ALEXIS DOUGHERTY; DENNIS CALABRESE; LILY NICOLE PORTEE; JESSIE RUIZ-JACOBS; PETER BUNGERT; CHRISTIE STARNES; KASSANDRA BLANKENSHIP; JAMES HIGGINS; and LEONARDO YON, on behalf of themselves and others similarly situated v. BOJANGLES RESTAURANTS, INC.
25CV046572-910
STATE OF NORTH CAROLINA, WAKE COUNTY, IN THE GENERAL COURT OF JUSTICE, SUPERIOR COURT DIVISION
June 3, 2026
2026 NCBC 60
Earp, Judge.
ORDER AND OPINION ON DEFENDANT’S MOTION TO DISMISS
1. This action arises from a data breach that occurred between 19 February and 12 March 2024 at Bojangles Restaurants, Inc. (Bojangles). The data breach allegedly included the personal identifying information and protected health information (PII/PHI) of current and former Bojangles employees, including information belonging to Plaintiffs. The case is before the Court on Defendant’s Motion to Dismiss Plaintiffs’ Class Action Complaint (the Motion), (ECF No. 11).
2. The Court, having considered the Motion, the related briefing, other relevant matters of record, and the arguments of counsel at a hearing on the Motion held 3 June 2026, concludes for the reasons stated below that the Motion should be GRANTED in part and DENIED in part.
Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, for Plaintiffs Alexis Dougherty, Dennis Calabrese, Jessie Ruiz-Jacobs, Peter Bungert, Christie Starnes, Kassandra Blankenship, and James Higgins.
Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, and Stranch, Jennings, & Garvey, PLLC, by Robert Bruce Grayson Kent Wells, for Plaintiff Leonardo Yon.
Robinson, Bradshaw & Hinson P.A., by Charles E. Johnson and Caroline Reinwald and Mullen Coughlin LLC, by Richard M. Haggerty and Kayleigh Watson, for Defendant Bojangles Restaurants, Inc.
Earp, Judge.
I. FACTUAL BACKGROUND
3. The Court does not make findings of fact when deciding a motion to dismiss pursuant to
4. Bojangles is a fast-food chain incorporated in Delaware that maintains a principal place of business in North Carolina. It has approximately 800 locations across 17 states. (Compl. ¶¶ 2, 18, 20, ECF No. 3.)
5. Plaintiffs Alexis Dougherty (Dougherty), Dennis Calabrese (Calabrese), Jessie Ruiz-Jacobs (Ruiz-Jacobs), Christie Starnes (Starnes), James Higgins (Higgins), and Leonardo Yon (Yon) are citizens of North Carolina. (Compl. ¶¶ 9–10, 12, 14, 16–17.) Plaintiff Lily Nicole Portee (Portee) is a citizen of South Carolina.
6. Plaintiffs are all former employees of Bojangles. (Compl. ¶¶ 45, 63, 75, 93, 107, 116, 134, 154, 160.)
7. As a condition of their employment, Bojangles required Plaintiffs to provide their PII/PHI, which Bojangles used for payroll and other employment-related purposes. (Compl. ¶¶ 48, 64, 78, 94, 119, 137, 154.)
8. Bojangles’ privacy policy states: “Bojangles has security policies and practices in place designed to protect your Personal Information against unauthorized access or disclosure, theft, misuse, and loss.” It promises that Bojangles will “make commercially reasonable efforts for secure handling of this information[.]” (Compl. ¶ 26.)
9. Plaintiffs allege that Bojangles agreed to safeguard their data in accordance with its internal policies, state law, and federal law. (Compl. ¶ 24.) Plaintiffs Dougherty, Calabrese, Portee, Ruiz-Jacobs, Starnes, and Blankenship specifically allege that they provided their personal information to Bojangles trusting that the company would use reasonable measures to protect it according to Bojangles’ internal policies, as well as state and federal law. (Compl. ¶¶ 49, 71, 79, 101, 120, 138.) Plaintiffs Calabrese and Ruiz-Jacobs state that they would not have provided their PII to Bojangles had they known that Bojangles “would not utilize standard measures to reasonably secure” it. (Compl. ¶¶ 68, 98.)
11. From 19 February 2024 to 12 March 2024, the security of Bojangles’ computer systems was breached (the Data Breach). (Compl. ¶ 27.)
12. Plaintiffs contend that over one hundred current or former employees’ names, addresses, Social Security numbers, driver‘s license numbers, government-issued ID numbers, passport numbers, state ID numbers, financial information, financial account numbers, credit card numbers, debit card numbers, health insurance information, and medical information were compromised in the Data Breach. (Compl. ¶¶ 29–30.)
13. Plaintiffs allege that the Data Breach appears to have been the work of Hunters International (Hunters), an “infamous Russian Ransomware-as-a-Service” entity. (Compl. ¶¶ 38–39.) On 15 March 2024, Bojangles was listed on Hunters’ dedicated “leak site” on the dark web. (Compl. ¶ 40.) Hunters posted that it had exfiltrated 294.8 GB of data from Bojangles. (Compl. ¶ 41.) Plaintiffs allege that the data included their PII/ PHI. (Compl. ¶¶ 42, 52, 82, 109, 123, 141, 153, 163.)
14. Plaintiffs allege that Hunters’ modus operandi includes giving its affiliates access to its storage server containing stolen files, which can then be downloaded and stored by the affiliate. Because the stolen data is often stored on the affiliate‘s infrastructure and there are hundreds of affiliates who contract with Hunters, it is often difficult to track stolen data and to prove whether it has been deleted. (Compl.
15. Plaintiffs also complain that Bojangles “kept [them] in the dark” until 19 November 2024, when it began notifying them of the Data Breach. (Compl. ¶¶ 31–32, 51, 65, 81, 95, 108, 122, 140, 152, 160.)
16. In the Notice Bojangles sent Plaintiffs, it recognized that Plaintiffs were at a “present, continuing, and significant risk” of identity theft and recommended that Plaintiffs “remain vigilant against incidents of identity theft by reviewing account statements and credit reports for unusual activity and to detect errors.” (Compl. ¶ 33a.) Bojangles recommended that “[c]onsumers . . . further educate themselves regarding identity theft, fraud alerts, credit freezes, and the steps consumers can take to protect personal information by contacting the consumer reporting bureaus, the Federal Trade Commission [FTC], or their state attorney general.” (Compl. ¶ 33c.)
17. Plaintiffs allege that Bojangles was negligent as evidenced by its failure to prevent the Data Breach. (Compl. ¶ 34.) Plaintiffs further allege that Bojangles acted with a “knowing state of mind” by failing to implement adequate and reasonable cybersecurity measures. (Compl. ¶¶ 270–71.) They allege that Bojangles’ failure to promptly and properly notify them of the Data Breach exacerbated their injuries by depriving them of the earliest ability to take appropriate measures to protect their PII/PHI and mitigate their damages. (Compl. ¶ 179.)
19. As far as remedies, Plaintiffs acknowledge that Bojangles has “offered some victims credit monitoring and identity-related services[,]” but they complain that the services provided are “wholly insufficient” to compensate Plaintiffs for their alleged injuries. (Compl. ¶ 36.) Plaintiffs allege that their actual damages include the lost value of their PII/PHI, lost time and money to mitigate and remediate the effects of the Data Breach, and lost “benefit of the bargain.” (Compl. ¶¶ 71, 171, 234.) In addition to monetary damages, Plaintiffs allege that they suffer from an increased risk of future harm, embarrassment, humiliation, frustration and emotional distress. (Compl. ¶¶ 57, 87, 128, 146, 171, 232.)
20. Since February 2024, Plaintiffs Dougherty, Portee, Starnes, and Blankenship have experienced a spike in spam and scam phone calls. (Compl. ¶¶ 55, 85, 126, 144.) While telephone numbers were not included in the PII/PHI allegedly stolen, Plaintiffs claim that the information that was stolen could be used to create dossiers called “Fullz” packages by cross-referencing and combining it with information about Plaintiffs found generally on the internet (like telephone numbers). (Compl. ¶¶ 175–77.)
22. Plaintiffs allege that their PII/PHI continues to be at risk of theft and that Bojangles has a continuing legal duty to protect it from unauthorized access and disclosure. (Compl. ¶¶ 49, 79, 120, 138.) They allege that there has been a “substantial increase in cyberattacks and/or data breaches in recent years[,]” (Compl. ¶ 180), and that the risk of attacks “was widely known to the public and to anyone in [Bojangles‘] industry, including [Bojangles].” (Compl. ¶ 183.)
23. The FTC has established guidelines for the data security practices businesses must use, including: (a) protecting personal customer information that they keep, (b) properly disposing of personal information that is no longer needed, (c) encrypting information stored on computer networks, (d) understanding their network‘s vulnerabilities, and (e) implementing policies to correct security problems. (Compl. ¶ 185.) The guidelines caution “not [to] maintain information longer than is needed to authorize a transaction[.]” (Compl. ¶ 187a.)
24. Plaintiffs allege that Bojangles’ failure to use reasonable and appropriate measures to protect against the unauthorized access of its current and former employees’ personal information constitutes an unfair act or practice prohibited by
25. Plaintiffs further allege that Bojangles failed to follow industry best practices, such as educating all employees, using strong passwords, implementing multi-layer security (including firewalls, anti-virus, and anti-malware software), using encryption, implementing multi-factor authentication, backing up data, and limiting employees’ access to sensitive data. (Compl. ¶ 190.)
26. In addition, Plaintiffs maintain that Bojangles failed to implement industry standard cybersecurity measures, including both the NIST Cybersecurity Framework Version 2.0 and the Center for Internet Security‘s Critical Security Controls. (Compl. ¶ 192.) Plaintiffs argue that by failing to comply with these accepted standards, Bojangles’ stored PII/PHI was vulnerable to the Data Breach. (Compl. ¶ 193.)
27. Plaintiffs also allege the Data Breach resulted from Bojangles’ failure to safeguard PHI in compliance with the Health Insurance Portability and Accountability Act‘s (HIPAA) mandated security standards. (Compl. ¶ 196.) Specifically, Plaintiffs allege that Bojangles failed to: (a) implement policies and procedures to prevent, detect, contain, and correct security violations; (b) identify and respond to suspected or known security incidents; (c) mitigate harmful effects of known security incidents; and (d) train all staff members on policies and procedures related to PHI. (Compl. ¶ 196f–h.)
28. As a result of the Data Breach, Plaintiffs allege that they have spent, and will continue to spend, significant time and effort monitoring their accounts to protect
29. Stolen PII/PHI is a valuable commodity that reportedly can be worth up to $1,000.00 depending on the type of information obtained. (Compl. ¶ 172.)
II. PROCEDURAL BACKGROUND
30. Plaintiffs filed this action on 23 December 2025 in Wake County Superior Court, asserting causes of action for (1) negligence; (2) negligence per se; (3) breach of implied contract; (4) invasion of privacy; (5) unjust enrichment; (6) violation of the North Carolina Unfair and Deceptive Trade Practices Act (UDTPA); and (7) declaratory judgment against Bojangles. (See generally Compl.)
31. On 5 February 2026, the case was designated to the Business Court and assigned to the undersigned. (ECF Nos. 1–2.)
32. On 9 March 2026, Bojangles filed the Motion. (ECF No. 11.) Plaintiffs filed their response on 30 March 2026. (ECF No. 15.) Bojangles replied on 9 April 2026. (ECF No. 17.)
III. LEGAL STANDARD
34. As an initial matter, the Court must decide which state‘s law to apply. Both Plaintiffs and Bojangles argue that North Carolina law applies. (Def.‘s Br. 7; Pls.’ Mem. L. Opp‘n Def. Bojangles Restaurants, Inc.‘s Mot. Dismiss [Pls.’ Opp‘n] 6 n.1, ECF No. 15.) Because Plaintiffs allege that “a substantial part of the events and omissions giving rise to this action” occurred in North Carolina, (Compl. ¶ 20), the Court agrees for purposes of the Motion.1
35. “A motion to dismiss under
37. North Carolina is a notice pleading state. See, e.g., Cadieu Tree Experts, Inc. v. Wiedner, 2026 NCBC LEXIS 86, at *10 (N.C. Super. Ct. Apr. 15, 2026) (“North Carolina remains a notice-pleading state, meaning a pleading filed in this state must contain a short and plain statement of the claim sufficiently particular to give the court and the parties notice of the transactions, occurrences intended to be proved showing that the pleader is entitled to relief.” (citation modified)); PJC Mgmt. Grp., LLC v. Maaco Franchisor SPV LLC, 2026 NCBC LEXIS 92, at *8 (N.C. Super. Ct. Apr. 22, 2026) (“North Carolina remains a notice pleading jurisdiction[.]“). With the exception of specific causes of action such as fraud, which requires the pleading to be particular in its facts, notice pleading affords “a sufficiently liberal construction of complaints so that few fail to survive a motion to dismiss.” Jones v. J. Kim Hatcher Ins. Agencies, Inc., 387 N.C. 489, 496 (2025) (citations omitted).
38. Nevertheless, the Court is not required “to accept as true allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” Good Hope Hosp., Inc. v. N.C. HHS, Div. of Facility Servs., 174 N.C. App. 266, 274 (2005) (citation and internal quotation marks omitted); see also PJC Mgmt. Grp., 2026 NCBC LEXIS 92, at *9 (distinguishing causes of action that are pled sufficiently from those that are not and holding that “threadbare allegations are insufficient even under a simple notice-pleading standard“).
IV. ANALYSIS
39. Bojangles requests dismissal of all causes of action alleged against it. The Court addresses each one below.
A. Negligence Per Se
40. Since the Motion was filed, Plaintiffs abandoned their claim for negligence per se, (see Pls.’ Opp‘n 14); accordingly, the Motion with respect to that claim is uncontested. See BCR 7.6.
41. Plaintiffs allege that Bojangles committed negligence per se by “violat[ing] its duty under Section 5 of the FTC[A]” and “its duty under HIPAA[.]” (Compl. ¶¶ 239, 244–45.) This Court previously determined that neither the FTCA nor HIPAA is a public safety law and therefore neither can form the basis of a negligence per se claim. See Weddle v. WakeMed Health, 2023 NCBC LEXIS 162, at *6–7 (N.C. Super. Ct. Dec. 4, 2023) (“The negligence per se claim is untenable because neither the FTC[A] . . . nor the HIPAA regulations are public safety laws. . . . Because Plaintiffs have not alleged a violation of a public safety statute, they have failed to state a claim for negligence per se.“).
42. Accordingly, the negligence per se claim shall be DISMISSED with prejudice.2
B. Negligence
43. Bojangles contends that Plaintiffs’ negligence claim fails for three reasons: (1) Plaintiffs have not pled a legally recognized duty of care; (2) Plaintiffs have not alleged facts to support conclusory allegations of causation; and (3) Plaintiffs have not alleged any actual damages but instead have engaged in speculation about what might occur in the future. (Def.‘s Br. 7–12.)
44. On the latter point, Bojangles highlights the speculative nature of the damages, given that the Data Breach occurred more than two years ago, and only one Plaintiff, Ruiz-Jacobs, has experienced a loss (an $80 charge to his debit card). With respect to that loss, Bojangles contends the complaint is devoid of facts to support causation. (Def.‘s Br. 10–12.)
45. With respect to the increase in spam and scam calls that some Plaintiffs claim to have experienced, Bojangles argues that Plaintiffs have not alleged that telephone numbers were included in the list of PII/PHI involved in the Data Breach. It concludes, therefore, that any increase in spamming or scamming that Plaintiffs experienced could not have been caused by the Data Breach. (Def.‘s Br. 10.)
46. Bojangles further argues that no North Carolina court has ever recognized the time and expense of credit monitoring or the diminished value of PII/PHI as sufficient injuries to support a negligence claim. (Def.‘s Br. 11.) It contends that Plaintiffs’ allegations of emotional harm are also insufficient under North Carolina law. (Def.‘s Br. 12.)
48. Plaintiffs likewise argue that they have sufficiently alleged causation by stating both that “[a]s a direct and traceable result” of Bojangles’ negligence, they have suffered damages, and that Bojangles’ breach of its duty to exercise reasonable care “actually and proximately caused” Plaintiffs damages. (Compl. ¶¶ 232, 234.) The rest, they contend, is a question of fact to be decided by a jury. (Pls.’ Opp‘n 11 n.5.)
49. Specifically referencing Ruiz-Jacobs’ $80 loss, Plaintiffs argue that causation is adequately pled because the loss happened close in time to the Data Breach, and a temporal relationship is enough to plead causation. (Compl. ¶ 102.) In response to Bojangles’ assertion that Ruiz-Jacobs complains only about the theft of his Social Security number and not his debit card number, Plaintiffs point to paragraph 29 of the Complaint, which includes debit card numbers among the types of PII/PHI that were compromised in the Data Breach.
51. Moving to damages, Plaintiffs respond that they have more than satisfied their pleading obligation. In addition to Ruiz-Jacobs’ $80 loss, Plaintiffs point to their allegations that their PII/PHI was posted on the dark web, making it readily accessible to criminals and diminishing its value; that after the incident some of them experienced an increase in spam and scam calls; that they have spent time and money on mitigation efforts to protect their PII/PHI; and that they have suffered emotional injury in the form of fear, anxiety, sleep disruption, stress, and frustration. (Pls.’ Opp‘n 12–14; Compl. ¶¶ 171, 234.)
52. Negligence is defined as the “failure to exercise proper care in the performance of some legal duty which the defendant owed the plaintiff, under the circumstances in which they were placed.” Wood v. Guilford Cnty., 355 N.C. 161, 166 (2002) (citation modified). “To state a common law negligence claim, plaintiff must show (1) a legal duty; (2) a breach thereof; and (3) injury proximately caused by the breach.” Bridges v. Parrish, 366 N.C. 539, 541 (2013) (citation modified).
54. In this case, Plaintiffs adequately allege that Bojangles had a legal duty to protect their data. They allege that it was foreseeable that cybercriminals like Hunters would attempt a data breach and that they would be successful given Bojangles’ inadequate security measures. (Compl. ¶¶ 180–83, 216, 218, 222, 224–25.) They further allege that Bojangles had a duty to notify them of the Data Breach within a reasonable timeframe. (Compl. ¶ 219d.)
55. Courts applying North Carolina law in data breach cases have found that one in possession of another‘s PII/PHI has a duty of care to safeguard and protect that information. See Curry v. Schletter Inc., No. 1:17-cv-0001-MR-DLH, 2018 U.S. Dist. LEXIS 49442, at *9–10 (W.D.N.C. Mar. 26, 2018) (declining to dismiss a negligence claim in an employer-employee data breach case when the plaintiffs alleged that “Defendant had a duty to exercise reasonable care to protect [plaintiffs‘] confidential information“); see also Weddle, 2023 NCBC LEXIS 162, at *8–9 (finding
This Court also concludes that Plaintiffs have adequately alleged a duty on the part of Bojangles to exercise reasonable care to protect their PII/PHI and to inform them of the Data Breach in a reasonable time period after its occurrence.
56. As for causation, Plaintiffs have again satisfied their pleading obligation. They allege that Bojangles’ breach of its duty to them resulted in the Data Breach that harmed them. (Compl. ¶¶ 229, 234.) Plaintiffs further allege that by failing to provide timely notice of the Data Breach, Bojangles exacerbated that harm. (Compl. ¶ 230.) Plaintiffs add that they have or will suffer damages “[a]s a direct and traceable result of [Bojangles‘] negligence[.]” (Compl. ¶ 232.) Nothing more is required at this stage. Demarco v. Charlotte-Mecklenburg Hosp. Auth., 268 N.C. App. 334, 341 (2019) (“Because the complaint adequately recites the element of causation, an issue of fact for the jury to decide, plaintiff has made a sufficient pleading of causation under
57. Lastly, Plaintiffs are required to allege damages in order to plead a claim for negligence. See Comm. to Elect Forest v. Employees PAC, 376 N.C. 558, 596 (2021) (“[T]he proper disposition for failure to allege actual injury or damages is . . . dismissal for failure to state a claim upon which relief can be granted.” (citing Hansley v. Jamesville & W.R. Co., 115 N.C. 602, 613 (1894) (“Neither negligence without damage nor damage without negligence will constitute any cause of action.“))).4
58. In Rodriguez, a case involving technology that collected and transmitted the plaintiff‘s confidential information to a third party without her consent, the plaintiff brought a negligence claim and alleged emotional damages similar to those alleged here. In rejecting the defendant‘s contention that the plaintiff‘s description of her damages as “embarrassment, humiliation, emotional harm, and distress” was insufficient at the pleading stage, this Court held that the plaintiff‘s allegations cleared the “low bar” of notice pleading. Rodriguez, 2025 NCBC LEXIS 33, at *12–13 (citing Royster v. McNamara, 218 N.C. App. 520, 530–33 (2012) (determining allegation that plaintiff “[was] forced to undergo humiliation and emotional damage” were sufficient in connection with a negligence claim)).
Defendant also argues that plaintiff cannot recover general damages for pain and suffering without proof of “severe emotional distress.” This argument confuses the “severe emotional distress” that is an essential element of a claim for negligent or intentional infliction of emotional distress, with the emotional suffering that may be part of a claim seeking damages for general “pain and suffering.” Defendant cites no cases in support of the proposition that the psychological component of damages for “pain and suffering” must meet the same standard as the element of “severe emotional distress” that is part of claims for infliction of emotional distress, and we find none. Accordingly, we reject defendant‘s argument.
Iadanza v. Harper, 169 N.C. App. 776, 780 (2005).
60. Plaintiffs also allege economic damages in the form of diminished value of their PII/PHI, the costs they have incurred and will continue to incur to monitor for fraud and mitigate its effects, and the lost “benefit of the bargain.” (Compl. ¶¶ 71, 171, 234.) Contrary to Bojangles’ argument that these are damages that Plaintiffs might incur in the future and are, therefore, too speculative to state a claim, Plaintiffs allege that these damages currently exist.
61. In Capiau v. Ascendum Mach., Inc., No. 3:24-cv-00142-MOC-SCR, 2024 U.S. Dist. LEXIS 142393 (W.D.N.C. Aug. 8, 2024), the United States District Court for the Western District of North Carolina held that allegations of damages stemming from “([1]) actual mis-use of [plaintiff‘s] PII; (2) an intangible harm fairly analogous to common law invasion of privacy; (3) the substantial risk that Plaintiff‘s PII will
62. In sum, Plaintiffs have adequately alleged that Bojangles breached a duty it owed them and that the breach caused them damage. Accordingly, Bojangles’ Motion with respect to Plaintiffs’ negligence claim shall be DENIED.
C. Breach of Implied Contract
63. Bojangles contends that Plaintiffs have not stated a claim for breach of implied contract because there are no allegations of mutual assent or meeting of the minds and because, as with the negligence claim, Plaintiffs have failed to allege any damages. (Def.‘s Br. 14–16.) Specifically, Bojangles argues that Plaintiffs’ reliance on Bojangles’ privacy policy fails because (a) Bojangles did not promise to be contractually bound to any privacy standards,6 and (b) Plaintiffs do not allege that
64. Plaintiffs respond that implied contracts do not require an express agreement, and whether there was a meeting of the minds is one for the trier of fact. (Pls.’ Opp’n 15.) Plaintiffs further contend that federal courts applying North Carolina law have recognized that the promise to safeguard private information is inherent in any transaction in which one is required to entrust their confidential information, especially when the relationship is that of employer and employee. (Pls.’ Opp’n 16–18.) Finally, Plaintiffs argue that their allegation that Bojangles’ privacy policy imposes a commitment on Bojangles to safeguard its employees’ PII/PHI is sufficient to state a claim. (Pls.’ Opp’n 18–19.)
65. “The elements of a claim for breach of contract are (1) existence of a valid contract and (2) breach of the terms of that contract.” Johnson v. Colonial Life & Accident Ins. Co., 173 N.C. App. 365, 369 (2005) (quoting Poor v. Hill, 138 N.C. App. 19, 26 (2000)). “[A] valid contract requires (1) assent; (2) mutuality of obligation; and (3) definite terms.” Charlotte Motor Speedway, LLC v. Cnty. of Cabarrus, 230 N.C. App. 1, 7 (2013) (citing Schlieper v. Johnson, 195 N.C. App. 257, 265 (2009)).
66. “[A] contract implied in fact arises where the intent of the parties is not expressed, but an agreement in fact, creating an obligation, is implied or presumed from their acts.” Creech v. Melnik, 347 N.C. 520, 526 (1998) (citing Snyder v. Freeman, 300 N.C. 204, 217 (1980)). “An implied contract is as valid and enforceable measures.” Privacy Policy, BOJANGLES, https://www.bojangles.com/privacy-policy/ (last visited June 23, 2026) (emphasis added).
67. The Capiau decision from the Western District of North Carolina and the recent decision in Midkiff v. Shoe Show, Inc., No. 1:24-cv-858, 2026 U.S. Dist. LEXIS 66944 (M.D.N.C. Mar. 30, 2026), both applying North Carolina law, are instructive. Both cases involved plaintiffs who were required to provide their personal confidential information to their employers. Both courts held that in such a scenario, the employer has an implicit obligation to adequately safeguard the information it receives. See Capiau, 2024 U.S. Dist. LEXIS 142393, at *30 (“As a condition of Plaintiff’s employment, Defendant required Plaintiff to provide to Defendant his PII. The requirement that Plaintiff provide Defendant his PII vested in Defendant an implicit obligation to adequately safeguard Plaintiff’s PII.” (citation omitted)); Midkiff, 2026 U.S. Dist. LEXIS 66944, at *40 (“Plaintiffs have alleged an employment relationship between [plaintiff] and Defendant, a condition of which was [plaintiff]’s provision of her PII to Defendant. . . . Such a factual allegation creates the reasonable inference that an implied contract to protect that PII exists.” (citation omitted)).
69. Bojangles’ argument that Plaintiffs have failed to allege damages is also not persuasive. “In a suit for damages for breach of contract, proof of the breach would entitle[] the plaintiff to nominal damages at least.” Bryan Builders Supply v. Midyette, 274 N.C. 264, 271 (1968) (quoting Bowen v. Fid. Bank, 209 N.C. 140, 144 (1936)).
70. Accordingly, Plaintiffs’ claim for breach of implied contract survives. Bojangles’ Motion with respect to this claim shall be DENIED.
D. Invasion of Privacy
71. Bojangles contends that Plaintiffs’ invasion of privacy claim fails because (1) North Carolina does not recognize a cause of action for public disclosure of private
72. Plaintiffs respond that they have sufficiently alleged a claim for intrusion into seclusion. (Pls.’ Opp’n 19.) Citing Toomer v. Garrett, 155 N.C. App. 462 (2002), they contend that the North Carolina Court of Appeals allowed a claim for intrusion into seclusion in a similar factual situation. (Pls.’ Opp’n 20–21.)
73. The Supreme Court of North Carolina has held that “claims for invasions of privacy by publication of true but ‘private’ facts are not cognizable at law in this State.” Hall v. Post, 323 N.C. 259, 265 (1988) (emphasis in original). Accordingly, to the extent Plaintiffs attempt that claim, the Motion shall be GRANTED.
74. However, “[t]he tort of invasion of privacy by intrusion into seclusion has been recognized in North Carolina and is defined as the intentional intrusion ‘physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns . . . [where] the intrusion would be highly offensive to a reasonable person.’ ” Toomer, 155 N.C. App. at 479 (quoting Miller v. Brooks, 123 N.C. App. 20, 26–27 (1996)). “Generally, there must be a physical or sensory intrusion or an unauthorized prying into confidential personal records to support a claim for invasion of privacy by intrusion.” Broughton v. McClatchy Newspapers, Inc., 161 N.C. App. 20, 29 (2003) (citations omitted). “The kinds of intrusions that have been recognized under this tort include ‘physically invading a person’s home or other private place, eavesdropping by wiretapping or microphones, peering through windows, persistent
75. Invasion of privacy by intrusion into seclusion is an intentional tort. See Capiau, 2024 U.S. Dist. LEXIS 142393, at *33 (“Defendant’s intent is . . . an essential element of Plaintiff’s invasion of privacy claim.”). In this case, Plaintiffs allege that Bojangles acted with “a knowing state of mind when it permitted the Data Breach because it knew its information security practices were inadequate” and also when it failed to give Plaintiffs timely notice of the Data Breach. (Compl. ¶¶ 270–71.) Nowhere, however, do Plaintiffs allege that Bojangles intentionally intruded into their affairs. To the contrary, they allege that they willingly provided their PII/PHI to Bojangles. See, e.g., Weddle, 2023 NCBC LEXIS 162, at *10–11 (granting a motion to dismiss on an invasion of privacy claim when plaintiffs alleged “that they voluntarily shared sensitive information with [defendant] and that [defendant] then gave Meta unauthorized access to that information”); Fisher v. Commc’n. Workers of Am., 2008 NCBC LEXIS 19, at *16 (N.C. Super. Ct. Oct. 30, 2008) (finding no claim for invasion of privacy when the defendants properly received the plaintiffs’ Social Security numbers and then posted them on a public bulletin board); Alexander v. City of Greensboro, 762 F. Supp. 2d 764, 816 (M.D.N.C. 2011) (“Because [Defendant] properly received this information, her disclosure of it did not constitute intrusion into seclusion, so Plaintiffs cannot rely upon this disclosure for their invasion of privacy claim.”); Sabrowski v. Albani-Bayeux, Inc., No. 1:02CV00728, 2003 U.S. Dist. LEXIS 23242, at *38 (M.D.N.C. Dec. 19, 2003)
76. In contrast, the court in Toomer allowed a claim for intrusion into seclusion to proceed past the motion to dismiss stage because the plaintiff alleged that the defendant undertook the “unauthorized examination of the contents of one’s personnel file[.]” 155 N.C. App. at 480. Missing here are allegations of that unauthorized examination on Bojangles’ part. See Weddle, 2023 NCBC LEXIS 162, at *11–12 (collecting cases distinguishing Toomer on this point).
77. Because Plaintiffs have not alleged a claim against Bojangles for invasion of privacy based on a theory of intrusion into seclusion, Bojangles’ Motion with respect to this claim shall be GRANTED.
E. Unjust Enrichment
78. Bojangles argues that this claim fails because Plaintiffs received compensation in exchange for their employment and have not pled that they expected Bojangles to provide any other benefit. (Def.’s Br. 19.) Plaintiffs respond that unjust enrichment claims are routinely permitted in data breach cases where the allegations are that the defendant accepted the benefit of the plaintiff’s confidential information but did not implement proper safety measures to protect that information. (Pls.’ Opp’n 21–23.)
79. “[W]here services are rendered and expenditures made by one party to or for the benefit of another, without an express contract to pay, the law will imply a
80. Bojangles relies on Weddle for the proposition that when plaintiffs do not expect to receive a benefit that is specific to the provision of their personal information, an unjust enrichment claim fails. 2023 NCBC LEXIS 162, at *14 (plaintiffs “do not allege that they expected to receive any other compensation or benefit, apart from medical services, in return for their personal information”). In this case, however, Plaintiffs do allege that they expected to receive a benefit. Plaintiffs allege that they reasonably understood that, in exchange for receiving their PII/PHI, Bojangles “would use adequate cybersecurity measures to protect the PII/PHI[.]” (Compl. ¶ 282.) They further allege that Bojangles avoided “its data security obligations at the expense of Plaintiffs . . . by utilizing cheaper, ineffective security measures.” (Compl. ¶ 284.) These allegations are sufficient to survive a motion to dismiss. See, e.g., Capiau, 2024 U.S. Dist. LEXIS 142393, at *35 (unjust enrichment adequately pled where “Defendant allegedly accepted the benefits accompanying Plaintiff’s data without implementing adequate safeguards to protect Plaintiff’s PII”); Midkiff, 2026 U.S. Dist. LEXIS 66944, at *42 (“In the data breach context, courts have held that an unjust enrichment claim can lie even where the
81. Plaintiffs’ allegations are sufficient to plead a claim for unjust enrichment. Accordingly, Bojangles’ Motion with respect to this claim shall be DENIED.
F. Unfair and Deceptive Trade Practices
82. To establish a claim under the UDTPA, a complaint must allege that “(1) defendant committed an unfair or deceptive act or practice, (2) the action in question was in or affecting commerce, and (3) the act proximately caused injury to the plaintiff.” Value Health Sols., Inc. v. Pharm. Rsch. Assocs., Inc., 385 N.C. 250, 277 (2023) (quoting SciGrip, Inc. v. Osae, 373 N.C. 409, 426 (2020)); see also
83. “A practice is unfair when it offends established public policy as well as when the practice is immoral, unethical, oppressive, unscrupulous, or substantially injurious to consumers[.]” Bumpers v. Cmty. Bank of N. Va., 367 N.C. 81, 91 (2013) (quoting Walker v. Fleetwood Homes of N.C., Inc., 362 N.C. 63, 72 (2007)). “A practice is deceptive if it has the capacity or tendency to deceive.” Id. (citation modified) (quoting Walker, 362 N.C. at 72).
84. Alleging that the defendant merely breached a contract is not enough. Birtha v. Stonemor, N.C., LLC, 220 N.C. App. 286, 298 (2012) (“It is well recognized that . . . a mere breach of contract, even if intentional, is not sufficiently unfair or deceptive to sustain an action under [the UDTPA].” (citation modified)). Instead, “a
85. A UDTPA plaintiff also must show that he or she suffered actual harm. Jackson v. Home Depot U.S.A., Inc., 388 N.C. 109, 120 (2025). “[S]peculative allegations of possible harm in the future are simply insufficient to establish the actual injury necessary to support a claim under the UDTPA.” Precision Links Inc. v. USA Prods. Grp., No. 3:08cv576, 2009 U.S. Dist. LEXIS 23926, at *7–8 (W.D.N.C. Mar. 25, 2009) (collecting cases).
86. Bojangles first argues that, to the extent Plaintiffs try to frame their UDTPA allegations as fraudulent omissions, the allegations must meet Rule 9(b)’s particularity requirements. (Def.’s Br. 22–23.) Plaintiffs respond that their allegations are premised on unfair conduct, not fraud, so they do not need to be alleged with particularity. (Pls.’ Opp’n 24.)
87. Bojangles is correct that when a UDTPA claim is premised on fraudulent conduct, Rule 9(b) requires that it be pled with particularity. See Botanisol Holdings II, LLC v. Propheter, 2021 NCBC LEXIS 94, at *24–25 (N.C. Super. Ct. Oct. 18, 2021) (“With respect to the Rule 9(b) standard, because the Chapter 75 claim is premised on deceptive conduct, the heightened pleading standard of Rule 9(b) applies.”); see also Topshelf Mgmt., Inc. v. Campbell-Ewald Co., 117 F. Supp. 3d 722, 731 (M.D.N.C. 2015) (“Rule 9(b) applies to [UDTPA] claims alleging detrimental reliance on false or deceptive representations.”). However, “Rule 9(b) does not apply to [UDTPA] claims
88. In this case, some of the allegations underlying Plaintiffs’ UDTPA claim sound in fraud. For example, Plaintiffs specifically allege that Bojangles violated the UDTPA by “omitting, suppressing, and concealing the material fact that it did not reasonably or adequately secure Plaintiffs’ . . . PII/PHI[.]” (Compl. ¶ 290d.) However, at the hearing on the Motion, Plaintiffs’ counsel conceded that Plaintiffs were not pursuing a claim for deceptive conduct; rather, Plaintiffs’ counsel argued, Plaintiffs’ claim is limited to Bojangles’ alleged unfair conduct. Given this concession, the Court does not analyze the claim as one for deception. That does not end the inquiry, however.
89. A recent decision from the United States District Court for the Western District of North Carolina, applying North Carolina law, held that failure to implement and maintain reasonable data security measures may be unfair conduct that amounts to a violation of the North Carolina UDTPA. The court allowed a claim with similar facts to this one to survive a motion to dismiss. See Capiau, 2024 U.S. Dist. LEXIS 142393, at *37 (“To the extent that Plaintiff’s [UDTPA] claim pertains to Defendant’s allegedly unfair business practices–i.e., Defendant’s failure to implement and maintain adequate cybersecurity measures and to warn Plaintiff of the breach–Defendant’s motion will be denied.”); cf. Midkiff, 2026 U.S. Dist. LEXIS 66944, at *46 (deferring resolution of the UDTPA claim until further discovery because “the factual record is relatively sparse as to Defendant’s practices in
90. In the instant case, Plaintiffs likewise allege that Bojangles failed to “implement and maintain reasonable security and privacy measures[,]” and that it “fail[ed] to comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs’ . . . PII/PHI[.]” (Compl. ¶ 290a, c.) These allegations satisfy the notice pleading standard. Accordingly, the Motion shall be DENIED.8 See Hilco Transp., Inc. v. Atkins, 2016 NCBC LEXIS 5, at *24 n.5 (N.C. Super. Ct. Jan. 15, 2016) (concluding that a UDTPA claim based on unfair practices was sufficiently pled even though “[m]ore-detailed allegations may be required for a [UDTPA] claim to survive dismissal under Rule 12(b)(6) when the claim is predicated on allegations of deceptive conduct.” (citations omitted)).
G. Declaratory Judgment and Injunctive Relief
91. Plaintiffs allege upon information and belief that Bojangles’ security procedures were “and still are” inadequate. (Compl. ¶ 300.) They request that the Court enter a judgment declaring that: (1) Bojangles owed, and continues to owe, a legal duty to use reasonable data security measures to secure data entrusted to it; (2) Bojangles has a duty to notify impacted individuals of the Data Breach; (3) Bojangles breached, and continues to breach, its duties by failing to use reasonable measures to
92. Bojangles responds that there is no actual controversy in this case because Plaintiffs have suffered no loss even though more than two years have passed since the Data Breach. It contends that Plaintiffs’ alleged harms are hypothetical and cannot be the basis for a declaratory judgment. (Def.’s Br. 24.) As for Plaintiffs’ request for injunctive relief, Bojangles contends that their allegations of imminent harm are unwarranted based on the facts. (Def.’s Br. 24.)
93. The Declaratory Judgment Act provides:
Any person interested under a deed, will, written contract or other writings constituting a contract, or whose rights, status or other legal relations are affected by a statute, municipal ordinance, contract or franchise, may have determined any question of construction or validity arising under the instrument, statute, ordinance, contract, or franchise, and obtain a declaration of rights, status, or other legal relations thereunder. A contract may be construed either before or after there has been a breach thereof.
94. Here, Plaintiffs allege that an actual controversy exists because Bojangles maintains possession of their PII/PHI and, they believe, continues to fail to implement appropriate and adequate security measures. (Compl. ¶¶ 71, 101, 300.) These allegations are enough to state a claim for declaratory judgment. See, e.g., In re
95. Accordingly, Bojangles’ Motion with respect to Plaintiffs’ claim for declaratory judgment shall be DENIED.9
V. CONCLUSION
96. WHEREFORE, the Court ORDERS as follows:
- With respect to the First Cause of Action (Negligence), the Third Cause of Action (Breach of Implied Contract), the Fifth Cause of Action (Unjust Enrichment), the Sixth Cause of Action (Violation of North Carolina Unfair and Deceptive Trade Practices Act), and the
- With respect to the Second Cause of Action (Negligence per se) and the Fourth Cause of Action (Invasion of Privacy), the Motion is GRANTED, and those claims are DISMISSED WITH PREJUDICE.
SO ORDERED, this the 29th day of June, 2026.
/s/ Julianna T. Earp
Julianna T. Earp
Special Superior Court Judge for Complex Business Cases
