On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology.

Alcoa asserts claims for negligence and negligence per se. Both claims rest on, among other bases, a purported violation of Section 5 of the FTC Act. Alcoa also requests declaratory and injunctive relief. The alleged damages include the costs of providing replacement cards, costs for consumer fraud monitoring, reimbursement of fraudulent charges, and costs due to lost interest and transaction fees due to reduced card usage.

Very few financial institution cases have been filed in the wake of consumer data breaches. However, such cases have been increasing due to a number of payment card data breaches in fairly rapid succession, including many massive breaches. These circumstances can create added costs for financial institutions that may not be fully recoverable through their direct relationships with the card brands. Additionally, because the financial institutions typically do not have contractual relationships with the breached merchants, some have chosen to leapfrog the various recovery processes established by the card brands by alleging non-contractual common law tort claims such as negligence and negligence per se.