We’ve discussed before the challenges that a business might face if it files a lawsuit after a data breach.

This post focuses on one particular challenge: the economic-loss rule.  That rule prevents plaintiffs who suffer economic losses stemming from a contract from trying to recover those losses through non-contract claims.

Because business-to-business data-breach lawsuits are likely to involve some form of contractual relationship between the plaintiff and the defendant, the rule can be a powerful shield against tort claims—including and especially negligence.

In a recent decision from a federal court in Colorado involving my go-to burrito spot, the plaintiffs got especially creative in attempting to avoid the economic-loss rule.  This post examines the court’s handling of two of their claims.

Burrito, stolen payment-card data on the side.

Bellwether Community Credit Union v. Chipotle Mexican Grill concerned a cyberattack on point-of-sale systems in Chipotle restaurants that compromised customers’ credit- and debit-card information. The plaintiffs—credit unions who had to reissue payment cards and issue refunds for unauthorized purchases to the customers whose card data was stolen—sued Chipotle for failing to prevent the breach.

In addition to claims for negligence and violation of various states’ unfair and deceptive trade practices statutes, which are common in data breach lawsuits, the plaintiffs asserted two additional claims that are not: negligence per se and misappropriation of trade secrets under the federal Defend Trade Secrets Act (DTSA).

An independent duty?

Through both claims, it seems, the plaintiffs sought to avail themselves of the so-called “independent duty” exception to the economic-loss rule. Under that doctrine, the economic-loss rule does not bar a tort claim that alleges the breach of a duty that arose outside the scope of a contract.

As to the negligence per se claim, the plaintiffs alleged that Chipotle had a duty under Section 5 of the FTC Act to use reasonable measures to secure its customers’ payment card data.

The FTC, the plaintiffs observed, had issued guidance on data security for businesses, and brought enforcement actions under section 5 against other businesses that failed to protect payment card data.  Although section 5 includes no private right of action, the plaintiffs alleged that Chipotle’s violation of its requirement to employ reasonable data security measures constituted negligence per se.

As to the trade secret misappropriation claim, the plaintiffs alleged that data related to the payment cards they issued to Chipotle’s customers was a protectable trade secret under the DTSA.  To that end, the plaintiffs alleged (a) that they took reasonable measures to keep the card data secret, including limiting disclosure to unauthorized third parties; and (b) that card data derived independent economic value from not being generally known or readily ascertainable by others.  And Chipotle, alleged the plaintiffs, “misappropriated” this trade secret by improperly disclosing it to the hackers.

Chipotle moved to dismiss both claims under Rule 12(b)(6).

The court’s decision.

The court sided with Chipotle.

On the negligence per se claim, the court observed that, under Colorado law, the violation of a statute can only serve as the basis for that claim when the plaintiff is a member of the class that the statute was intended to protect.  The plaintiffs, the court held, could not satisfy that test as to section 5.

Congress enacted that statute, explained the court, to protect “consumers” and “competitors” against the destruction of competition.  The plaintiffs were neither consumers nor competitors of Chipotle, and hadn’t otherwise alleged that they were harmed by any destruction of competition arising from Chipotle’s acts.  The plaintiffs therefore failed to show that they fell within the scope of intended beneficiaries under section 5, and could not maintain a negligence per se claim.

The DTSA claim fared no better.  The court found that payment-card data did not constitute a “trade secret” for DTSA purposes.

To reach that conclusion, the court reasoned that payment-card data elements—such as cardholder names and card numbers—had no independent economic value.  Instead, those data elements were merely methods of access to something of value, namely, a line of credit or money in a bank account. Without a connection to a line of credit or a bank account, payment-card data were “simply a string of alpha or numeric symbols.”

The court also reasoned the plaintiffs could not show that payment-card data derived any value from being kept a secret.  To the contrary, disclosure to other parties, such as merchants, is what makes a payment card valuable. Deriving value solely from its authorized disclosure, concluded the court, also precluded a finding that payment card data was a trade secret under the DTSA.

Bellwether thus confirms that business plaintiffs in data-breach lawsuits face an uphill battle when it comes to most non-contract claims.  Like the recent return of chorizo to Chipotle’s menu, that’s music to data-breach defendants’ ears.

Author: Alex Pearce