A federal district court in Colorado recently ruled that customer credit card information was not a “trade secret” under the federal Defend Trade Secrets Act (DTSA).
This case arose out of a 2017 data breach of Chipotle Mexican Grill, Inc.’s computer system and point of service (POS) terminals which resulted in the theft of customers’ credit card and debit card data. As the result of the breach, several financial institutions had to replace their members’ credit and debit cards and refund fraudulent payments. Consequently, they sued Chipotle for negligence, unfair competition, and a violation of the DTSA, on behalf of themselves and other financial institutions.
Plaintiffs argued that the credit card information of their members was a “trade secret” under the DTSA because: (1) it was plaintiffs’ financial data; (2) they had taken reasonable measure to keep it secret; and (3) the data had independent economic value, and that Chipotle misappropriated it in violation of the federal statute.
The district court noted that the question of whether the credit card information was a trade secret was a question of first impression as neither plaintiffs not Chipotle cited any authority clearly addressing this issue. However, it concluded that because the credit card information simply created an access mechanism for the members’ accounts, it had no independent value. In other words, the value of the credit card information derived from the thing that it was intended to protect – a bank account. See N. Star Media, LLC v. Winogradsky-Sobel, 2011 WL 13220157, at *10-11 (C.D. Cal. May 23, 2011); State Analysis, Inc. v. Am. Fin. Servs. Assoc., 621 F. Supp. 2d 309, 321 (E.D. Va. 2009); see also MicroStrategy Inc. v. Bus. Objects, S.A., 331 F. Supp. 2d 396, 429 (E.D. Va. 2004)(expressing skepticism that a CD key is a trade secret); Tryco, Inc. v. U.S. Med. Source, L.L.C., 80 Va. Cir. 619 (2010) (“Courts have repeatedly held that collections of numbers and/or letters, whose only value is to access other potentially valuable information, do not by themselves have independent economic value.”).
The court reasoned that the payment card data (including cardholder names, credit or debit card numbers, and corresponding CVVs) was similar to passwords and usernames that provided access to something of value, i.e. an individual’s line of credit with a financial institution or money in an account with a financial institution. Absent a connection to either a line of credit or a bank account, payment card data was simply a string of alpha or numeric (or indeed other typographical) symbols, and, thus, had no independent economic value.
Because the court concluded that the credit card information was not a trade secret, it did not address whether a misappropriation occurred during the breach or whether Chipotle could be liable under the DTSA.
Leiza Dolghih is the founder of Dolghih Law Group PLLC. She is board certified in labor and employment law and has 16+ years of experience in commercial and employment litigation, including trade secrets and non-compete disputes. You can contact her directly at leiza@dlg-legal.com or (214) 531-2403.