Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Brinker Data Incident Litigation

United States District Court, M.D. Florida, Jacksonville Division

August 1, 2019

In re Brinker Data Incident Litigation

          ORDER

          TIMOTHY J. CORRIGAN UNITED STATES DISTRICT JUDGE

         This case requires the Court to determine what constitutes an injury in fact for Article III standing for individuals whose information was stolen in a data breach. Eight named plaintiffs bring this class action on behalf of themselves and all similarly situated customers whose payment card and other personal information were stolen by criminal hackers from Defendant Brinker International, Inc.—the company that owns, operates, and franchises Chili's Grill and Bar.

         I. BACKGROUND

         A. Facts

         According to the Second Amended Consolidated Complaint (“the complaint”), beginning in March 2018, hackers accessed Brinker's data network and installed malware on point-of-sale (“POS”) systems[1] at many Chili's restaurants, which Brinker owns, develops, operates, and franchises. (complaint, Doc. 39 ¶¶ 25, 101). Brinker publicly announced the breach on May 12, 2018, stating:

On May 11th, 2018, we learned that payment card information of some of our Guests who visited certain Chili's® Grill & Bar corporate-owned restaurants have been compromised in a data incident. Currently, we believe the data incident was limited to between March - April 2018; however, we continue to assess the scope of the incident.
Upon learning of this incident, we immediately activated our response plan. We are working with third-party forensic experts to conduct a thorough investigation to determine the details of what happened. Law enforcement has been notified of this incident and we will continue to fully cooperate.
While the investigation is still ongoing, we believe that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from our payment-related systems for in-restaurant purchases at certain Chili's restaurants.
We deeply value our relationships with our Guests and our priority remains doing what is right for them. We are committed to sharing additional information on this ongoing investigation. More details can be found at: http://brinker.mediaroom.com/ChilisDataIncident.

(Id. ¶ 102).

         Brinker acknowledges that it relies on information systems, and “Chili's has long touted its technological innovation . . . .” (Id. ¶¶ 60, 62). Chili's daily payment card transactions are in the “tens of thousands . . . .” (Id. ¶ 72). When Brinker processes payment card transactions, it collects “the cardholder name, the account number, expiration date, card verification value (“CVV”), and PIN data for debit cards. Brinker stores th[is] Customer Data in its POS system and transmits this information to a third party for processing and completion of the payment.” (Id. ¶ 64).

         The amount of data breaches involving the theft of retail payment card information has been rising over the past several years, and “[m]ost of the massive data breaches occurring within the last several years involved malware placed on POS systems used by merchants.” (Id. ¶¶ 74-75). These breaches include other national restaurant chains, such as P.F. Chang's, Arby's, Chipotle, and Wendy's. (Id. ¶ 103). “Given the numerous reports indicating the susceptibility of POS systems and consequences of a breach, Brinker was well-aware, or should have been aware, of the need to safeguard its POS systems.” (Id. ¶ 80). Plaintiffs allege that despite this knowledge, Brinker failed to comply with industry standards for information security, including the Payment Card Industry Data Security Standard (“PCI DSS”). (Id. ¶¶ 81-90). And, “Brinker failed to implement adequate data security measures to protect its POS networks from the potential danger of a data breach and failed to implement and maintain reasonable security procedures and practices . . . .” (Id. ¶ 106). Specifically, “Brinker operated POS systems with outdated operating systems and software; failed to enable point-to-point and end-to-end encryption; and, failed to take other measures necessary to protect its data network.” (Id. ¶ 98).

         During the data breach, each of the named plaintiffs paid for food and services at a Chili's restaurant with their credit or debit card. Marlene Green-Cooper dined at a Chili's in Florida in April 2018, and “[w]ithin days thereafter” noticed three unauthorized charges on the credit card she had used at Chili's. (Id. ¶¶ 28(1)-29(1)). Green-Cooper was issued a new credit card and during the time she waited for a new card she lost the ability to accrue cash back rewards. (Id. ¶¶ 28(1)-28(2)).[2] Green-Cooper continues to monitor her account daily for unauthorized charges. (Id. ¶ 29(1)).

         In April 2018, Shenika Thomas used her debit card at a Chili's in Texas. (Id. ¶ 29(2)). In early May 2018, Thomas incurred three fraudulent charges totaling more than $100 on her debit card. (Id. ¶ 30). Thomas was issued a new debit card, and she, too, continues to monitor her account to prevent further misuse. (Id.).

         Fred Sanders used his credit card at a Chili's in Virginia in mid-April 2018, and roughly one month later he discovered fraudulent charges totaling $3, 300. (Id. ¶ 32). Sanders spent time disputing the charges with his bank, lost the opportunity to accrue cash back rewards while awaiting a replacement card, and placed fraud alerts with all three credit reporting agencies. (Id. ¶¶ 32-33).

         Between March and April 2018, Daniel Summers, Christopher Lang, Peter Alamillo, and Michael Franklin all used credit or debit cards at various Chili's locations in California. (Id. ¶¶ 34-44). One month after using his debit card at Chili's, Summers incurred a fraudulent charge of $1, 093.91, spent time disputing the charge with his bank, and was notified by Brinker that his personally identifiable information (“PII”) might have been compromised. (Id. ¶¶ 34-36). After Lang used his debit card at Chili's, Chili's notified him that his PII was at risk because of the data breach. (Id. ¶¶ 37-38). Alamillo used his debit card at Chili's, which subsequently sent him a notice of the data breach, and he has spent time monitoring his accounts for fraudulent activity. (Id. ¶¶ 39-41). After using a payment card three times in two months at Chili's, Franklin experienced fraudulent charges on his account, spent time speaking with his bank, and lost the chance to accrue rewards points while awaiting a replacement card. (Id. ¶¶ 44-46).

         In April 2018, Eric Steinmetz used his debit card at a Chili's in Nevada. After learning of the breach, Steinmetz “procured his consumer disclosures from all three credit reporting agencies, ” “incurred transportation costs of gasoline in driving to Wells Fargo to cancel his debit card and obtain a temporary card[, ]” and “lost time dealing with issues related to the [data breach] . . . .” (Id. ¶¶ 47- 49).

         Plaintiffs allege that they would not have dined at Chili's had they known “it lacked adequate computer systems and data security practices to safeguard” customers' information. (Id. ¶ 50). Plaintiffs further allege that the value of their customer data has diminished, they lost time, have been inconvenienced, and “have concerns for the loss of their privacy.” (Id. ¶¶ 53-54). Additionally, Plaintiffs face a ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.