Irwin v. Jimmy John's Franchise, LLC
175 F. Supp. 3d 1064
C.D. Ill. 2016
Background
- Plaintiff Barbara Irwin, an Arizona resident, used debit/credit cards at Jimmy John’s; the chain experienced a July 2014 data breach disclosed Sept. 24, 2014. Irwin’s card had at least five fraudulent charges shortly after use at Jimmy John’s.
- Irwin filed a nine-count putative class action alleging claims including data-breach notice violations, breach of implied contract, negligence, unjust enrichment, Arizona Consumer Fraud Act (ACFA) and declaratory relief.
- Defendants moved to dismiss under Fed. R. Civ. P. 12(b)(1) and 12(b)(6); Irwin did not oppose dismissal of certain claims.
- The court dismissed Counts I (Arizona data-breach statute claim) and IV (bailment) for lack of opposition, and dismissed Counts II (Illinois PIPA) and VIII (Illinois Consumer Fraud Act) on statutory and territorial grounds.
- The court allowed Count III (breach of implied contract under Illinois law) and Count VII (ACFA) to proceed, but dismissed Count V (negligence), Count VI (unjust enrichment), and Count IX (declaratory judgment), the last for lack of Article III standing as to future-risk relief.
- Defendants were ordered to answer Counts III and VII within 21 days.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Applicability of Illinois PIPA notice provision (Count II) | PIPA requires immediate notice to owners/licensees; Irwin claims she is an "owner" entitled to relief | PIPA §10(b) applies to owners of computerized data; nonresident consumers are covered differently; Irwin did not own computerized records | Dismissed — §10(b) does not cover Irwin as a nonresident consumer; statutory structure treats residents and owners differently |
| Illinois Consumer Fraud Act standing for nonresident (Count VIII) | Violation of PIPA gives rise to Consumer Fraud Act claim | Nonresident lacks standing unless conduct occurred primarily and substantially in Illinois | Dismissed — facts insufficient to show the conduct occurred primarily in Illinois |
| Breach of implied contract (Count III) | Payment by card implies defendant promised to safeguard payment data and notify on breach | Defendant says terms are too indefinite to form an implied contract | Allowed — court finds plausible implied contract allegations (offer, acceptance, consideration, meeting of minds) under governing law |
| Negligence duty (Count V) | Jimmy John’s had a duty to safeguard data; breach created foreseeable risk of harm | Defendant: Illinois law applies; economic loss rule and lack of duty bar claim | Dismissed — plaintiff failed to establish a cognizable duty under either Arizona or Illinois law at pleading stage |
| Unjust enrichment (Count VI) | Card payments included an implicit payment for data security; Jimmy John’s was unjustly enriched by not providing security | Defendant: plaintiff paid no more than cash customers; no discrete benefit retained tied to alleged loss | Dismissed — plaintiff didn’t plausibly allege enrichment tied to overpayment or absence of other remedies |
| Arizona Consumer Fraud Act (Count VII) | Jimmy John’s misrepresented that customers’ financial data were secure; ACFA permits consumer protection claims despite data-breach statute enforcement by AG | Defendant: Arizona’s data-breach statute shows no private right of action; only AG can enforce | Allowed to proceed — court finds plausible ACFA claim and permits reliance on FTC data-security guidance |
| Declaratory judgment — standing for prospective security remedies (Count IX) | Seeks declaration that Jimmy John’s security is inadequate and specific remedial measures are required | Defendant: injury is past; no imminent future injury; lacks Article III standing | Dismissed — plaintiff’s asserted future risk is speculative and not sufficiently imminent |
Key Cases Cited
- Perkins v. Silverstein, 939 F.2d 463 (7th Cir.) (pleading standard and inferences on motion to dismiss)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for dismissal)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading framework: separate facts from legal conclusions)
- Crichton v. Golden Rule Ins. Co., 576 F.3d 392 (7th Cir.) (nonresident standing under Illinois Consumer Fraud Act)
- In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill.) (implied contract and merchant-card transaction duties to safeguard data)
- Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir.) (merchant obligations implied in card-present transactions)
- Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014) (Article III standing framework)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (future-injury must be certainly impending or present substantial risk)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir.) (standing principles in data-breach context)
