Federal Court Holds Noodles & Co. Has No Independent Duty of Care to Card Issuers For Data Breach
A federal court has dismissed with prejudice a data-breach suit
filed by a group of credit unions against Noodles & Co., holding
that the restaurant had no independent duty of care to the unions
distinct from its contractual agreements with MasterCard and
Visa. SELCO Cmty. Credit Union v. Noodles & Co., No. 16-2247
(D. Colo., order entered July 21, 2017). The plaintiffs, four credit
unions whose cardholders’ information was compromised by the
data breach, sued for negligence, negligence per se and
declaratory relief, claiming they lost revenue due to decrease in
card usage after the breach was publicized and incurred costs
related to canceling and reissuing cards, responding to cardholder
inquiries and monitoring accounts. The court held that economic
loss rules in both Colorado and the unions’ home states barred
recovery in tort for purely financial losses caused by negligence.
Further, the court found, no independent duty exceptions to those
rules existed and any duty of care Noodles & Co. allegedly
breached arose from interrelated contracts coordinated by the
payment networks.
Issue 642