parties filed several discovery motions, (Docs. 77, 79, 80, 82, 84), the Court stayed all depositions and new discovery requests pending the Court's ruling on the motion to dismiss. (Doc. 85). Of those requests, only Brinker's Motion for Protective Order remains. (Doc. 84).

II. CHOICE OF LAW

The parties briefing on the motion to dismiss did not address choice of law. Many of the common law claims were analyzed under Florida law, but the parties also relied on data breach cases that applied different states' laws. Because the Court was unclear on which states' laws applied to the common law claims, it requested that the parties determine whether they wanted to brief choice of law now, or have the Court defer ruling on the Rule 12(b)(6) portion of the motion to...