
    Todd GORDON, Marc Mercer, Kristen Mercer, Kristin Baker Michelle Fowler, Greg Lawson and Judy Conard, Plaintiffs, v. CHIPOTLE MEXICAN GRILL, INC., Defendant.
    Civil Action No. 17-cv-01415-CMA-SKC
    United States District Court, D. Colorado.
    Signed September 26, 2018
    Benjamin F. Johns, Jessica L. Titler-Lingle, Chimicles & Tikellis, LLP, One Haverford Centre, Haverford, PA, Jean Sutton Martin, Jean Sutton Martin, PLLC, Wilmington, NC, Justin Daniel Blum, Kevin Scott Hannon, Hannon Law Firm, LLC, Denver, CO, Tina Wolfson, Ahdoot & Wolfson, PC, Los Angeles, CA, for Plaintiffs.
    Ann Yackshaw, Baker & Hostetler, LLP, Columbus, OH, Carrie Dettmer Slye, Baker & Hostetler, LLP, Cincinnati, OH, Paul Gregory Karlsgodt, Xakema Henderson, Baker & Hostetler, LLP, Denver, CO, Sam Anthony Camardo, Baker & Hostetler, LLP, Cleveland, OH, for Defendant.
    ORDER AFFIRMING IN PART AND REJECTING IN PART THE AUGUST 1, 2018 RECOMMENDATION OF UNITED STATES MAGISTRATE JUDGE AND GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS
   CHRISTINE M. ARGUELLO, United States District Judge

This matter is before the Court on the August 1, 2018 Recommendation by United States Magistrate Judge Mark L. Carman (Doc. # 73), in which he recommended that the Court grant in part and deny in part Defendant Chipotle Mexican Grill, Inc.'s Motion to Dismiss (Doc. # 43). Plaintiffs, a putative class of Defendant's customers, and Defendant object to portions to the Recommendation. (Doc. ## 76, 77.) For the reasons described below, the Court adopts in part and rejects in part the Recommendation and grants in part and denies in part Defendant's Motion to Dismiss.

I. BACKGROUND

Defendant operates more than 2,000 fast-casual Chipotle burrito restaurants across the United States and two quick-serve Pizzeria Locale pizza locations in Colorado. (Doc. # 36 at 11.) It is incorporated in Delaware and maintains its principal place of business in Denver, Colorado. (Id. ) Defendant experienced a data breach in early 2017, see (Doc. # 43 at 2); between March 24, 2017, and April 18, 2017, hackers utilized malicious software to access the point-of-sale systems at Defendant's locations and stole customers' payment card information and other personal information (the "Chipotle Data Breach") (id. ). Defendant issued a security notice on April 25, 2017, to alert its customers to the Chipotle Data Breach:

We want to make our customers aware that we recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurants.... We anticipate providing notification to any affected customers as we get further clarity about the specific timeframes and restaurant locations that may have been affected. Consistent with good practices, consumers should closely monitor their payment card statements. If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.

(Doc. # 36 at 13-14.)

Plaintiffs allege that they used payment cards at Defendant's restaurants in the states in which they reside during the Chipotle Data Breach and that their personally identifiable information ("PII") was compromised by the breach. (Id. at 1-2.) Plaintiffs bring this action "individually and on behalf of others similarly situated" and seek to recover damages for their alleged loss of time and money "resolving fraudulent charges ... [and] obtaining protections against future identity theft," loss of control "over the value of personal information, and financial losses "related to purchases made at Chipotle that Plaintiffs ... would have never made," to "fraudulent charges," and to "exceeding credit and debit card limits and balances." (Id. at 29.) They bring several tort, contract, statutory, and equitable claims, apparently under the laws of the states in which they reside and made their purchases:

1. Negligence (id. at 40-42);
2. Negligence per se (id. at 42-44);
3. Violation of the Colorado Consumer Protection Act, C.R.S. § 6-1-105(1)(I), et seq., (id. at 45-50);
4. Breach of implied contract (id. at 50-52);
5. Unjust enrichment (id. at 52-53);
6. Violation of the Arizona Consumer Fraud Act, Ariz. Rev. Stat. §§ 44-1521, et seq., by Plaintiff Gordon (id. at 53-56);
7. Violation of the California Customer Records Act, Cal. Civ. Code § 1798.80, et seq, by Plaintiffs Baker and Conard and the Mercer Plaintiffs (id. at 57-59);
8. Violation of the California Unfair Competition Law, Cal Bus. & Prof. Code § 17200, et seq, by Plaintiffs Baker and Conard and the Mercer Plaintiffs (id. at 59-63);
9. Violation of the California Consumers Legal Remedies Act, Cal. Civ. Code §§ 1750, et seq., by Plaintiffs Baker and Conard and the Mercer Plaintiffs (id. at 63-66);
10. Violation of the Illinois Consumer Fraud and Deceptive Practices Act, 815 Ill. Comp. Stat. §§ 505/1, et seq., by Plaintiff Fowler (id. at 66-70);
11. Violations of the Illinois Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. §§ 510/1, et seq., by Plaintiff Fowler (id. at 70-71); and
12. Violation of the Missouri Merchandising Practices Act, Mo. Ann. Stat. § 407.020(1), et seq., by Plaintiff Lawson (id. at 71-73).

Plaintiffs will presumably seek class certification pursuant to Federal Rule of Civil Procedure 23. See (id. at 34-35.)

Defendant filed its Motion to Dismiss on January 22, 2018. (Doc. # 43.) First, Defendant asserts that Plaintiffs Baker and Lawson do not have standing because they have not alleged an injury in fact and must be dismissed pursuant to Rule 12(b)(1). (Id. at 3-8.) Second, it asserts that the remaining Plaintiffs' claims fail to state a claim for relief and must be dismissed pursuant to Rule 12(b)(6). (Id. at 8-26.) Plaintiffs filed their Response on February 21, 2018 (Doc. # 57), to which Defendant replied on March 14, 2018 (Doc. # 64.)

Magistrate Judge Carman issued his Recommendation on Defendant's Motion to Dismiss on August 1, 2018. (Doc. # 73.) As the Court will discuss in further detail, Magistrate Judge Carman recommended:

• Granting in part and denying in part the motion to dismiss Plaintiffs Baker and Lawson for lack of standing, to dismiss only the allegations of independent value in Plaintiffs' stolen PII and overpayment;
• Granting the motion to dismiss Counts 1, 2, 3, and 11;
• Denying the motion to dismiss Counts 4, 6, 9, 10, and 12, and
• Granting in part and denying in part the motion to dismiss Counts 5, 7, and 8.

(Id. at 60.) Both Plaintiffs and Defendant filed Objections to the Recommendation on August 15, 2018. (Doc. ## 76, 77.) They timely responded to one another's Objections on August 29, 2018. (Doc. ## 80, 81.)

II. APPLICABLE LEGAL PRINCIPLES

A. STANDARD OF REVIEW: REVIEW OF A RECOMMENDATION

When a magistrate judge issues a recommendation on a dispositive matter, Federal Rule of Civil Procedure 72(b)(3) requires that the district judge "determine de novo any part of the magistrate judge's [recommended] disposition that has been properly objected to." An objection is properly made if it is both timely and specific. United States v. One Parcel of Real Property Known As 2121 East 30th Street , 73 F.3d 1057, 1059 (10th Cir. 1996). In conducting its review, "[t]he district judge may accept, reject, or modify the recommended disposition; receive further evidence; or return the matter to the magistrate judge with instructions." Fed. R. Civ. P. 72(b)(3).

B. RULE 12(B)(1)

Dismissal pursuant to Rule 12(b)(1) is appropriate if the Court lacks subject matter jurisdiction over claims for relief asserted in the complaint. "The burden of establishing subject matter jurisdiction is on the party asserting jurisdiction." Port City Props. v. Union Pac. R.R. Co. , 518 F.3d 1186, 1189 (10th Cir. 2008). Rule 12(b)(1) challenges are generally presented in one of two forms: "[t]he moving party may (1) facially attack the complaint's allegations as to the existence of subject matter jurisdiction, or (2) go beyond allegations contained in the complaint by presenting evidence to challenge the factual basis upon which subject matter jurisdiction rests." Merrill Lynch Bus. Fin. Servs., Inc. v. Nudell , 363 F.3d 1072, 1074 (10th Cir. 2004) (quoting Maestas v. Lujan , 351 F.3d 1001, 1013 (10th Cir. 2003) ); See Ruiz v. McDonnell , 299 F.3d 1173, 1180 (10th Cir. 2002). When reviewing a facial attack, a court takes the allegations in the complaint as true, but when in reviewing a factual attack, the court does not presume the truthfulness of the complaint's factual allegations and may consider affidavits or other documents to resolve jurisdictional facts. Holt v. United States , 46 F.3d 1000, 1002-03 (10th Cir. 1995). Defendant's Motion to Dismiss launches a facial attack on this Court's subject matter jurisdiction. See (Doc. # 73 at 4.)

Defendant takes issue with the standing of Plaintiffs Baker and Lawson. (Doc. # 43 at 3.) Article III of the United States Constitution restricts the federal courts to the adjudication of "Cases" and "Controversies." U.S. Const. art. III, § 2, cl. 1 ; Steel Co. v. Citizens for a Better Env't , 523 U.S. 83, 102, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998). The standing inquiry ensures that a plaintiff has a sufficient personal stake in the dispute to ensure the existence of a live case or controversy that renders judicial resolution appropriate. See Allen v. Wright , 468 U.S. 737, 750-51, 104 S.Ct. 3315, 82 L.Ed.2d 556 (1984). To establish Article III standing, a plaintiff must show that: (1) he has suffered an "injury in fact"; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by the relief requested. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc. , 528 U.S. 167, 180, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). Defendant contends that Plaintiffs Baker and Lawson cannot satisfy the first element of standing-injury in fact. See (Doc. # 43 at 3.)

To establish injury in fact, a plaintiff is required to show an injury that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical. Tandy v. City of Wichita , 380 F.3d 1277, 1283 (10th Cir. 2004). The plaintiff must be suffering a continuing injury or be under a real and immediate threat of being injured in the future. City of Los Angeles v. Lyons , 461 U.S. 95, 101-02, 107 n.8, 103 S.Ct. 1660, 75 L.Ed.2d 675 (1983). A threatened injury must be "certainly impending" or "likely"-not merely speculative. See Tandy , 380 F.3d at 1283 ; see also Clinton v. City of New York , 524 U.S. 417, 433, 118 S.Ct. 2091, 141 L.Ed.2d 393 (1998). While general factual allegations of injury may suffice, Lujan v. Defenders of Wildlife , 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992), conclusory allegations are insufficient; the plaintiff "must adequately allege a plausible claim of injury," COPE v. Kan. State Bd. of Educ. , 821 F.3d 1215, 1221 (10th Cir. 2016).

C. RULE 12(B)(6)

The Court may dismiss a complaint for failure to state a claim upon which relief can be granted. Fed. R. Civ. Pro. 12(b)(6). To withstand a Rule 12(b)(6) motion to dismiss, "a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.' "

Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). A claim is facially plausible "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. (citing Twombly , 550 U.S. at 556, 127 S.Ct. 1955 ). The scope of the allegations may not be "so general that they encompass a wide swath of conduct, much of it innocent" or else the plaintiff has " 'not nudged [his] claims across the line from conceivable to plausible.' " Robbins v. Oklahoma , 519 F.3d 1242, 1247 (10th Cir. 2008) (quoting Twombly , 550 U.S. at 570, 127 S.Ct. 1955 ). A plaintiff may not rely on mere labels or conclusions, "and a formulaic recitation of the elements of a cause of action will not do." Twombly , 550 U.S. at 555, 127 S.Ct. 1955. The ultimate duty of the court is to "determine whether the complaint sufficiently alleges facts supporting all the elements necessary to establish an entitlement to relief under the legal theory proposed." Forest Guardians v. Forsgren , 478 F.3d 1149, 1160 (10th Cir. 2007).

III. ANALYSIS

Between Plaintiffs' Objections (Doc. # 76) and Defendant's Objections (Doc. # 77), the parties object to Magistrate Judge Carman's analysis of nine of the twelve claims. The Court will begin by addressing the standing of Plaintiffs Baker and Lawson under Rule 12(b)(1) and will then address each claim under Rule 12(b)(6) in the order that Plaintiffs assert them.

A. RULE 12(B)(1) MOTION: STANDING OF PLAINTIFFS BAKER AND LAWSON

Plaintiff Baker alleges in the Complaint that a few days after she used her debit card to purchase food at a Chipotle restaurant, "fraudulent activity appeared on the same debit card account." (Doc. # 36 at 7.) She states:

On April 3, 2017, three unauthorized charges were attempted on Plaintiff [Baker]'s debit card. She learned about the attempts via email alerts from her bank, for online purchases of $69.99, $19.99, and $49.99, respectively. The charge of $49.99 went through, but the others were declined. Ultimately, Plaintiff [Baker]'s bank refunded the unauthorized charge.

(Id. )

Plaintiff Lawson similarly alleges that he used his debit card, "the primary card [he] uses for daily expenditures because of the cash back rewards program," to purchase food at a Chipotle restaurant. (Id. at 9.) He explains:

Within a few weeks of this visit, Plaintiff Lawson was contacted by the issuing bank and advised that his debit card had been compromised as a result of the Chipotle Data Breach. The bank informed Plaintiff Lawson that it would be closing the account, opening a new account, and re-issuing a new debit card. Because Plaintiff Lawson had upcoming travel plans, he paid $45 to have the new debit card expedited to him. Unfortunately, despite the attempt to expedite and the money expenditure, a new card did not arrive before he left town. Therefore, Plaintiff Lawson did not have his debit card to use for his travel expenses as he planned. As a result of having been victimized by the Chipotle Data Breach, Plaintiff Lawson has been required to spend time communicating with his bank regarding his compromised card, account transfer, and replacement card.

(Id. at 9-10.)

Additionally, all Plaintiffs allege losses "[a]s a direct and proximate result" of the Chipotle Data Breach, including:

loss of time and money resolving fraudulent charges; loss of time and money obtaining protections against future identity theft; financial losses related to the purchases made at Chipotle that Plaintiffs and Class members would have never made had they known of Chipotle's careless approach to cybersecurity; lost control over the value of personal information; unreimbursed losses relating to fraudulent charges; losses and fees relating to exceeding credit and debit card limits and balances, and bounced transactions; harm resulting from damaged credit scores and information; and other harm resulting from the unauthorized use or threat of unauthorized use of stolen Card Information.

(Id. at 29-30.)

Defendant argues in its Motion to Dismiss that Plaintiffs Baker and Lawson "have not suffered an injury in fact that is fairly traceable to [Defendant's] actions" and therefore lack standing. (Doc. # 43 at 3-8.)

1. Magistrate Judge's Analysis

Magistrate Judge Carman largely rejected Defendants' arguments that Plaintiffs Baker and Lawson lack standing, concluding that they allege injuries in fact. (Doc. # 73 at 16.) Because Defendants challenge whether Plaintiffs Baker and Lawson's harms are sufficiently concrete, the Magistrate Judge assessed whether Plaintiffs Baker and Lawson plausibly alleged "an actual harm, or ... a future harm that is 'certainly impending' or ... for which there is 'a substantial risk that the harm will occur.' " (Id. at 7-8) (quoting Engl v. Nat. Grocers by Vitamin Cottage, Inc. , No. 15-cv-020129-MSK, 2016 WL 8578096, *10-11 (D. Colo. June 20, 2016), aff' d and adopted , 2016 WL 8578252 at *3 (quoting Clapper v. Amnesty Int'l USA , 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) ) ).

First, Magistrate Judge Carman concluded that Plaintiff Lawson sufficiently alleges an actual harm. (Doc. # 73 at 8-12.) The Magistrate Judge inferred from Plaintiff Lawson's allegations that he suffered misuse of his debit card, an actual injury, as "his issuing bank went to the trouble of closing and reissuing a new payment card because there was some attempted misuse of his payment card." (Id. at 11.) Magistrate Judge Carman also accepted Plaintiff Lawson's allegation that he suffered actual harm in not obtaining his cash back rewards on his travel expenses because Defendant did not "explain why the [C]ourt should consider cash back rewards as having no monetary value as a matter of law." (Id. ) Similarly, he accepted Plaintiff Lawson's allegation that he suffered actual harm in time spent addressing the theft of his debit card information and obtaining a new card. (Id. at 11-12.) As to Plaintiff Lawson's expenditure of $45.00 to expedite delivery of his new card, Magistrate Judge Carman stated that "plausibly alleges an actual harm for standing" if Plaintiff Lawson did so "in the attempt to not lose the cash back rewards he expected on his travel expenses." (Id. at 12.)

Second, Magistrate Judge Carman concluded that Plaintiff Baker "plausibly alleges a certainly impending harm or substantial risk thereof." (Id. at 12-16.) The Magistrate Judge detailed case law from consumer data breach cases, with a particular focus on the Court's explanation in Engl :

[A] plaintiff demonstrates a cognizable Art. III injury, based on the risk of exposure to future fraudulent purchases or identity theft, by showing that: (i) his or her credit card or other financial or personal data was exposed to hackers in a data breach, and (ii) that there is reason to believe that the hackers or others are making actual fraudulent use of the purloined data.

2016 WL 8578252 at *6. He noted, however, that in cases where allegations showed no ongoing potential for harm-where, for example, the information stolen could not enable identify theft-the allegations were held to be too speculative. (Doc. # 73 at 13- 14) (citing, e.g. , In re SuperValu, Inc. , 870 F.3d 763, 769-70 (8th Cir. 2017) ). With respect to Plaintiff Baker's allegations, he determined there was "a fact issue regarding whether more than just [her] name and credit card account number were stolen." (Id. at 16.) Presumably because Defendant's Motion to Dismiss was before him, Magistrate Judge Carman "infer[ed] from the allegations ... [the] personal information taken in the Chipotle breach ... could enable fraudulent accounts to be opened in Ms. Baker's name." (Id. ) He therefore concluded that Plaintiff Baker alleges facts sufficient to demonstrate "a certainly impending harm or substantial risk thereof." (Id. )

For these reasons, Magistrate Judge Carman recommended denying Defendant's Motion to Dismiss Under Rule 12(b)(1) as to Plaintiffs Baker and Lawson. (Id. )

Magistrate Judge Carman's Recommendation as to standing was nuanced though; he recommended that the Court dismiss "allegations of 'lost control over the value of personal information' and overpayment" because these allegations do not demonstrate injury in fact. (Id. ) However, Plaintiffs do not make independent claims that they lost value in controlling their personal information or that they overpaid Defendant by an indeterminate amount they believed Defendant would spend to make transactions secure. See generally (Doc. # 36.) One could, as Defendant apparently has, infer from Plaintiffs' Complaint that Plaintiffs have these beliefs, but nowhere in the Complaint do Plaintiffs assert claims based solely on them. There is therefore nothing for the Court to dismiss as to "allegations of 'lost control over the value of personal information' and overpayment." See (Doc. # 73 at 16.) The Court rejects that portion of the Recommendation.

2. Plaintiffs' Objection

Plaintiffs object only to Magistrate Judge Carman's analysis of Plaintiff Baker's standing. (Doc. # 76 at 3-8.) They argue that Magistrate Judge Carman erred by determining that Plaintiff Baker does not allege an actual injury, only that she alleges a substantial risk that she will be harmed. (Id. ) Magistrate Judge Carman briefly stated that Plaintiff Baker "does not allege actual harm" because "she does not allege she spent time or money addressing the fraudulent charges, whether she was deprived of use of her account for a time, nor any expenses incurred from the need to (apparently) close and reopen a new account with a new card number." (Doc. # 73 at 10.) Plaintiffs contend that the Magistrate Judge "overlooked certain allegations" in the Complaint, such as the allegation that all Plaintiffs suffered "significant costs associated with ... closing out and opening new credit or debit card accounts or ordering replacement cards," and that such allegations "sufficiently establish injury-in-fact." (Doc. # 76 at 3- 4); See (Doc. # 36 at 4.)

Plaintiffs also argue that Magistrate Judge Carman's statement that payment card data alone is not among the types of PII that can enable identify theft is inaccurate. (Doc. # 76 at 4.) They reject his citation to In re SuperValu, Inc. , 870 F.3d at 769-70, because he "misapplied [its] reasoning," and assert that Dieffenbach v. Barnes & Noble, Inc. , 887 F.3d 826, 827-28 (7th Cir. 2018), is more persuasive. (Doc. # 76 at 5.) In Dieffenbach , "scoundrels" had compromised some of Barnes & Noble's PIN pads and "acquired details such as customers' names, card numbers and expiration dates, and PINs." 887 F.3d at 827. The Seventh Circuit held that the plaintiffs, Barnes & Noble's customers affected by the breach, alleged an injury in fact and had standing "because the data theft may have led them to pay money for credit-monitoring services, because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and because the value of one's own time needed to set things straight is a loss from an opportunity cost perspective." Id. at 828. Plaintiffs urge this Court to therefore find that Plaintiff Baker alleges an actual injury.

The Court is not persuaded by Plaintiffs' objection. First, as to the allegations Plaintiffs contend Magistrate Judge Carman overlooked, the Court agrees with the Magistrate Judge's decision to not address the general allegations all Plaintiffs allege, as they contain no detail and are not plaintiff-specific. Magistrate Judge Carman did not err by considering only Plaintiff Baker's unique allegations. Second, Dieffenbach did not address whether the plaintiffs alleged an actual injury or that they faced a real and immediate threat of being injured in the future. It therefore does not stand for the proposition that the theft of customers' names, card numbers and expiration dates, and PINs alone constitutes an actual injury. Third, the Magistrate Judge accurately described that a number of courts have reasoned that "a risk of future identity theft is sufficient for standing only if the data breach exposed the types of PII that can enable identity theft." See (Doc. # 73 at 14-6.) The Court therefore affirms Magistrate Judge Carman's determination that Plaintiff does not allege an actual injury but does sufficiently allege a substantial risk of future injury.

B. RULE 12(B)(6) MOTION: CLAIMS FOR RELIEF

1. Claim 1: Negligence

Plaintiffs assert a claim for negligence "individually and on behalf of the class" but do not identify under which state's laws each of them and the class pursues their negligence claim. See (Doc. # 36 at 40-42.) Defendant contends in its Motion to Dismiss that because Plaintiffs' negligence claim fails under all the relevant states' laws pursuant to the economic loss doctrine, no choice of law analysis is necessary. (Doc. # 43 at 8.) In their Response to the Motion to Dismiss, Plaintiffs do not address whether a choice of law analysis is necessary. (Doc. # 57.)

a. Magistrate Judge's Analysis

Magistrate Judge Carman conducted a lengthy examination to determine whether a choice of law analysis is required, looking for outcome-determinative differences between the five applicable states' economic loss doctrines. (Doc. # 73 at 18-35.) After detailing his understanding of each state's economic loss doctrine, he concluded that there were outcome-determinative differences between Colorado, Illinois, and Missouri on one hand, where he predicted the economic loss doctrine would bar Plaintiffs' negligence claim, "and Arizona and California on the other," where he predicted the economic loss doctrine would not bar Plaintiffs' negligence claim. (Id. at 18, 35.)

Because he found outcome-determinative differences, Magistrate Judge Carman therefore applied the choice of law rules of Colorado, the forum state, which in turn follows the Restatement (Second) of Conflict of Laws. (Id. at 35); See Kipling v. State Farm Mut. Auto. Ins. Co. , 774 F.3d 1306, 1310 (10th Cir. 2014). He was persuaded by the Court's dicta in SELCO Community Credit Union v. Noodles & Company , another data breach case, that

Several Restatement factors support applying Colorado law over the laws of plaintiffs' home states. In particular, plaintiffs allege that Noodles & Company's tortious conduct occurred at the company's headquarters in Colorado; more weight is accorded to the location of this conduct than normal because the resulting injuries occurred in multiple states; and the location of these injuries is fortuitous because the Noodles & Company customers whose information was compromised could have belonged to banks located anywhere in the world.

See (Doc. # 73 at 35) (quoting SELCO Community Credit Union v. Noodles & Company , 267 F.Supp.3d 1288, 1292 n.1 (D. Colo. 2017), appeal dismissed , No. 17-1289, 2017 WL 7668565 (10th Cir. Nov. 20, 2017) ). Because "[t]he same is true of Plaintiffs' allegations in this case," the Magistrate Judge concluded that Colorado law governs Plaintiffs' negligence claim. (Id. )

Under the Magistrate Judge's understanding of Colorado law, Colorado's economic loss doctrine would bar Plaintiffs' negligence claim: "[I]n the absence of reasoned argument from Plaintiff that Colorado would recognize an independent duty in this case, the [C]ourt concludes Colorado's economic loss doctrine would bar the negligence claim based on the implied contract, the [Payment Card Industry] contracts, or both." (Id. ) He therefore recommended "dismissing the negligence claim in Count 1 as to all Plaintiffs." (Id. )

b. Plaintiffs' Objection: Choice of Law

Plaintiffs agree that "there are outcome-determinative differences between California and Arizona law, on one hand, and Colorado law on the other" and that Colorado's choice of law rules therefore apply. (Doc. # 76 at 6.) Plaintiffs object, however, to Magistrate Judge Carman's determination that Colorado has the most significant relationship to the occurrence and the parties. (Id. at 9-13.) Plaintiffs argue that "Plaintiffs' home states have the most significant relationship" because the situs of the injury-their home states, where they used their payment cards to buy food at Chipotle-should be afforded the most weight amongst the Restatement factors. (Id. at 9-10); See Restatement (Second) of Conflict of Laws § 6(2). Plaintiffs conclude that "Arizona and California law should apply to those Plaintiffs' respective negligence claims." (Id. at 9-10.)

The Court affirms the Magistrate Judge's choice of law analysis and his conclusion that for Plaintiffs in Arizona, Colorado law governs their negligence claim. See (Doc. # 73 at 35.) For tort claims, Colorado follows the Restatement and applies the law of the state with the most significant relationship to the occurrence and the parties. AE, Inc. v. Goodyear Tire & Rubber Co. , 168 P.3d 507, 509-10 (Colo. 2007). The determination of which state has the most significant relationship is informed by:

(a) the place where the injury occurred,
(b) the place where the conduct causing the injury occurred,
(c) the domicile, residence, nationality, place of incorporation and place of business of the parties, and
(d) the place where the relationship, if any, between the parties is centered. Restatement (Second) Conflict of Laws § 145 ; AE, Inc. , 168 P.3d at 510.

The Court agrees with Magistrate Judge Carman's determination that Colorado has the most significant relationship to the occurrence and the parties. Plaintiffs overstate the importance of the first factor, the place where the injury occurred (their home states). See (Doc. # 76 at 10.) As Defendant asserts in its Response, the location of the injuries "is not so localized." (Doc. # 81 at 5.) The location of the injuries is fortuitous, as it was in SELCO Community Credit , 267 F.Supp.3d at 1292 n.1, because Plaintiffs (and potential class members) could have had transactions at any Chipotle location in the country and because third parties may have used Plaintiffs' PII anywhere in the world. The first factor is therefore of little weight. See Restatement (Second) of Conflict of Laws § 145, cmt. e ("[T]he place of injury will not play an important role of the selection of the state of the applicable law ... when the place of the injury can be said to be fortuitous ... [or when] injury has occurred in two or more states.").

Rather, the second factor is more significant in determining what state has the most significant relationship to this action. "When the injury occurred in two or more states, or when the place of injury ... is fortuitous and ... bears little relation to the occurrence and the parties, the place where the defendant's conduct occurred will usually be given particular weight in determining the state of the applicable law." Id. It is undisputed that Defendant's alleged conduct occurred in Denver, Colorado. See (Doc. # 36 at 19.) Colorado law therefore governs the Arizona Plaintiffs' negligence claim. And, as Magistrate Judge Carman accurately explained, Colorado's economic loss doctrine "would bar the negligence claim." See (Doc. # 73 at 35.)

The Court therefore rejects Plaintiffs' objection as to choice of law.

c. Defendant's Objection: California's Economic Loss Doctrine

Defendant does not take issue with the Magistrate Judge's ultimate recommendation that the negligence claim should be dismissed. (Doc. # 77 at 1.) It objects only to the Magistrate Judge's analysis of California's economic loss doctrine; in its view, "[t]he California economic loss rules bars the negligence claims of [Plaintiffs] Mercers, Baker, and Conard" because the special relationship exception does not apply. (Id. at 3-5.) Defendant states that California's special relationship exception is only applicable to third-party relationships, which Plaintiffs and Defendant do not have in this case. (Id. at 4) (citing Resnick v. Hyundai Motor America, Inc. , No. CV 16-00593-BRO, 2017 WL 1531192, *11 (C.D. Cal. Apr. 13, 2017) ; Body Jewelz, Inc. v. Valley Forge Ins. Co. , 241 F.Supp.3d 1084, 1092-93 (C.D. Cal. Mar. 14, 2017) ).

The Court agrees with Defendant's objection and therefore disagrees with Magistrate Judge Carman's determination, made in the context of determining whether there are outcome-determinative differences between the relevant states' laws, that California's economic loss doctrine does not bar Plaintiffs' negligence claim because it falls within the state's special relationship exception. See (Doc. # 73 at 27.) The case law to which Defendant cites clearly provides that the special relationship exception is not applicable where, unlike in J'Aire , the parties are in privity of contract, such as where the plaintiff has bought goods from the defendant. See Resnick , 2017 WL 1531192 at *11 (where the plaintiffs had purchased cars with allegedly defective paint from the defendant, holding that "the special relationship exception does not apply" because "the plaintiff is not a third party to a transaction but has a direct contractual relationship with the defendant").

The Court therefore concludes that California's economic loss doctrine does bar Plaintiffs' negligence claim. There is not an outcome-determinative difference between Colorado law and California law, just as there are not outcome-determinative differences between Colorado law and Illinois and Missouri laws. However, this does not affect Magistrate Judge Carman's ultimate recommendation that the Court dismiss Plaintiffs' negligence claim.

For these reasons, the Court affirms the Magistrate Judge's recommendation that Claim 1 be dismissed en toto . (Doc. # 73 at 60.)

2. Claims 2 and 3: Negligence Per Se and Violation of the Colorado Consumer Protection Act

Magistrate Judge Carman recommended that the Court dismiss Plaintiffs' second and third claims pursuant to Rule 12(b)(6). (Id. at 40, 42.) Neither party objects to these recommendations. The Court has reviewed the Magistrate Judge's thorough examination and is satisfied that recommendations on Claims 2 and 3 are sound and not contrary to law. See Fed. R. Civ. P. 72(a). It affirms the Recommendation as to the dismissal of Claims 2 and 3. (Doc. # 73 at 60.)

3. Claim 4: Breach of Implied Contract

Plaintiffs assert that they and class members had implied contracts with Defendant: "Defendant invited Plaintiffs ... to purchase food at [its] restaurants using their credit or debit cards," Plaintiffs accepted the offer by "using their credit or debit cards to purchase food" and, "in connection with those transactions, provided [Defendant] with their Card Information." (Doc. # 36 at 50.) Plaintiffs allege that "[i]n exchange, [Defendant] agreed, among other things:

(1) to provide food products to Plaintiffs and Class Members; (2) to take reasonable measures to protect the security and confidentiality of Plaintiffs' and Class Members' Card Information; (3) to protect Plaintiffs' and Class Members' personal information in compliance with federal and state laws and regulations and industry standards, and (4) to accurately and promptly notify Plaintiffs and Class Members if their data had been breached or compromised.

(Id. ) The "[p]rotection of personal information is a material term of the contracts," Plaintiffs contend. (Id. )

Defendant moves for dismissal of Plaintiffs' claim for breach of implied contract on the ground that "Plaintiffs fail to allege conduct on [Defendant's] part that would support an offer [by Defendant] to provide them data security." (Doc. # 43 at 16.)

a. Magistrate Judge's Analysis

Magistrate Judge Carman determined that "Plaintiffs state enough facts to plausibly allege the elements for an implied contract regarding the security of their PII that [Defendant] obtained in their transactions." (Doc. # 73 at 42) (citing Engl , 2016 WL 8578096 at *10-11 ). He rejected Defendant's citation to cases "holding that a transaction does not imply an agreement regarding data security" and Defendant's argument "that data security is not necessary to purchase or sell a burrito using a payment card," stating that "the alleged implied contract regards the means of payment (and security of the PII involved therein), not the purchase of goods." (Id. ) Magistrate Judge Carman recognized conflicting decisions from various jurisdictions as to whether a seller's offer to accept payment cards implies that it will take reasonable measures to ensure that the PII involved remains secure, but he concluded that "on the allegations Plaintiffs present here, it is a factual issue that cannot be resolved" at the motion to dismiss stage. (Id. at 42-43.) He therefore recommended that the Court deny Defendant's Motion to Dismiss as to Claim 4. (Id. at 43.)

b. Defendant's Objection

Defendant objects to Magistrate Judge Carman's discussion of Plaintiffs' breach of implied contract claim primarily because the "implied contract [Plaintiffs] pleaded" was not a standalone contract regarding data security but was a contract for the purchase of food in which data security was a term. (Doc. # 77 at 5.) It faults the Magistrate Judge for interpreting Plaintiffs' allegation as an "alleged implied contract regard[ing] the means of payment (and security of the PII involved there.)" (Id. ) (quoting Doc. # 73 at 42.) Defendant also urges the Court to "follow the persuasive authority" it cited to the Magistrate Judge, such as Lovell v. P.F. Chang's China Bistro, Inc. , No. C14-1152RSL, 2015 WL 4940371, *3 (W.D. Wash. Mar. 27, 2015). (Doc. # 77 at 6.)

The Court is not persuaded by Defendant's objection regarding Claim 4. The Court need not look to Defendant's authority from other jurisdictions, as its decision in Engl v. Natural Grocers by Vitamin Cottage, Inc. , 2016 WL 8578096 at *10-11, addressed an analogous situation. In Engl , the plaintiff alleged that the defendant, a grocery store chain, failed to secure and safeguard its customers' personal financial data, including payment card information, resulting in a data breach. Id. at *1. The plaintiff asserted a claim for breach of implied contract, alleging that by providing personal and financial data during payment, he entered into an implied contract with the defendant, "whereby [the defendant] became obligated to reasonably safeguard [his] ... sensitive, non-public information." Id. at *10. Magistrate Judge Wang recommended, and the Court affirmed, see 2016 WL 8578252, that the Court "should not determine, at the motion to dismiss phase, whether [the defendant's] sales to [the plaintiff] included an implied term that [the defendant] would take reasonable measures to protect [the plaintiff's] private information." 2016 WL 8578096 at *11 (citing In re Hannaford Bros. Co. Customer Data Breach Litig. , 613 F.Supp.2d 108, 118-19 (D. Me. 2009), aff'd in relevant part , 659 F.3d 151 (1st Cir. 2011) ). The Court agrees. Defendant's objection does not address the persuasive value of Engl ; it merely cites to other jurisdictions instead.

For this reason, the Court finds that whether Defendant's sales to Plaintiffs included an implied term about data security cannot be decided at this juncture. The Court affirms the Magistrate Judge's recommendation that it deny Defendant's Motion to Dismiss as to Claim 4. (Doc. # 73 at 43.)

4. Claim 5: Unjust enrichment

Plaintiffs premise their claim for unjust enrichment on the theory that they "conferred a monetary benefit upon [Defendant] in the form of monies paid for the purchase of food services" and that "[t]he monies for food and food services that [they] paid to [Defendant] were supposed to be used by [Defendant], in part, to pay for the administrative costs of reasonable data privacy and security practices and procedures." (Doc. # 36 at 52.) Defendant argues that Plaintiffs' unjust enrichment claim should be dismissed because Plaintiffs "paid [Defendant] for food ... and do not allege that they did not receive this food." (Doc. # 43 at 18.) It asserts that there was no understanding between the parties that some portion of the purchase prices was specifically intended for data security, noting that "cash and card customers pay the same price." (Id. at 19.)

Plaintiffs clarify in response that they do not assert unjust enrichment by overpayment; rather, they assert unjust enrichment by the entire amount of their purchases, as "they would never have made purchases at Chipotle had they know about [Defendant's] failure to implement adequate card information protection." (Doc. # 57 at 17.)

a. Magistrate Judge's Analysis

Magistrate Judge Carman decided that Plaintiffs' allegations suffice to plausibly allege unjust enrichment and recommended "denying the motion in part as to Count 5's allegation that Plaintiffs would not have made purchases from [Defendant], had it disclosed it was not using reasonable data security measures." (Doc. # 73 at 44-45.) However, Magistrate Judge Carman recommended "granting the motion in part as to Count 5's overpayment theory." (Id. at 45.)

b. Defendant's Objection

Defendant rejects Plaintiffs' contention that their unjust enrichment claim is premised on a 'would not have shopped' theory, as opposed to an overpayment theory. (Doc. # 77 at 6.) Defendant observes that Plaintiffs do not ask for a refund of the entirety of their payments, rather, they allege in their Complaint that they suffered "actual damages in an amount equal to the difference in value between food services with the reasonable data privacy and security practices and procedures that [they] paid for, and the inadequate food services without reasonable data privacy and security practices and procedures that they received." (Id. at 8) (quoting Doc.

# 36 at 52.) Defendant states that "[t]his is a request for overpayment damages, which the Magistrate Judge appropriately recommended dismissing." (Id. ) (citing Irwin v. Jimmy John's Franchise, LLC , 175 F.Supp.3d 1064, 1071 (C.D. Ill. 2016) ).

The Court agrees with Defendant that Plaintiffs' unjust enrichment claim must be dismissed. As Defendant stated in its Motion to Dismiss, "unjust enrichment requires [P]laintiffs to allege that they conferred a benefit on Chipotle, and that it would be unjust for Chipotle to keep this benefit." (Doc. # 43 at 18) (collecting cases). Plaintiffs admit that they "conferred a monetary benefit upon Chipotle in the form of monies paid for the purchase of food services ." (Doc. # 36 at 52) (emphasis added). It is undisputed that Plaintiffs received the food services for which they paid. Defendant was therefore not unjustly enriched by retaining Plaintiffs' payments. Plaintiffs' contorted 'would not have shopped' theory does not change this elementary analysis: Plaintiffs paid for burritos; Plaintiffs received burritos. Plaintiffs' unjust enrichment claim fails to state a claim for which relief may be granted and must be dismissed. The Court therefore affirms in part (though on different grounds) and rejects in part Magistrate Judge Carman's Recommendation as to Claim 5.

5. Claims 6, 8, 9, and 10: Fraudulent Omission Claims

In its Objection to the Recommendation, Defendant jointly addresses Claims 6, 8, 9, and 10, all of which are based on state consumer protection statutes, arguing that "Plaintiffs do not plead facts supporting a fraudulent omission theory" in each of these Claims. (Doc. # 77 at 9-12.) The Court therefore discusses these claims together.

a. Magistrate Judge's Analysis

In Claim 6 for Violation of the Arizona Consumer Fraud Act, Plaintiffs assert that Defendant engaged in "deceptive and unfair acts and practices, ... and the ... omission of material facts" and specifically asserts that Defendant's "failure to disclose that its computer systems were not well-protected" and that Plaintiffs' "sensitive information was vulnerable ... constitutes deceptive and/or unfair acts or practices." (Doc. # 36 at 54.) As the Magistrate Judge explained (Doc. # 73 at 45), Plaintiffs "do not point to a specific representation or statement ... in which Defendant omitted this fact, which [Plaintiff] Gordon saw and replied upon." Magistrate Judge Carman rejected Defendant's argument that Plaintiffs are required to allege a specific representation by Defendant in which Defendant should have disclosed flaws in its data security systems, finding that the case law does not support such a requirement in the Arizona Consumer Fraud Act. (Id. at 45-46.)

In Claim 8 for Violation of the California Unfair Competition Law, Plaintiffs plead in part that "[b]y failing to disclose that it does not enlist industry standard security practices," Defendant engaged in a fraudulent and "unfair business practice" under California law. (Doc. # 36 at 61.) Defendant argues in its Motion to Dismiss that "the California [P]laintiffs fail to allege they ever saw, read, or otherwise were exposed to [Defendant's] claimed omissions or misrepresentations" and that they therefore cannot satisfy the reliance element of a claim brought under the California Unfair Competition Law. (Doc. # 43 at 21-22.) Magistrate Judge Carman explored case law concerning "what standard of causation applies for [California Unfair Competition Law] claims based on fraudulent omissions" and was persuaded by two cases in which California courts declined to dismiss the plaintiffs' fraudulent omission claims because the plaintiffs had sufficiently plead an omission of facts the defendants were obliged to disclose, In re Sony Gaming Networks and Customer Data Security Breach Litigation , 996 F.Supp.2d 942, 991 (S.D. Cal. 2014), and In re Adobe Systems, Inc. Privacy Litigation , 66 F.Supp.3d 1197, 1229-31 (N.D. Cal. 2014). (Doc. # 73 at 50-51.) In view of these cases, Magistrate Judge Carman concluded that Plaintiffs "plausibly allege causation or reliance on Defendant's omission that it was not providing reasonable data security" and that Defendant "has not shown that the [law's] reliance element requires pleading any further." (Id. at 51.)

In Claim 9 for Violation of the California Consumers Legal Remedies Act, Plaintiffs repeats its arguments from Claim 8 that Defendant's "failure to disclose that its computer systems were not well-protected ... constitutes deceptive and/or unfair practices" and that they would not have made purchases at Defendant's locations had they known about this non-disclosed fact. (Doc. # 36 at 64-66.) Defendant reprises its argument from Claim 8 too: Plaintiffs cannot meet the reliance element of a claim under the California Consumers Legal Remedies Act because they "do not allege that they saw and relied upon any statement made by [Defendant] regarding data security." (Doc. # 43 at 23.) The Magistrate Judge again rejected Defendant's argument, stating, "Much as with the UCL claim [Claim 8], Defendant does not show the [California Consumers Legal Remedies Act] claim requires the California Plaintiffs to allege more facts to plausibly suggest they relied on Defendant's omission." (Doc. # 72 at 53) (quoting, e.g. , Mass. Mut. Life Ins. Co. v. Superior Ct. , 97 Cal.App.4th 1282, 119 Cal. Rptr. 2d 190, 198 (Cal. Ct. App. 2002) ).

Finally, in Claim 10 for Violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, Plaintiffs assert that Defendant "engaged in deceptive and unfair acts and practices, misrepresentation, and the concealment, suppression, and omission of material facts." (Doc. # 36 at 67.) Plaintiffs repeat their previous claim that Defendant "fail[ed] to disclose that its computer systems were not well-protected." (Id. at 68.) Defendant argues that Illinois law is clear that "a plaintiff pursuing a fraud-based Illinois Consumer Fraud Act claim must allege that he or she 'actually saw and was deceived by the statements in question' " and that Plaintiff Fowler does not allege that she saw and was deceived by any statement. (Doc. # 43 at 24.) Magistrate Judge Carman again determined that the case law Defendant cites do not address deceptive omissions and found Plaintiffs' citations to authority more persuasive. (Doc. # 73 at 57.) He concluded that "Plaintiffs plausibly allege reliance" sufficient to survive Defendant's Motion to Dismiss. (Id. )

b. Defendant's Objection

Defendant objects to Magistrate Judge Carman's recommendation that the Court allow "Plaintiffs' Arizona, California, and Illinois consumer fraud claims to proceed based on an alleged fraudulent omission theory," arguing that Plaintiffs "do not plead facts supporting a fraudulent omission theory." (Doc. # 77 at 9.) Defendant describes the Magistrate Judge's analysis as "flawed," as he did not hold that Defendant had a duty to disclose information to Plaintiffs and "the relevant law would not support that holding for any of the state laws at issue." (Id. ) Defendant is correct that under these states' consumer protection statutes, a plaintiff alleging a fraud-based omission claim must show that the defendant omitted a fact the defendant had a duty to disclose. See, e.g. , In re Sony , 996 F.Supp.2d at 991 ("To be actionable under all three California consumer protections statutes, an omission must be 'contrary to a representation actually made by the defendant, or an omission of a fact the defendant was obliged to disclose.' ")

The Court is not persuaded by Defendant's objection however. A duty to disclose arises "when the defendant actively conceals a material fact from the plaintiff." Id. (emphasis added.) In California, for example, "[i]n order for non-disclosed information to be material, a plaintiff must show that 'had the omitted information been disclosed, one would have been aware of it and behaved differently." Falk v. Gen. Motors Corp. , 496 F.Supp.2d 1088, 1095 (N.D. Cal. 2007) (quoting Mirkin v. Wasserman , 5 Cal.4th 1082, 23 Cal.Rptr.2d 101, 858 P.2d 568 (1993) ). Materiality is judged by the effect on a reasonable consumer. Id.

Throughout their Complaint, Plaintiffs assert that Defendant failed "to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers' Card Information." (Doc. # 36 at 22) (emphasis added.) These facts were material, in Plaintiffs' view, because Plaintiffs "never would have allowed their sensitive and personal data ... to be provided to [Defendant] if they had been told or knew that [Defendant] failed to maintain sufficient security to keep such data from being hacked and taken by others." (Id. at 65.) In short, Plaintiffs allege that Defendant omitted material facts, thereby violating several states' consumer protection statutes. Implicit in their argument is that Defendant had a duty to disclose these material facts. That Magistrate Judge Carman did not explicitly discuss Defendant's duty to disclose does not undermine the adequacy of Plaintiffs' Complaint or the accuracy of the Magistrate Judge's conclusion.

The Court agrees with the Magistrate Judge's conclusion that Plaintiffs have sufficiently alleged fraudulent omission claims under Arizona's, California's, and Illinois's consumer protection statutes in Claims 6, 8, 9, and 10. (Doc. # 73 at 46, 51, 55, 57.)

6. Claim 8: Violation of the California Unfair Competition Law

In Claim 8, Plaintiffs allege that Defendant violated California's Unfair Competition Law and request injunctive relief and equitable relief, including restitution. (Doc. # 36 at 62-63.) Plaintiffs' request reflects the limited remedies available under the Unfair Competition Law. See Korea Supply Co. v. Lockheed Martin Corp. , 29 Cal.4th 1134, 131 Cal.Rptr.2d 29, 63 P.3d 937 (2003). "Prevailing plaintiffs are generally limited to injunctive relief and restitution." Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular Tel. Co. , 20 Cal.4th 163, 83 Cal.Rptr.2d 548, 973 P.2d 527 (1999).

Defendant asserts in its Motion to Dismiss that Claim 8 should be dismissed because neither an injunction nor restitution is appropriate and Plaintiffs therefore have no remedy available under the Unfair Competition Law. (Doc. # 43 at 22.) As to injunctive relief, Defendant states that Plaintiffs lack standing to seek injunctive relief because they fail to show a sufficient likelihood of suffering another data breach. (Id. at 23.)

In their Response to Defendant's Motion to Dismiss, Plaintiffs explain that one way in which a plaintiff can show that an injury is likely to recur is to "demonstrate that the harm is part of a pattern of officially sanctioned behavior, violative of the plaintiffs' rights." (Doc. # 57 at 25) (citing Armstrong v. Davis , 275 F.3d 849, 861 (9th Cir. 2001) ).

a. Magistrate Judge's Analysis

After summarizing the parties' arguments regarding the availability of injunctive relief, Magistrate Judge Carman noted that while Plaintiffs' authority, Armstrong , 275 F.3d at 861, "addresses federal anti-discrimination claims, not [Unfair Competition Law] claims," Defendant "[does] not dispute that California would apply the same standards for injunctive relief under the [Unfair Competition Law]." (Doc. # 73 at 52.) The Magistrate Judge explained:

In the absence of Defendant citing any cases to support the [Unfair Competition Law] does not permit injunctive relief based on a pattern of officially sanctioned behavior, in light of Plaintiffs alleging Defendant experienced a significant data security breach in 2004 and nonetheless chose not to upgrade its [point-of-sale] system to keep pace with data security, if Plaintiffs prove their allegations they could be entitled to injunctive relief. It may be Plaintiffs will have difficulty proving that they would make payment card purchases again at Chipotle, but that appears to be a fact issue.

(Id. ) Magistrate Judge Carman therefore recommended denying Defendant's Motion to Dismiss as to Claim 8. (Id. )

b. Defendant's Objection

Defendant objects that "the fact that Chipotle encountered a data security incident over ten years ago [does not] support these [P]laintiffs' entitlement to injunctive relief." (Doc. # 77 at 13.) Defendant argues that Plaintiffs must personally be at risk of future harm to obtain injunctive relief and that it is "implausible" that Plaintiffs will be "required to go back to Chipotle and purchase a meal with a credit or debit card." (Id. )

The Court agrees with Plaintiffs that Defendant's objection "misses the mark," as Plaintiffs do not allege a realistic threat of future harm if or when they make another purchase at a Chipotle location with a payment card. See (Doc. # 80 at 12.) Rather, Plaintiffs allege that they "remain at imminent risk of suffering additional damages in the future" because their PII "remains on [Defendant's] insufficiently secured computer systems." (Doc. # 36 at 51, 48.) Plaintiffs' belief that they face a continuing risk of data breaches is reflected in their request that the Court order "the Defendant purge, delete, and destroy in a reasonable secure manner customer data not necessary for its provisions of services." (Id. at 62.)

In the Court's view, these allegations sufficiently show that Plaintiffs may again be injured by a data breach, due to Defendant's alleged pattern of neglecting its data security systems and its alleged retention of Plaintiffs' PII. The Court agrees with Magistrate Judge Carman that if Plaintiffs prove a realistic threat of future harm, they could be entitled to injunctive relief under California's Unfair Competition Law. (Doc. # 72 at 52.)

7. Claims 7, 9, 10, and 12: Claims for Damages

Finally, Defendant jointly addresses Claims 7, 9, 10, and 12 in its Objection to the Recommendation on the ground that Plaintiffs fail to satisfy the damages element of each of these claims. (Doc. # 77 at 13.) The Court also addresses these claims together.

a. Magistrate Judge's Analysis

In Claim 7 for Violation of California's Customer Records Act and Claim 9 for Violation of that state's Consumers Legal Remedies Act, Plaintiff Baker, Plaintiff Conard, and the Mercer Plaintiffs allege that they "were (and continue to be) injured and have suffered (and will continue to suffer) damages" as a direct or proximate result of Defendant's violations. (Doc. # 36 at 57, 66.) Plaintiff Baker asserts that one unauthorized charge of $49.99 was taken from her account but was ultimately refunded by her bank. (Id. at 7.) Plaintiff Conard claims that after her bank had determined her credit card-"the primary card Plaintiff Conard uses for daily expenditures because of the rewards benefit"-had been compromised, she spent approximately twenty hours communicating with her bank and various businesses, "lost the opportunity to accrue points for purchases" made on her credit card while she awaited a replacement card, and now spends $131.93 annually on identity theft monitoring services. (Id. at 10.) The Mercer Plaintiffs report finding a number of pending and posted fraudulent transactions, which their bank ultimately reimbursed; they allege that "it took a number of weeks and roughly six hours' of [their] personal time to obtain the reversal" of these charges. (Id. at 7.) The Mercer Plaintiffs also claim that while they awaited a new debit card from their bank, "many of their normal services had been disrupted [and] automated orders ... were delayed and cancelled due to nonpayment." (Id. at 6-7.)

Defendant asserts in its Motion to Dismiss that to state claims under these California statutes, a customer must have suffered damages. (Doc. # 43 at 20, 24.) It argues that Plaintiff Baker, Plaintiff Conard, and the Mercer Plaintiffs cannot satisfy the damages element of the two claims because Plaintiffs acknowledge the unauthorized charges to their accounts were reimbursed by their banks and that any "alleged time and effort [does not] qualify as actual damages." (Id. at 20) (citing In re Hannaford Bros. Co. Customer Data Breach Litig. , 4 A.3d 492, 497 (Me. 2010) ).

Magistrate Judge Carman considered Defendant's argument in great detail. He first noted that Plaintiffs' seventh claim, for violation of California's Customer Records Act, can stand either on Section 1798.81.5(b) of that act for failing to implement and maintain reasonable security procedures and practices or on Section 1798.82 for failing to promptly notify customers. (Doc. # 73 at 46.) As to Section 1798.81.5(b), the Magistrate Judge recommended denying Defendant's Motion to Dismiss. (Id. at 48.) He rejected Defendant's argument that time and effort are not actionable damages, as Defendant's citations to authority did not address claims under the California statutes at issue. (Id. at 47.) However, as to an alleged violation of Section 1798.82 for failure to promptly notify customers, Magistrate Judge Carman recommended granting the motion in part "to dismiss only that part of the claim alleging a violation of Section 1798.82 brought by [Plaintiff Baker and Plaintiff Conard.]" (Id. at 48.) He determined that these two Plaintiffs had learned of and taken action regarding fraudulent charges before Defendant became aware of the Chipotle Data Breach and that they therefore cannot plausibly allege harm from Defendant's delay in notice. (Id. ) Second, as to Claim 9 for violation of California's Consumers Legal Remedies Act, Magistrate Judge Carman observed that Defendant "did not attempt to rebut" Plaintiffs' argument that "any damage" under the act "includes pecuniary and non-pecuniary damages alike, including transaction costs and opportunity costs." (Id. at 56.) He therefore concluded that Plaintiffs' allegations of time and effort spent addressing fraud on their accounts "plausibly allege actionable damages under the [Consumers Legal Remedies Act]" and recommended denying Defendant's Motion to Dismiss with respect to Claim 9. (Id. )

In Claim 10 for Violation of Illinois's Consumer Fraud and Deceptive Business Practices Act, Plaintiff Fowler alleges that as a result of the data breach,

[she] was required to spend a significant amount of time - at least 30 hours total - making phone calls, monitoring her card transactions, and addressing the unauthorized transactions and account openings/related activity. Plaintiff was also forced to switch over all of her recurring charges from her cancelled card and missed a couple of payments due to this issue. Furthermore, Plaintiff has had to place security freezes with all 3 credit bureaus at her own cost, which will result in difficulty for her opening legitimate accounts under her name when she desires to do so.

(Doc. # 36 at 8-9.) Defendant asserts in its Motion to Dismiss that Plaintiff Fowler cannot satisfy the statute's requirement of actual damages because she "acknowledges that the fraudulent charges on the card she used at Chipotle were reimbursed after two brief phone calls" and that such "de minimis time and effort is insufficient" to establish a claim. (Doc. # 43 at 25.) Defendant also argues that Plaintiff Fowler's allegations about fraudulently opened credit cards could not have been caused by Defendant, as "the alleged compromise of her existing MasterCard at Chipotle ... did not involve her social security number, address, or other personal information necessary to commit that type of fraud." (Id. ) Magistrate Judge Carman concluded that because "there is a fact issue whether the data breach involved more PII than payment card information," the Court should not dismiss on a motion to dismiss Plaintiff Fowler's allegations about unauthorized accounts being opened in her name. (Doc. # 72 at 57.) He explicitly declined to reach whether Plaintiff Fowler's time and effort is sufficient in itself to satisfy the damages element. (Id. at 57-58.) He therefore recommended that the Court deny the Motion to Dismiss as to Claim 10. (Id. )

In Claim 12 for Violation of Missouri's Merchandising Practices Act, Plaintiff Lawson alleges his debit card-"the primary card [he] uses for daily expenditures because the cash back rewards benefit"-was compromised. (Doc. # 36 at 9.) He posits:

The bank informed Plaintiff Lawson that it would be closing the account, opening a new account, and re-issuing a new debit card. Because Plaintiff Lawson had upcoming travel plans, he paid $45 to have the new debit card expedited to him. Unfortunately, despite the attempt to expedite and the money expenditure, a new card did not arrive before he left town. Therefore, Plaintiff Lawson did not have his debit card to use for his travel expenses as he planned. As a result of having been victimized by the Chipotle Data Breach, Plaintiff Lawson has been required to spend time communicating with his bank regarding his compromised card, account transfer, and replacement card.

(Id. ) Defendant argues that "[t]ime and effort spent addressing an alleged data compromise is insufficient" to state a claim under Missouri's law. (Doc. # 43 at 26.) It also states that it did not inflict the $45.00 fee on Plaintiff Lawson, as Plaintiff Lawson's "decision to expedite the card was his own choice." (Id. ) Magistrate Judge Carman stated that there is "a fact issue regarding whether [Plaintiff] Lawson's out of pocket expense should be deemed a damage resulting from the data breach." (Doc. # 73 at 59.) Because that issue cannot be resolved on Defendant's Motion to Dismiss, the Magistrate Judge recommended that the Court deny dismissal of Claim 12 and explicitly declined to reach whether Plaintiff Lawson's "time and effort would in themselves plausibly allege the damages element for this claim." (Id. )

b. Defendant's Objection

Defendant objects to Magistrate Judge Carman's determination that Plaintiffs sufficiently plead actual damages in Claims 7, 9, 10, and 12. (Doc. # 77 at 13.) It argues that "[n]one of the California, Illinois, or Missouri [P]laintiffs allege any unreimbursed fraudulent charges were made on their accounts." (Id. ) Defendant also urges to Court to reject Magistrate Judge Carman's determination that Plaintiffs' alleged time and effort constitute actual damages, reprising its reliance on In re Hannaford Brothers Co. , 4 A.3d at 497. (Doc. #77 at 14.)

The Court is not persuaded by Defendant's insistence that time and effort cannot constitute actual damages under these statutes. With respect to the California statutes at issue in Claims 7 and 9, the Seventh Circuit explained in another data breach case that "California's judiciary ... tells us that 'there are innumerable ways in which economic injury ... may be shown" and that "[a]n 'identifiable trifle of economic injury' suffices." Dieffenbach , 887 F.3d at 829 (internal citations omitted). The Seventh Circuit also observed that California state courts "have said that significant time and paperwork costs incurred to rectify violations also can qualify as economic losses." ( Id. ) As to Illinois's Consumer Fraud and Deceptive Business Practices Act at issue in Claim 10, Illinois does not require more than a "real and measurable" injury, and "if the plaintiff has suffered an economic loss, noneconomic losses are also compensable." (Id. at 30) (internal citations omitted). Finally, with respect to Missouri's Merchandising Practices Act at issue in Claim 12, In re Sony Gaming Networks , 996 F.Supp.2d at 1000, guides the Court. There, the plaintiffs asserted a claim under the Missouri statute, alleging that Sony made material omissions about the security of its network, "omissions that allegedly induced Plaintiffs to purchase their consoles." Id. Rejecting Sony's argument that the plaintiffs had not alleged an ascertainable loss of money or property, the Court held that "because [the plaintiffs] have alleged that ... Sony misled customers into believing that their Personal Information was secure, the Court finds that [the plaintiffs] have sufficiently alleged a loss of money or property as a result of an act or practice declared unlawful under the [Missouri Merchandising Practices Act." Id. This Court finds these holdings as to the California, Illinois, and Missouri statutes persuasive and therefore affirms the Magistrate Judge's recommendation that it deny Defendant's Motion to Dismiss Claims 7, 9, 10, and 12. (Doc. # 73 at 60.)

8. Claim 11: Violation of the Illinois Uniform Deceptive Trade Practices Act

Magistrate Judge Carman recommended that the Court dismiss Plaintiffs' eleventh claim pursuant to Rule 12(b)(6) because Plaintiff Fowler fails to allege that she is at risk of the same harm in the future. (Id. at 59.) Neither party objects to this recommendation. The Court has reviewed the Magistrate Judge's thorough examination and is satisfied that his recommendation on Claims 11 is sound and not contrary to law. See Fed. R. Civ. P. 72(a). It affirms the Recommendation as to the dismissal of Claim 11. (Doc. # 73 at 60.)

IV. CONCLUSION

For the foregoing reasons, the Court ORDERS:

1. The Magistrate Judge's August 1, 2018 Recommendation (Doc. # 73) is AFFIRMED IN PART and REJECTED IN PART;
2. Defendant's Motion to Dismiss (Doc. # 43) is GRANTED IN PART as to Claims 1, 2, 3, 5, and 11. These claims are dismissed from the action; and
3. Defendant's Motion to Dismiss (Doc. # 43) is DENIED IN PART as to Claims 4, 6, 7, 8, 9, 10, and 12. These claims remain. 
      
      Plaintiffs allege that they used their payment cards at Chipotle locations in the states in which they live: Arizona (Plaintiff Todd Gordon), California (Plaintiffs Marc and Kristen Mercer (the "Mercer Plaintiffs"); Plaintiff Kristin Baker; Plaintiff Judy Conard), Illinois (Plaintiff Michelle Fowler), and Missouri (Plaintiff Greg Lawson). (Doc. # 36 at 4-11.) No Plaintiffs live in Colorado.
     
      
      In their Complaint, Plaintiffs define the following class:
      All persons residing in the United States who made a credit or debit card purchase at any Chipotle or Pizzeria Locale location affected by the Chipotle Data Breach between March 24, 2017 and April 18, 2017.
      (Doc. # 36 at 34.) They also define four subclasses: an "Arizona Class," a "California Class," an "Illinois Class," and a "Missouri Class." (Id. at 34-35.)
     
      
      The Court also observes that Plaintiffs' objection as to standing does not take issue with Magistrate Judge Carman's ultimate conclusions that Plaintiffs Baker and Lawson have standing and that the Court should deny Defendant's 12(b)(1) argument. Plaintiffs only object to how Magistrate Judge Carman reached those conclusions.
     
      
      Generally, the economic loss doctrine provides that "a party suffering only economic loss from the breach of an express or implied contractual duty may not assert a tort claim for such a breach absent an independent duty of care under tort law." Spring Creek Exploration & Prod. Co., LLC v. Hess Bakken Investment, II, LLC , 887 F.3d 1003, 1020 (10th Cir. 2018) (quoting Town of Alma v. AZCO Const., Inc. , 10 P.3d 1256, 1264 (Colo. 2000) ).
     
      
      The Magistrate Judge could have stopped his analysis here, without reaching Colorado's economic loss doctrine. Generally, the elements of a negligence claim are that (1) the defendant owed a duty to the plaintiff, (2) the defendant breached that duty, and (3) the breach proximately caused the plaintiff's injury. See, e.g. , Ayala v. United States , 49 F.3d 607, 611 (10th Cir. 1995). "The threshold question in any negligence actions is therefore 'whether the defendant owed a legal duty to protect the plaintiff against injury.' " Id. (quoting Connes v. Molalla Transp. Sys. Inc. , 831 P.2d 1316, 1320 (Colo. 1992) ). The source of a legal duty "may be either a legislative enactment or the common law." Id. (citing Bd. of Cty. Comm'rs v. Moreland , 764 P.2d 812, 816 (Colo. 1988) ). It is a question of law for the Court whether a legal duty exists. Id. In the Court's view, and as Magistrate Judge Carman observed in passing, see (Doc. # 73 at 31), Plaintiffs fail to allege what state statutes or common law give rise to Defendant's legal duty to protect their PII. Their negligence claim fails on this ground. The Court declines to pursue this further however, as neither Defendant nor the Magistrate Judge discussed this and the conclusion that Plaintiffs' negligence claim must be dismissed remains the same.
     
      
      The Court rejects the Magistrate Judge's conclusion (and Plaintiffs' agreement) that there are outcome-determinative differences between Colorado law and California law, as it explains below. Because there are not such differences between Colorado and California law, Colorado law controls. See SELCO Community Credit Union v. Noodles & Company , 267 F.Supp.3d 1288, 1292 (D. Colo. 2017).
     
      
      Magistrate Judge Carman observed that California recognizes a "special relationship" exception to its economic loss doctrine. (Doc. # at 24) (citing J'Aire Corp. v. Gregory , 24 Cal.3d 799, 157 Cal.Rptr. 407, 598 P.2d 60, 63 (1979) ). He assessed the six factors that determine whether the special relationship exception applies and concluded that "[o]verall, the J'aire factors weigh in favor of excepting Plaintiffs' negligence claim from California's economic loss doctrine." (Id. at 25-26.)
     
      
      See also Demaree v. Wal-Mart Stores, Inc. , 511 F. App'x. 660, 661 (9th Cir. 2013) (quoting Haisch v. Allstate Ins. Co. , 197 Ariz. 606, 5 P.3d 940, 945 (Ariz. Ct. App. 2000) ) (under the Arizona Consumer Fraud Act, "an actionable omission 'must be logically related to the transaction in which it occurs and rationally significant to the parties in view of the nature and circumstances of the transaction' "); Blankenship v. Pushpin Holdings, LLC , No. 14 C 6636, 2015 WL 5895416, *8 (N.D. Ill. 2015) (quoting Capiccioni v. Brennan Naperville, Inc. , 339 Ill.App.3d 927, 274 Ill.Dec. 461, 791 N.E.2d 553, 558 (2003) ) (under the Illinois Consumer Fraud Act, "innocent misrepresentations or omissions intended to induce the plaintiff's reliance are actionable.").
     