Opinion
Case No. 3:18-cv-686-J-32MCR
07-27-2020
In re Brinker Data Incident Litigation
ORDER
This class action again requires the Court to analyze standing in the data breach context. This time, the Court must determine whether the threat of future harm—that hackers will again steal Plaintiffs' old debit card information from Defendant and use it to acquire Plaintiffs' new debit card information—is substantially likely to occur such that Plaintiffs have Article III standing to bring claims for prospective declaratory and injunctive relief.
The case is before the Court on Defendant Brinker International, Inc.'s Motion to Dismiss Plaintiffs' Third Amended Consolidated Class Action Complaint ("Third Complaint"). (Doc. 99). Plaintiffs responded in opposition, (Doc. 100), Brinker replied, (Doc. 111), and Plaintiffs filed a sur-reply, (Doc. 115).
I. BACKGROUND
Most of the facts alleged in Plaintiffs' prior complaint remain, and the Court detailed them in its prior orders. (Docs. 65, 92). In short, Plaintiffs allege that Brinker—the parent company of Chili's Grill and Bar—maintained inadequate IT security systems that resulted in hackers stealing Plaintiffs' payment card information. (Doc. 95).
In its last motion to dismiss, Brinker sought dismissal on the basis that the named plaintiffs had not suffered an injury in fact for Article III standing and that each count failed to state a claim upon which relief could be granted. The Court divided these issues, publishing one Order on standing (Doc. 65) and one on the sufficiency of the complaint (Doc. 92). The Order on standing analyzed both the allegations of an actual injury and those of a future threatened injury. (Doc. 65). The Court held that several of the named plaintiffs had alleged an actual injury in fact based on past harms, but that two plaintiffs—who had alleged only the threat of future injuries—did not have standing because their "minimal allegations assert[ed] only speculative future harm that does not rise to an Article III injury in fact." (Doc. 65 at 18).
In its Order on the Rule 12(b)(6) portion of Brinker's last motion to dismiss, the Court found that three of Plaintiffs' fourteen causes of action were sufficiently alleged—breach of implied contract, negligence, and violation of California's Unfair Competition Law ("UCL") for unfair business practices—but dismissed the other claims either in whole or in part. (Doc. 92 at 59). The Court permitted Plaintiffs to replead, but it also required Plaintiffs to file a brief in support with their Third Complaint if they decided to reassert their declaratory judgment claim or their claims under Florida's Deceptive and Unfair Trade Practices Act ("FDUTPA"). Id. at 31 n.13, 36 n.14.
Plaintiffs filed their Third Complaint, the operative complaint, alleging seven causes of action: Breach of Implied Contract (Count I); Negligence (Count II); Declaratory Judgment (Count III); violations of FDUTPA (Count IV); violations of California's UCL - unlawful business practices (Count V); violations of California's UCL - unfair business practices (Count VI); and violations of California's UCL - fraudulent/deceptive business practices (Count VII). (Doc. 95). Counts I, II, and III are on behalf of Plaintiffs and the proposed Nationwide Class (all individuals residing in the United States who made payment card purchases at a Chili's during the data breach period), or alternatively the Statewide Classes (all persons residing in California or Florida who made payment card purchases at a Chili's during the data breach period). (Doc. 95 ¶¶ 135-36). Count IV, the FDUTPA count, is on behalf of the Florida Statewide class, and Counts V, VI, and VII, the UCL counts, are on behalf of the California Statewide class. The named Plaintiffs, originally numbering eight and representing five statewide classes, are down to four—Marlene Green-Cooper, Shenika Theus, Michael Franklin, and Eric Steinmetz—with only two statewide classes.
Acknowledging that the Court permitted certain claims to go forward, Brinker moves to dismiss only the declaratory judgment claim (Count III), the FDUTPA claim (Count IV), and portions of each of the California UCL claims (Counts V, VI, and VII). (Doc. 99). Brinker asserts that Plaintiffs have still not alleged a sufficient future injury for Article III standing to permit declaratory or injunctive relief. Id. at 4-13. Thus, Brinker argues Counts III and IV, which seek only prospective relief, should be dismissed entirely. Id. at 4-12. Additionally, Brinker seeks dismissal of the requests for injunctive relief in each of the UCL claims based on a lack of standing. Id. at 12-13. Moreover, Brinker contends that the portion of Plaintiffs' UCL unlawful business practices claim (Count V) predicated on California Civil Code § 1798.82 and their entire UCL fraudulent business practices claim (Count VI) should be dismissed under Rule 12(b)(6). Id. at 14-18.
II. DISCUSSION
A. Threatened Future Injury for Article III Standing
To satisfy the "'irreducible constitutional minimum' of standing," the "plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992)). "To establish injury in fact, a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" Id. at 1548 (quoting Lujan, 504 U.S. at 560). "[A] plaintiff must establish standing for each type of relief sought . . . ." Tokyo Gwinnett, LLC v. Gwinnett Cty., 940 F.3d 1254, 1262 (11th Cir. 2019) (citing Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009)). Here, Brinker only challenges Plaintiffs' allegations of future injury related to the declaratory and injunctive relief they seek.
"[T]o demonstrate that a case or controversy exists to meet the Article III standing requirement when a plaintiff is seeking injunctive or declaratory relief, a plaintiff must allege facts from which it appears there is a substantial likelihood that he will suffer injury in the future." AA Suncoast Chiropractic Clinic, P.A. v. Progressive Am. Ins. Co., 938 F.3d 1170, 1179 (11th Cir. 2019) (quotation marks omitted) (quoting Malowney v. Fed. Collection Deposit Grp., 193 F.3d 1342, 1346-47 (11th Cir. 1999)). "An allegation of future injury may suffice if the threatened injury is 'certainly impending,' or there is a 'substantial risk that the harm will occur.'" Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (internal quotation marks omitted) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013)). "The controversy between the parties cannot be 'conjectural, hypothetical, or contingent; it must be real and immediate, and create a definite, rather than speculative threat of future injury.'" A&M Gerber Chiropractic LLC v. GEICO Gen. Ins. Co., 925 F.3d 1205, 1210 (11th Cir. 2019) (quoting Emory v. Peeler, 756 F.2d 1547, 1552 (11th Cir. 1985)). "The remote possibility that a future injury may happen is not sufficient to satisfy the 'actual controversy' requirement for declaratory judgments." Emory, 756 F.2d at 1552.
In its prior order on standing, the Court found that the threat of future harm was insufficient. (Doc. 65 at 17). The Court looked at three factors in making this determination: the motive of the hackers, the type of information stolen, and whether the information stolen had been misused. Id. at 17-18 (citing In re 21st Century Oncology Customer Data Sec. Breach Litig., No. 8:16-MD-2737-MSS-AEP, 2019 WL 2151095, at *6 (M.D. Fla. Mar. 11, 2019)). The Court concluded that the two plaintiffs who had alleged only future harm had failed to demonstrate that the risk of that harm was "substantial" or "heightened" as opposed to merely hypothetical or speculative. Id. at 17. Additionally, specific to Plaintiffs' claim for declaratory judgment, the Court found that because Plaintiffs had obtained new payment cards, they did not face a substantial risk of future harm because Brinker maintained only their old card data. (Doc. 92 at 31).
In their prior complaint, Plaintiffs alleged that they faced a substantial likelihood of future injury because their payment card information remained on Brinker's insecure systems. (Doc. 39 ¶¶ 201-04). The Court, noting an apparent split on this issue, found Plaintiffs' threat of future harm insufficient because Plaintiffs had alleged they obtained new cards; thus, a subsequent breach of Brinker's systems would pose no threat to Plaintiffs. (Doc. 92 at 31). Now, Plaintiffs allege that despite cancelling the cards that remain on Brinker's systems, hackers can steal the old card information from Brinker and use that to gain the replacement card information. (Doc. 100 at 3-6). Plaintiffs' argument is this:
Although Plaintiffs have alleged their compromised payment cards have been replaced as a result of the Data Breach, their Customer Data, which includes names, account numbers, expiration dates, CVV/CSC/CAV/CVC authorization codes and PIN verification data, remains stored on Brinker's data systems. The mere fact that this data may not be current does not render it useless for identity theft.(Doc. 96 at 5-6 (footnotes omitted)).
Some merchants have arrangements with credit card processors, such as Visa and Mastercard, to allow authorization for expired payment cards. See, Lifehacker, How Scammers Can Use Your Old Credit Card Numbers (Jan. 6, 2020). As noted in this article, the credit card companies will allow charges to expired cards and cards "no longer technically considered valid" in order to maintain good relationships will [sic] large retail merchants. Id.
Additionally, some merchants have arrangements with credit card processors to update credit card information within the merchant account automatically when a new card is issued by the processor. Credit.com, How Companies Know Your New Credit Card Number Before You Give It To Them (July 15, 2016). The credit card companies provide a service of updating account numbers so that the merchants can continue recurring charges without any disruption in payment. Thus, if a scammer has added a stolen payment card to a merchant account, such as Amazon and Netflix, using the cardholder's name, the card information in the fraudulent account may be updated automatically when the card is reissued after a data breach.
Plaintiffs do not allege that their compromised cards are issued through card processors that offer "account updating services" or have arrangements with merchants to automatically update card information. Plaintiffs' requested prospective relief only seeks to have Brinker "implement and maintain reasonable [information technology] security measures . . . ." (Doc. 95 ¶¶ 212, 220, 245, 259, 265). The information stolen previously is not at issue as the Court cannot fashion prospective relief to remedy that past alleged harm.
Plaintiffs allege that Marlene Green-Cooper's VyStar debit card's information was stolen; Shenika Theus's GreenDot Visa card's information was stolen; Michael Franklin's Chase Visa debit card's information was stolen; and Eric Steinmetz's Wells Fargo debit card's information was stolen. (Doc. 95 ¶¶ 28-44).
Thus, the question is: is it substantially likely that hackers will again steal Plaintiffs' payment card information from Brinker and then utilize that information to acquire Plaintiffs' new payment card information? Although such a scenario is possible, it is too speculative to confer standing for declaratory and injunctive relief. See Driehaus, 573 U.S. at 158 (2014); AA Suncoast, 938 F.3d at 1179. Plaintiffs' alleged future harm rests on a series of contingencies. First, Brinker would have to be hacked again. Second, Plaintiffs' stolen card information—all debit cards—would have to be serviced by a processor that automatically updates new card information with certain merchants. Third, the hackers would have to find a merchant with an agreement with the stolen card's processor. Fourth, the processor, instead of recognizing that the card recently added with the merchant was cancelled more than two years earlier, would have to send the replacement card information to the merchant. This string of contingencies is too speculative to satisfy Article III standing requirements; moreover, it has not happened in the more than two years since the original breach. See Gerber, 925 F.3d at 1210-11; AA Suncoast, 938 F.3d at 1179.
Both Theus and Franklin allege to have used Visa cards, and Plaintiffs have alleged that Visa offers "automatic updating." Plaintiffs did not allege the card processor for Green-Cooper or Steimetz. (Doc. 95 ¶¶ 31, 36, 121-22).
Plaintiffs also argue that their FDUTPA claims for injunctive relief can nonetheless survive because the statute provides that "anyone aggrieved by a violation of this part may bring an action to obtain a declaratory judgment that an act or practice violates this part and to enjoin a person who has violated, is violating, or is otherwise likely to violate this part." (Doc. 100 at 14-15 (quoting § 501.211(1), Fla. Stat.)). Further, Plaintiffs contend that "although injunctive or declaratory relief under federal statutes requires a showing of imminent harm, there is no such requirement under FDUTPA . . . ." Id. at 18. Plaintiffs are incorrect.
Article III standing, as its name implies, is a constitutional requirement to bring any claim in federal court. It makes no difference whether such claim is brought under state or federal law or is based on a statute or the Constitution. Cf. Spokeo, 136 S. Ct. at 1549 ("Congress' role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation."). Thus, the future injury requirement applies to all of Plaintiffs' claims seeking declaratory or injunctive relief. See, e.g., Snyder v. Green Roads of Fla. LLC, 430 F. Supp. 3d 1297, 1304 (S.D. Fla. 2020) (finding that plaintiffs seeking injunctive relief under FDUTPA failed to allege a likelihood of a future injury sufficient for Article III standing); Dapeer v. Neutrogena Corp., 95 F. Supp. 3d 1366, 1373 (S.D. Fla. 2015) ("Although the FDUTPA allows a plaintiff to pursue injunctive relief even where the individual plaintiff will not benefit from an injunction, it cannot supplant Constitutional standing requirements." (citation omitted)); see also, e.g., Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 967 (9th Cir.) (analyzing whether plaintiffs had alleged a sufficient Article III injury in fact based on future harm to seek injunctive relief under California's UCL), cert. denied, 139 S. Ct. 640 (2018).
As Plaintiffs have failed to allege a threat of future harm beyond a speculative level, the declaratory judgment, FDUTPA, and injunctive relief portions of the UCL claims are due to be dismissed.
B. Plaintiff's UCL Claims
Brinker moves to dismiss other portions of Plaintiffs' UCL claims under Rule 12(b)(6). While Brinker's arguments have force, they are not properly raised via a motion to dismiss. Brinker can re-raise these arguments after the record has been developed.
Accordingly, it is hereby
ORDERED:
1. Defendant Brinker International, Inc.'s Motion to Dismiss (Doc. 99) is GRANTED in part and DENIED in part.
2. Counts III (Declaratory Judgment) and IV (FDUTPA) are DISMISSED without prejudice for lack of standing.
3. Plaintiffs' requests for injunctive relief in their UCL claims (Counts V, VI, and VII) are DISMISSED without prejudice for lack of standing.
4. In all other respects, the motion (Doc. 99) is DENIED.
5. Not later than August 23, 2020, Brinker shall answer the Third Amended Consolidated Class Action Complaint.
6. Upon review, the Court believes mediating before the class certification hearing would be beneficial. Thus, the parties shall conduct their first mediation by November 20, 2020.
7. In all other respects, the Case Management and Scheduling Order (Doc. 102), as amended (Doc. 114) continues to govern the case.
DONE AND ORDERED in Jacksonville, Florida this 27th day of July, 2020.
/s/_________
TIMOTHY J. CORRIGAN
United States District Judge jjb
Copies to: Counsel of record