On May 4, Bellwether Community Credit Union filed a class action suit on behalf of a proposed class of financial institutions in Colorado federal court against Chipotle Mexican Grill, Inc., claiming that the chain’s recently announced data breach caused significant financial harm to the credit union.  Bellwether’s complaint alleges that Chipotle’s purportedly lax security standards violated Section 5 of the Federal Trade Commission Act.  Bellwether claims that it and other similarly situated financial institutions incurred substantial costs related to canceling and reissuing compromised cards as well as investigating and refunding fraudulent charges as a result of Chipotle’s alleged negligence. 

As we previously wrote here, Chipotle announced on April 26 that the restaurant detected a security breach in its electronic processing and transmission of confidential customer and employee information.  Chipotle has not disclosed the scope of the security breach.  However, the chain stated in its quarterly report to the U.S. Securities and Exchange Commission that 70% of its 2016 sales were attributable to debit and credit card transactions.

Less than two weeks after Chipotle’s disclosure, Bellwether filed its complaint against Chipotle, alleging that Chipotle failed to mitigate the risk of a breach and failed to comply with industry best practices.  Bellwether alleges that Chipotle “failed to ensure that it maintained adequate data security measures, failed to implement best practices, failed to upgrade security systems and failed to comply with industry standards by allowing its computer and point-of-sale systems to be hacked, causing financial institutions’ payment card and customer information to be stolen.” 

Bellwether alleges that Chipotle failed to mitigate the risk by not implementing EMV technology, the global standard for debit and credit cards equipped with computer chips and for the terminals and protocols used to authenticate chip card transactions.  The complaint further alleges that Chipotle failed to upgrade its payment terminals despite the payment card industry’s EMV chip card and terminal requirements that took effect in October 2015, because the upgrades would “slow down customer lines.”  According to the payment card industry’s Card Operating Regulations, businesses accepting payment cards that failed to meet the October 1, 2015 deadline (commonly called the EMV liability shift) agreed to be liable for damages from resulting data breaches. 

In its complaint, Bellwether also states that Chipotle’s security practices violated industry best practices by failing to comply with the Payment Card Industry Data Security Standard (PCI DSS).  The Payment Card Industry Security Standards Council, a group established by American Express, Discover, JCB International, MasterCard and Visa Inc. in 2006, promulgated that standard, which sets out 12 requirements for all organizations that store, process, or transmit cardholder data to follow in building and maintaining secure networks and systems. 

Interestingly, Bellwether’s complaint does not allege the extent of damages claimed to have been incurred by the credit union and other class action members.  The proposed class, as defined in the complaint, is all U.S. financial institutions that issue payment cards or support card-issuing services. 

Chipotle’s data breach is the latest in a series of large breaches targeting customer payment card data at restaurants and retailers nationwide.  Bellwether’s complaint highlighted the recent data breaches at Target, Neiman Marcus, Michaels, Kmart, and several other retailers.  According to the complaint, given the foreseeability of a data breach based on industry warnings from Visa and the U.S. Computer Emergency Readiness Team (US-CERT), as well as several well-documented and highly publicized data breaches, Chipotle was on notice of the security risks in its systems and therefore negligently failed to use reasonable measures to protect customer and employee data. 

Chipotle has stated that it will share more information with affected customers as it becomes available.