631 F.Supp.3d 573
N.D. Ill.
2022

Background:

  • Between June and September 2020, Arthur J. Gallagher (AJG) and Gallagher Bassett Services (GBS) suffered a ransomware attack in which the attackers accessed records of over three million individuals, including PII and PHI; defendants began sending breach notices around June 30, 2021.
  • Plaintiffs are former clients and employees who allege exposure of names, SSNs, medical records, and other sensitive data and claim harms including identity theft, fraudulent charges, credit impacts, increased spam, time spent mitigating, and emotional distress.
  • Plaintiffs filed a consolidated amended complaint asserting negligence, breach of implied and express contract, unjust enrichment, invasion of privacy, and numerous state statutory claims (including CCPA, CCRA, CMIA, UCL, ICFA, state notification laws, Maryland and Colorado statutes); a separate May complaint asserts CCPA, UCL, and breach of express contract under California law.
  • Defendants moved to dismiss under Rule 12(b)(6); the court evaluated duty, causation, damages, statutory standing, and whether particular statutes create private rights of action.
  • Ruling: the court granted in part and denied in part—dismissing certain claims (e.g., unjust enrichment, CMIA, some state statutory claims, UCL counts, invasion of privacy, select plaintiffs from implied-contract/CCRA claims), permitted amendment on an omitted CCPA plaintiff, and left most claims to proceed.

Issues:

Issue: Existence of a legal duty / adequacy of breach allegations (negligence and related claims)
  • Plaintiffs' argument: Defendants failed to implement recommended ransomware security measures; plaintiffs allege specific security controls defendants omitted.
  • Defendants' argument: Plaintiffs did not plead a cognizable legal duty or particular security failures.
  • Held: Court declined to dismiss on duty grounds at the pleadings stage; plaintiffs alleged government-recommended measures that defendants failed to implement.

Issue: Causation and plausibility of harms
  • Plaintiffs' argument: Plaintiffs allege concrete harms (time, anxiety, fraud, credit impacts) tied to the breach and the notices.
  • Defendants' argument: Many alleged harms (e.g., increased spam) are implausible where contact data is not alleged to have been stolen; overall causation is insufficiently pleaded.
  • Held: Court found many pleaded harms plausible (lost time, anxiety, identity theft); some specific spam allegations strain plausibility, but that did not warrant blanket dismissal.

Issue: Damages / economic injury for statutory and contract claims
  • Plaintiffs' argument: Time spent, remediation costs, fraudulent charges, credit impacts and subscription purchases amount to compensable injury/economic loss.
  • Defendants' argument: Several plaintiffs lack cognizable pecuniary injury for certain statutory claims.
  • Held: Court held time and remediation expenses can constitute economic injury for many claims (Illinois implied contract, ICFA, California UCL/CCRA, Maryland MCPA); dismissed the Louisiana breach-notification claim for lack of actual misuse of the data.

Issue: Data-breach notification statutes / incremental harm from delayed notice
  • Plaintiffs' argument: Plaintiffs allege a roughly 9-month delay in notices prevented earlier mitigation and caused further injury.
  • Defendants' argument: Plaintiffs fail to plead incremental injury from the delay separate from the breach itself.
  • Held: Court found the 9-month delay plausibly unreasonable and that post-disclosure mitigation allegations suffice to plead incremental harm.

Issue: Breach of implied contract / class members without direct relationships
  • Plaintiffs' argument: Plaintiffs point to privacy policies and general expectations of data protection.
  • Defendants' argument: Many putative class members lacked any direct dealings with defendants, so there was no meeting of the minds for an implied contract.
  • Held: Court dismissed implied-contract claims for all but two plaintiffs (Parsons and Yeremian, who had employment relationships and alleged privacy-policy promises).

Issue: Unjust enrichment / whether defendants retained a benefit
  • Plaintiffs' argument: Plaintiffs assert defendants retained the monetary value of plaintiffs' PII/PHI.
  • Defendants' argument: Personal identifying information lacks independent monetary value; plaintiffs did not allege defendants retained a benefit conferred by plaintiffs.
  • Held: Court dismissed the unjust-enrichment claim for failure to plausibly allege that defendants retained a benefit.

Issue: California statutes (CCPA, CCRA, CMIA, UCL) / standing and applicability
  • Plaintiffs' argument: California plaintiffs assert statutory violations tied to the compromised data and the notices; May alleges contract and CCPA violations.
  • Defendants' argument: Defendants challenge the CCPA pleading (missing individualized allegations), CCRA customer status for some plaintiffs, CMIA applicability, and extraterritorial application of the UCL.
  • Held: Court granted leave to amend a deficient CCPA plaintiff's claim; dismissed CCRA claims for two plaintiffs who were employees or unsure how their data was provided; dismissed the CMIA claim (defendants are not "providers of health care" or organized to maintain medical information); dismissed the UCL claims as impermissibly extraterritorial.

Issue: Maryland and Colorado statutes / private right of action
  • Plaintiffs' argument: Plaintiffs assert violations of state data statutes.
  • Defendants' argument: The statutes provide enforcement either through the state Attorney General or through other statutory schemes, and do not create standalone private causes of action.
  • Held: Court dismissed the standalone MPIPA claim and the Colorado statutory claims for lack of a private right of action; allowed the Maryland MCPA claim to proceed.

Issue: Invasion of privacy (intrusion upon seclusion)
  • Plaintiffs' argument: Plaintiffs argue the breach is an intentional intrusion into plaintiffs' seclusion.
  • Defendants' argument: Plaintiffs voluntarily provided their data to defendants (directly or via an employer), so there was no unauthorized intrusion.
  • Held: Court dismissed the intrusion-upon-seclusion claim because plaintiffs alleged voluntary disclosure to defendants, not an unauthorized acquisition.

Key Cases Cited

  • Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017) (addressing pleading requirements for implied-contract/data-breach claims and limits of conclusory allegations)
  • Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (time spent mitigating a data breach can constitute economic injury supporting standing and damages)
  • Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (cautioning that abstract claims about the value of personal data may not by themselves support standing)
  • Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. 2018) (discussing whether Illinois recognizes a common-law data-security duty)
  • Cooney v. Chicago Pub. Schs., 943 N.E.2d 23 (Ill. App. Ct. 2010) (rejecting a new common-law duty to safeguard information pre-PIPA amendment)
  • Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793 (M.D. La. 2007) (interpreting "actual damages" under Louisiana breach-notification law to require actual misuse of disclosed information)
  • In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020) (analyzing breach-notification timing and statutory duties under state laws)
  • Bonilla v. Ancestry.com Operations Inc., 574 F. Supp. 3d 582 (N.D. Ill. 2021) (dismissing intrusion claim where data collection was not alleged to be unauthorized)

Case Details

Case Name: In Re: Arthur J. Gallagher Data Breach Litigation
Court Name: District Court, N.D. Illinois
Date Published: Sep 28, 2022
Citations: 631 F.Supp.3d 573; 1:22-cv-00137
Docket Number: 1:22-cv-00137
Court Abbreviation: N.D. Ill.