In a recent case involving hackers that stole "payment card data" from Chipotle, Judge William J. Martinez in the United States District Court for the District of Colorado found on an issue of first impression that payment card data was not a trade secret and dismissed the claims brought under the Defend Trade Secrets Act (DTSA). Bellwether Community Credit Union v. Chipotle Mexican Grill, Inc., Case No. 1:17-cv-01102 (D. Colo. Oct. 24, 2018).
Plaintiffs Bellwether Community Credit Union and Alcoa Community Federal Credit Union, individually and on behalf of a putative class of similarly situated financial institutions, sued Chipotle Mexican Grill, Inc. (Chipotle) seeking to hold Chipotle responsible for allegedly inadequate protective measures that allowed hackers to steal customers' payment card data. The dispute stemmed from a 2017 data breach in over 2,200 restaurants wherein hackers infiltrated and installed malware on Chipotle's computer systems and point of service terminals to steal the payment card data. The hackers stole payment data encoded on each card (e.g., customer names, card numbers, expiration dates, CVVs, and service codes) to sell on the black market.
Among its eleven causes of action, the financial institutions alleged that Chipotle misappropriated their trade secrets under the DTSA because the payment card data is trade secret information, Chipotle had a duty to maintain the secrecy of the data, and Chipotle allowed the unauthorized disclosure. Per the DTSA, a trade secret must "derive independent economic value, actual or potential, from not being generally known." 18 U.S.C. § 1839(3). In granting Chipotle's motion to dismiss as to the misappropriation of trade secrets claim, Judge Martinez found that the payment card data was not a trade secret because it had no independent economic value and because it derives economic value solely from its authorized disclosure.
Judge Martinez analogized the payment card data to passwords and usernames "that provide access to something of value," but are not themselves something of value. Thus, the payment card data is not a trade secret: the information itself has no independent economic value, because it derives economic value solely from its authorized disclosure. While the financial institutions argued that unauthorized disclosure of the payment card data could lead to fraud, the court acknowledged that authorized disclosure of the payment card data, giving access to a line of credit or money in an account, is how the payment card data actually derives economic value. "While disclosure to unauthorized third parties may make the underlying data susceptible to fraud, disclosure to authorized third parties (such as merchants) is the raison d'être of payment cards. In other words, disclosure to authorized parties is what makes the payment card valuable because it provides access to a line of credit or money in an account." The court found that payment card data is, therefore, not a trade secret.
This case of first impression exemplifies the apparent trend of attempted expansion of misappropriation claims under the DTSA, and federal courts' careful scrutiny of those DTSA claims. Alas, at least in the District Court of Colorado, such claims will not be found to include theft of payment card data.