First Choice Federal Credit Union v. The Wendy's Company et alBRIEF in Support re Motion to Dismiss re: 32 Consolidated Amnended Class Action ComplaintW.D. Pa.August 22, 2016 LEGAL02/36568420v12 IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF PENNSYLVANIA Civil Action No. 2:16-cv-00506-NBF-MPK MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ MOTION TO DISMISS THE PLAINTIFFS’ CONSOLIDATED AMENDED CLASS ACTION COMPLAINT v. THE WENDY’S COMPANY, WENDY’S RESTAURANTS, LLC, and WENDY’S INTERNATIONAL, LLC, Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 1 of 47 i LEGAL02/36568420v12 TABLE OF CONTENTS I. INTRODUCTION ............................................................................................... 1 II. BACKGROUND ................................................................................................. 2 III. LEGAL STANDARD ......................................................................................... 4 IV. ARGUMENT AND CITATION TO AUTHORITIES ......................................... 5 A. Pennsylvania’s Choice of Law Rules Determine the Law Governing The FI Plaintiffs’ Negligence-Based Claims .......................... 5 B. The ELR Bars Eleven FI Plaintiffs’ Negligence-Based Claims ................. 7 C. The FI Plaintiffs Fail to State a Claim for Negligence............................. 12 1. There is No Common Law Duty to Protect against a Criminal Data Breach ................................................................................ 12 2. Wendy’s Does Not Have a Special Relationship with the FI Plaintiff’s That Gives Rise to a Duty to Protect Them From Data Breaches ..................................................................................... 17 3. Industry Standards Do Not Give Rise to a Duty .......................... 19 4. The FTC Act Cannot Form the Basis of the FI Plaintiffs’ Common Law Negligence Claim ................................................ 20 D. The FI Plaintiffs’ Negligence Per Se Claims Fail.................................... 21 1. Arkansas, Louisiana, and Massachusetts Do Not Recognize Negligence Per Se As An Independent Cause of Action .............. 21 2. Section 5 of the FTC Act Does Not Support a Claim for Negligence Per Se ...................................................................... 23 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 2 of 47 ii LEGAL02/36568420v12 a. Section 5 Does Not Impose a Clear and Concrete Duty or Standard of Conduct ......................................................... 24 b. The FI Plaintiffs Do Not Fall Within the Class of Persons Congress Intended to Protect Under the “Unfair Practices” Prong of the FTC Act............................................................ 25 3. FTC Publications and Orders Do Not Carry the Force of Law and Fail to Support a Claim for Negligence Per Se ..................... 26 4. Industry Standards Cannot Support a Negligence Per Se Claim .. 28 E. Plaintiffs Fail to State a Claim Under Ohio’s Deceptive Trade Practices Act .......................................................................................... 28 F. Plaintiffs’ Claim for Injunctive and Declaratory Relief Should Be Dismissed .............................................................................................. 31 1. Plaintiffs Fail to State a Claim for Injunctive Relief .................... 31 a. There is No Cognizable Claim for “Injunctive Relief” .......... 31 b. Plaintiffs are Not Entitled to the Remedy of Injunctive Relief .................................................................................... 31 2. Plaintiffs Fail to State a Claim for Declaratory Relief ................. 32 a. Plaintiffs Improperly Seek a Determination of Past Liability ................................................................................ 32 b. The Association Plaintiffs Do Not Have Standing to Pursue a Claim for Declaratory Relief ................................... 33 V. CONCLUSION ................................................................................................. 34 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 3 of 47 iii LEGAL02/36568420v12 TABLE OF AUTHORITIES Page(s) CASES Alabama v. U.S. Army Corps of Eng’rs, 424 F.3d 1117 (11th Cir. 2005)............................................................................................ 31 Am. Chiropractic Ass’n v. Am. Specialty Health, Inc., 625 F. App’x 169 (3d Cir. 2015) ......................................................................................... 33 Am. Fin. Servs. Ass’n v. F.T.C., 767 F.2d 957 (D.C. Cir. 1985) ............................................................................................. 24 Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) ................................................................................ 13 Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) ................................................................................................ 18 Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499 (Iowa 2011) .............................................................................................. 11 Ashcroft v. Iqbal, 556 U.S. 662 (2009) .......................................................................................................... 3, 5 Atl. Ref. Co. v. F.T.C., 381 U.S. 357 (1965) ............................................................................................................ 24 Banknorth, N.A. v. BJ’s Wholesale Club, Inc. 442 F. Supp. 2d 206 (M.D. Pa. 2006) .............................................................................. 9, 11 Bans Pasta, LLC v. Mirko Franchising, LLC, No. 7:13-cv-00360, 2014 WL 637762 (W.D. Va. Feb. 12, 2014) ......................................... 23 Bearden v. Wyeth, 482 F. Supp. (E.D. Pa. 2006) ............................................................................................... 22 Beatrice Foods Co. v F.T.C., 540 F.2d 303 (7th Cir. 1976) ............................................................................................... 27 Beaver Valley Power Co. v. Nat’l Eng’g & Contracting Co., 883 F.2d 1210 (3d Cir. 1989)............................................................................................... 24 Bedford Auto Dealers Ass’n v. Mercedes Benz of N. Olmstead, 2012 WL 760626 (Ohio Ct. App. Mar. 8, 2012 and collecting cases) ................................... 29 Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) .............................................................................................................. 4 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 4 of 47 iv LEGAL02/36568420v12 Bennett v. Eagle Brook Country Store, Inc., 557 N.E.2d 1166 (Mass. 1990) ............................................................................................ 21 Boudreaux v. State DOTD, 49 So. 3d 1041 (La. Ct. App. 2010) ..................................................................................... 22 Boutilier ex rel. Boutilier v. Chrysler Ins. Co., No. 8:99-cv-2270T26MAP, 2001 WL 220159 (M.D. Fla. Jan. 31, 2001) ............................. 20 Boyd v. Moore, 919 N.E.2d 283 (Ohio Ct. App. 2009) ................................................................................. 24 Boyd v. Racine Currency Exch., Inc., 306 N.E.2d 39 (Ill. 1973) ..................................................................................................... 15 Braxton v. Commonwealth Dep’t of Transp., 634 A.2d 1150 (Pa. Commw. Ct. 1993) ............................................................................... 28 Broadus v. Chevron USA, Inc., 677 So. 2d 199 (Ala. 1996) .................................................................................................. 15 Cabiroy v. Scipione, 767 A.2d 1078 (Pa. Super. Ct. 2001) ................................................................................... 26 Carpenter v. Kloptoski, No. 1:08-CV-2233, 2010 WL 891825 (M.D. Pa. Mar.10, 2010) .......................................... 20 CAT Internet Servs., Inc. v. Magazines.com Inc., Civ. No. 00-2135, 2001 WL 8858 (E.D. Pa. Jan. 4, 2001) ...................................................... 6 Celec v. Edinboro Univ., 132 F. Supp. 3d 651, 669 ..................................................................................................... 32 Cent. Okla. Pipeline, Inc. v. Hawk Field Servs., LLC, 400 S.W.3d 701 (Ark. 2012) ................................................................................................ 21 Chamber of Commerce v. United States Dep’t of Labor, 174 F.3d 206 (D.C. Cir. 1999) ............................................................................................. 27 Chambers v. St. Mary’s Sch., 697 N.E.2d 198 (Ohio 1998) ......................................................................................... 21, 26 Citizens Bank of Pa. v. Reimbursement Techs., Inc., No. 12-1169, 2014 WL 2738220 (E.D. Pa. June 17, 2014) .................................................. 12 City of Atlanta v. Benator, 714 S.E.2d 109 (Ga. Ct. App. 2011) .................................................................................... 12 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 5 of 47 v LEGAL02/36568420v12 CMR D.N. Corp. v. City of Phila., 703 F.3d 612 (3d Cir. 2013) ................................................................................................ 32 Corliss v. O’Brien, 200 F. App’x 80 (3d Cir. 2006) ........................................................................................... 32 Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 835 N.E.2d 701 (Ohio 2005) ........................................................................................... 8, 11 Cumis Ins. Soc’y v. BJ’s Wholesale Club, No. 20051158J, 2008 WL 2345864 (Mass. Sup. Ct. June 4, 2008) ......................................... 4 Cumis Insurance Society, Inc. v. BJ's Wholesale Club, Inc., 918 N.E.2d 36 (Mass. 2009) ...................................................................................... 9, 10, 11 Dawson v. Blockbuster, Inc., No. 86451, 2006 WL 1061769 (Ohio Ct. App. Mar. 16, 2006) ............................................ 28 De Pree v. Nutone, Inc., 422 F.2d 534 (6th Cir. 1970) ............................................................................................... 28 Deitrick v. Costa, No. 4:06-cv-01556, 2015 WL 1606714 (M.D. Pa. Apr. 9, 2015) .......................................... 21 Die-Mension Corp. v. Dun & Bradstreet Credibility Corp., No. C14-855, 2015 WL 5307472 (W.D. Wash. Sept. 10, 2015) ........................................... 29 Dish Network, LLC v. Fun Dish, Inc., No. 1:08-cv-1540, 2015 WL 3650190 (N.D. Ohio 2015) ..................................................... 29 Dittman v. UPMC, No. GD-14-003285, 2015 WL 4945713 (Pa. Com. Pl. May 28, 2015) .......................... passim Douglas v. Edgewater Park Co., 199 N.W.2d 567 (Mich. 1963) ............................................................................................. 26 eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388 (2006) ............................................................................................................ 32 Edmunds v. Cowan, 386 S.E.2d 39 (Ga. Ct. App. 1989) ...................................................................................... 15 Eisenhuth v. Moneyhon, 119 N.E.2d 440 (Ohio 1954) ............................................................................................... 22 Elend v. Basham, 471 F.3d 1199 (11th Cir. 2006)............................................................................................ 32 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 6 of 47 vi LEGAL02/36568420v12 Estate of Kundert ex rel. Kundert v. Ill. Valley Cmty. Hosp., 964 N.E.2d 670 (Ill. App. Ct. 2012) ..................................................................................... 18 F.T.C. v. Colgate-Palmolive Co., 380 U.S. 374 (1965) ............................................................................................................ 25 F.T.C. v. Sperry & Hutchison Co., 405 U.S. 233 (1972) ............................................................................................................ 25 Fed. Steel & Wire Corp. v. Ruhlin Constr. Co., 543 N.E.2d 769 (Ohio 1989) ............................................................................................... 15 Flickinger v. Toys R Us, Inc., No. 3:10-CV-305, 2011 WL 2160493 (M.D. Pa. May 31, 2011) .......................................... 16 FPI Atlanta, L.P. v. Seaton, 524 S.E.2d 524 (Ga. Ct. App. 1999) .................................................................................... 15 Frank’s GMC Truck Ctr., Inc. v. Gen. Motors Corp., 847 F.2d 100 (3d Cir. 1988) ................................................................................................ 32 Galloway v. State ex rel. Dep’t of Transp. & Dev., 654 So. 2d 1345 (La. 1995) ................................................................................................. 21 Great-West Life & Annuity Ins. Co. v. Knudson, 534 U.S. 204 (2002) ............................................................................................................ 31 Griglione v. Martin, 525 N.W.2d 810 (Iowa 1994) .............................................................................................. 28 Hammersmith v. TIG Ins. Co., 480 F.3d 220 (3d Cir. 2007) ...................................................................................... 5, 6, 7, 8 Hammond v. The Bank of New York Mellon Corp., No. 08 CIV. 6060 RMB RLE, 2010 WL 2643307 (S.D.N.Y. June 25, 2010) ....................... 18 Heath v. La Mariana Apts., 180 P.3d 664 (N.M. 2008) ................................................................................................... 24 Hodinka v. Del. Cty., 759 F. Supp. 2d 603 (E.D. Pa. 2011).................................................................................... 33 Holler v. Cinemark USA, Inc., 185 F. Supp. 2d 1242 (D. Kan. 2002) .................................................................................. 21 Hower v. Wal-Mart Stores, Inc., No. 08-1736, 2009 WL 1688474 (E.D. Pa. June 16, 2009) .................................................. 19 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 7 of 47 vii LEGAL02/36568420v12 In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009)...................................................................................... 13 In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., No. H-10-171, 2011 WL 1232352 (S.D. Tex. Mar. 31, 2011) ................................................ 9 In re The Home Depot, Inc. Customer Data Security Breach Litig. (“Home Depot”), No. 14-md-2583-TWT, 2016 WL 2897520 (N.D. Ga. May 18, 2016) . 13, 14, 23, 32 In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 ...................................................................................................... 10, 12 In re Shop-Vac Marketing & Sales Practices Litig., 964 F. Supp. 2d 355 (M.D. Pa. 2013) .................................................................................. 31 In re TJX Companies Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007), aff’d in part, 564 F.3d 489 (1st Cir. 2009), as amended on reh’g in part (May 5, 2009) .............................................................. 10 Inman v. Technicolor USA, Inc., No. CIV.A. 11-666, 2011 WL 5829024 (W.D. Pa. Nov. 18, 2011) ........................................ 6 Jeter v. Credit Bureau, Inc., 760 F.2d 1168 (11th Cir. 1985)............................................................................................ 20 Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487 (1941) .............................................................................................................. 5 Knight v. Merhige, 133 So. 3d 1140 (Fla. Dist. Ct. App. 2014) .......................................................................... 15 Koppers Co., Inc. v. Aetna Cas. & Sur. Co., 98 F.3d 1440 (3d Cir. 1996) ................................................................................................ 15 Leal v. Hobbs, 538 S.E.2d 89 (Ga. Ct. App. 2000) ...................................................................................... 20 Legacy Academy, Inc. v. Mamilove, LLC, 761 S.E.2d 880 (Ga. Ct. App. 2014), vacated on other grounds, 777 S.E.2d 731 (Ga. Ct. App. 2015) ...................................................................................................... 23 Lexmark International Inc. v. Static Control Components, Inc., 134 S. Ct. 1377 (2014) .................................................................................................. 28, 29 Longenecker-Wells v. Benecard Servs., Inc., No. 1:15-cv-00422, 2015 WL 5576753 (M.D. Pa. Sept. 22, 2015) ................................... 8, 19 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 8 of 47 viii LEGAL02/36568420v12 Lowdermilk v. Vescovo Bldg. & Realty Co., Inc., 91 S.W.3d 617 (Mo. Ct. App. 2002) .................................................................................... 24 Marion Healthcare LLC v. S. Ill. Healthcare, No. 12-cv-00871-DRH-PMF, 2013 WL 451068 (S.D. Ill. Aug. 26, 2013) ........................... 27 McCann v. Foster Wheeler LLC, 225 P.3d 516 (Cal. 2010) ....................................................................................................... 8 McCarty v. Covol Fuels No. 2, LLC, 978 F. Supp. 2d 799 (W.D. Ky. 2013) ................................................................................. 20 McConnell v. Department of Labor, No. A16A0655, 2016 WL 3361735 (Ga. Ct. App. June 16, 2016) ................................. 14, 15 Minard Run Oil Co. v. U.S. Forest Serv., 894 F. Supp. 2d 642 (W.D. Pa. 2012) .................................................................................. 31 Morello v. Kenco Toyota Lift, No. 09-4412, 2015 WL 1400582 (E.D. Pa. Mar. 26, 2015) .................................................. 19 Murphy v. Penn Fruit Co., 418 A.2d 480 (Pa. Ct. App. 1980)........................................................................................ 16 Neil v. Holyoke St. Ry. Co., 109 N.E.2d 831 (Mass. 1952) .............................................................................................. 22 Newman v. J.P. Morgan Chase Bank, N.A., 81 F. Supp. 3d 735, 746 (D. Minn. 2015)............................................................................. 31 O’Neill v. Dunham, 203 P.3d 68 (Kan. Ct. App. 2009)........................................................................................ 26 Orkin Exterminating Co. v. F.T.C., 849 F.2d 1354 (11th Cir. 1988)............................................................................................ 25 Osti v. Saylors, 991 S.W.2d 322 (Tex. App. 1999) ....................................................................................... 26 PA. Psychiatric Soc. v. Green Spring Health Servs., Inc., 280 F.3d 278 (3d Cir. 2002) ................................................................................................ 33 Packard v. Provident Nat’l Bank, 994 F.2d 1039 (3d Cir. 1993)............................................................................................... 15 Panthera Rail Car LLC v. Kasgro Rail Corp., 985 F. Supp. 2d 677 (W.D. Pa. 2013) (Fischer, J.) ......................................................... 5, 6, 8 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 9 of 47 ix LEGAL02/36568420v12 Patterson v. Deeb, 472 So.2d 1210 (Fla. 1st DCA 1985) ................................................................................... 15 Pennsylvania State Employees Credit Union v. Fifth Third Bank 398 F. Supp. 2d 317 (M.D. Pa. 2005) .................................................................................... 9 Pittway Corp. v. Lockheed Aircraft Corp., 641 F.2d 524 (7th Cir. 1981) ................................................................................................. 8 Potts v. Safeco Ins. Co., No. 2009-CA-0083, 2010 WL 1839738 (Ohio App. Ct. May 3, 2010) ................................... 8 Royal Park Investments SA/NV v. HSBC Bank USA, Nat’l Ass’n, 109 F. Supp. 3d 587, 598 (S.D.N.Y. 2015) ............................................................................ 8 Ruder v. Pequea Valley Sch. Dist., 790 F. Supp. 2d 377 (E.D. Pa. 2011).................................................................................... 28 S. Ry. Co. v. Allen, 77 S.E.2d 277 (Ga. Ct. App. 1953) ...................................................................................... 28 Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F. Supp. 2d 183 (M.D. Pa. 2005) .................................................................................. 13 Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008) ............................................................................................ 4, 11 Struve v. Payvandi, 740 N.W.2d 436 (Iowa 2007) .............................................................................................. 24 Tiller v. State Farm Mut. Auto. Ins. Co., No. 1:12-cv-3432, 2013 WL 451309 (N.D. Ga. Feb. 5, 2013) .............................................. 32 Trans Union Corp. v. F.T.C., 245 F.3d 809 (D.C. Cir. 2001) ............................................................................................. 27 Tri-M Grp., L.L.C. v. Univ. of Cincinnati, No. 10AP-486, 2010 WL5544016 (Ohio Ct. App. Dec. 28, 2010) ....................................... 12 United States v. E.I. du Pont de Nemours & Co., 366 U.S. 316 (1961) ............................................................................................................ 27 Waldo v. N. Am. Van Lines, Inc., 669 F. Supp. 722 (W.D. Pa. 1987) ....................................................................................... 20 Walker v. First Comm. Bank, N.A., 880 S.W.2d 316 (Ark. 1994) ................................................................................................ 22 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 10 of 47 x LEGAL02/36568420v12 Wendland v. Ridgefield Constr. Servs., Inc., 439 A.2d 954 (Conn. 1981) ................................................................................................. 22 Willingham v. Glob. Payments, Inc., 1:12-CV-01157-RWS, 2013 WL 440702 (N.D. Ga. Feb. 5, 2013) ....................................... 19 Wolfe v. McNeil-PPC, Inc., 703 F. Supp. 2d 487 (E.D. Pa. 2010)...................................................................................... 6 Worix v. MedAssets, Inc., 869 F. Supp. 2d 893 (N.D. Ill. 2012).................................................................................... 12 RULES Rule 12(b)(6) .............................................................................................................................. 4 STATUTES Administrative Procedure Act, 5 U.S.C. § 551(4) ...................................................................... 27 Lanham Act ........................................................................................................................ 28, 29 Federal Trade Commission Act, 15 U.S.C. § 45 ................................................................. passim FTC Act, Section 18(b) 15 U.S.C. § 57a(a)-(b) .......................................................................... 27 La. Rev. Stat. § 51:3075 ............................................................................................................ 14 Ohio Deceptive Trade Practices Act ................................................................................... passim Pennsylvania’s Data Breach Act ................................................................................................ 14 OTHER AUTHORITIES 16 C.F.R. § 436.5(s)(3)-(5) ........................................................................................................ 23 Constitution of Arkansas ........................................................................................................... 22 Restatement (Third) of Torts ............................................................................................... 24, 25 S. Rep. No. 63-597 (1914)......................................................................................................... 25 Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 11 of 47 LEGAL02/36568420v12 Plaintiffs’ Consolidated Amended Class Action Complaint, ECF No. 32 (“Complaint”) fails to state a single plausible claim for relief against The Wendy’s Company, Wendy’s Restaurants, LLC, and Wendy’s International, LLC (collectively, “Wendy’s”). Accordingly, the Court should grant Wendy’s Motion to Dismiss (“Motion”) and dismiss the Complaint with prejudice.1 I. INTRODUCTION Plaintiffs are twenty-two financial institutions that issued payment cards (the “FI Plaintiffs”) and five associations of financial institutions (the “Association Plaintiffs”). The FI Plaintiffs made commercial decisions to join the card brand networks, such as Visa and MasterCard, and issue payment cards to their customers. As a condition of entering into this business, the FI Plaintiffs agreed to abide by the comprehensive, contractual frameworks established by the card brands (the “Operating Regulations”). These Operating Regulations expressly contemplate data breaches and include a mechanism for payment card issuers like the FI Plaintiffs to recover losses in the event of a data breach. Notwithstanding this efficient contractual process for extra-judicial recovery, Plaintiffs filed this lawsuit, attempting to shift liability to Wendy’s for purported harm caused by third-party criminal “hackers” that attacked the point of sale systems of some of Wendy’s independently owned and operated franchisees. Compl. ¶¶ 1-2. The Complaint should be dismissed because Plaintiffs fail to plausibly allege one single substantive claim against Wendy’s. In particular: • The economic loss rule (“ELR”) bars the negligence-based claims of eleven of the FI Plaintiffs because they seek to recover in tort purely economic damages unaccompanied 1 The Complaint improperly names The Wendy’s Company as a defendant. The Wendy’s Company is the parent company of Wendy’s International, LLC, which operates Wendy’s restaurants and is the proper defendant for Plaintiffs’ claims. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 12 of 47 2 LEGAL02/36568420v12 by physical injury or property damage. In fact, multiple courts have applied the ELR in this exact context, holding that the ELR bars financial institutions from pursuing negligence-based claims against hacked merchants; • The FI Plaintiffs’ negligence claim should be dismissed because Wendy’s does not owe the FI Plaintiffs a common law duty to safeguard customer information against criminal attack or to notify them in the event of a data breach under any of the applicable states’ laws; • Neither the FTC Act’s amorphous “reasonableness” standard nor unidentified “similar state statutes” provide a basis for the FI Plaintiffs’ negligence per se claim; • The FI Plaintiffs’ claim for an alleged violation of the Ohio Deceptive Trade Practices Act should be dismissed because the FI Plaintiffs fail to allege any misrepresentation by Wendy’s much less that any misrepresentation was the proximate cause of their alleged injuries; • Plaintiffs’ request for equitable relief fails because, among other reasons, the remedies sought are designed to protect against future harm while Plaintiffs only allege harm from past conduct; and • Finally, the Association Plaintiffs do not have standing to pursue a claim for declaratory relief because the participation of their members is required. Accordingly, for these reasons and the reasons set out below, the Court should grant Wendy’s Motion and dismiss Plaintiffs’ Complaint with prejudice. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 13 of 47 3 LEGAL02/36568420v12 II. BACKGROUND2 Wendy’s operates, develops, and/or franchises quick-service restaurants with franchise and company restaurants located in the United States and around the world, including in each state in which a named Plaintiff has its principal place of business. See Compl. ¶ 46. Wendy’s and its independently owned and operated franchisees accept a variety of different payment methods, including payment cards. Id. ¶¶ 46, 55. On January 27, 2016, Wendy’s announced publicly that it was investigating unusual activity involving payment cards at some of its restaurants. Id. ¶ 65. In the months that followed, Wendy’s continued to update the public on the status of its investigation. Id. ¶¶ 66, 71-72. In these announcements, Wendy’s explained that malware had been found on the point of sale systems of certain restaurants. Id. ¶ 66. Wendy’s also stated that its investigation was ongoing and that it was “continuing to work closely with cybersecurity experts and law enforcement officials” to address the breach. Id. ¶ 68. On June 9, 2016, Wendy’s issued a press release that it had discovered and disabled a variant of the malware but that the number of impacted franchise restaurants was considerably higher than its previous estimates. Id. ¶¶ 72, 74. The FI Plaintiffs’ only purported connection to Wendy’s is their commercial decision to join the card brand networks and issue payment cards to their customers who, in turn, allegedly used those cards at Wendy’s franchise restaurants across the country. See, e.g., id. ¶¶ 1, 55, 186. The FI Plaintiffs describe the connection as follows: When a customer uses a credit card or debit card, the transaction involves four primary parties: (1) the “merchant” (e.g., Wendy’s) where the purchase is made; (2) an “acquiring bank” (which is typically a financial institution that contracts with the merchant to 2 Wendy’s summarizes the Complaint’s allegations because they must be taken as true for purposes of this Motion. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Wendy’s does not concede the veracity of the Complaint’s allegations. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 14 of 47 4 LEGAL02/36568420v12 process its payment card transactions); (3) a “card network” or “payment processor” (such as Visa or MasterCard); and (4) the “issuer” (which is a financial institution – such as Plaintiffs – that issues credit and debit cards to its customers). Compl. ¶ 55. As payment card issuers, the FI Plaintiffs have agreed to be bound by the card brand networks’ “extensive set of ‘Operating Regulations’” that govern “virtually every aspect of the . . . payment system, and impose both general and specific requirements on participants in the network.” Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 165 (3d Cir. 2008); see Cumis Ins. Soc’y v. BJ’s Wholesale Club, No. 20051158J, 2008 WL 2345864, *4 (Mass. Sup. Ct. June 4, 2008) (observing that Visa’s and MasterCard’s Operating Regulations “provide for an elaborate dispute resolution procedure and for fines for non-compliance.”); see also Compl. ¶ 186 (relying on Wendy’s participation in the “payment card network” to assert a claim under the Ohio Deceptive Trade Practices Act). These Operating Regulations expressly contemplate data breaches and provide mechanisms for financial institutions to recover losses in the event of a breach. Despite these mechanisms, the FI Plaintiffs filed these lawsuits against Wendy’s, asserting claims for negligence, negligence per se, violation of the Ohio Deceptive Trade Practices Act, and for declaratory and injunctive relief. Id. ¶¶ 164-208.3 III. LEGAL STANDARD Wendy’s moves to dismiss the Complaint for failure to state a claim under Rule 12(b)(6). To survive a motion to dismiss under Rule 12(b)(6), Plaintiffs must plead sufficient allegations “to raise [their] right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). This requires “more than labels and conclusions, and a formulaic recitation of the 3 The Association Plaintiffs assert a single claim for declaratory and injunctive relief. See Compl. ¶¶ 200-08. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 15 of 47 5 LEGAL02/36568420v12 elements of a cause of action will not do.” Id.; see Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”). Although the Court should take the Complaint’s factual allegations as true in reviewing Wendy’s Motion, it need not accept legal conclusions as true. Iqbal, 556 U.S. at 678. IV. ARGUMENT AND CITATION TO AUTHORITIES A. Pennsylvania’s Choice of Law Rules Determine the Law Governing The FI Plaintiffs’ Negligence-Based Claims.4 Plaintiffs are wrong that Ohio law applies globally to their claims. See Compl. ¶¶ 158-63. A federal court sitting in diversity must apply the choice of law rules of the forum state. See Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496-97 (1941). Pennsylvania uses a “hybrid choice of law approach that combines the governmental interest analysis with the Second Restatement of Conflict’s most significant relationship test.” Panthera Rail Car LLC v. Kasgro Rail Corp., 985 F. Supp. 2d 677, 696 (W.D. Pa. 2013) (Fischer, J.) (internal quotation marks and citation omitted). Here, as described in the Sections that follow, the analysis is simplified because the potentially applicable laws are generally consistent on many on the issues relevant to this Motion – the ELR, negligence, and negligence per se. See Hammersmith v. TIG Ins. Co., 480 F.3d 220, 229-30 (3d Cir. 2007) (noting that if there is no conflict, then a choice of law analysis is unnecessary). 4 The choice of law analysis is limited to the FI Plaintiffs because the Association Plaintiffs only assert a claim for declaratory and injunctive relief under federal law. See Compl. ¶¶ 200-08. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 16 of 47 6 LEGAL02/36568420v12 To the extent there is a conflict, the law of the state in which each FI Plaintiff has its principal place of business should apply.5 Under Pennsylvania’s choice of law rules, it is necessary to “weigh each state’s contacts on a qualitative scale according to their relation to the policies and interests underlying the particular issue.” Panthera Rail Car LLC, 985 F. Supp. 2d at 696 (citing Hammersmith, 480 F.3d at 231).6 In performing this analysis, a court considers the four contacts set out in Section 145(2) of the Restatement (Second) of Conflict of Law. Id.7 But it is the first contact – the place of the injury – that generally takes precedence. See Inman v. Technicolor USA, Inc., No. CIV.A. 11-666, 2011 WL 5829024, at *4 (W.D. Pa. Nov. 18, 2011); Panthera Rail Car LLC, 985 F. Supp. 2d at 700 (place of injury “represents a contact of substantial significance”). As a result, the applicable law will “usually be the local law of the state where the injury occurred.” Panthera Rail Car LLC, 985 F. Supp. 2d at 700.8 Here, the FI Plaintiffs allege they were injured because they incurred the “costs to cancel and reissue cards compromised by the breach, costs to refund fraudulent charges, costs to investigate fraudulent charges, and costs due to lost interest and transaction fees due to reduced 5 As described in more detail in the Sections that follow, these conflicts are true conflicts (with the exception of the false conflict analysis described in the negligence section) because both jurisdictions’ interests would be impaired by the application of the other’s laws. See Panthera Rail Car LLC, 985 F. Supp. 2d at 696. 6 See Wolfe v. McNeil-PPC, Inc., 703 F. Supp. 2d 487, 492 (E.D. Pa. 2010) (“Choice of law analysis is issue specific. This means that in some cases, different states’ laws may apply to different issues in a single case, a principle known as ‘depecage.’”). 7 For tort actions, the relevant contacts are “(a) the place where the injury occurred, (b) the place where the conduct causing the injury occurred, (c) the domicile, residence, nationality, place of incorporation and place of business of the parties, and (d) the place where the relationship, if any, between the parties is centered.” See Panthera Rail Car LLC, 985 F. Supp. 2d at 700. 8 Where the “injury is pecuniary in nature, the plaintiff’s principal place of business is generally considered the place of injury . . . .” Panthera Rail Car LLC, 985 F. Supp. 2d at 700 (citing CAT Internet Servs., Inc. v. Magazines.com Inc., Civ. No. 00-2135, 2001 WL 8858, at *4 (E.D. Pa. Jan. 4, 2001) (citation omitted)). Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 17 of 47 7 LEGAL02/36568420v12 card usage.” Compl. ¶¶ 13-35. These injuries were suffered or incurred, if at all, in the states where the FI Plaintiffs operate, namely, their principal places of business. There are no allegations even suggesting a different location. And the location of the FI Plaintiffs’ alleged injuries is not fortuitous. See Compl. ¶ 163. Rather, it is entirely predictable that, regardless of where the FI Plaintiffs’ customers use their payment cards, the effects of any payment card breach on the FI Plaintiffs, including the injuries alleged here, would be felt by the FI Plaintiffs in the states in which they have their principal places of business.9 Accordingly, where there is a conflict, the law of the state in which each FI Plaintiff has its principal place of business applies. B. The ELR Bars Eleven FI Plaintiffs’ Negligence and Negligence Per Se Claims. The FI Plaintiffs with principal places of business in Georgia, Illinois, Iowa, Massachusetts, Missouri, Nevada, Ohio, Pennsylvania, and Texas, stumble out of the gate by running headlong into the ELR. For these FI Plaintiffs, no choice of law analysis is required because the law of the states that potentially apply to their claims is consistent. See Hammersmith, 480 F.3d at 229-30.10 Each state’s ELR bars negligence-based claims seeking to recover purely 9 The three remaining contacts are neutral as to which state’s law should apply and do not counsel in favor of the global application of Ohio law. Specifically, the place where the conduct causing the injury occurred is neutral because the cause in fact of the FI Plaintiffs’ alleged injuries was the malicious installation of malware by third-party criminals on the point of sale systems of franchise restaurants located across the country. The third Restatement contact – the domicile, residence, nationality, place of incorporation and place of business of the parties – is also neutral because Wendy’s operates in the states in which the named FI Plaintiffs have their principal places of business. Its operations are not confined to Ohio. The fourth and final Restatement contact is the place where the relationship, if any, between the parties is centered. Here, to the extent there is any relationship between the parties, it centered in the states in which the FI Plaintiffs’ customers used their payment cards at Wendy’s restaurants. This occurred throughout the country and is not concentrated in Ohio. 10 As set out in Exhibit A, the law of Ohio and the state in which each FI Plaintiff has its principal place of business potentially apply. Though Ohio would apply the ELR to the FI Plaintiffs’ claims, if Ohio law were found not to recognize the doctrine here, a true conflict would exist between Ohio Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 18 of 47 8 LEGAL02/36568420v12 economic damages unaccompanied by physical injury or property damage. See Exhibit A; see also Longenecker-Wells v. Benecard Servs., Inc., No. 1:15-cv-00422, 2015 WL 5576753, at *6 (M.D. Pa. Sept. 22, 2015) (ELR bars negligence claims for economic damages absent physical injury or property damages); Cumis Ins. Soc’y, Inc., 918 N.E.2d at 47 (Massachusetts ELR barred negligence claim based on data breach because “[w]e are persuaded that the damages the plaintiff credit unions seek in this case for the costs of reissuing credit cards for all their compromised accounts are likewise economic losses”); Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 835 N.E.2d 701, 704 (Ohio 2005) (“The economic-loss rule generally prevents recovery in tort of damages for purely economic loss. The well-established general rule is that a plaintiff who has suffered only economic loss due to another’s negligence has not been injured in a manner which is legally cognizable or compensable.”); Potts v. Safeco Ins. Co., No. 2009-CA-0083, 2010 WL law and the eight states referenced above whose ELRs bar the FI Plaintiffs’ negligence claims. These eight states have adopted defendant-friendly ELRs. See Panthera, 985 F. Supp. 2d at 699. Applying Ohio law in these circumstances would contravene these states’ defendant-friendly policies by allowing the FI Plaintiffs to recover against a business operating in these states and would also impinge the states’ interests in keeping tort and contract claims distinct. See Pittway Corp. v. Lockheed Aircraft Corp., 641 F.2d 524, 528-29 (7th Cir. 1981) (noting the policy justification for applying the ELR is to protect defendants who conduct business in a jurisdiction from suffering purely economic loss in tort); Royal Park Investments SA/NV v. HSBC Bank USA, Nat’l Ass’n, 109 F. Supp. 3d 587, 598 (S.D.N.Y. 2015) (ELR “disentangles contract and tort law by restricting plaintiffs who suffer economic losses to the benefits of their bargains”) (internal quotation marks omitted). And Courts have recognized that states have an interest in regulating businesses operating in their states, not just businesses headquartered in their states. Hammersmith, 480 F.3d at 232 (New York’s interest in protecting insurers from fraud was implicated even though insurer was not a New York resident because “[t]here is no evidence that New York intended its . . . rule to protect only resident insurers, rather than all insurers doing business in the state of New York.”) (emphasis in original); see also McCann v. Foster Wheeler LLC, 225 P.3d 516, 530 (Cal. 2010) (“[A]s a practical and realistic matter the state’s interest in having [its] law applied to the activities of out-of-state companies within the jurisdiction is equal to its interest in the application of [its] law to comparable activities engaged in by local businesses.”). Conversely, applying these eight states’ ELRs would contravene Ohio’s interest in applying its law to businesses operating within its borders generally and in applying its tort law to deter alleged wrongful conduct of businesses operating in the state. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 19 of 47 9 LEGAL02/36568420v12 1839738, at *2-*3 (Ohio App. Ct. May 3, 2010) (barring negligence claims under ELR); In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., No. H-10-171, 2011 WL 1232352, at *21 (S.D. Tex. Mar. 31, 2011) (dismissing negligence claim arising out of a data breach because “Texas and Ohio law preclude tort recovery for economic losses.”). Thus, courts have applied the ELR in this exact context and held that it bars negligence- based claims arising out of a data breach, including claims brought by financial institution plaintiffs. For instance: • Pennsylvania ELR: In Pennsylvania State Employees Credit Union v. Fifth Third Bank, Pennsylvania State Employees Credit Union (“PSECU”) – a financial institution plaintiff like the FI Plaintiffs here – sued merchant BJ’s Wholesale Club after BJ’s Wholesale Club suffered a third-party data breach that allegedly compromised payment cards issued by PSECU. 398 F. Supp. 2d 317, 319 (M.D. Pa. 2005). The district court held that Pennsylvania’s ELR barred PSECU’s negligence claim, through which the bank sought to recover the cost of reissuing payment cards, because “[PSECU] is not claiming compensation for any physical damage to person or property.” Id. at 326; see Dittman v. UPMC, No. GD-14-003285, 2015 WL 4945713, at *2 (Pa. Com. Pl. May 28, 2015) (negligence claim based on “third-party criminal activity” of stealing employees’ personal data barred because “the only losses . . . sustained are economic losses”). • Maine ELR: In Banknorth, N.A. v. BJ’s Wholesale Club, Inc., the plaintiff bank asserted a negligence claim against BJ’s Wholesale Club arising out of a criminal third-party data breach. The bank alleged it incurred significant expenses “issuing new debit cards to replace ones that had been compromised” and “reimbursing those cardholders who had suffered unauthorized charges on their accounts.” 442 F. Supp. 2d 206, 207 (M.D. Pa. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 20 of 47 10 LEGAL02/36568420v12 2006). The district court dismissed the bank’s negligence claim, finding it barred by Maine’s ELR. Id. at 214. • Massachusetts ELR: In Cumis Insurance Society, Inc. v. BJ's Wholesale Club, Inc., 918 N.E.2d 36 (Mass. 2009), credit unions sued a merchant for losses they allegedly incurred after a criminal third-party data breach. Id. at 39-40. The trial court dismissed the plaintiffs’ negligence claims seeking to recover the costs of card reissuance because they were barred by Massachusetts’s ELR, and the Massachusetts Supreme Judicial Court affirmed the dismissal on appeal. Id. at 47; see In re TJX Companies Retail Sec. Breach Litig., 524 F. Supp. 2d 83, 90 (D. Mass. 2007), aff’d in part, 564 F.3d 489 (1st Cir. 2009), as amended on reh’g in part (May 5, 2009) (Massachusetts’s ELR bars an issuing bank’s negligence claim seeking to recover economic losses arising from a data breach). • Illinois ELR: In In re Michaels Stores Pin Pad Litigation, the plaintiffs asserted claims for negligence and negligence per se against Michaels based on a criminal third-party data breach. The district court dismissed these claims, finding them barred by Illinois’s ELR. 830 F. Supp. 2d 518, 521-22 & 531 (N.D. Ill. 2011). This authority requires dismissal of the eleven FI Plaintiffs’ negligence-based claims here. Each FI Plaintiff alleges tort-based claims seeking economic damages arising from a criminal third-party data breach (Compl. ¶¶ 13-35). The FI Plaintiffs’ claims and alleged damages are virtually identical to the claims and alleged damages asserted by the financial institution plaintiffs in the cases cited above. None alleges physical injury or harm – nor could they as commercial entities.11 11 There are exceptions to the ELR, but none applies here. For instance, some states, including Georgia, decline to apply the ELR where the tort claim is based on a duty independent of any Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 21 of 47 11 LEGAL02/36568420v12 Moreover, the FI Plaintiffs’ claims for negligence and negligence per se are precisely the types of claims that the ELR seeks to prohibit. A core rationale of the ELR is that “[p]arties to a commercial transaction should remain free to govern their own affairs,” Corporex Dev. & Constr. Mgt., Inc., 835 N.E.2d at 704 (Ohio 2005), and should not be permitted to evade a bargained for allocation of risks by pursuing a “tort remedy.” See Banknorth, N.A., 442 F. Supp. 2d at 213. As payment card issuers, the FI Plaintiffs agreed to be bound by the card brand networks’ “extensive set of ‘Operating Regulations’” that govern “virtually every aspect of the . . . payment system, and impose both general and specific requirements on participants in the network.” Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 165 (3d Cir. 2008) (internal citation omitted); see Cumis, 918 N.E.2d at 42. Just as in Banknorth, N.A., because the FI Plaintiffs had the opportunity to allocate risks, they should not be permitted to circumvent the very network processes they voluntarily accepted by suing in tort. See Banknorth, N.A., 442 F. Supp. 2d at 213 (dismissing financial institution plaintiff’s negligence claim in data breach case as barred by ELR despite lack of contractual privity because it had the opportunity to allocate the risk of fraudulent transactions); Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 504 (Iowa 2011) (“When parties enter into a chain of contracts, even if the two parties at issue have not actually entered into an agreement with each other, courts have applied the ‘contractual economic loss rule’ to bar tort claims for contractual duties. But as detailed in Section IV.C, there is no controlling authority recognizing a common law duty owed by merchants to financial institutions to safeguard customer information from a criminal attack. Likewise, some states have recognized an exception where a special relationship exists between the plaintiff and defendant, but here there is no direct relationship between Wendy’s and the FI Plaintiffs, much less a special relationship giving rise to an independent legal duty. In fact, here there is no direct relationship whatsoever because the FI Plaintiffs’ alleged injuries arose from their customers’ use of payment cards at independently owned and operated franchisee restaurants – not Wendy’s corporate restaurants. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 22 of 47 12 LEGAL02/36568420v12 economic loss, on the theory that tort law should not supplant a consensual network of contracts.”).12 Accordingly, for the eleven FI Plaintiffs with principal places of business in Georgia, Illinois, Iowa, Massachusetts, Missouri, Nevada, Ohio, Pennsylvania, and Texas, their negligence and negligence per se claims are barred by the ELR and should be dismissed.13 C. The FI Plaintiffs Fail to State a Claim for Negligence. All of the FI Plaintiffs’ claims for negligence should also be dismissed because Wendy’s does not owe them a common law duty of care. The FI Plaintiffs lob a number of allegations in an effort to create such a duty where none exists, but each one misses its mark. 1. There is No Common Law Duty to Protect against a Criminal Data Breach. The Court should dismiss the FI Plaintiffs’ negligence claims because a merchant does not owe a financial institution a common law duty to “safeguard[] Payment Card Data” against a criminal attack. Compl. ¶ 165; see Exhibit A; see also Worix v. MedAssets, Inc., 869 F. Supp. 2d 893, 897 (N.D. Ill. 2012) (no common law duty to safeguard sensitive information); Citizens Bank of Pa. v. Reimbursement Techs., Inc., No. 12-1169, 2014 WL 2738220, at *2 (E.D. Pa. June 17, 12 Direct contractual privity is not a requirement for the ELR to apply. See Tri-M Grp., L.L.C. v. Univ. of Cincinnati, No. 10AP-486, 2010 WL5544016, at *4 (Ohio Ct. App. Dec. 28, 2010) (“The [economic loss] rule applies primarily in the absence of contractual privity when a plaintiff seeks to recover in tort for a purely economic loss.”) (emphasis added); City of Atlanta v. Benator, 714 S.E.2d 109, 116 (Ga. Ct. App. 2011) (affirming dismissal under the ELR despite lack of privity); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d at 531 (holding that Illinois’s ELR barred plaintiffs’ claims for negligence and negligence per se despite any suggestion of contractual privity). 13 The eleven FI Plaintiffs are First Choice Federal Credit Union (Pennsylvania), Veridian Credit Union (Iowa), Associated Credit Union (Georgia), Centrue Bank (Illinois), Align Credit Union (Massachusetts), The Seymour Bank (Missouri), Financial Horizons Credit Union (Nevada), Greater Cincinnati Credit Union (Ohio), KEMBA Financial Credit Union (Ohio), Wright-Patt Credit Union (Ohio), and Members Choice Credit Union (Texas). See Compl. ¶ 13, 16, 20-21, 24, 26-27, 30-32, 34; see also Exhibit A. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 23 of 47 13 LEGAL02/36568420v12 2014) (no common law duty “to properly secure and to protect customers’ personal banking information and other information” or “to implement procedures and practices to prevent access and/or have in place appropriate data privacy and security safeguards to prevent disclosure to unauthorized third parties”). Similarly, a merchant does not owe a financial institution a common law duty to provide notice of a data breach. See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 124 (D. Me. 2009) (no common law duty to “advise customers of the theft of their data once it occurred. . . .”); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009) (no negligence claim exists for the failure to provide adequate and timely notice of a data breach).14 The only cases in any of the implicated states to hold otherwise are two federal cases that found such a duty in Pennsylvania and Georgia. Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F. Supp. 2d 183 (M.D. Pa. 2005); In re The Home Depot, Inc. Customer Data Security Breach Litig. (“Home Depot”), No. 14-md-2583-TWT, 2016 WL 2897520 (N.D. Ga. May 18, 2016). However, both of these cases have been rejected by subsequent rulings of state courts and should be given no weight in this diversity action.15 In Dittman, the Pennsylvania Court of Common Pleas held that there is no duty to safeguard private information from the criminal acts of a third party. 2015 WL 4945713, at *3. 14 See footnote 16, infra (noting that the legislature in each state implicated here has considered data breaches). To the extent a limited number of states have enacted data breach statutes providing for a private right of action, the private right of action is limited to individuals whose information has been disclosed to recover for harm caused by delayed notification under the statute. No data breach statute creates a common law duty to notify all entities that have potentially been impacted by a data breach. 15 In the best case scenario for Plaintiffs, these two cases would save the negligence claims of only two of the twenty-two FI Plaintiffs – Pennsylvania-based First Choice Federal Credit Union and Georgia-based Associated Credit Union. As discussed below, however, Georgia and Pennsylvania do not recognize a duty in this circumstance. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 24 of 47 14 LEGAL02/36568420v12 In reaching this conclusion, the court found it significant that the Pennsylvania General Assembly “extensively considered data breaches and the issues related thereto” and chose not to “enact legislation establishing a duty of protection or providing individuals with a private cause of action in the event of a data breach.” Id. at *4.16 As the Court explained, “the legislative history of Pennsylvania’s Data Breach Act reveals that the General Assembly considered incorporating an expansive civil liability provision, which would have permitted a person to recover ‘actual damages,’” but that provision was removed before the Act was passed and, in “its current form, only a failure to notify [customers of a data breach] is actionable and only the Attorney General may assert the claim.” Id. at *5. Likewise, in McConnell v. Department of Labor, the Georgia Court of Appeals rejected the Home Depot court’s finding of a duty in this circumstance and confirmed that there is “no legal duty to safeguard personal information” in Georgia. No. A16A0655, 2016 WL 3361735, at *3 n.4 (Ga. Ct. App. June 16, 2016). The Court reasoned that the Georgia legislature “has so far not acted to establish a standard of conduct intended to protect the security of personal information,” and that it was “beyond the scope of judicial authority” to create such a duty in the courts. Id. Neither the Georgia Supreme Court nor the Pennsylvania Supreme Court have addressed whether state law recognizes the duty that the FI Plaintiffs assert. For that reason, this Court must 16 Notably, the legislature of every state in which an FI Plaintiff has a principal place of business has recently considered data breaches and the state’s response thereto. All but two of the states have enacted legislation on the issue, but not one state’s data breach statute grants a private right of action in the event of a data breach like the one alleged in the Complaint. To the extent these statutes provide a private right of action, such right is limited to granting the person whose information was taken a right to maintain an action for actual damages resulting from delayed notification under the statute. See, e.g., S.C. § 39-1-90(g) (providing a resident whose personal identifying information was acquired but was injured by the failure to receive notification with the right to institute “a civil action”); La. Rev. Stat. § 51:3075 (same). They do not create a common law duty to notify any and all individuals who may be potentially impacted by the breach. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 25 of 47 15 LEGAL02/36568420v12 predict how they would decide that issue. Koppers Co., Inc. v. Aetna Cas. & Sur. Co., 98 F.3d 1440, 1445 (3d Cir. 1996). And “a decision of a lower state court on a point of state law is generally more predictive of what the state supreme court would hold than is a conflicting opinion of a federal court on the same point.” Packard v. Provident Nat’l Bank, 994 F.2d 1039, 1046-47 (3d Cir. 1993). Thus, this Court should adopt the reasoning of Dittman and McConnell and hold that neither Pennsylvania nor Georgia law would recognize the duty alleged by the FI Plaintiffs. The FI Plaintiffs are asking this Court to create a new legal duty in twenty-one different states and overturn the well-established law that there is no legal duty to anticipate criminal acts of a third-party or to control their conduct. See Exhibit A; see also Broadus v. Chevron USA, Inc., 677 So. 2d 199, 202 (Ala. 1996) (“[A]bsent special relationships or circumstances, a person has no duty to protect another from criminal acts of a third person”); Knight v. Merhige, 133 So. 3d 1140, 1145 (Fla. Dist. Ct. App. 2014) (no general duty to control the conduct of third parties to prevent them from causing harm to others); Boyd v. Racine Currency Exch., Inc., 306 N.E.2d 39, 40 (Ill. 1973) (“[A] person has no duty to anticipate the criminal acts of third parties”); Edmunds v. Cowan, 386 S.E.2d 39, 41 (Ga. Ct. App. 1989) (“[O]ne is not generally required to anticipate criminal acts”). The only exception is where the specific criminal conduct is reasonably foreseeable, which requires the plaintiff to prove that the defendant “had actual or constructive knowledge of prior similar acts committed” on the same premises. Patterson v. Deeb, 472 So.2d 1210, 1214 (Fla. 1st DCA 1985); see Fed. Steel & Wire Corp. v. Ruhlin Constr. Co., 543 N.E.2d 769, 772 (Ohio 1989); FPI Atlanta, L.P. v. Seaton, 524 S.E.2d 524, 528 (Ga. Ct. App. 1999); Murphy v. Penn Fruit Co., 418 A.2d 480, 483 (Pa. Ct. App. 1980); Exhibit A.17 For a data breach 17 Though Ohio recognizes no duty to safeguard customers’ personal information from a data breach, if it were to recognize such a duty, a choice of law analysis would be necessary because Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 26 of 47 16 LEGAL02/36568420v12 to be reasonably foreseeable, therefore, the defendant’s knowledge of the risk must be greater than the general knowledge that virtually all consumers and companies have of the omnipresent risk of a data breach. And here that is all Plaintiffs allege. For instance, Plaintiffs cite: (i) Visa alerts sent to all Visa merchants regarding the risk of a data breach applicable to all merchants; and (ii) Wendy’s public securities filings identifying a data breach as a business risk because Wendy’s uses computer systems and information technology (a risk identified in the securities filings of virtually every publicly traded merchant). Compl. ¶¶ 85-88. Plaintiffs tack on allegations from a lawsuit by a Wendy’s franchisee and a ComputerWorld article to assert that Wendy’s ignored that the Aloha point of sale system used by some franchisees was vulnerable to a security breach. Id. ¶¶ 95-96. But the lawsuit alleges only that Aloha suffered from unidentified “technical and operational problems,” not that Aloha was vulnerable to data breaches, and the article does not even suggest that it analyzed the Aloha configuration utilized by Wendy’s franchisees. Id. Noticeably absent are any allegations that Wendy’s or its franchisees previously suffered a breach of their point of sale systems or that they had reason to know that the particular criminal intrusion that is the subject of the Complaint would occur. Thus, any finding here that the Wendy’s franchisee data breach was reasonably foreseeable would eviscerate the rule that a party is not required to anticipate third-party criminal conduct. there would be a conflict between Ohio law and the remaining states that do not recognize such a duty. This is a false conflict. Ohio’s interest in recognizing such a duty would be to protect its citizens who are harmed. Flickinger v. Toys R Us, Inc., No. 3:10-CV-305, 2011 WL 2160493, at *3 (M.D. Pa. May 31, 2011). But the FI Plaintiffs that operate in other states are not Ohio residents. There is therefore no interest in applying Ohio law, and the law of the state in which each FI Plaintiff has its principal place of business would apply to that FI Plaintiff’s negligence claims. See supra Section IV.A; see also Flickinger, 2011 WL 206043, at *3 (states that do not recognize a duty have an interest in “limit[ing] liability for individuals and companies transacting business within [their] borders”). Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 27 of 47 17 LEGAL02/36568420v12 Strong policy reasons also counsel against recognizing the duty that the FI Plaintiffs urge. In a data breach, merchants are also victims of the same criminal activity as the plaintiff and suffer significant economic (and reputational) consequences. See Arvind Malhotra and Claudia Kubowicz Malhotra, Evaluating Customer Information Breaches as Service Failures: An Event Study Approach, 14 J. Serv. Res. 44, 53 (2011) (“[R]eports of a customer information breach negatively impact the market value of firms in the immediate (short) window as well as the long window.”). As a result, merchants such as Wendy’s are fully incentivized to protect and defend against these criminal attacks. Recognizing a legal duty to prevent criminal cyber-attacks would unnecessarily magnify the already significant adverse impact of a data breach and “could even put these entities out of business.” Dittman, 2015 WL 4945713, at *4. Additionally, recognizing a duty of care ignores the reality that these attacks are carried out by sophisticated cybercriminals (sometimes state sponsored). There is “not a safe harbor for entities storing confidential information,” and the idea that a duty should exist because merchants are in the best position to ensure that data breaches do not occur is simply incorrect. See id. at *3. This is particularly true given that here, Plaintiffs allege only that Wendy’s franchise restaurants were subject to the alleged data breach. Compl. ¶ 72. Thus, Wendy’s ability to mitigate against the risk of such a breach is even more attenuated than if the breach had impacted Wendy’s own systems. 2. Wendy’s Does Not Have a Special Relationship with the FI Plaintiffs That Gives Rise to a Duty to Protect Them From Data Breaches. The FI Plaintiffs’ allegation that they have a “special relationship” with Wendy’s that supports the existence of a common law duty of care falls flat. Compl. ¶ 168. Even if potentially applicable state law recognizes that a special relationship can give rise to a duty of care, it cannot save the FI Plaintiffs’ negligence claims because Wendy’s had no direct relationship with the FI Plaintiffs. Wendy’s and the FI Plaintiffs were not even in an arm’s length commercial relationship Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 28 of 47 18 LEGAL02/36568420v12 – their dealings were much further removed than that. Their only connection is through the series of contracts and Operating Regulations that make up the card brand networks, which the FI Plaintiffs – sophisticated commercial entities – knowingly and voluntarily joined. Compl. ¶ 56. Indeed, the FI Plaintiffs all but disclaim any direct relationship with Wendy’s. They allege that “Wendy’s didn’t know which banks Wendy’s customers used and the location of these banks’ headquarters, or principal places of business, at the time of the breach.” Compl. ¶ 163. The FI Plaintiffs’ affirmative allegations disclaiming a direct relationship with Wendy’s alone preclude the finding of a special relationship under all the potentially applicable states’ laws. See Hammond v. The Bank of New York Mellon Corp., No. 08 CIV. 6060 RMB RLE, 2010 WL 2643307, at *9 (S.D.N.Y. June 25, 2010) (no duty owed by defendant to plaintiffs where “[n]one of the named Plaintiffs had any direct dealings with Defendant”); Estate of Kundert ex rel. Kundert v. Ill. Valley Cmty. Hosp., 964 N.E.2d 670, 673-74 (Ill. App. Ct. 2012) (no direct relationship, thus no special relationship and no duty as a matter of law, between hospital and caller who spoke to unknown individual at hospital who dispensed medical advice over the phone). The FI Plaintiffs’ sole allegation in support of a special relationship is that they “entrusted” Wendy’s with customer payment card data. But this argument rings hollow because it was Wendy’s customers (not the FI Plaintiffs) who provided Wendy’s franchisees (not Wendy’s) with the payment card information in question. See Compl. ¶¶ 55-57. The FI Plaintiffs cannot get around this commonsense fact and, indeed, they acknowledge it in their Complaint. See id. ¶ 55. Moreover, even in litigation brought by consumers that actually provided the hacked retailer with their payment card information, courts have rejected the argument that this amounts to an entrustment giving rise to a special relationship. See, e.g., Anderson v. Hannaford Bros. Co., 659 F.3d 151, 157-58 (1st Cir. 2011) (no fiduciary or confidential relationship between merchant and Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 29 of 47 19 LEGAL02/36568420v12 customers in a credit or debit card transaction). Finally, the FI Plaintiffs’ allegation that only Wendy’s was in a position to protect them fails because the FI Plaintiffs voluntarily joined the card brand networks for commercial reasons with full knowledge of the “omnipresent” threat of data breaches. See Longenecker-Wells, 2015 WL 5576753, at *6. Compl. ¶ 61; see Section IV.C.1(c), supra (discussing that there are no safe harbors for companies storing sensitive information and the idea that a duty should exist because merchants are in the best position to prevent breaches is simply not correct). Accordingly, there is no special relationship between Wendy’s and the FI Plaintiffs that could support the finding of a legal duty of care. 3. Industry Standards Do Not Give Rise to a Duty. The FI Plaintiffs also allege Wendy’s owed a duty to them “because it was bound by” industry standards like PCI-DSS. See Compl. ¶ 170. There is no support for this argument regardless of which state’s law applies. See Exhibit A. Courts repeatedly have rejected the argument that “commercial standards or general industry standards such as PCI-DSS” create a legal duty. Willingham v. Glob. Payments, Inc., 1:12-CV-01157-RWS, 2013 WL 440702, at *19 (N.D. Ga. Feb. 5, 2013) (no legal duty flowing from payment processor to payment card holder); see also Morello v. Kenco Toyota Lift, No. 09-4412, 2015 WL 1400582, at *3 (E.D. Pa. Mar. 26, 2015) (“Industry standards cannot be used to create a duty when none would otherwise be owed.”). This is especially true here given the attenuated nature of the (lack of) relationship between Wendy’s and the FI Plaintiffs – which is based on nothing more than the decision of the FI Plaintiffs’ customers to purchase food using a payment card at a Wendy’s franchise restaurant. The FI Plaintiffs’ allegation that Wendy’s assumed a duty because it “had committed to comply with” industry standards, including PCI-DSS, is also without merit. See Compl. ¶ 170. A company’s adoption of an internal guideline or policy and subsequent procedure to follow that guideline or policy does not create a duty. See, e.g., Hower v. Wal-Mart Stores, Inc., No. 08-1736, Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 30 of 47 20 LEGAL02/36568420v12 2009 WL 1688474, at *6 (E.D. Pa. June 16, 2009) (“Defendant’s policies are not the equivalent of a duty of care . . . .”); McCarty v. Covol Fuels No. 2, LLC, 978 F. Supp. 2d 799, 812-13 (W.D. Ky. 2013) (defendant did not assume duty of care by establishing internal policies and procedures and allegedly failing to follow them); Boutilier ex rel. Boutilier v. Chrysler Ins. Co., No. 8:99-cv- 2270T26MAP, 2001 WL 220159, at *1 (M.D. Fla. Jan. 31, 2001) (adoption of internal corporate policy does not create a legal duty or cause of action for violation of the policy); Leal v. Hobbs, 538 S.E.2d 89, 92 (Ga. Ct. App. 2000) (“We find no authority for the proposition that violation of an internal policy can constitute negligence per se.”). Accordingly, an alleged violation of industries standards cannot support the FI Plaintiffs’ negligence claim. 4. The FTC Act Cannot Form the Basis of the FI Plaintiffs’ Common Law Negligence Claim. There is no private right of action under Section 5 of the FTC Act. See Carpenter v. Kloptoski, No. 1:08-CV-2233, 2010 WL 891825, at * 11 (M.D. Pa. Mar.10, 2010) (“[S]ection 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, does not provide for a private right of action.”); Waldo v. N. Am. Van Lines, Inc., 669 F. Supp. 722, 726 (W.D. Pa. 1987) (same); Jeter v. Credit Bureau, Inc., 760 F.2d 1168, 1174 (11th Cir. 1985) (same). Yet, the FI Plaintiffs attempt to make an end-run around their inability to sue under the FTC Act by arguing that the statute imposes on Wendy’s a common law “duty to use reasonable data security measures.” Compl. ¶ 169. There is not a single case in any jurisdiction that has recognized a common law negligence claim based on a “breach” of a defendant’s duty to comply with Section 5 of the FTC Act, or held that “FTC publications and data breach security orders” may give rise to a duty between parties that are not subject to such orders. Id.18 The Court should not create a cause of action where 18 Plaintiffs also allege that unidentified state statutes allegedly based upon the FTC Act create a duty. See Compl. ¶¶ 176-80. Not only is there no support for this claim, but the Complaint’s Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 31 of 47 21 LEGAL02/36568420v12 Congress declined to do so, and the FI Plaintiffs’ negligence claim, accordingly, should be dismissed.19 D. The FI Plaintiffs’ Negligence Per Se Claims Fail. 1. Arkansas, Louisiana, and Massachusetts Do Not Recognize Negligence Per Se As An Independent Cause of Action. Three FI Plaintiffs have their principal places of business in Arkansas, Louisiana, and Massachusetts – Alcoa Community Federal Credit Union, First NBC Bank, and Align Credit Union. But those states do not recognize the doctrine of negligence per se as an independent cause of action. See Cent. Okla. Pipeline, Inc. v. Hawk Field Servs., LLC, 400 S.W.3d 701, 712 (Ark. 2012); Galloway v. State ex rel. Dep’t of Transp. & Dev., 654 So. 2d 1345, 1347 (La. 1995); Bennett v. Eagle Brook Country Store, Inc., 557 N.E.2d 1166, 1168 (Mass. 1990). By contrast, Ohio does recognize negligence per se in certain limited circumstances. See, e.g., Chambers v. St. Mary’s Sch., 697 N.E.2d 198, 201 (Ohio 1998). Thus, there is a conflict between the laws of Arkansas, Louisiana, and Massachusetts (which would require the dismissal of the FI Plaintiffs’ negligence per se claims) and the law of Ohio (which recognizes negligence per se as an independent cause of action). This is a true conflict. Arkansas, Louisiana, and Massachusetts, which have all refused to adopt the negligence per se doctrine, have determined that their citizens should have the benefit of vague reference to unidentified “state statutes” fails to support their claims as a basic matter of pleading. See, e.g., Deitrick v. Costa, No. 4:06-cv-01556, 2015 WL 1606714, at *9 (M.D. Pa. Apr. 9, 2015) (dismissing negligence per se claim because “[t]he complaint fails to identify any specific statutes Defendant . . . violated); Holler v. Cinemark USA, Inc., 185 F. Supp. 2d 1242, 1244 (D. Kan. 2002) (“[P]laintiff must plead the specific statute on which he bases his claim for negligence per se.”) (emphasis added). 19 Even if the FTC Act imposed a common law duty to act in accordance with its provisions, a breach of that duty must be analyzed under a claim for negligence per se, not negligence. As discussed in Section IV.D, the FTC Act fails to support the FI Plaintiffs’ negligence per se claim. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 32 of 47 22 LEGAL02/36568420v12 having a jury assess whether conduct is actionable, considering all of the facts and circumstances of each individual case. See, e.g., Neil v. Holyoke St. Ry. Co., 109 N.E.2d 831, 833 (Mass. 1952) (“A finding that there was a violation of law is not always decisive on the issue of negligence, for a jury may properly find that it did not constitute negligence in the circumstances attending the accident.”) (emphasis added); Wendland v. Ridgefield Constr. Servs., Inc., 439 A.2d 954, 956-57 (Conn. 1981) (“[N]egligence per se . . . transforms the character of the factfinder’s inquiry” and “affects common law rights, duties and liabilities”); Walker v. First Comm. Bank, N.A., 880 S.W.2d 316, 319 (Ark. 1994) (“The right to jury trial is a fundamental constitutional right that is protected by the Constitution of Arkansas . . . .”); Boudreaux v. State DOTD, 49 So. 3d 1041, 1046 (La. Ct. App. 2010) (rejecting application of negligence per se because “[i]t was for the jury to determine the facts from the evidence and testimony presented”). Applying Ohio law to the FI Plaintiffs with principal places of business in Arkansas, Louisiana, and Massachusetts, would impinge the interests of those states by usurping the ability of the jury to assess whether the residents of those states are entitled to recover given all of the relevant facts and circumstances. On the other hand, Ohio, which has adopted the doctrine of negligence per se, has made a policy determination that there are certain circumstances in which it will defer to the legislature’s judgment about permissible standards of conduct. See Eisenhuth v. Moneyhon, 119 N.E.2d 440, 443 (Ohio 1954) (“The violation of any specific legislative enactment enacted for the protection of private persons is of itself such a breach of duty as to constitute negligence.”). If the laws of Arkansas, Louisiana, and Massachusetts were to apply, then Ohio’s interest in deferring to its legislature’s judgment about permissible standards of conduct would be hampered because there could be circumstances in which the finding of a jury deviates from legislative intent. See, e.g., Bearden v. Wyeth, 482 F. Supp., 2d 614, 618 & n.5 (E.D. Pa. 2006) (concluding that a true conflict Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 33 of 47 23 LEGAL02/36568420v12 exists between the laws of Pennsylvania and Arkansas, in part because Pennsylvania recognizes negligence per se, but Arkansas does not). Because there is a true conflict, the Court must examine which of the states has the greater interest in applying its laws. As discussed above, the state in which each named FI Plaintiff has its principal place of business has a greater interest in the application of its law than Ohio. See Section IV.A, supra. As a result, the negligence per se claims of FI Plaintiffs Alcoa Community Federal Credit Union, First NBC Bank, and Align Credit Union should be dismissed because the applicable state law does not recognize negligence per se as an independent cause of action. 2. Section 5 of the FTC Act Does Not Support a Claim for Negligence Per Se. Even in those states that recognize negligence per se, the FI Plaintiffs’ claims fail. The FI Plaintiffs claim that Wendy’s violated Section 5’s prohibition on “unfair . . . practices in or affecting commerce,” 15 U.S.C. § 45, and thus are liable for negligence per se. Compl. ¶ 175-77. The FI Plaintiffs are asking the Court to break new ground because no court has recognized a claim for negligence per se based on a violation of Section 5’s “unfair practices” prong.20 The Court should dismiss all of the FI Plaintiffs’ claims for negligence per se on that basis alone. Moreover, dismissal is warranted because Section 5 of the FTC Act does not articulate a sufficiently concrete duty or standard of care, and the FI Plaintiffs do not fall within the class of individuals that Section 20 In Home Depot the court stated that “one Georgia case and one case applying Georgia law both suggest that the FTC Act can serve as the basis of a negligence per se claim.” 2016 WL 2897520, at *4. Both of the cited cases, however, dealt with violations of specific regulations that were promulgated under the FTC Act, not a violation of Section 5 itself. See Bans Pasta, LLC v. Mirko Franchising, LLC, No. 7:13-cv-00360, 2014 WL 637762, at *8 (W.D. Va. Feb. 12, 2014) (violation of 16 C.F.R. § 436.5(s)(3)-(5)); Legacy Academy, Inc. v. Mamilove, LLC, 761 S.E.2d 880, 891 (Ga. Ct. App. 2014) (violation of 16 C.F.R. §§436.1-436.5), vacated on other grounds, 777 S.E.2d 731 (Ga. Ct. App. 2015). Accordingly, Home Depot does not support the assertion that a violation of Section 5 of the FTC Act constitutes negligence per se. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 34 of 47 24 LEGAL02/36568420v12 5 was intended to protect – both of which are independent requirements in all states that recognize a claim for negligence per se. a. Section 5 Does Not Impose a Clear and Concrete Duty or Standard of Conduct. Negligence per se is grounded in institutional comity: Where the legislature has determined that particular acts are unlawful, the “judgment of the legislature, as the authoritative representative of the community, takes precedence” over the determinations of individual juries. Restatement (Third) of Torts: Phys. & Emot. Harm § 14, cmt (c) (2010). Likewise, negligence per se promotes efficiency by eliminating the need for juries to deliberate repeatedly the propriety of “recurring conduct,” which provides clarity as to the status of the law. Id. But where a statute does not create standards of care that are more specific than the law of negligence generally, it cannot form the basis of a negligence per se claim. See Exhibit A; see, e.g., Beaver Valley Power Co. v. Nat’l Eng’g & Contracting Co., 883 F.2d 1210, 1222 (3d Cir. 1989); Struve v. Payvandi, 740 N.W.2d 436, 443 (Iowa 2007); Heath v. La Mariana Apts., 180 P.3d 664, 666 (N.M. 2008). Rather, for a statute or ordinance to give rise to a claim of negligence per se, the law must “set forth a positive and definite standard of care whereby a jury may determine whether there has been a violation thereof by finding a single issue of fact.” Boyd v. Moore, 919 N.E.2d 283, 287 (Ohio Ct. App. 2009) (emphasis added) (alterations and internal quotation marks omitted); see also Exhibit A; Lowdermilk v. Vescovo Bldg. & Realty Co., Inc., 91 S.W.3d 617, 629 (Mo. Ct. App. 2002). Section 5’s unfair practice prong falls far short of establishing a specific and ascertainable standard of conduct. Indeed, the statute’s prohibition is vague and amorphous by design. Congress “intentionally left development of the term ‘unfair’ to the [Federal Trade] Commission rather than attempting to define” any specific practices. See Atl. Ref. Co. v. F.T.C., 381 U.S. 357, 367 (1965) (quoting S. Rep. No. 63-597, at 13 (1914)); Am. Fin. Servs. Ass’n v. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 35 of 47 25 LEGAL02/36568420v12 F.T.C., 767 F.2d 957, 969 (D.C. Cir. 1985) (Congress “expressly declined to delineate” the “particular acts or practices” deemed unfair). “The Supreme Court has, on more than one occasion, recognized that the standard of unfairness is by necessity, an elusive one, which defies such a limitation.” Orkin Exterminating Co. v. F.T.C., 849 F.2d 1354, 1367 (11th Cir. 1988) (internal quotation marks and citations omitted); accord F.T.C. v. Colgate-Palmolive Co., 380 U.S. 374, 384-85 (1965). Because Section 5’s unfair practices prong is intentionally vague and amorphous, it does not delineate the requisite concrete wrong sufficient to support a claim for negligence per se. b. The FI Plaintiffs Do Not Fall Within the Class of Persons Congress Intended to Protect Under the “Unfair Practices” Prong of the FTC Act. Another universal element of a negligence per se claim is that the plaintiff must be a member of the class of persons that the statute is designed to protect. See Exhibit A; Restatement (Third) of Torts: Phys. & Emot. Harm § 14 (“An actor is negligent if, without excuse, the actor violates a statute that is designed to protect against the type of accident the actor’s conduct causes, and if the accident victim is within the class of persons the statute is designed to protect.”). The FTC Act, as originally enacted, did not proscribe “unfair practices,” only “unfair methods of competition.” The “unfair . . . practice” prong the FI Plaintiffs seek to travel under here was added through amendment in 1938 which “made it clear that Congress, through § 5, charged the FTC with protecting consumers as well as competitors.” F.T.C. v. Sperry & Hutchison Co., 405 U.S. 233, 244 (1972). The FI Plaintiffs are neither consumers nor competitors of Wendy’s but instead are sophisticated financial institutions. The FI Plaintiffs suggest that the Court should allow them to stand in the shoes of consumers because they “bear primary responsibility for directly reimbursing consumers for fraud losses.” Compl. ¶ 178. There is no support for this proposition and tellingly, Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 36 of 47 26 LEGAL02/36568420v12 the FI Plaintiffs do not allege that any recovery would be remitted to consumers. In fact, the FI Plaintiffs all but disclaim that consumers have been harmed at all. Id. ¶ 146. Because the FI Plaintiffs are not members of the class of persons the unfair practices prong of the FTC Act was designed to protect, their claims for negligence per se fail as a matter of law. Exhibit A; see, e.g., O’Neill v. Dunham, 203 P.3d 68, 73 (Kan. Ct. App. 2009); Osti v. Saylors, 991 S.W.2d 322, 327 (Tex. App. 1999); Cabiroy v. Scipione, 767 A.2d 1078, 1081 (Pa. Super. Ct. 2001). 3. FTC Publications and Orders Do Not Carry the Force of Law and Fail to Support a Claim for Negligence Per Se. The FI Plaintiffs’ negligence per se claims likewise fail to the extent premised on unidentified FTC publications, guidelines, and orders. Compl. ¶¶ 136-139. The FI Plaintiffs’ burden of establishing a plausible claim for relief requires them to identify the specific publications and orders that they claim give rise to negligence per se liability. The FI Plaintiffs fail to identify a single order Wendy’s allegedly violated or any specific publication or order that establishes a duty of care.21 Throughout the Complaint, the FI Plaintiffs do no more than reference general “guidelines” recommending that businesses establish “reasonable data security practices,” such as the admonition that businesses should “protect the personal customer information that they keep.” Compl. ¶ 136. Nothing alleged approaches the type of specific legislative duty necessary to support a negligence per se claim.22 21 The Complaint does not allege that the “FTC Facts for Business” publication that is referenced in Paragraph 137 creates any mandatory duties on merchants, or that Wendy’s breached any purported duties that it might create. 22 Several of the FI Plaintiffs are from jurisdictions that expressly prohibit the violation of administrative regulations from forming the basis of a negligence per se claim. See, e.g., Douglas v. Edgewater Park Co., 199 N.W.2d 567, 571 (Mich. 1963); Chambers v. St. Mary’s Sch., 697 N.E.2d 198, 203 (Ohio 1998). Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 37 of 47 27 LEGAL02/36568420v12 Moreover, neither FTC guidelines nor orders constitute legislative pronouncements carrying the force of law sufficient to serve as the basis for a negligence per se claim. Agency documents “designed to implement, interpret, or prescribe law” are considered to be “rules” under the Administrative Procedure Act. 5 U.S.C. § 551(4); accord Chamber of Commerce v. United States Dep’t of Labor, 174 F.3d 206, 211-12 (D.C. Cir. 1999) (describing a rule as an agency pronouncement that “has a substantial impact upon private parties and puts a stamp of agency approval or disapproval on a given type of behavior”) (internal quotation marks omitted). And “rules which define with specificity acts or practices which are unfair or deceptive acts or practices” can be promulgated by the FTC only pursuant to the procedural requirements of Section 18(b) of the FTC Act. 15 U.S.C. § 57a(a)-(b). The FI Plaintiffs fail to allege that any of the unspecified “guidelines” Wendy’s allegedly violated have been promulgated pursuant to Section 18(b) of the FTC Act such that they are accorded the weight of law. Likewise, FTC consent orders fail to establish a statutory duty for purposes of a negligence per se claim because, as the Supreme Court has explained, “[t]he circumstances surrounding . . . negotiated [consent] agreements are so different that they cannot be persuasively cited in a litigation context.” United States v. E.I. du Pont de Nemours & Co., 366 U.S. 316, 330 n.12 (1961); see Beatrice Foods Co. v F.T.C., 540 F.2d 303, 312 (7th Cir. 1976) (“The entering of a consent decree . . . is not a decision on the merits and therefore does not adjudicate the legality of any action by a party thereto. Nor is a consent decree a controlling precedent for later Commission action.”); Trans Union Corp. v. F.T.C., 245 F.3d 809, 816-17 (D.C. Cir. 2001); Marion Healthcare LLC v. S. Ill. Healthcare, No. 12-cv-00871-DRH-PMF, 2013 WL 451068, at *10 n.3 (S.D. Ill. Aug. 26, 2013). Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 38 of 47 28 LEGAL02/36568420v12 4. Industry Standards Cannot Support a Negligence Per Se Claim. The FI Plaintiffs’ claims for negligence per se also fail to the extent they are based on an alleged violation of “applicable industry standards, including PCI DSS.” Compl. ¶ 176. In every jurisdiction, a claim for negligence per se must be based on the violation of a law, not privately created standards or industry norms. See Braxton v. Commonwealth Dep’t of Transp., 634 A.2d 1150, 1157 (Pa. Commw. Ct. 1993) (negligence per se applies to “statute[s], ordinance[s], or regulation[s] designed to prevent a public harm.”). A violation of private rules does not give rise to a negligence per se claim. See Ruder v. Pequea Valley Sch. Dist., 790 F. Supp. 2d 377, 402 (E.D. Pa. 2011) (“Negligence per se cannot be found based on a plaintiff’s allegation that a defendant has breached its own policy.”); Griglione v. Martin, 525 N.W.2d 810, 812 (Iowa 1994) (violation of police operating procedures and private safety codes does not support a claim for negligence per se); S. Ry. Co. v. Allen, 77 S.E.2d 277, 286 (Ga. Ct. App. 1953) (noting that a violation of private rules does not give rise to a negligence per se claim under Georgia law); De Pree v. Nutone, Inc., 422 F.2d 534, 536 n.1 (6th Cir. 1970) (applying Michigan law). No court has ever held that a violation of PCI-DSS gives rise to a claim for negligence per se. Accordingly, the FI Plaintiffs’ claims for negligence per se fails as a matter of law and should be dismissed. E. Plaintiffs Fail to State a Claim Under Ohio’s Deceptive Trade Practices Act. The FI Plaintiffs allege Wendy’s violated the Ohio Deceptive Trade Practices Act (“ODTPA”), based on alleged misrepresentations Wendy’s made about the state of its data security. See Compl. ¶¶ 181-200. This claim fails, however, because Plaintiffs have not sufficiently alleged any misrepresentations by Wendy’s – much less misrepresentations that proximately caused their injuries. The ODTPA “is substantially similar to the federal Lanham Act, and it generally regulates trademarks, unfair competition, and false advertising.” Dawson v. Blockbuster, Inc., No. 86451, Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 39 of 47 29 LEGAL02/36568420v12 2006 WL 1061769, at *3 (Ohio Ct. App. Mar. 16, 2006). And Ohio courts “apply to the ODTPA the same analysis used by federal courts under the Lanham Act.” Die-Mension Corp. v. Dun & Bradstreet Credibility Corp., No. C14-855, 2015 WL 5307472, at *2 (W.D. Wash. Sept. 10, 2015) (citing Bedford Auto Dealers Ass’n v. Mercedes Benz of N. Olmstead, 2012 WL 760626, at *3 (Ohio Ct. App. Mar. 8, 2012 and collecting cases)). In Lexmark International Inc. v. Static Control Components, Inc., 134 S. Ct. 1377 (2014), the Supreme Court held that to bring a claim under the Lanham Act, a plaintiff (1) must allege an injury to a commercial interest in reputation or sales that brings the plaintiff within the “zone of interests” protected by the Lanham Act (the “zone of interests” inquiry) and (2) the alleged harm bear a “sufficiently close connection to the conduct the statute prohibits (the “proximate cause inquiry”). Id. at 1390-91. Thus, the FI Plaintiffs must satisfy this same two-part test to state a claim under the ODTPA. See Die-Mension Corp., 2015 WL 5307472, at *4 (“Given the similarities between the federal and state statutes, the Court is persuaded that the Ohio Supreme Court would adopt the two-part standard articulated in Lexmark in deciding who may pursue a claim under the ODTPA”); Dish Network, LLC v. Fun Dish, Inc., No. 1:08-cv-1540, 2015 WL 3650190, at *9 (N.D. Ohio 2015) (relying on Lexmark to find that the plaintiffs had not demonstrated that defendants’ deceptive acts proximately caused their injury). Here, the FI Plaintiffs’ ODTPA claim should be dismissed because they only allege – in conclusory fashion – that “Wendy’s misrepresented the security of its point of sale payment systems.” Compl. ¶ 185. Apart from this conclusory allegation, the FI Plaintiffs attempt to prop up their claim with allegations that Wendy’s “represented” it was PCI DSS compliant not through words but “by being an active participant in the payment card networks . . . .” Id. ¶ 186. The FI Plaintiffs also allege that Wendy’s somehow represented that its payment systems were secure “by Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 40 of 47 30 LEGAL02/36568420v12 and through its franchisees” in connection with a lawsuit but fail to identify any purported representation, much less a representation made by Wendy’s. Id. ¶ 188. These are not “misrepresentations,” and the FI Plaintiffs’ ODTPA claim should be dismissed for failure to plead an essential element of the claim. But even if the FI Plaintiffs did sufficiently allege a misrepresentation, their claim still fails because the Complaint contains no allegations of fact that support a proximate, causal link between an alleged misrepresentation and the FI Plaintiffs’ alleged harm (i.e., the cost of cancelling and reissuing cards, refunding fraudulent charges, and lost interest and transaction fees). Id. ¶ 196. The FI Plaintiffs do not allege that they could have prevented their customers from using their payment cards at Wendy’s franchise restaurants had they known that Wendy’s was allegedly not PCI DSS compliant or that they heard of or were aware of the unidentified representation made “by and through” Wendy’s franchisees regarding the state of compliance and data security. There are also no allegations that had Wendy’s representations been accurate (i.e., representations that Wendy’s had been PCI DSS compliant), the data breach and the FI Plaintiffs’ purported injuries would not have occurred. For these same reasons the FI Plaintiffs’ reliance on Wendy’s May 11, 2016, press release falls flat. Id. ¶ 189. Indeed, the FI Plaintiffs ignore that the press release was issued after Plaintiff First Choice Federal Credit Union filed its original complaint on April 25, 2016, and months after a consumer complaint was filed in Florida federal district court. It is not plausible that the FI Plaintiffs could have been “deceived” about the status of Wendy’s security at the time of the press release, much less that the representations in the press release proximately caused any of their alleged injuries. The FI Plaintiffs’ inability to plead the required proximate cause is not surprising because the alleged data breach was perpetrated by criminal third-parties – not Wendy’s. Accordingly, the FI Plaintiffs’ claim under the ODTPA should be dismissed. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 41 of 47 31 LEGAL02/36568420v12 F. Plaintiffs’ Claim for Injunctive and Declaratory Relief Should Be Dismissed. 1. Plaintiffs Fail to State a Claim for Injunctive Relief. a. There is No Cognizable Claim for “Injunctive Relief.” Plaintiffs may not pursue a standalone claim for “injunctive relief” because “injunctive relief is a remedy and not an independent cause of action.” In re Shop-Vac Marketing & Sales Practices Litig., 964 F. Supp. 2d 355, 367 (M.D. Pa. 2013); see Newman v. J.P. Morgan Chase Bank, N.A., 81 F. Supp. 3d 735, 746 (D. Minn. 2015) (citing Great-West Life & Annuity Ins. Co. v. Knudson, 534 U.S. 204, 211 n.1 (2002) (“[A]n injunction is inherently an equitable remedy.”)). “[A]ny motion or suit for either a preliminary or permanent injunction must be based upon a cause of action . . . . There is no such thing as a suit for a traditional injunction in the abstract.” Alabama v. U.S. Army Corps of Eng’rs, 424 F.3d 1117, 1127 (11th Cir. 2005) (internal quotation marks and citation omitted). Plaintiffs’ injunctive relief “claim” should therefore be dismissed. b. Plaintiffs are Not Entitled to the Remedy of Injunctive Relief. Plaintiffs’ count for injunctive relief also fails because Plaintiffs do not lack an adequate remedy at law. Minard Run Oil Co. v. U.S. Forest Serv., 894 F. Supp. 2d 642, 663 (W.D. Pa. 2012) (“It is well established that, before issuing a permanent injunction, a court must consider whether any other remedies at law are adequate.”). Even if Wendy’s were to fall victim to another future security breach, monetary damages would sufficiently compensate Plaintiffs for any losses as well as any losses allegedly already suffered as a result of the security breach that forms the basis of the Complaint. Plaintiffs’ allegation that “money damages . . . do not cover the full extent of injuries suffered by Plaintiffs and the Class” is vague and conclusory. See Compl. ¶ 205. Indeed, this allegation is not plausible given Plaintiffs’ insistence throughout the Complaint that they have been harmed because they have suffered specific categories of damages – e.g., the cost of cancelling and reissuing cards, refunding fraudulent charges, and lost interest and transaction Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 42 of 47 32 LEGAL02/36568420v12 fees – that they seek to recover under their negligence and statutory claims. See eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 391 (2006) (to be entitled to a permanent injunction, “[a] Plaintiff must demonstrate . . . that remedies available at law, such as monetary damages, are inadequate to compensate for [the Plaintiff’s] injury”); Frank’s GMC Truck Ctr., Inc. v. Gen. Motors Corp., 847 F.2d 100, 102 (3d Cir. 1988) (“[A] purely economic injury, compensable in money, cannot satisfy the irreparable injury requirement” necessary to warrant injunctive relief.). Accordingly, Plaintiffs’ request for injunctive relief should be dismissed.23 2. Plaintiffs Fail to State a Claim for Declaratory Relief a. Plaintiffs Improperly Seek a Determination of Past Liability. Plaintiffs’ declaratory relief claim fails because it focuses on alleged past wrongs rather than the future relationship between the parties. As the Third Circuit has recognized, declaratory judgments are “prospective in nature.” CMR D.N. Corp. v. City of Phila., 703 F.3d 612, 628 (3d Cir. 2013); Corliss v. O’Brien, 200 F. App’x 80, 84 (3d Cir. 2006) (a “[d]eclaratory judgment is inappropriate solely to adjudicate past conduct”). It cannot be used as a “back-door method of attaining money damages for a past harm.” See Celec v. Edinboro Univ., 132 F. Supp. 3d 651, 669 n.9 (W.D. Pa. 2015). “At the motion to dismiss stage, a ‘prayer for . . . declaratory relief requires an assessment . . . of whether the plaintiff has sufficiently shown a real and immediate threat of future harm.’” Tiller v. State Farm Mut. Auto. Ins. Co., No. 1:12-cv-3432, 2013 WL 451309, at *3 (N.D. Ga. Feb. 5, 2013) (quoting Elend v. Basham, 471 F.3d 1199, 1207 (11th Cir. 2006)) (emphasis added). 23 Although the Home Depot court appropriately held that the plaintiffs’ claim for declaratory relief as to defendants’ past breach of any duty was subject to dismissal since it dealt with past liability, the court’s additional conclusion that plaintiffs’ claim for injunctive relief was properly supported was erroneous because the Home Depot plaintiffs, like the Plaintiffs here, possessed an adequate remedy at law. 2016 WL 2897520, at *4. Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 43 of 47 33 LEGAL02/36568420v12 Plaintiffs’ declaratory relief claim does not address a plausible immediate threat of future harm. In particular, Plaintiffs’ half-hearted claim that they will continue to incur fraudulent charges on payment cards issued to Wendy’s customers is not plausible given their extensive allegations that they have cancelled and reissued payment cards. See Compl. ¶¶ 13-34. And Plaintiffs cannot recast their allegations of past harm to support a declaratory judgment claim simply couching their alleged harm as continuing. Id. ¶ 203. Plaintiffs seek a declaration that (1) Wendy’s owed it a duty; (2) Wendy’s breached that duty; (3) the breach caused an injury to Plaintiffs; and (4) Plaintiffs suffered damage as a result of that breach. Id. In other words, Plaintiffs seek a declaration that their negligence claim is meritorious. This is not an appropriate declaratory relief claim because a declaratory judgment is not “meant simply to proclaim that one party is liable to another.” Hodinka v. Del. Cty., 759 F. Supp. 2d 603, 610 (E.D. Pa. 2011) (internal quotation marks omitted). b. The Association Plaintiffs Do Not Have Standing to Pursue a Claim for Declaratory Relief. In addition to other infirmities with their declaratory relief claim, the Association Plaintiffs do not have standing to assert this claim because individual participation of their members is required. To demonstrate associational standing, an entity must show that “neither the claim asserted nor the relief requested requires the participation of individual members in the lawsuit.” See Am. Chiropractic Ass’n v. Am. Specialty Health, Inc., 625 F. App’x 169, 176 (3d Cir. 2015). Consequently, when a claim requires “a fact-intensive-individual inquiry,” associational standing is improper. PA. Psychiatric Soc. v. Green Spring Health Servs., Inc., 280 F.3d 278, 286 (3d Cir. 2002). Here, among other individualized issues, the Association Plaintiffs ask the Court to rule that Wendy’s alleged breach caused an injury to all association members and will continue to cause Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 44 of 47 34 LEGAL02/36568420v12 the Association Plaintiffs harm. Compl. ¶ 203c. These findings simply cannot be made without an inquiry into the facts about each association member – specifically, whether they suffered any harm. As such, the Association Plaintiffs’ declaratory relief claim “requires the participation of individual members in the lawsuit” and should therefore be dismissed on standing grounds. V. CONCLUSION For the reasons set forth above, the Court should grant Wendy’s Motion and dismiss Plaintiffs’ Complaint with prejudice. Respectfully submitted this 22nd day of August, 2016. ALSTON & BIRD LLP By: /s/ Kristine McAlister Brown KRISTINE MCALISTER BROWN Admitted Pro Hac Vice CARI K. DAWSON Pro Hac Vice Application Forthcoming DONALD M. HOUSER Admitted Pro Hac Vice 1201 West Peachtree Street Atlanta, Georgia 30309-3424 Telephone: 404-881-7000 Facsimile: 404-881-7777 kristy.brown@alston.com cari.dawson@alston.com donald.houser@alston.com DOMINIQUE R. SHELTON Admitted Pro Hac Vice 333 South Hope Street, 16th Floor Los Angeles, California 90071-3004 Telephone: 213-576-1000 Facsimile: 213-576-1100 dominique.shelton@alston.com STEPHEN S. STALLINGS, ESQUIRE Stephen S. Stallings, Esquire Pa. ID #205131 attorney@stevestallingslaw.com Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 45 of 47 35 LEGAL02/36568420v12 The Osterling Building 228 Isabella Street Pittsburgh, PA 15212 Tel.: (412) 322-7777 Fax: (412) 322-7773 Counsel for Defendants Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 46 of 47 36 LEGAL02/36568420v12 CERTIFICATE OF SERVICE I hereby certify that on August 22, 2016, I electronically filed the foregoing Defendants’ Memorandum of Law in Support of Defendants’ Motion to Dismiss the Plaintiffs’ Consolidated Amended Class Action Complaint with the Clerk of Court using the CM/ECF system, which will send notice of filing to the email addresses for all counsel listed on the Electronic Mail Notice list. /s/ Kristine McAlister Brown Case 2:16-cv-00506-NBF-MPK Document 54 Filed 08/22/16 Page 47 of 47 Exhibit A to Memorandum in Support of Wendy’s Motion to Dismiss Amended Complaint 1 First Choice Federal Credit Union / Pennsylvania Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Pennsylvania • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)); Pennsylvania State Employees Credit Union v. Fifth Third Bank. 398 F. Supp. 2d 317, 319 (M.D. Pa. 2005) (“PSECU”). • None of the exceptions applies • Yes • Both Negligence and Negligence Per Se Claims Barred by ELR. See Pavlovich and PSECU. Negligence Ohio Pennsylvania • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. The federal court opinion purporting to recognize a duty under Pennsylvania law is neither binding nor persuasive. See Memorandum § IV.C.1(a). • Absent special relationships or circumstances, there is no duty to protect another from the criminal acts of a third party. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); K.H. ex rel. H.S. v. Kumar, 122 A.3d 1080, 1095 (Pa. Super. Ct. 2015). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 1 of 29 2 Negligence Per Se Ohio Pennsylvania • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports claim under either state’s law. See, e.g., Hinckley v. Krantz, 658 N.E.2d 797, 799 (Ohio Ct. App. 1995) (industry standards do not support negligence per se); Beaver Valley Power Co. v. Nat’l Eng’g & Contracting Co., 883 F.2d 1210, 1212 (3d Cir. 1989) (under Pennsylvania law, statute must articulate a specific standard of care to form the basis of a negligence per se claim). • Yes • Negligence per se claim fails. See Memorandum § IV.D. AOD Federal Credit Union / Alabama Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Alabama • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Alabama limits the ELR to the products liability context. See Pub. Bldg. Auth. of City of Huntsville v. St. Paul Fire & Marine Ins. Co., 80 So. 3d 171, 184 (Ala. 2010). • Alabama law applies but no further analysis is required because Wendy’s does not seek dismissal of AOD Federal Credit Union’s negligence claim under Alabama’s ELR in its Motion. • No Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 2 of 29 3 Negligence Ohio Alabama • No conflict • None of potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Broadus v. Chevron USA, Inc., 677 So. 2d 199, 202 (Ala. 1996). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Alabama • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports claim under either state’s law. See, e.g., Thomas Learning Ctr., Inc. v. McGuirk, 766 So. 2d 161, 171 (Ala. Civ. App. 1998). • Yes • Negligence per se claim fails. See Memorandum, § IV.D. Tech Credit Union / Indiana Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Indiana • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Indiana recognizes the ELR only in the product liability context. See Am. United Life Ins. Co. v. Douglas, 808 N.E.2d 690, 705 (Ind. Ct. App. 2004). • Indiana law applies but no further analysis is required because Wendy’s does not seek dismissal of Tech Credit Union’s negligence claims under Indiana’s ELR. • No Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 3 of 29 4 Negligence Ohio Indiana • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Fast Eddie’s v. Hall, 688 N.E.2d 1270, 1274 (Ind. Ct. App. 1997). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Indiana No conflict The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports claim under either state’s law. Wiles v. Mahan, 405 N.E.2d 591, 594 (Ind. Ct. App. 1980). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Veridian Credit Union / Iowa Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Iowa • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 506 (Iowa 2011); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)). • No exception applies. • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 4 of 29 5 Negligence Ohio Iowa • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Davis v. Kwik-Shop, Inc., 504 N.W.2d 877, 878 (Iowa 1993). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Iowa • No conflict • The violation of a statute can establish duty and breach in each state • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. Struve v. Payvandi, 740 N.W.2d 436 (Iowa 2007); Jorgenson v. Horton, 206 N.W.2d 100, 103 (Iowa 1973). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 5 of 29 6 South Florida Educational Federal Credit Union / Florida Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Florida • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Florida recognizes the ELR only in the product liability context. See Tiara Condo. Ass’n v. Marsh & McLennan Cos. Inc., 714 F.3d 1253, 1254 (11th Cir. 2013). • Florida law applies but no further analysis is required because Wendy’s does not seek to dismiss South Florida Educational Federal Credit Union’s negligence claims under Florida’s ELR in its Motion. • No Negligence Ohio Florida • No conflict • None of potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Knight v. Merhige, 133 So. 3d 1140, 1145 (Fla. Dist. Ct. App. 2014). • Additionally, under Florida law, the mere fact that a company has an internal corporate policy does not create a legal duty or cause of action for breach of that duty. Boutilier ex rel. Boutilier v. Chrysler Ins. Co., No. 8:99-CV-2270T26MAP, 2001 WL 220159, at *1 (M.D. Fla. Jan. 31, 2001); see also See Gunlock v. Gill Hotels Co., Inc., 622 So.2d 163, 164 (Fla. 4th DCA 1993) (an internal policy does not create a substantive duty to follow “the standard of conduct contained” within the policy). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 6 of 29 7 Negligence Per Se Ohio Florida • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. The negligence per se claim also fails under Florida law for the independent reason that “Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action.” Weinberg v. Advanced Data Processing, Inc., No. 15-CV-61598, 2015 WL 8098555, at *4 (S.D. Fla. Nov. 17, 2015). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Preferred Credit Union / Michigan Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Michigan • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Michigan courts require direct contractual privity between the parties in order for the ELR to apply. Kemp v. Resurgent Capital Servs., No. 13-11794, 2013 WL 5707797, at *9 (E.D. Mich. Oct. 21, 2013), aff’d (June 18, 2014) (negligence claim barred by ELR where duties set forth in a contract). • Michigan law applies but no further analysis is required because Wendy’s does not seek to dismiss Preferred Credit Union’s negligence claims under Michigan’s ELR in its Motion. • No Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 7 of 29 8 Negligence Ohio Michigan • No conflict • None of potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Graves v. Warner Bros., 656 N.W.2d 195, 200 (Mich. Ct. App. 2002). • While a special relationship might exist between a union and its workers such that the union may have a duty to protect workers who had entrusted the union with their personal information, see Bell v. Michigan Council 25 of Am. Fed'n of State, Cnty., Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306, at *1 (Mich. Ct. App. Feb. 15, 2005), there is no such special relationship recognized between a merchant and payment card issuer to support such a duty in this case, much less a merchant’s franchisor and a payment card issuer). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Michigan • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports claim under either state’s law. See, e.g., Depree v. Nutone, Inc., 422 F.2d 534, 536 n.1 (6th Cir. 1970) (applying Michigan law and concluding that “[d]eparture from industry or other standards is not negligence per se”). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 8 of 29 9 Alcoa Community Federal Credit Union / Arkansas Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Arkansas • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Arkansas courts do not recognize the ELR. Erdman Co. v. Phoenix Lnd & Acquisition, LLC, No. 2:10- CV-2045, 2013 U.S. Dist. LEXIS 26041, at *8 (W.D. Ark. Feb. 25, 2013) (“Arkansas stands among the three states that have not adopted the economic- loss rule.”) • Arkansas law applies but no further analysis is required because Wendy’s does not seek to dismiss Alcoa Community Federal Credit Union’s negligence claims under Arkansas’ ELR in its Motion. • No Negligence Ohio Arkansas • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Bartley v. Sweetser, 890 S.W.2d 250, 251 (Ark. 1994). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 9 of 29 10 Negligence Per Se Ohio Arkansas • Yes, conflict exists. o Arkansas does not recognize negligence per se. In Ohio and Pennsylvania, the violation of a statute can establish duty and breach. • It is a true conflict. See Memorandum §§ IV.A, IV.D • Arkansas law applies. See Memorandum §§ IV.A, IV.D. o Alleged injuries occurred in Arkansas; Restatement contacts support application of Arkansas law. o Consistent with Arkansas’ governmental interests in having juries decide whether Arkansas citizens have actionable claims. See Walker v. First Comm. Bank, N.A., 880 S.W.2d 316, 319 (Ark. 1994). • Yes • Negligence per se claim fails. See Cent. Okla. Pipeline, Inc. v. Hawk Field Servs., LLC, 400 S.W.3d 701, 712 (Ark. 2012). Associated Credit Union/ Georgia Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Georgia • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See Gen. Elec. Co. v. Lowe’s Home Ctrs., 608 S.E.2d 636, 637 (Ga. 2005) (economic losses are recoverable in tort only if those losses “result[] from injury to his person or damage to his property”); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)); Pennsylvania State Employees Credit Union v. Fifth Third Bank. 398 F. Supp. 2d 317, 319 (M.D. Pa. 2005). • None of the exceptions applies. In particular, there is no independent, common law duty as addressed below and in the Memorandum § IV.C.1(b). • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 10 of 29 11 Negligence Ohio Georgia • No conflict • None of potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. See Willingham v. Global Payments, Inc., 1:12-CV-01157-RWS, 2013 WL 440702, at *18 (N.D. Ga. Feb. 5, 2013) (credit card processor did not owe consumers duty of care to protect them from data breaches); McConnell v. Dep’t of Labor, 787 S.E.2d 794, 796 (Ga. Ct. App. 2016). • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Edmunds v. Cowan, 386 S.E.2d 39, 41 (Ga. Ct. App. 1989). • “[C]ommercial standard or industry standards such as PCI-DSS” do not “create a legal duty running form [the defendant] to Plaintiffs.” Willingham, 2013 WL 440702, at *19. • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Georgia • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. See discussion of Home Depot in Memorandum § IV.D.2. None of alternative bases supports claim under either state’s law. See, e.g., S. Ry. Co. v. Allen, 88 Ga. App. 435, 449 (1953). • Yes • Negligence per se claim fails. See Memorandum, § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 11 of 29 12 Centrue Bank / Illinois Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Illinois • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518, 531 (N.D. Ill. 2011); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)). • None of the exceptions applies • Yes • Both Negligence and Negligence Per Se Claims Barred by ELR. See Memorandum § IV.B. Negligence Ohio Illinois • No conflict • None of potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. See Worix v. MedAssets, Inc., 869 F. Supp. 893, 897 (N.D. Ill. 2012) (declining to recognize a new common law duty to safeguard sensitive information). • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Morgan v. 253 E. Delaware Condo. Ass’n, 595 N.E.2d 36, 39 (Ill. Ct. App. 1992). • Yes • Negligence claim fails for lack of duty. See Worix, 869 F. Supp. At 897. Memorandum § IV.C. Negligence Per Se Ohio Illinois • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. • Yes • Negligence per se claim fails. See Memorandum, § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 12 of 29 13 Envista Credit Union / Kansas Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Kansas • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Kansas recognizes the ELR only in the context of product liability cases. See Rinehart v. Morton Bldgs., Inc., 305 P.3d 622, 630 (Kan. 2013). • Kansas law applies but no further analysis is required because Wendy’s does not seek to dismiss Envista Credit Union’s claims under Kansas’ ELR in its Motion. • No Negligence Ohio Kansas • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); George v. Breising, 477 P.2d 983, 989 (Kan. 1970) (failure to anticipate criminal acts is not negligence). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Kansas • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 13 of 29 14 First NBC Bank / Louisiana Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Louisiana • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. Louisiana courts do not recognize the ELR. In re Chinese Manufactured Drywall Pros. Liab. Litig., 680 F. Supp. 2d 780 (E.D. La. 2010). • Louisiana law applies but no further analysis is required because Wendy’s does not seek to dismiss First NBC Bank’s negligence claims under Louisiana’s ELR in its Motion. • No Negligence Ohio Louisiana • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer , much less a merchant’s franchisor and a payment card issuer. • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 14 of 29 15 Negligence Per Se Ohio Louisiana • Yes, conflict exists. o Louisiana does not recognize negligence per se. In Ohio, the violation of a statute can establish duty and breach. • It is a true conflict. See Memorandum §§ IV.A, IV.D. • Louisiana law applies. See Memorandum §§ IV.A, IV.D. o Alleged injuries occurred in Louisiana; Restatement contacts support application of Louisiana law. o Consistent with Louisiana’s governmental interests in having juries decide whether Louisiana citizens have actionable claims. See, e.g., Boudreaux v. State DOTD, 49 So. 3d 1041, 1046 (La. Ct. App. 2010). • Yes • Negligence per se claim fails. See Galloway v. State ex rel. Dep’t of Transp. & Dev., 654 So. 2d 1345, 1347 (La. 1995). Align Credit Union / Massachusetts Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Massachusetts • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, Inc., 918 N.E.2d 36, 47 (Mass. 2009); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)). • None of the exceptions applies • Yes • Both Negligence and Negligence Per Se Claims Barred by ELR Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 15 of 29 16 Negligence Ohio Massachusetts • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Husband v. Dubose, 531 N.E.2d 600 (Mass. Ct. App. 1988). • The Massachusetts Superior Court has twice refused to dismiss negligence actions involving claims that the defendant failed to safeguard personal data, but in neither case directly addressed whether a common law duty exists. In Walker v. Boston Med. Ctr. Corp., while the Massachusetts Superior Court refused to dismiss the plaintiffs’ complaint, which alleged several claims stemming from a data breach that exposed the plaintiffs’ personal information, the existence (or non-existence) of a duty was not discussed. In Adams v. Congress Auto Ins. Agency, Inc., 31 Mass. L. Rptr 473 (Mass. Sup. Ct. 2013), the court found the plaintiff’s negligence claim against an insurance company could withstand a motion to dismiss where unspecified “personal information” accessed by the defendant’s employee was used to commit certain criminal acts against the plaintiff. The Adams court also did not directly address the plaintiff’s allegation that the defendant owed him a duty. • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 16 of 29 17 Negligence Per Se Ohio Massachusetts • Yes, conflict exists. o Massachusetts does not recognize negligence per se. In Ohio and Pennsylvania, the violation of a statute can establish duty and breach. • It is a true conflict. See Memorandum §§ IV.A, IV.D. • Massachusetts law applies. See Memorandum, §§ IV.A, IV.D. o Alleged injuries occurred in Massachusetts; Restatement contacts support application of Massachusetts law. o Consistent with Massachusetts’ governmental interests in having juries decide whether Massachusetts citizens have actionable claims. See, e.g., Neil v. Holyoke St. Ry. Co., 109 N.E.2d 831, 833 (Mass. 1952). • Yes • Negligence per se claim fails. See Bennett v. Eagle Brook Country Store, Inc., 557 N.E.2d 1166, 1168 (Mass. 1990). Navigator Credit Union / Mississippi Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Mississippi • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum § IV.B.1. The Mississippi Supreme Court has never recognized the ELR. • Mississippi law applies but no further analysis is required because Wendy’s does not seek to dismiss Navigator Credit Union’s claims under Mississippi’s ELR in its Motion. • No Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 17 of 29 18 Negligence Ohio Mississippi • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Doe v. Hunter Oaks Apartments, L.P., 105 So. 3d 422, 426 (Miss. Ct. App. 2013) (“In Mississippi, only those who ‘take charge’ of a third party have the duty to control that third party’s criminal acts.”). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Mississippi • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. See, e.g., Cole v. Noble Drilling Corp., No. 1:05-cv-479, 2007 WL 2475944, at *8 (S.D. Miss. Aug. 28, 2007). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 18 of 29 19 The Seymour Bank / Missouri Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Missouri • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See Auto-Owners Ins. Co. v. Mid- Am. Piping, Inc., No. 4:07-CV-00394, 2008 WL 2859193, at *2 (E.D. Mo. Mar. 17, 2008); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)); Pennsylvania State Employees Credit Union v. Fifth Third Bank. 398 F. Supp. 2d 317, 319 (M.D. Pa. 2005). • None of the exceptions applies • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Negligence Ohio Missouri • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Phelps v. Bross, 73 S.W.3d 651, 657 (Mo. Ct. App. 2002) (holding that the special relationship except applies only if the “plaintiff entrusted himself or herself to the protection of the defendant and relied upon the defendant to provide a place of safety”). • In Amburgy, the Eastern District of Missouri dismissed Plaintiff’s negligence claim stemming from a data breach on standing grounds. It did not address the issue of duty. It did, however, note that there is no common law duty to provide notice of a data breach. Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009) (no cause of action in negligence exists for the failure to provide adequate and timely notice of a data breach, and “[t]he Court will not create a claim where one does not exist”). • Yes • Negligence claim fails for lack of duty. See Amburgy, 671 F. Supp. 2d at 1055; Memorandum § IV.C. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 19 of 29 20 Negligence Per Se Ohio Missouri • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. See, e.g., Lowdermilk v. Vescovo Bldg. & Realty Co., 91 S.W.3d 617, 629 (Mo. Ct. App. 2002). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Financial Horizons Credit Union / Nevada Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Nevada • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. See Terracon Consultants W., Inc. v. Mandalay Resort Grp., 206 P.3d 81, 88 (Nev. 2009); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)). • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 20 of 29 21 Negligence Ohio Nevada • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Mangeris v. Gordon, 580 P.2d 481, 483 (Nev. 1978) (“[U]nder common-law principles, no duty is owed to control the dangerous conduct of another or to warn others of the dangerous conduct.”). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio Nevada • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. • Yes • Negligence per se claim fails. See Memorandum § IV.D. North Jersey Federal Credit Union / New Jersey Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio New Jersey • Yes, conflict exists. o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. It is a true conflict. See Panthera Rail Car LLC, 985 F. Supp. 2d at 696. • New Jersey law applies but no further analysis is required because Wendy’s does not seek to dismiss North Jersey Federal Credit Union’s claims under New Jersey’s ELR in its Motion. • No Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 21 of 29 22 Negligence Ohio New Jersey • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Kuehn v. Pub Zone, 835 A.2d 692, 698 (N.J. Super. Ct. App. Div. 2003). • In Lone Star National Bank N.A. v. Heartland Payment Systems, the Fifth Circuit held only that New Jersey's economic loss doctrine could not be found applicable at the motion to dismiss stage. 729 F.3d 421, 426-27 (5th Cir. 2013). Thus, while the Heartland court did comment (in dicta) that a processor “may” have a negligence- based duty of care to issuers, it remanded that and all other unreached issues to be decided by the district court. Id. at 426. Because the case was subsequently dismissed by the FI Plaintiffs, the district court never opined on the duty issue. • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio New Jersey • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 22 of 29 23 Nusenda Credit Union / New Mexico Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio New Mexico • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. New Mexico courts recognize the ELR only where there is contractual privity. See Wheeler Peak, LLC v. L.C.I.2, Inc., No. CIV 07-1117 JB/WDS, 2008 WL 6045576, at *8 (D.N.M. Oct. 29, 2008) • New Mexico law applies but no further analysis is required because Wendy’s does not seek to dismiss Nusenda Credit Union’s negligence claims under New Mexico’s ELR in its Motion. • No Negligence Ohio New Mexico • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Ciup v. Chevron U.S.A., Inc., 928 P.2d 263, 265 (N.M. 1996). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio New Mexico • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under either state’s law. • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 23 of 29 24 Greater Cincinnati Credit Union / Ohio Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio • Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR bars this plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Negligence Ohio • Ohio law does not recognize a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio • The violation of a statute can establish duty and breach in Ohio. • Ohio has not recognized claims for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under Ohio law. See, e.g., Hinckley v. Krantz, 658 N.E.2d 797, 799 (Ohio Ct. App. 1995) (industry standards do not support negligence per se). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 24 of 29 25 KEMBA Financial Credit Union / Ohio Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio • Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR bars this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Negligence Ohio • Ohio law does not recognize a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio • The violation of a statute can establish duty and breach in Ohio. • Ohio has not recognized claims for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under Ohio law. See, e.g., Hinckley v. Krantz, 658 N.E.2d 797, 799 (Ohio Ct. App. 1995) (industry standards do not support negligence per se). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 25 of 29 26 Wright-Patt Credit Union / Ohio Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio • Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence- based claims. See Memorandum, § IV.B.1. • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Negligence Ohio • Ohio law does not recognize a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire. Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989). • Yes • Negligence claim fails for lack of duty. See Memorandum § IV.C. Negligence Per Se Ohio • The violation of a statute can establish duty and breach in Ohio. • Ohio has not recognized claims for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports a claim under Ohio law. See, e.g., Hinckley v. Krantz, 658 N.E.2d 797, 799 (Ohio Ct. App. 1995) (industry standards do not support negligence per se). • Yes • Negligence per se claim fails. See Memorandum § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 26 of 29 27 Greenville Heritage Federal Credit Union / South Carolina Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio South Carolina • Yes, conflict exists o Ohio bars negligence-based claims seeking economic damages absent physical injury or property damage. As a result, the Ohio ELR would bar this Plaintiff’s negligence-based claims. See Memorandum, § IV.B.1. South Carolina courts recognize the ELR only where there is contractual privity. See King v. Carolina First Bank, 26 F. Supp. 3d 510, 519 (D.S.C. 2014) • South Carolina law applies but no further analysis is required because Wendy’s does not seek to dismiss Greenville Heritage Federal Credit Union’s negligence claims under South Carolina’s ELR in its Motion. • No Negligence Ohio South Carolina • No conflict • None of potentially applicable states’ laws recognizes a legal duty owed by merchant to payment card issuer, much less a merchant’s franchisor and a payment card issuer. See Huggins v. Citibank, N.A., 585 S.E.2d 275, 277-78 (S.C. 2003)(declining to recognize a duty on the part of credit card issuers to protect potential victims of identity theft, concluding that “the legislative arena is better equipped to assess and address the impact of credit card fraud on victims and financial institutions alike”). • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Bass v. Gopal, Inc., 680 S.E.2d 917, 920 (S.C. Ct. App. 2009), aff’d, 716 S.E.2d 910 (2011) (“[A] merchant is not charged with the duty of protecting its customer against criminal acts of third parties when it did not know or have reason to know such acts were occurring or about to occur.”). • Yes • Negligence claim fails for lack of duty. See Huggins, 585 S.E.2d at 277-78; Memorandum, § IV.C. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 27 of 29 28 Negligence Per Se Ohio South Carolina • No conflict • The violation of a statute can establish duty and breach in each state. • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports claim under either state’s law. See, e.g., Elledge v. Richland/Lexington Sch. Dist. Five, 534 S.E.2d 289, 291 (S.C. Ct. App. 2000). • Yes • Negligence per se claim fails. See Memorandum, § IV.D. Members Choice Credit Union / Texas Economic Loss Rule Potentially Applicable Laws? Conflict? If So, Governing Law? Negligence and/or Negligence Per Se Claims Dismissed? Ohio Texas • No conflict • Both states bar recovery in tort for purely economic damages; not limited to products liability; and direct contractual privity not required. Binder v. Bank of Am. Corp., No. 3:10-CV-770-B, 2010 WL 5017314, at *2 (N.D. Tex. Nov. 22, 2010); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (quoting Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412, 414, 835 N.E.2d 701, 704 (Ohio 2005)); Pennsylvania State Employees Credit Union v. Fifth Third Bank. 398 F. Supp. 2d 317, 319 (M.D. Pa. 2005). • None of the exceptions applies. • Yes. • Both Negligence and Negligence Per Se Claims Barred by ELR Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 28 of 29 29 Negligence Ohio Texas • No conflict • None of the potentially applicable states’ laws recognizes a legal duty owed by a merchant to a payment card issuer, much less a merchant’s franchisor and a payment card issuer. • Absent special relationships or circumstances, there is no duty to protect another from criminal acts of a third person. Fed. Steel & Wire Corp. v. Ruhlin Const. Co., 543 N.E.2d 769, 772 (Ohio 1989); Gibbs v. ShuttleKing, Inc., 162 S.W.3d 603, 609 (Tex. App. 2005). • Texas law does not recognize negligence claims that are outside of Texas common law except in very limited circumstances. See Chair King, Inc. v. GTE Mobilnet of Houston, Inc., 135 S.W.3d 365, 395–96 (Tex.App.2004) (holding that sending unsolicited faxes does not give rise to a common law claim of negligence). • Additionally, “[t]he Texas Supreme Court has refused to create a standard of care or duty based upon internal policies, and the failure to follow such policies does not give rise to a cause of action in favor of customers or others.” Owens v. Comerica Bank, 229 S.W.3d 544, 547 (Tex. App. 2007) (citing FFE Transp. Servs., Inc. v. Fulgham, 154 S.W.3d 84, 92 (Tex. 2006)). • Yes • Negligence claim fails for lack of duty. See Chair King, Inc., 135 S.W.3d at 395-96; Memorandum, § IV.C. Negligence Per Se Ohio Texas • No conflict • Neither state has recognized claim for negligence per se based on violation of Section 5 of FTC Act. None of alternative bases supports claim under either state’s law. See, e.g., Lyondell Petrochemical Co. v. Fluor Daniel, Inc., 888 S.W.2d 547, 556 (Tex. App. 1994). • Yes • Negligence per se claim fails. See Memorandum, § IV.D. Case 2:16-cv-00506-NBF-MPK Document 54-1 Filed 08/22/16 Page 29 of 29