Article by Lyle Washowich, Esq.
On January 5, 2021, the U.S. District Court for the Middle District of Pennsylvania issued an important decision impacting organizations that accept credit or debit card payments in the Commonwealth of Pennsylvania. In the case, Defendant CHR Corporation d/b/a Rutter’s (operator of Rutter’s-brand convenience stores and gas stations) is alleged to have failed to take adequate steps to protect its customers’ payment card data. While the Court partially granted the Defendant’s motion to dismiss, it permitted a number of putative class action claims to proceed, continuing the dispute against the company into the class-discovery and merit phases of the case.
Customers Allege that Rutter’s Failed to Adequately Protect Their Payment Card Data
The case arose out of a data breach in which cyber hackers gained access to the payment card data of Rutter’s customers. Plaintiffs alleged that the swipe system utilized at Rutter’s gas pumps during the relevant time was insufficient to prevent unauthorized access to the payment card data. In support of their Amended Complaint, Plaintiffs cited, among other sources, statements from Visa which explained that merchants that continue to use “magnetic stripe payment card” systems instead of chip readers are “attractive target[s]” for cyber hackers.
The lawsuit – a putative class action – represents a consolidation of four sets of individual Plaintiffs’ claims. The Court dismissed two of the Plaintiffs’ claims in their entirety based on the issue of standing. For those Plaintiffs, the Court determined they did not allege that their payment card data had been used by the cyber hackers to cause harm, but merely that they had “lost time” as a result of reviewing their credit card statements and credit reports with greater frequency.
The other two Named Plaintiffs alleged actual financial losses resulting from the data security breach. The Court held that this was sufficient to establish standing for purposes of overcoming the company’s motion to dismiss.
Negligence, Breach of Contract and Unjust Enrichment Claims Allowed to Move Forward
While the Court allowed the pertinent Named Plaintiffs’ negligence claims to move forward, it dismissed the claims for negligence per se. This dismissal was premised upon the notion that Plaintiffs had already successfully alleged ordinary negligence. In considering the negligence count (to advance Plaintiffs’ data breach claims), the Court decided that it need not impose a new common law duty of care. Rather, as in Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), and consistent with Section 302 of the Restatement (Second) of Torts, in scenarios involving an actor’s affirmative conduct, that actor is generally under a duty to others to exercise reasonable care to protect them against an unreasonable risk of harm. Accordingly, the Court may apply pre-established duties to new factual situations as they arise in “our rapidly-evolving society.” Here, after evaluating the Amended Complaint to ascertain whether Plaintiffs sufficiently pled a duty of care based on Defendant’s affirmative conduct and the risk of foreseeable harm, the Court determined that Defendant’s “affirmative act of retaining credit and debit card information which created a risk of foreseeable harm from unscrupulous third parties is enough to recognize a legal duty here.”
The Court dismissed the claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), citing Plaintiffs’ failure to allege that Rutter’s engaged in fraudulent conduct under the statute, among other deficiencies. However, Plaintiffs will have the opportunity to revise and refile their UTPCPL claims if they can meet the pleading requirements under the statute.
In addition to Plaintiffs’ negligence claims, the Court permitted the breach of implied contract and unjust enrichment claims to proceed against Rutter’s. With regard to the breach of implied contract claims, the Court held that Plaintiffs sufficiently alleged the existence of an implied contract for Rutter’s to safeguard their payment card data based upon Plaintiffs’ purchase of goods and services.
In considering the unjust enrichment claims, the Court held that Plaintiffs sufficiently alleged the company used their credit and debit card payments, “in part, to pay for adequate data private infrastructure, practices, and procedures,” which it allegedly failed to do. Notably, in declining to dismiss Plaintiffs’ unjust enrichment claims, the Court decided that while Plaintiffs’ allegations were “certainly thin,” they had “plead in detail the security measures that merchants like Rutter’s are expected to maintain, and we struggle to see how else Rutter’s could support an adequate data security apparatus without profits derived from customer purchases.”