On September 26, 2018, the U.S. District Court for the District of Colorado (“the Court”) refused to dismiss all putative class claims against Chipotle Mexican Grill, Inc. (“Chipotle”). This litigation arose from a 2017 data breach in which hackers stole customers’ payment card and other personal information by using malicious software to access the point-of-sale systems at Chipotle’s locations. 

Chipotle moved to dismiss all claims, arguing that two of the named plaintiffs – Plaintiff Lawson and Plaintiff Baker – lacked standing and that all other plaintiffs failed to state a claim. The motion was first considered by a United States Magistrate Judge, who recommended granting only part of Chipotle’s requested relief. Both Plaintiffs and Chipotle objected to portions of the recommendation. The District Court Judge agreed with the recommendation in part.

The Court first found that Plaintiff Lawson’s allegations of debit card misuse, time spent obtaining a new debit card, inability to receive cash back awards on certain purchases, and the cost to expedite delivery of a new card for impending travel all demonstrated injury in fact sufficient for standing. It also determined that more than just Plaintiff Baker’s name and payment card number may have been stolen, thus alleging facts sufficient to establish an impending injury.

The District Court Judge further found that certain allegations failed to state claims. Specifically, the Court dismissed claims for: (1) negligence; (2) negligence per se; (3) violation of the Colorado Consumer Protection Act; (4) unjust enrichment; and (5) violation of the Illinois Uniform Deceptive Trade Practices Act. However, the following claims survived Chipotle’s dismissal efforts: (1) breach of implied contract; (2) fraudulent omission claims (under Arizona, California, and Illinois consumer protection laws); (3) violation of California’s Unfair Competition Law; and (4) various damages claims (under California, Illinois, and Missouri consumer protection laws).

View Court’s Order.