The U.S. District Court for the District of Colorado has dismissed a consolidated lawsuit brought against Noodles & Company for failing to prevent a data breach of customer financial information, and one expert in cybersecurity says the dismissal could have future implications for contractual agreements between merchants and banks issuing debit and credit cards.
In SELCO Community Credit Union v. Noodles & Company, the financial institution sued the restaurant chain after Noodles was the target of a cyberattack in 2016, which compromised customers’ debit and credit card information. In November 2016 the case consolidated with two others, and the plaintiffs filed an amended class-action suit.
Four credit unions alleged on behalf of themselves and others that the data breach required them to take actions such as canceling and reissuing compromised cards, closing and reopening accounts, monitoring and investigating fraudulent charges and issuing refunds for such charges. They also alleged losses of revenue because cardholders decreased their use of debit and credit cards after the breach came to light. The suit brought claims for negligence, negligence per se, and declaratory relief.
Noodles & Company made a motion in January 2017 to dismiss the amended consolidated suit, which the district court granted July 21.