Judge Trims Proposed Class Action Over Wendy’s Data Breach

ORDER

In this class action suit, Plaintiffs sue Wendy’s International, LLC (“Wendy’s”), on behalf of themselves and all others similarly situated, for failing to adequately secure and safeguard customers’ financial information. (Doc. 71). Wendy’s moves to dismiss with prejudice, arguing that Plaintiffs fail to demonstrate Article III standing, or alternatively, that Plaintiffs fail to state a claim upon which relief can be granted. (Doc. 74). Plaintiffs responded in opposition (Doc. 79), and Wendy’s replied (Doc. 88). For the reasons discussed herein, the Court will grant in part and deny in part Wendy’s Motion to Dismiss.

I. BACKGROUND

Plaintiff, Jonathan Torres (“Torres”), initiated this suit on February 8, 2016. (Doc. 1). In his original complaint, Torres alleged that hackers used malicious malware to gain access to the computer systems at Wendy’s locations throughout the United States and stole copies of Wendy’s customers’ private information, specifically their payment card data (“PCD”) and their personal identifiable information (“PII”). (Id. ¶ 2). Torres alleged that the hackers were able to gain access to Wendy’s computer systems because Wendy’s maintains an insufficient and inadequate system to protect its customers’ private information. (Id. ¶ 29). Specifically, Torres claimed that Wendy’s point of sale (“POS”) systems were outdated and vulnerable to attack; that Wendy’s failed to comply with industry standards and Federal Trade Commission requirements; and that Wendy’s failed to upgrade its payment systems to use the latest technology.

Torres claimed that, as a result of his private information being stolen during the alleged data breach, he was placed at an “imminent, immediate, and continuing risk of harm from identity theft and identity fraud, requiring [him and class members] to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives,” including having to alert their credit reporting agencies, contact their financial institutions, modify financial accounts, and closely review and monitor their credit reports and accounts for unauthorized activity. (Id. ¶ 41).

On July 15, 2016, the Court dismissed Torres’s complaint for failing to demonstrate Article III standing. (Doc. 70). The Court found that Torres had not alleged that he suffered an injury-in-fact sufficient to prove standing. As the Court explained, Torres had not alleged that the fraudulent charges on his credit cards went unreimbursed and, therefore, had not alleged any monetary harm. Further, the Court noted that the other “harms” that Torres alleged (i.e., a continuing risk of identity theft and the need to closely review and monitor credit reports) were “highly speculative” and did not appear “certainly impending.” The Court thus found that these “harms” were likewise insufficient to establish standing. Accordingly, the Court dismissed the complaint without prejudice, allowing Torres to file an amended complaint.

On July 29, 2016, Plaintiffs filed an Amended Complaint. (Doc. 71). In the Amended Complaint, Torres claims that, as a result of Wendy’s data breach, he was unable to make a timely payment for a utility bill, causing him to incur a $3 late fee. The Amended Complaint also added six new Plaintiffs. Each of the additional Plaintiffs had their PCD and PII exposed during Wendy’s data breach and, as a result, “experienced credit or debit card fraud, had their PII exposed and its value diminished, and spent valuable time remedying the consequences of the Data Breach.” (Doc. 79, p. 4). Moreover, the Amended Complaint alleges that Plaintiffs, Christine Jackson and Donald Jackson (the “Jacksons”), Roxanne Grant (“Grant”), and Gerald Thomas (“Thomas”), “were required to use alternative sources of funds to make purchases while awaiting their replacement cards, thereby foregoing credit card reward points and/or cash-back rewards and experiencing actual damages.” (Id.).

Wendy’s moves to dismiss the Amended Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). In its motion, Wendy’s argues that the Amended Complaint again fails to allege an actual or imminent injury sufficient to confer Article III standing. In the alternative, Wendy’s argues that Plaintiffs’ claims should be dismissed for failing to state a claim upon which relief can be granted.

II. DISCUSSION

A. Article III Standing—12(b)(1)

Under Article III, section 2 of the United States Constitution, federal judicial power is limited to resolution of “cases” or “controversies.” U.S. Const. art. III, § 2. Thus, “[l]itigants must show that their claim presents the court with a case or controversy under the Constitution and meets the ‘irreducible constitutional minimum of standing.’” Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). The plaintiff bears the burden of proving standing, which requires a three-part showing: (1) the plaintiff must have suffered an injury-in-fact; (2) the plaintiff’s injury must be fairly traceable to the actions of the defendant; and (3) the relief requested in the suit must redress the plaintiff’s injury. Allen v. Wright, 468 U.S. 737, 751 (1984) (reviewing the Supreme Court’s standing jurisprudence), abrogated on other grounds by Lexmark Int’l, Inc. v. Static Control Components, Inc., 134 S. Ct. 1377 (2014).

To establish injury-in-fact, the plaintiff must demonstrate that he holds “a legally cognizable interest that has been or is imminently at risk of being invaded.” Mulhall v. UNITE HERE Local 355, 618 F.3d 1279, 1286 (11th Cir. 2010). At the pleading stage, this requirement is not particularly onerous and will be satisfied by “general factual allegations of injury resulting from [Defendant’s] conduct.” Lujan, 504 U.S. at 561. However, such injury must be “certainly impending to constitute injury in fact” and “‘[a]llegations of possible future injury’ are not sufficient.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013). (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)).

In contrast to the original Complaint, the allegations in the Amended Complaint have been developed to allege particularized, concrete injuries to the named Plaintiffs in this case. For one, Torres has articulated a concrete economic harm by alleging that he incurred a $3 late fee as a result of the data breach in this case. Such an economic harm is sufficient to allege standing. See Resnick, 693 F.3d at 1323 (holding that an allegation of identity theft coupled with monetary damages “constitutes an injury in fact under the law”).1 Moreover, the new Plaintiffs have alleged additional theories of harm beyond the continuing risk of identity theft. In particular, Plaintiffs have alleged they have suffered actual injuries, including the loss of credit card reward points and loss of cash-back rewards. These allegations of injuries are sufficient at this stage to plead standing. See, e.g., In re Target Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014) (finding that allegations of restricted or blocked access to bank accounts was sufficient to plead standing at the motion to dismiss stage). The Court thus finds that Plaintiffs have met their burden of pleading “general factual allegations of injury resulting from [Defendant’s] conduct.” Lujan, 504 U.S. at 561. Wendy’s motion to dismiss the Amended Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) will, therefore, be denied.

B. Failure to State a Claim—12(b)(6)

Federal Rule of Civil Procedure 12(b)(6) provides that a court may dismiss a complaint "for failure to state a claim upon which relief can be granted." To survive a motion to dismiss, a complaint must allege sufficient facts to show that the legal allegations are not simply possible, but plausible. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678. When considering a Rule 12(b)(6) motion, the reviewing court must accept all allegations in the complaint as true and view them in the light most favorable to theplaintiff. Chaparro v. Carnival Corp., 693 F.3d 1333, 1335 (11th Cir. 2012) (per curiam). However, a complaint must do more than provide “[m]ere ‘labels and conclusions or a formulaic recitation of the elements of a cause of action . . . .’” Franklin v. Curry, 738 F.3d 1246, 1251 (11th Cir. 2013) (per curiam) (quoting Iqbal, 556 U.S. at 678).

1. Breach of Implied Contract

In Count I of the Amended Complaint, Plaintiffs allege that Wendy’s is liable for breach of implied contract. (Doc. 71, p. 31). Plaintiffs contend that by paying for purchases and services at Wendy’s, “Plaintiffs and Class members entered into implied contracts with Wendy’s pursuant to which Wendy’s agreed to safeguard and protect [their personal] information and to timely and accurately notify Plaintiffs and Class members if their data had been breached and compromised.” (Doc. 71, ¶ 100).

“A valid contract arises when the parties’ assent is manifested through written or spoken words, or inferred in whole or in part from the parties’ conduct.” Solnes v. Wallis & Wallis, P.A., 15 F. Supp. 3d 1258, 1267 (S.D. Fla. 2014), aff'd, 606 F. App'x 557 (11th Cir. 2015) (per curiam). “Contracts implied in fact are inferred from the facts and circumstances of the case.” Mercier v. Broadfoot, 584 So. 2d 159, 161 (Fla. 1st DCA 1991). The existence and validity of an implied contract is dependent upon the parties’ conduct and the factual circumstances surrounding the parties’ conduct. See, e.g., Commerce P'ship 8098 Ltd. P'ship v. Equity Contracting Co., 695 So. 2d 383, 385 (Fla. 4th DCA 1997) (en banc) (“[A] fact finder must examine and interpret the parties’ conduct to give definition to their unspoken agreement.”).

In this case, Plaintiffs have pled facts such that the Court can reasonably infer that the conduct of the parties created an implied-in-fact contract. According to Plaintiffs, Wendy’s invited its customers to pay for their purchases with credit cards containing confidential information. Implicit in that invitation, Plaintiffs claim, is an agreement that Wendy’s will protect its customers’ confidential information as a reasonable and prudent merchant would. Indeed, other courts have found that a reasonable fact-finder could conclude an implied contract exists between the merchant and its customer when the customer uses a credit card to purchase products. Included in that implied contract is an agreement that the merchant will safeguard its customers’ data. According to the First Circuit Court of Appeals:

When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only. Ordinarily, a customer does not expect—and certainly does not intend—the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.

Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011).

The Court thus finds that Plaintiffs have provided sufficient facts to plead a claim for breach of implied contract. The motion to dismiss as to Count I is, therefore, denied.

2. Negligence

In Count II of the Amended Complaint, Plaintiffs allege that Wendy’s owed a duty to exercise reasonable care to secure and safeguard its customers’ confidential information. Plaintiffs bring a common law claim of negligence based on Wendy’s alleged breach of that duty. Wendy’s moves to dismiss, arguing that Plaintiffs’ negligence claim fails as a matter of law because Wendy’s owed no duty to protect its customers’ confidential information.

To state a claim for negligence, a plaintiff must show that (1) the defendant owed a duty of reasonable care to the plaintiff, (2) the defendant breached that duty, and (3) the plaintiff suffered damages as a result of the defendant’s breach. Hasenfus v. Secord, 962 F.2d 1556, 1559–60 (11th Cir. 1992); Paterson v. Deeb, 472 So. 2d 1210, 1214 (Fla. 1st DCA 1985). Generally, “there is no common law duty to prevent the misconduct of third persons.” Trianon Park Condo. Ass’n, Inc. v. City of Hialeah, 468 So. 2d 912, 918 (Fla. 1985) (citing Restatement (Second) of Torts § 315 (1965)). However, “where a person’s conduct is such that it creates a ‘foreseeable zone of risk’ posing a general threat of harm to others, a legal duty will ordinarily be recognized.” United States v. Stevens, 994 So. 2d 1062, 1067 (Fla. 2008) (citing McCain v. Fla. Power Corp., 593 So. 2d 500, 503 (Fla. 1992)); see also Restatement (Second) of Torts § 302A (1965) (“An act or an omission may be negligent if the actor realizes or should realize that it involves an unreasonable risk of harm to another through the negligent or reckless conduct of the other or a third person.”).

Plaintiffs argue that Wendy’s was under a duty to protect its customer’s information because the risk of harm created by its actions was foreseeable. According to Plaintiffs, “Wendy’s had reason to know that its data security systems were inadequate and, thus, vulnerable to attack.” (Doc. 79, p. 21). Plaintiffs have alleged facts that suggest that Wendy’s was aware that its POS systems were outdated and vulnerable to attack, yet failed to take any precautions to prevent the data breach. Plaintiffs also claim that Wendy’s failed to comply with industry standards for protecting payment card data, and failed to update its payment systems to use the latest protective technology. Accordingly, Plaintiffs assert that Wendy’s had ample reasons to anticipate the hack, but failed to take action to prevent it and chose not to warn its customers. Moreover, Plaintiffs allege that the data breach persisted for several months, beginning in Fall 2015. Although Wendy’swas aware of the problem in January 2016, Plaintiffs claim that the breach continued for an additional six months until June 2016. Plaintiffs claim that by failing to timely notify its customers of the data breach, Wendy’s violated several state data security breach statutes. Such statutory violations, Plaintiffs argue, constitute prima facie evidence of negligence. (Doc. 79, p. 30).

Based on these facts, which the Court accepts as true at this state of litigation, Plaintiffs have advanced a plausible claim that Wendy’s actions and omissions created a “foreseeable zone of risk” such that a duty could be recognized. Accordingly, the Motion to Dismiss will be denied as to Count II.

3. Violations of State Consumer Protection Laws

In Count III, Plaintiffs allege violations of six state consumer protection statutes:

1. Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”), Fla. Stat. § 501.204(1);
2. New York Business Law, N.Y. Bus. Law § 349(a);
3. New Jersey Consumer Fraud Act (“NJCFA”), N.J. Stat. § 56:8-2;
4. Mississippi Consumer Protection Act (“MCPA”), Miss. Code Ann. §§ 75-24- 5(1), 2(e), 2(g);
5. Tennessee Consumer Protection Act (“TCPA”), Tenn. Code Ann. §§ 47-18- 104(a) & (b)(5); and
6. Texas Deceptive Trade Practices Act (“TDTPA”), Tex. Bus. & Com. Code Ann. §§ 17.46(a), (b)(5), (7);

(collectively, the “Consumer Protection Claims”).

Wendy’s moves to dismiss Count III, arguing—among other things—that Plaintiffs Consumer Protection Claims fall short of basic federal pleading requirements.

Rules 8 and 10 of the Federal Rules of Civil Procedure set forth minimum requirements for complaints filed in this Court. At a minimum: (1) pleadings must include“short and plain” statements of the pleader’s claims set forth in “numbered paragraphs each limited as far as practicable to a single set of circumstances”; and (2) pleadings must not include mere labels, legal conclusions, or formulaic recitation of the elements of a claim. See Fed. R. Civ. P. 8(a), 8(d), 10(b); see also M.D. Fla. R. 1.05, 1.06. Shotgun pleadings result when a party “fails to follow Rules 8 and 10.” See Hickman v. Hickman, 563 F. App’x 742, 744 (11th Cir. 2014) (per curiam). When confronted with a shotgun complaint, district courts must require repleader. See Paylor v. Hartford Fire Ins., 748 F.3d 1117, 1127–28 (11th Cir. 2014).

The Eleventh Circuit has repeatedly condemned shotgun pleadings. In fact, the Eleventh Circuit recently acknowledged its “thirty-year salvo of criticism aimed at shotgun pleadings” and identified four categories of shotgun pleadings. See Weiland v. Palm Beach Cty. Sheriff’s Office, 792 F.3d 1313, 1321–23 (11th Cir. 2015). One type of impermissible shotgun pleading is “one that commits the sin of not separating into a different count each cause of action or claim for relief.” Id. at 1323.

In Count III, Plaintiffs raise claims under six different state consumer protection laws. Although these laws share similarities, they are distinct causes of actions with unique requirements and defenses. For example, the MCPA requires that, prior to bringing a private action, the plaintiff must first attempt to resolve the claim through an information dispute settlement program—a requirement that is absent from the other state’s consumer protection laws. By lumping all six causes of action into one count in the Amended Complaint, Wendy’s and this Court face the onerous task of sifting through the Amended Complaint to determine whether the facts alleged sufficiently state a claim for relief under the six different state consumer protection laws. This manner of pleading contravenes the mandate of Federal Rule of Civil Procedure 8(a). Because Count III does not meet Rule 8’s pleading standards, the Court will require Plaintiffs to replead its Consumer Protection Claims. Accordingly, Count III will be dismissed without prejudice.

4. Violations of State Data Breach Statutes

In Count IV, Plaintiffs bring claims for violations of the following state data breach statutes:

1. Fla. Stat. Ann. § 501.171(4), et seq.;
2. New York Business Law, N.Y. Gen. Bus. Law § 899-aa;
3. New Jersey Stat. Ann. 56:8-163(a), et seq.;
4. Tenn. Code Ann. § 47-18-2107(b), et seq.; and,
5. Tex. Bus. & Com. Code Ann. § 521.053(b), et seq.

The Court notes that Count IV suffers from the same pleading deficiencies as Count III. Accordingly, the Court will require Plaintiffs to replead Count IV as well.

In the interest of judicial economy, however, the Court will address some of Wendy’s substantive arguments regarding Count IV. Wendy’s moves to dismiss several of the state data breach claims, arguing that the statutes do not create a private right of action. (Doc. 74, p. 34). Plaintiffs do not dispute that the statutes do not create a private right of action. Instead, Plaintiffs contend that even though there is no private right of action, the “statute[s] can set forth a relevant duty of care for a common law tort claim.” (Doc. 79, p. 30).

Plaintiffs misconstrue the basic legal principles of statutory law. A statute does not give rise to a civil cause of action unless the language of the statute explicitly so provides, or it can be determined by clear implication. Alexander v. Sandoval, 532 U.S. 275, 286–87 (2001) (holding that without statutory intent, “a cause of action does not exist and courts may not create one”). Simply put, where a statute does not provide for a private right of action, one cannot recover for the violation of that statute.

Plaintiffs’ argument that “a statute can set forth a relevant duty for a common law tort” does nothing to change this basic principle of statutory law. Indeed, in their response to Wendy’s Motion to Dismiss, Plaintiffs simply restate the well-established principle that violation of a statute is prima facie evidence of negligence. See, e.g., deJesus v. Seaboard Coast Line R. Co., 281 So. 2d 198, 201 (Fla. 1973). While this may support Plaintiffs negligence claim, it does not create a separate cause of action for which Plaintiffs can recover.

Four of the five state data breach statutes in this case do not provide for a private right of action. See Fla. Stat. § 501.171(10) (“This section does not establish a private cause of action.”); N.Y. Gen. Bus. Law § 899-aa(6)(a) (providing that the attorney general “may bring an action in the name and on behalf of the people of the state of New York”); Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *13 (W.D. Ky. July 12, 2012) (holding that the New Jersey data breach statute, N.J. Stat. § 56:8-163, “does not create a private right of action for citizens to enforce its provisions”); Tex. Bus. & Com. Code Ann. § 521.151(a) (providing that the “attorney general may bring an action to recover the civil penalty imposed under this subsection”). Plaintiffs are, therefore, unable to recover directly for a violation of these statutes.

Accordingly, the Motion to Dismiss Count IV will be granted and Plaintiffs will be granted leave to amend. Plaintiffs are directed, however, to only replead claims for statutes that provide a private right of action.

III. CONCLUSION

It is therefore ORDERED AND ADJUDGED as follows:

1. Wendy’s Motion to Dismiss (Doc. 74) is GRANTED IN PART AND DENIED IN PART. The Motion is GRANTED as to Counts III and IV. The Motion is DENIED as to Counts I and II.
2. Counts III and IV are DISMISSED WITHOUT PREJUDICE.
3. Plaintiffs may file an amended complaint, consistent with the directives of this Order, on or before April 3, 2017.

DONE AND ORDERED in Orlando, Florida, on March 21, 2017.

1 Although the amount of alleged monetary damages in the Amended Complaint is relatively insignificant, the Court notes that one purpose of the class action mechanism is to provide an opportunity for meaningful redress to plaintiffs with claims too small to justify individual litigation. See, e.g., Thorogood v. Sears, Roebuck & Co., 547 F.3d 742, 744 (7th Cir. 2008).