United States District Court, M.D. Florida, Jacksonville Division
TIMOTHY J. CORRIGAN UNITED STATES DISTRICT JUDGE
case requires the Court to determine what constitutes an
injury in fact for Article III standing for individuals whose
information was stolen in a data breach. Eight named
plaintiffs bring this class action on behalf of themselves
and all similarly situated customers whose payment card and
other personal information were stolen by criminal hackers
from Defendant Brinker International, Inc.âthe company that
owns, operates, and franchises Chili's Grill and Bar.
to the Second Amended Consolidated Complaint (“the
complaint”), beginning in March 2018, hackers accessed
Brinker's data network and installed malware on
point-of-sale (“POS”) systems at many
Chili's restaurants, which Brinker owns, develops,
operates, and franchises. (complaint, Doc. 39 ¶¶
25, 101). Brinker publicly announced the breach on May 12,
On May 11th, 2018, we learned that payment card information
of some of our Guests who visited certain Chili's®
Grill & Bar corporate-owned restaurants have been
compromised in a data incident. Currently, we believe the
data incident was limited to between March - April 2018;
however, we continue to assess the scope of the incident.
Upon learning of this incident, we immediately activated our
response plan. We are working with third-party forensic
experts to conduct a thorough investigation to determine the
details of what happened. Law enforcement has been notified
of this incident and we will continue to fully cooperate.
While the investigation is still ongoing, we believe that
malware was used to gather payment card information,
including credit or debit card numbers and cardholder names,
from our payment-related systems for in-restaurant purchases
at certain Chili's restaurants.
We deeply value our relationships with our Guests and our
priority remains doing what is right for them. We are
committed to sharing additional information on this ongoing
investigation. More details can be found at:
(Id. ¶ 102).
acknowledges that it relies on information systems, and
“Chili's has long touted its technological
innovation . . . .” (Id. ¶¶ 60, 62).
Chili's daily payment card transactions are in the
“tens of thousands . . . .” (Id. ¶
72). When Brinker processes payment card transactions, it
collects “the cardholder name, the account number,
expiration date, card verification value (“CVV”),
and PIN data for debit cards. Brinker stores th[is] Customer
Data in its POS system and transmits this information to a
third party for processing and completion of the
payment.” (Id. ¶ 64).
amount of data breaches involving the theft of retail payment
card information has been rising over the past several years,
and “[m]ost of the massive data breaches occurring
within the last several years involved malware placed on POS
systems used by merchants.” (Id. ¶¶
74-75). These breaches include other national restaurant
chains, such as P.F. Chang's, Arby's, Chipotle, and
Wendy's. (Id. ¶ 103). “Given the
numerous reports indicating the susceptibility of POS systems
and consequences of a breach, Brinker was well-aware, or
should have been aware, of the need to safeguard its POS
systems.” (Id. ¶ 80). Plaintiffs allege
that despite this knowledge, Brinker failed to comply with
industry standards for information security, including the
Payment Card Industry Data Security Standard (“PCI
DSS”). (Id. ¶¶ 81-90). And,
“Brinker failed to implement adequate data security
measures to protect its POS networks from the potential
danger of a data breach and failed to implement and maintain
reasonable security procedures and practices . . . .”
(Id. ¶ 106). Specifically, “Brinker
operated POS systems with outdated operating systems and
software; failed to enable point-to-point and end-to-end
encryption; and, failed to take other measures necessary to
protect its data network.” (Id. ¶ 98).
the data breach, each of the named plaintiffs paid for food
and services at a Chili's restaurant with their credit or
debit card. Marlene Green-Cooper dined at a Chili's in
Florida in April 2018, and “[w]ithin days
thereafter” noticed three unauthorized charges on the
credit card she had used at Chili's. (Id.
¶¶ 28(1)-29(1)). Green-Cooper was issued a new
credit card and during the time she waited for a new card she
lost the ability to accrue cash back rewards. (Id.
¶¶ 28(1)-28(2)). Green-Cooper continues to monitor her
account daily for unauthorized charges. (Id. ¶
April 2018, Shenika Thomas used her debit card at a
Chili's in Texas. (Id. ¶ 29(2)). In early
May 2018, Thomas incurred three fraudulent charges totaling
more than $100 on her debit card. (Id. ¶ 30).
Thomas was issued a new debit card, and she, too, continues
to monitor her account to prevent further misuse.
Sanders used his credit card at a Chili's in Virginia in
mid-April 2018, and roughly one month later he discovered
fraudulent charges totaling $3, 300. (Id. ¶
32). Sanders spent time disputing the charges with his bank,
lost the opportunity to accrue cash back rewards while
awaiting a replacement card, and placed fraud alerts with all
three credit reporting agencies. (Id. ¶¶
March and April 2018, Daniel Summers, Christopher Lang, Peter
Alamillo, and Michael Franklin all used credit or debit cards
at various Chili's locations in California. (Id.
¶¶ 34-44). One month after using his debit card at
Chili's, Summers incurred a fraudulent charge of $1,
093.91, spent time disputing the charge with his bank, and
was notified by Brinker that his personally identifiable
information (“PII”) might have been compromised.
(Id. ¶¶ 34-36). After Lang used his debit
card at Chili's, Chili's notified him that his PII
was at risk because of the data breach. (Id.
¶¶ 37-38). Alamillo used his debit card at
Chili's, which subsequently sent him a notice of the data
breach, and he has spent time monitoring his accounts for
fraudulent activity. (Id. ¶¶ 39-41). After
using a payment card three times in two months at
Chili's, Franklin experienced fraudulent charges on his
account, spent time speaking with his bank, and lost the
chance to accrue rewards points while awaiting a replacement
card. (Id. ¶¶ 44-46).
April 2018, Eric Steinmetz used his debit card at a
Chili's in Nevada. After learning of the breach,
Steinmetz “procured his consumer disclosures from all
three credit reporting agencies, ” “incurred
transportation costs of gasoline in driving to Wells Fargo to
cancel his debit card and obtain a temporary card[, ]”
and “lost time dealing with issues related to the [data
breach] . . . .” (Id. ¶¶ 47- 49).
allege that they would not have dined at Chili's had they
known “it lacked adequate computer systems and data
security practices to safeguard” customers'
information. (Id. ¶ 50). Plaintiffs further
allege that the value of their customer data has diminished,
they lost time, have been inconvenienced, and “have
concerns for the loss of their privacy.” (Id.
¶¶ 53-54). Additionally, Plaintiffs face a