455 F.Supp.3d 749
C.D. Ill. 2020
Background
- Hy‑Vee experienced a point‑of‑sale malware data breach affecting fuel pumps, drive‑thru coffee shops, and restaurants from Nov. 2018–Aug. 2019; Hy‑Vee detected the breach July 29, 2019 and notified customers Aug. 14, 2019.
- Plaintiffs are customers who used affected POS devices and allege harms including fraudulent charges, card cancellations/replacements, inability to access funds, time spent resolving issues, and purchase of credit‑monitoring.
- Plaintiffs filed a consolidated Second Amended Class Action Complaint asserting negligence, negligence per se, breach of implied contract, breach of contracts as intended third‑party beneficiaries, multiple state consumer‑protection and data‑breach statutory claims (IL, IA, KS, MN, MO, WI), and unjust enrichment.
- Hy‑Vee moved to dismiss under Rule 12(b)(6); key defenses included: no common‑law duty to safeguard data in some states, economic‑loss doctrine, failure to plead statutory bases, inadequately pleaded contracts/benefit, and Rule 9(b) heightened pleading for fraud‑like claims.
- Court exercised CAFA jurisdiction, applied Illinois choice‑of‑law rules, held that non‑forum plaintiffs’ claims are governed by their home states’ laws, and issued mixed rulings: several claims dismissed (in whole or as to particular state classes) and several claims survived.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Common‑law duty to safeguard data (negligence) | Hy‑Vee owed duty to protect payment data and notify customers; breach caused economic harms | No common‑law duty under Illinois and some other states; even if duty exists, economic‑loss doctrine bars recovery | Negligence claims dismissed for IL, MO, KS, and IA plaintiffs; negligence claims for MN and WI plaintiffs survive (Iowa claims conceded) |
| Negligence per se (FTC Act / state statutes) | Failure to follow FTC standards/state rules supports negligence per se | FTC Act doesn’t provide a clear private‑right standard; plaintiffs failed to identify a specific statute creating duty | Court held FTC Act can support negligence per se generally, but Illinois negligence per se barred by economic‑loss doctrine; MO/Kansas/Iowa negligence per se dismissed with negligence claims |
| Choice‑of‑law for state claims | Apply law where injury occurred | Apply Illinois law to all | Court applied Illinois choice‑of‑law rules and determined non‑forum plaintiffs’ home states govern their claims where outcome‑determinative |
| Implied contract and unjust enrichment | Plaintiffs allege implied promise that Hy‑Vee would secure payment data; alternatively unjust enrichment | No express contract pleaded; payments were for goods, not data security; unjust enrichment improper where plaintiff received product | Breach of implied contract claim survives under Illinois law; unjust enrichment dismissed; breach‑of‑contract as third‑party beneficiary dismissed without prejudice (repleadable) |
| Breach of third‑party beneficiary contract | Plaintiffs are intended beneficiaries of Hy‑Vee’s contracts with payment networks/banks | Plaintiffs failed to identify specific contracts or provisions | Dismissed without prejudice; plaintiffs given leave to amend within 21 days |
| State consumer‑protection/data‑breach statutes (notice, damages, causation) | Statutes (IA, KS, MN, MO, IL, WI) support claims for delayed notice, deceptive omissions, and ascertainable losses | Some statutes lack private right of action or are enforceable only by AG; plaintiffs failed to plead damages, causation, or misstatements; Rule 9(b) should apply | Iowa and Kansas data‑breach statute claims survive (courts find ambiguity re: private right of action); most consumer‑protection claims survived on factual pleading grounds except: WI DTPA dismissed (plaintiffs conceded); IL DTPA and MN DTPA dismissed for lack of likely future harm; IL CFA survives (with nexus limitation for one plaintiff), MO and MN consumer claims survive |
| Rule 9(b) applicability to UDAP claims | Claims are omission‑based unfair/deceptive practices and need only Rule 8 notice | Claims "sound in fraud" and require Rule 9(b) particularity | Court found statutory UDAP claims do not sound in fraud here and applied Rule 8; even under 9(b), plaintiffs pled who, what, when, where, how sufficiently |
Key Cases Cited
- Cooney v. Chicago Pub. Schs., 943 N.E.2d 23 (Ill. App. Ct. 2010) (no common‑law duty to safeguard personal information under Illinois PIPA)
- Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. 2018) (Seventh Circuit relied on Cooney to reject common‑law data‑security duty)
- Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (lost access to funds and time spent responding to fraud are economic losses)
- Moorman Mfg. Co. v. Nat'l Tank Co., 435 N.E.2d 443 (Ill. 1982) (Illinois economic‑loss doctrine bars tort recovery for pure economic loss)
- In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014) (denying dismissal of various state statutory and consumer‑protection claims in a data breach case)
- In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295 (N.D. Ga. 2019) (FTC unfair‑practice authority can support claims that inadequate data security is an unfair practice)
- Irwin v. Jimmy John's Franchise, LLC, 175 F. Supp. 3d 1064 (C.D. Ill. 2016) (recognized plausibility of implied contract to secure customer data; contrasted unjust enrichment limits)
- Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (unjust enrichment not available where plaintiff received nondefective goods)
