In In Re Arby's Restaurant Gp. Inc. Litigation, No. 1:17-cv-0514-AT, 2018 WL 2128441 (N.D. Ga. March 5, 2018), the district court refused to dismiss several counts filed by financial institutions and a group of consumers after the defendant disclosed that third-party hackers had breached its credit card point of sale machines and retrieved the personal information of hundreds of thousands of consumers. The defendant argued that it owed no common law duty to the plaintiffs to protect their personal credit card data, but the court ruled that a company's knowledge of a foreseeable risk to its data security system is sufficient to establish the existence of a plausible legal duty as a basis for negligence. For negligence per se, the court agreed with the plaintiffs that it could be premised upon an alleged violation of Section 5 of the Federal Trade Commission Act. The court concluded that plaintiffs also pled the remaining elements of negligence and negligence per se and that the economic loss doctrine did not prohibit them because they are not based on the breach of a duty owed under any express contract between plaintiffs and defendant. The court also ruled that the consumer plaintiffs adequately alleged breach of an implied-in-fact contract or, in the alternative, unjust enrichment. For the former, they argued that the implied contract was that the defendant agreed to safeguard and protect their financial information in exchange for their purchases. The court did dismiss the consumer plaintiffs' Georgia Fair Business Practices Act and violation of other state consumer laws count.