On May 4, 2017, a class action lawsuit was filed in the U.S. District Court for the District of Colorado on behalf of credit unions, banks, and other financial institutions against a national restaurant chain, seeking to recover damages incurred as a result of a data breach.
According to the allegations in the complaint, the defendant was the victim of a data breach where hackers stole the names and credit card information of defendant’s and plaintiffs’ customers. As a result, the plaintiff financial institutions incurred substantial losses when they were forced to take steps such as cancelling or reissuing affected debit and credit cards, closing affected accounts, refunding cardholders for unauthorized transactions, and increasing fraud monitoring. The plaintiffs allege that the data breach was both foreseeable and preventable, and was directly caused by the defendant’s failure to implement or maintain adequate data security measures for customer information.
Specifically, the plaintiffs point out that the defendant suffered a data breach in 2004. This prior breach, coupled with the string of high-profile data breaches in recent years, should have put the defendant on notice that such breaches were occurring throughout the restaurant industry. Despite the threat, the defendant allegedly failed to implement a number of industry best practices. The plaintiffs claim that the defendant ignored industry standards for data security.
The plaintiffs in this case are suing for simple negligence and negligence per se under state law. The negligence claim is based on the argument that (1) the defendant owes a duty of care to the plaintiffs to provide adequate security to protect their mutual customers’ personal and financial information, (2) the defendant breached this duty by failing to maintain updated EMV card systems and POS terminals, and (3) as a result of the foreseeable data breach, the plaintiffs suffered substantial losses. The negligence per se claim additionally argues that the defendant violated § 5 of the FTC Act (and similar state statutes) by failing to use reasonable measures to protect credit and debit card information and not complying with applicable industry standards, which constitutes negligence per se.
The case is Bellwether Community Credit Union v. Chipotle Mexican Grill, Inc.