In re Arthur J. Gallagher Data Breach Litigation
Case No. 22-cv-137
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
09/28/22
Judge Mary M. Rowland
MEMORANDUM OPINION AND ORDER
In 2020, insurance brokers Defendants Arthur J. Gallagher (AJG) and Gallagher Bassett Services (GBS) experienced a cybersecurity attack on their internal systems. After receiving notices of the data breach from Defendants, Plaintiffs—former clients and employees—claim injuries under common law, consumer protection statutes, and data notification statutes. Plaintiffs bring putative class actions seeking to represent a nationwide class and state subclasses. Defendants move to dismiss the two complaints in this consolidated case. [2] [4]. For the reasons explained below, this Court grants in part and denies in part Defendants’ motions.
I. Background
This Court accepts as true the following facts from the consolidated amended complaint (CC) and the May complaint (MC).
A. General Allegations
Plaintiffs John Parsons, Adrian Villalobos, Christopher Caswell, Robert Davie, Peter Horning, Julia Kroll, Amanda Marr, Brent McDonald, Jonathan Mitchell, Jason Myers, John Owens, Alan Wellikoff, Chandra Wilson, Arda Yeremian, Tracey Block, and Leslie May claim that Defendants injured them by failing to secure and safeguard their personally identifiable information and/or protected health information. See generally CC; MC. Defendant AJG is a leading insurance brokerage, risk management, and HR & benefits company. CC ¶ 2. AJG‘s global group of companies and partners includes Defendant GBS, a third-party administrator and claims manager. Id. ¶ 3.
Plaintiffs allege that, from June 3 to September 26, 2020, an unknown party accessed certain segments of AJG‘s network, including segments at GBS, during a ransomware event (the Data Breach). Id. ¶ 5. During the Data Breach, the attacker accessed records containing the personal information of more than three million individuals. Id. ¶ 6. On or around September 26, 2020, Defendants detected the ransomware event. Id. ¶ 7. Around June 30, 2021, Defendants began notifying some class members and various states’ Attorneys General of the Data Breach. Id. ¶¶ 8, 9.
Plaintiffs claim the Data Breach resulted from Defendants’ failure to properly secure and safeguard their personally identifiable information (PII), including names, social security numbers, tax ID numbers, driver‘s licenses, passport or other government identification numbers, dates of birth, usernames and passwords, employee ID numbers, financial or credit card information, and/or electronic signatures. Id. ¶ 1. Plaintiffs also claim that Defendants failed to safeguard their protected health information (PHI), such as medical records or account numbers and biometric information. Id. Plaintiffs allege that the Data Breach has resulted in the unencrypted PII and PHI of Plaintiffs and class members ending up for sale on the “dark web as that is the modus operandi of hackers.” Id. ¶ 59. Plaintiffs assert that Defendants should have implemented better measures that prevent and detect ransomware attacks. Id. ¶ 62.
B. Named Plaintiffs’ Experiences
Plaintiff Parsons worked for AJG in Louisiana from January 1996 through April 1999. Id. ¶ 96. Parsons trusted his PII and PHI to AJG, who retained Plaintiff‘s name and social security number in its system during the time of the Data Breach. Id. ¶ 97. Parsons received notice of the Data Breach on July 18, 2021; the notice stated that Parsons’ name and social security number were among the information accessed or acquired during the Data Breach. Id. ¶ 99. As a result, Parsons spent time verifying the legitimacy of the Data Breach notice and self-monitoring his accounts. Id. ¶ 100. Parsons experienced a “substantial increase” in suspicious calls, emails, and text messages which he believes is related to the Data Breach. Id. ¶ 106.
Plaintiff Villalobos worked for Prolacta Bioscience in California from September 2015 to August 2019. Id. ¶ 108. In connection with his employment, Villalobos entrusted his PHI and/or PII to Defendants, “possibly through a third-party that provided human resources services to Prolacta.”
Plaintiff Caswell worked for Saddle Creek Logistics Services from 2016 to December 2020. Id. ¶ 119. In connection with that employment and a workers compensation claim, Caswell entrusted his PII and/or PHI to Defendants. Id. ¶ 120. Caswell‘s notice of the Data Breach stated that his “personal information” was among the information accessed or acquired during the Data Breach. Id. ¶ 122.
Plaintiff Davie worked for Whirlpool Corporation in California from August 1998 to October 2008 and entrusted his PII and/or PHI to GBS as the third-party administrator for Whirlpool‘s workers compensation claims. Id. ¶¶ 130–31. The notice Davie received stated that his name, social security number, medical record number, medical diagnosis, medical treatment information, health insurance information, and medical claim information were accessed or acquired during the Data Breach. Id. ¶ 133. Davie also received a letter from Whirlpool stating that some of his employee information had been impacted during a ransomware attack affecting GBS. Id. Davie claims that, as a result of the Data Breach, he experienced an increase in suspicious phone calls and emails and purchased “Robokiller” for $4.99 per month from approximately July through September 2021 to address this problem. Id. ¶ 134. Davie also experienced a decline in his credit score that he believes is, at least in part, due to a “hard inquiry” by ADT on his credit report; because Davie has not used ADT‘s services, he believes this unauthorized inquiry is related to the Data Breach. Id. ¶ 135.
From 2001 to 2003 and 2014 to 2019, Plaintiff Horning worked for the Pinellas County Sheriff‘s Office in Florida; from 2003 to 2014, Plaintiff worked for the Gulf Port Police Department, also in Florida. Id. ¶ 143. In connection with his employments, Horning entrusted his PII and PHI to Defendants, “possibly through Defendant‘s provision of workers’ compensation insurance to either the Pinellas County Sheriff‘s Office or the Gulf Port Police Department or both.” Id. ¶ 144. Horning received notice of the Data Breach around September 14, 2021, which stated that his name, medical diagnosis, and medical claim information was accessed or acquired. Id. ¶ 146. Horning has experienced a “substantial increase” in suspicious calls, emails, and text messages and believes these events are related to the Data Breach. Id. ¶ 153.
Plaintiff Kroll worked for the Glenbard School District in Illinois from August to November 2018 and entrusted her PII and/or PHI to Defendants, likely through the Suburban School Cooperative Insurance Pool. Id. ¶¶ 155–56. The notice Kroll received about the Data Breach stated that her name and medical claim information was accessed or acquired. Id. ¶ 158. Since the Data Breach, Kroll has experienced fraudulent charges on her credit card and an increase in suspicious calls and emails. Id. ¶ 159. The fraudulent charge made Kroll unable to purchase furniture. Id. Even now, Kroll experiences difficulties when she uses her credit card to make larger purchases. Id.
Plaintiff Marr worked for Omni Hotels and Resorts in California from 2013 to 2019, and in connection with that employment, entrusted her PII and/or PHI to Defendants. Id. ¶ 168. Marr received notice of the Data Breach around July 21, 2021, and the notice informed her that her name, social security number, medical diagnosis,
Plaintiff McDonald worked for Labor Finders in California from September 2018 through January 2019 and entrusted his PII and PHI to Defendants, possibly through Defendants’ provision of workers’ compensation insurance to Labor Finders. Id. ¶¶ 180–81. A July 21, 2021 notice informed McDonald that the Data Breach compromised his name, social security number, medical diagnosis, medical treatment information, and medical claim information. Id. ¶ 183. Since the Data Breach, McDonald experienced fraud and identity theft, which has led to him being charged late fees by his bank, utility companies, and his landlord, id. ¶¶ 191–92.
Plaintiff Mitchell worked for Circle Home, Inc. in Massachusetts from May 2012 to present. Id. ¶ 198. Mitchell entrusted his PII and PHI to Defendants, possibly through their provision of workers’ compensation insurance to Plaintiff‘s employer. Id. ¶ 200. He also received notice that his name and social security number were compromised during the Data Breach, and claims to have experienced a “substantial increase” in spam calls, emails, and texts which he believes is related to the Data Breach. Id. ¶¶ 202, 209.
Plaintiff Owens worked for the Montgomery County Fire and Rescue in Maryland from 1986–2014. Id. ¶ 211. Owens submitted multiple workers compensation claims from 2001 through 2011, and as part of that insurance process, entrusted his PII and/or PHI to Defendants. Id. ¶ 212. The Data Breach notice to Owens stated that his name and medical information were accessed or acquired. Id. ¶ 214. As a result of experiencing an increase in spam phone calls and emails after the Data Breach, Owens purchased and installed a spam phone system that cost $100.00. Id. ¶ 220.
Plaintiff Welikoff, a Maryland citizen, is “unaware of how Defendants came into possession of his PII.” Id. ¶¶ 38, 223. Welikoff received a notice of the Data Breach in August 2021, stating that his name and medical information were among the information accessed or acquired. Id. ¶ 224. Since then, Welikoff has received text messages and password reset notifications from several of his accounts, indicating that unknown third parties have been attempting to access his accounts; an authorized third party also tried to access his bank accounts. Id. ¶ 225. Welikoff also received a notification from McAfee that his Comcast email address “was found on the dark web.” Id. ¶ 226.
Plaintiff Wilson worked for United Airlines in Colorado from 1997 to 2006, and again from June 2012 to present. Id. ¶ 235. Wilson entrusted her PII and/or PHI to Defendants, possibly in connection with one or more workers’ compensation claims. Id. ¶ 236. The notice to Wilson stated that her name, social security number, medical diagnosis, medical treatment information, health insurance information, and medical claim information were among the information accessed or acquired during the Data Breach. Id. ¶ 238. Since the Data Breach, Wilson has suffered from identity theft. Id. ¶ 239. In February and March 2021, she discovered that someone had opened five utility accounts in her name using her social security number and date of birth in Texas at three different utility
Plaintiff Yeremian worked for AJG in California from 2014 to 2017 and then again in 2020 for a couple of months. Id. ¶ 248. Yeremian received notice around August 10, 2021 that her name, social security number, and employee identification number were among the information accessed or acquired during the Data Breach. Id. ¶ 251. Yeremian claims that, as a result of the Data Breach, she has experienced increased spam calls, a decrease in her credit score, and other actual damages. Id. ¶¶ 254–55, 259.
While employed as a flight attendant for Miami Air International in January 2017, Plaintiff Bock was injured while on the premises of a local hotel on a layover in North Dakota. Id. ¶ 263. In connection with her employment, Bock entrusted her PII and/or PHI to GBS as the third-party administrator to process her workers’ compensation claims. Id. ¶ 264. The notice letter to Bock informed her that her name, medical diagnosis, and medical claim information were compromised during the Data Breach. Id. ¶ 266. Among other inconveniences, Bock had to replace her debit card twice as a result of the Data Breach. Id. ¶ 267.
Plaintiff May, a California resident, claims that in July 2021, she learned that her PII and PHI were accessed, viewed, and/or acquired by unauthorized individuals through the Data Breach. MC ¶ 9. May provided her PII to Defendants in the course of purchasing “insurance products of services” from them. Id. ¶ 100.
C. Class Allegations
In the consolidated action, the consolidated Plaintiffs bring their claims on behalf of a nationwide class defined as:
All United States residents whose PII and/or PHI was accessed or acquired during the ransomware event that is the subject of the Notice of Data Breach that Defendants sent to Plaintiffs and other Class Members on or around August 17, 2021 (the “Nationwide Class”).
CC ¶ 276. In the alternative, the consolidated Plaintiffs seek to represent themselves and nine subclasses (California, Colorado, Florida, Georgia, Illinois, Louisiana, Maryland, New Hampshire, and West Virginia). Id. ¶¶ 277–85. Plaintiff May seeks to represent a class of California residents. MC ¶ 66.
The consolidated amended complaint brings claims for: negligence (Count I); breach of implied contract (Count II); unjust enrichment (Count III); violation of California‘s Consumer Privacy Act (CCPA) (Count IV); violation of California‘s Consumers Legal Remedies Act (CLRA) (Count V); violation of California‘s Customer Records Act (CCRA) (Count VI); violation of California‘s Confidentiality of Medical Information Act (CMIA) (Count VII); violation of California‘s Unfair Competition Law (UCL) (Counts VIII and IX); violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA) (Count X); violation of the Louisiana Database Security Breach Notification Law (Count XI); violations of the Maryland Consumer Protection Act (MCPA) (Count XII); violation of the Maryland Personal Information Protection Act (Count XIII); violation of the New Hampshire Consumer Protection Act (NHCPA) (Count XIV); violation of the New Hampshire Notice of Security Breach statute (Count XV); violation of Colorado‘s Data Security Laws (Count XVI); violation of Colorado‘s Security
The May complaint alleges: violation of the CCPA (Count I); violation of the UCL (Count II); and breach of express contract (Count III). May seeks to represent a class of “[a]ll California residents who Defendants and/or its agents sent a ‘Notice of Data Breach’ letter to informing them their personally identifiable information (PII) was subjected to the Data Breach.” MC ¶ 66.
II. Legal Standard
A motion to dismiss tests the sufficiency of a claim, not the merits of the case. Gociman v. Loyola Univ. of Chi., 41 F.4th 873, 885 (7th Cir. 2022); Gunn v. Cont‘l Cas. Co., 968 F.3d 802, 806 (7th Cir. 2020). To survive a motion to dismiss under
Dismissal for failure to state a claim is proper “when the allegations in a complaint, however true, could not raise a claim of entitlement to relief.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 558 (2007). Deciding the plausibility of the claim is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Bilek v. Fed. Ins. Co., 8 F.4th 581, 586–87 (7th Cir. 2021) (quoting W. Bend Mut. Ins. Co. v. Schumacher, 844 F.3d 670, 676 (7th Cir. 2016)).
III. Analysis
A. Legal Duty
Defendants first argue that Plaintiffs do not plausibly allege breach of an applicable duty of care, warranting dismissal of Counts I–X, XII–XIV, and XVI of the consolidated complaint. [3] at 19. Defendants argue that all of those counts—which allege negligence, breach of implied contract, statutory data privacy laws, and statutory unfair competition—require Plaintiffs to plead that Defendants fell short of some “reasonable” level of security and that Plaintiffs have failed to do so here. Id. at 20. Initially, Defendants improperly presume, without discussing or citing to proper authorities, that these claims require Plaintiffs to plead a “breach of a cognizable duty of care.” See id. As Plaintiffs point out, the duty of care in the negligence context, which depends on principles of foreseeability and likelihood of injury, is quite different than a contractual breach of contract, which arises from contractual promises the parties made to each other. Compare, e.g., Hankins v. Alpha Kappa Alpha Sorority, Inc., 447 F. Supp. 3d 672, 680 (N.D. Ill. 2020) (discussing the factors that courts analyze to determine whether a legal duty exists in the negligence context) with Allscripts Healthcare, LLC v. Etransmedia Tech., Inc., 448 F. Supp. 3d 898, 904 (N.D. Ill. 2019) (“A breach of contract claim requires . . . the existence of a valid and enforceable contractual promise“) (quoting Doe v. Columbia Coll. Chi., 933 F.3d 849, 858 (7th Cir. 2019)). Thus, Defendants’ overbroad arguments regarding “breach of a legal duty,” which are perfunctory and undeveloped, fail to supply a basis for dismissal. Crespo v. Colvin, 824 F.3d 667, 674 (7th Cir. 2016) (quoting United States v. Berkowitz, 927 F.2d 1376, 1384 (7th Cir. 1991)).
Defendants’ reliance on Kuhns v. Scottrade, Inc. is misplaced. In Kuhns, 868 F.3d at 718, the Eighth Circuit affirmed the dismissal of a breach of implied contract claim in a data breach case because the plaintiff asserted, in conclusory terms, that the defendant failed to take reasonable measures to protect the data. 868 F.3d 711, 718 (8th Cir. 2017). The Eighth Circuit reasoned that the court was “left to guess” how Defendant failed to take security measures. Id. Kuhns does not discuss the applicability of a legal duty, as Defendants argue. Moreover, Kuhns is distinguishable to the extent Defendants use it to argue that Plaintiffs have failed to plead sufficient facts regarding the types of reasonable security measures Defendants should have taken. Here, in contrast to Kuhns, Plaintiffs have alleged that: (1) the United States government recommends certain measures that organizations can take to prevent and detect ransomware attacks, including awareness and training programs, spam filters, firewalls, anti-virus and anti-malware programs; and (2) Defendants failed to implement “one or more of the above measures to prevent ransomware attacks.” CC ¶¶ 62, 66. This sufficiently identifies the measures Defendants allegedly fell short of implementing, demonstrating that Plaintiffs have sufficiently alleged a breach for purposes of the negligence claim at this pleading stage.
B. Causation
Defendants argue that fourteen of Plaintiffs’ claims (Counts I, II, V–VI, VIII–V, XVII–XVIII) in the consolidated complaint must be dismissed because Plaintiffs do not plausibly plead that Defendants caused them harm. [3] at 22. As with their “breach of legal duty” argument above, Defendants advocate for a blanket dismissal of these claims, without parsing each legal theory or setting forth the appropriate authorities demonstrating why these claims require dismissal.
In any event, this argument is unpersuasive. Defendants argue that Plaintiffs allege harms that could not have been caused by the Data Breach, pointing to, for example, the fact that twelve Plaintiffs allege an increase in spam calls, emails and texts but none allege that their phone numbers or email addresses were compromised. [3] at 23 (citing CC ¶¶ 99, 106, 133, 134, 146, 153, 158, 159, 170, 173, 183, 196, 202, 209, 214, 220, 224, 227, 238, 240, 251, 254, 266, 273). To be sure, it strains plausibility to assume that Defendants caused increased spam to those Plaintiffs who do not allege that their contact information was accessed via the Data Breach. Nevertheless, Plaintiffs plausibly allege that the Data Breach caused other types of harm. For instance, all of these Plaintiffs allege “lost time,” anxiety, and increased concerns for the loss of the privacy as a result of the Data Breach. CC ¶¶ 100, 104, 112, 116, 123, 127, 136, 140, 147, 151, 164, 177, 184, 188, 203, 207, 215, 219, 228, 232, 241, 245, 260.
C. Damages
Defendants argue that nine of the named Plaintiffs in the consolidated complaint—Caswell, Kroll, Horning, Owens, Mitchell, Myers, Parsons, Villalobos, and Welikoff—fail to allege cognizable damages, warranting dismissal of the following claims: (1) negligence, (2) breach of implied contract, (3) CLRA; (4) UCL; (5) CCRA, (6) ICFA; (7) LDSBNA; (8) MCPA; (9) NHCPA; and (10) New Hampshire Notice of Security Breach statute. [3] at 24.
First, Illinois law requires a plaintiff to plead a “legally cognizable present injury or damage to sustain a negligence claim.” Leslie v. Medline Indus., Inc., No. 20-CV-01654, 2021 WL 4477923, at *7 (N.D. Ill. Sept. 30, 2021) (quoting Yu v. Int’l Bus. Machs. Corp., 732 N.E.2d 1173, 1177 (Ill. App. Ct. 2000)). There can be no dispute that Plaintiffs have alleged present injuries or damages; for instance, all allege experiencing emotional harms such as anxiety and increased concerns for the loss of privacy. See, e.g., CC ¶ 219. These types of non-economic damages are recoverable under Illinois law. See Volling v. Antioch Rescue Squad, 999 F. Supp. 2d 991, 999 (N.D. Ill. 2013); see also Epping v. Commonwealth Edison Co., 734 N.E.2d 916, 920 (Ill. App. Ct. 2000).
To plead a viable breach of implied contract claim under Illinois law, Plaintiffs must allege “actual monetary damage.” Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 WL 3511500, at *7 (N.D. Ill. July 14, 2014); see also Archey v. Osmose Utilities Servs., Inc., No. 20-CV-05247, 2021 WL 3367156, at *2 (N.D. Ill. Aug. 3, 2021). Some Plaintiffs have alleged concrete monetary losses. Plaintiff Kroll alleges the loss of the economic value of purchases she would have made but for the Data Breach. Plaintiff Owens spent $100.00 purchasing a spam blocker due to the alleged increase in spam calls due to the Data Breach. CC ¶ 220. Moreover, all of the Plaintiffs have alleged injury in the form of time lost dealing with the consequences of the Data Breach, including verifying the accuracy of the notices they received and self-monitoring their accounts. See CC ¶¶ 99, 112, 123, 136, 147, 160, 171, 184, 203, 215, 228, 241, 256. Although neither party has pointed to Illinois cases discussing the scope of recoverable “actual monetary damage” in the context of implied contract cases, the Seventh Circuit has remarked in a data breach case that generally “the value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing.” Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (emphasis added). Because all Plaintiffs plead some type of lost time, they have sufficiently pled economic injuries for the purposes of their implied contract claim.
To survive a motion to dismiss an ICFA claim, a plaintiff must allege actual pecuniary loss. Id. at 887 F.3d 826, 829–30; see also Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 739 (7th Cir. 2014) (explaining that a private ICFA plaintiff must allege actual pecuniary loss). Kroll, the named Plaintiff on the ICFA claim, sufficiently alleges economic injury within the meaning of the ICFA. Kroll alleges that she experienced fraudulent
The California Plaintiffs adequately allege damages under the California consumer protection statutes. The California UCL provides that “lost money or property” supports recovery, and California courts hold that “lost money or property” means “economic injury.” Dieffenbach, 887 F.3d at 829 (first quoting
economic loss, as discussed above, the California Plaintiffs have alleged such losses. See id. (holding that even if a CCRA injury required economic injury, like the UCL, the plaintiffs had met their pleading burden).
As for Plaintiff Parsons, his claim under the Louisiana Database Security Breach Notification Law (LDSBNL) requires him to plead “actual damages.” Pinero v. Jackson Hewitt Tax Serv. Inc., 594 F. Supp. 2d 710, 716 (E.D. La. 2009) (quoting
Next, Maryland courts have held that the MCPA requires plaintiffs to have suffered an “objectively identifiable loss,” as “measured by the amount the consumer spent or lost.” Attias v. CareFirst, Inc., 518 F. Supp. 3d 43, 56 (D.D.C. 2021) (quoting Lloyd v. Gen. Motors Corp., 397 Md. 108, 916 A.2d 257, 277 (Md. 2007)); see also Ayres v. Ocwen Loan Servicing, LLC, 129 F. Supp. 3d 249, 270 (D. Md. 2015). Cognizable losses include emotional damages or mental anguish. See Ayres, 129 F. Supp. 3d. at 270 (collecting cases). Both Maryland Plaintiffs, Owens and Welikoff, allege annoyance, interference, inconvenience, anxiety, and increased concerns for
Finally, the New Hampshire Consumer Protection Act (NHCPA) requires “that the Plaintiffs show that the class members were personally harmed in some way by the Defendant‘s unlawful conduct.” Pagan v. Abbott Lab‘ys, Inc., 287 F.R.D. 139, 149 (E.D.N.Y. 2012). Mitchell, the named Plaintiff on the NHCPA claim, claims to have suffered emotional harm and time lost, among other things. CC ¶¶ 203, 207. Defendants have presented no authority suggesting that these harms are not cognizable under the NHCPA, and this Court has found none. Thus, this Court declines to dismiss the NHCPA claim due to failure to plead damages.
D. Data Breach Notification Statutes
Defendants argue that Plaintiffs’ notification statute claims (Counts VI, X, XI, XIII, XV, and XVII of the consolidated complaint) fail to allege cognizable harm which in this context means damages or incremental injury from Defendants’ delay in notifying Plaintiffs of the Data Breach. [3] at 29.
The data breach notification statutes all require companies to notify individuals of data breaches without unreasonable delay. See In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1149 (C.D. Cal. 2021) (observing that the CCRA requires businesses doing business in California to make disclosure of data breaches “in the most expedient time possible and without unreasonable delay“) (quoting
In moving to dismiss these claims, Defendants argue that Plaintiffs have not alleged incremental harm as a result of the delayed notification, as opposed to harm from the Data Breach generally. Not so. Plaintiffs allege that Defendants began notifying some class members of the Data Breach on June 30, 2021, more than nine months after reports began surfacing on the internet about the data breach. CC ¶ 8.
A nine-month delay is sufficient to raise an inference that the delay was “unreasonable.” See, e.g., In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-CV-2284-H-KSC, 2020 WL 2214152, at *14 (S.D. Cal. May 7, 2020) (inferring that a five-month delay in notification was unreasonable). Plaintiffs also allege that the delayed notice prevented them from timely mitigating, preventing,
E. Plaintiffs’ Relationships to Defendants
Defendants contend that Plaintiffs’ “attenuated” relationships with Defendants foreclose their negligence, implied contract, and unjust enrichment claims in Counts I–III of the consolidated complaint. The Court turns to each claim in order below.
1. Negligence
Defendants first argue that Plaintiffs’ negligence claim requires the Court to predict that the law recognizes a “common law data security duty,” and the Seventh Circuit predicted in Community Bank of Trenton v. Schnuck Markets, Inc. that the Illinois Supreme Court “would not impose” a common law data security duty. See [3] at 30 (citing 887 F.3d 803, 816 (7th Cir. 2018)). Schnuck relied on the Illinois appellate court‘s opinion in Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28 (2010), which rejected the notion of a “new common law duty” to safeguard information. Schnuck, 887 F.3d at 816. But the Illinois appellate court decided Cooney before the Illinois legislature‘s amendment of PIPA in 2017; that amendment now requires data collectors to “implement and maintain reasonable security measures to protect” records from “unauthorized access, acquisition, destruction, use, modification, or disclosure.”
2. Breach of Implied Contract
Defendants also move for dismissal of the implied contract claim, arguing that Plaintiffs allege no conduct from which a contract could be implied against Defendants. [3] at 30. In Illinois, the elements of a breach of implied contract claim track those of a breach of express contract claim; a plaintiff must allege: (1) the existence of a valid and enforceable contract; (2) performance by the plaintiff; (3) breach of contract by the defendant; and (4) resultant injury to the plaintiff. Archey v. Osmose Utilities Servs., Inc., No. 20-CV-05247, 2022 WL 3543469, at *2 (N.D. Ill. Aug. 18, 2022) (citing Hess v. Bresney, 784 F.3d 1154, 1158–59 (7th Cir. 2015)). An implied contract arises from a “promissory expression which may be inferred from the facts and circumstances and the expressions [on] the part of the promisor which show an intention to be bound.” Doe v. Fertility Centers of Ill., S.C., No. 21 C 579, 2022 WL 972295, at *4 (N.D. Ill. Mar. 31, 2022) (alteration in original) (quoting Estate of Jesmer v. Rohlev, 609 N.E.2d 816, 820 (Ill. App. Ct. 1993)). Of course, there must also be a “meeting of the minds or mutual assent as to the terms of the contract.” Nw. Mem‘l Healthcare v. Anthem Ins. Companies, Inc., No. 21 C 6306, 2022 WL 1620025, at *2 (N.D. Ill. May 23, 2022) (quoting Dynegy Mktg. & Trade v. Multiut Corp., 648 F.3d 506, 515 (7th Cir. 2011)).
The consolidated complaint reveals that the majority of the Plaintiffs could not have reached a “meeting of the minds” with Defendants. Among the Plaintiffs, only Parsons and Yeremian worked for one of the Defendants. CC ¶¶ 96, 248. The remaining Plaintiffs had no direct dealings with Defendants and were unaware of Defendants’ existence until they received notice from them of the Data Breach. They thus could not have reached any implied understanding with Defendants. See, e.g., Doe, 2022 WL 972295, at *4 (dismissing implied contract claim in a data breach case where the plaintiff was unaware of the company whose data breach allegedly caused disclosure of the plaintiff‘s sensitive medical information).
Defendants also contend that the Plaintiffs with direct employment relationships with Defendants—Parsons and Yeremian—also fail to state viable implied contract claims because they do not allege facts showing mutual assent for the protection of Plaintiffs’ PII and PHI. [3] at 31–32. But courts “that have found an implied contract in the employee-employer data breach context have done so when the plaintiffs were able to point to some document, expression, or action of the employer which indicated an intention to protect the employee‘s personal information.” Archey v. Osmose Utilities Servs., Inc., No. 20-CV-05247, 2022 WL 3543469, at *4 (N.D. Ill. Aug. 18, 2022). And here, Plaintiffs have pled the existence of Defendants’ privacy policy which applied to personal information collected from individuals and represents that Defendant would “restrict access to your personal information to those who require access to such information for legitimate, relevant business purposes.” CC ¶¶ 52–53. This policy supports a finding of an implicit promise to protect employees’ personal information in exchange for their employment. See, e.g., Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 750 (S.D.N.Y. 2017) (“TransPerfect‘s privacy policies and security practices manual—which states that the company ‘maintains robust procedures designed to carefully protect the PII with which it [is] entrusted‘—further supports a finding of an implicit promise” under New York law).
Thus, Parsons and Yeremian remain as Plaintiffs asserting the implied contract claim in Count II. This Court dismisses the remaining Plaintiffs from Count II of the consolidated complaint.
3. Unjust Enrichment
Defendants argue that Plaintiffs’ unjust enrichment claim must be dismissed because they fail to allege that Defendants retained any benefit. [3] at 32–33. This Court agrees. To survive a motion to dismiss an unjust enrichment claim, Plaintiffs must plausibly allege that Defendants unjustly retained a benefit, resulting in a detriment to Plaintiffs. See, e.g., Buschauer v. Columbia Coll. Chi., No. 20 C 3394, 2022 WL 103695, at *3 (N.D. Ill. Jan. 10, 2022) (citing HPI Health Care Servs. v. Mt. Vernon Hosp., 545 N.E.2d 672 (Ill. 1989)), appeal dismissed, No. 22-1216, 2022 WL 3211433 (7th Cir. Apr. 7, 2022); see [17] at 31 (agreeing with Defendants that unjust enrichment requires the defendant’s retention of a benefit).
Plaintiffs have not plausibly alleged Defendants’ retention of a benefit conferred by Plaintiffs. If anything, the consolidated amended complaint suggests that third-party hackers, not Defendants, are the ones who benefitted from the Data Breach. Plaintiffs insist that Defendants retained the “monetary benefit” of Plaintiffs’ “valuable PII and PHI.” CC ¶ 343. Courts have, however, routinely rejected the “proposition that an individual‘s personal identifying information has an independent monetary value.” Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 755 (W.D.N.Y. 2017) (quoting Welborn v. Internal Revenue Serv., 218 F. Supp. 3d 64, 78 (D.D.C. 2016)); see also, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 695 (7th Cir. 2015) (finding no Article III standing from such an “abstract injury” in the “loss of [plaintiffs‘] private information“). For this reason, this Court dismisses Plaintiffs’ unjust enrichment claim in Count III.
F. California Claims
This Court will now address Defendants’ arguments regarding the sufficiency of the claims brought by the various Plaintiffs under California statutes.
1. CCPA Claims
Defendants move to dismiss Count IV of the consolidated complaint arguing that Myers, the lone named Plaintiff, fails to adequately allege a violation of the California Consumer Privacy Act (CCPA). [3] at 33–35. The CCPA provides:
“Any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business‘s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.”
Cal. Civ. Code § 1798.150(a)(1).
This Court agrees that Myers’ CCPA claim is deficient because, as both parties acknowledge, Plaintiffs’ counsel inadvertently omitted allegations regarding Myers’ personal experience with the Data Breach, including his relationship with Defendants and how the Data Breach injured him specifically. See generally CC. Plaintiffs have requested leave to amend to include these allegations, [17] at 33 n.10, and this Court will grant that request. Because Myers will be amending the CCPA claim, this Court declines at this time to address Defendants’ other arguments on that claim. In addition, this Court notes that the consolidated complaint does not name Myers as one of the “California Plaintiffs.” See CC ¶ 277. This Court thus assumes that Myers does not purport to bring the claims asserted on behalf of the California Plaintiffs—Counts VI (CCRA), VII (CMIA), and VIII–IX (UCL).
Defendants also move to dismiss Count I of the May complaint, which alleges a violation of the CCPA. MC ¶¶ 75–86. Specifically, Defendants argue that May fails to allege a specific action Defendants took or failed to take that breached a duty under the CCPA to maintain “reasonable” security measures. [5] at 6. But they cite no authority requiring such specificity at this stage of the proceedings. This Court finds it sufficient that May alleges a Data Breach caused by Defendants’ purported lack of reasonable security measures that allowed third parties to view and steal her personal information. See, e.g., Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, 2021 WL 6882377, at *8 (N.D. Cal. May 6, 2021) (denying motion to dismiss CCPA claim based on allegations that the defendants violated their duty to maintain reasonable security measures by “allow[ing] unauthorized users to view, use, manipulate, exfiltrate, and steal the nonencrypted and nonredacted personal information of Plaintiffs and other customers, including their personal and financial information“).
Defendants also argue that May inadequately alleges that she is a “customer,” and that Defendants constitute “businesses,” under the CCPA. This argument fares no better. The CCPA defines “consumer” broadly as a “natural person who is a California resident,”
2. CCRA Claim
Defendants move for dismissal of the CCRA claim in Count VI, which California Plaintiffs (Villalobos, Davie, Marr, McDonald, and Yeremian) bring on behalf of a putative California subclass. [3] at 39–40; CC ¶ 277, Count VI. Defendants argue that the California Plaintiffs are not “customers,” as defined under the CCRA, and thus lack statutory standing to bring a claim.
The CCRA “regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information.” In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113, 1142 (N.D. Cal. 2018) (quoting Corona v. Sony Pictures Entm‘t, Inc., No. 14-CV-09600-RGK, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015)). The statute limits civil actions to “any customer,” defined as an “individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.”
Based on this definition, the Court agrees with Defendants that two of the California Plaintiffs do not meet the definition of “customer” under the CCRA. Plaintiff Yeremian provided her PII and PHI to Defendants in the course of her employment with AJG, not for the purpose of obtaining a service or a product. CC ¶ 249; see Corona, 2015 WL 3916744, at *7 (holding that former employees of the defendant were not “customers” under the CCRA where they provided their personal data to defendant in the course of their employment). Villalobos, another one of the California Plaintiffs, does not know how his PII and/or PHI became compromised during the Data Breach; he pleads only that
The remaining California Plaintiffs plausibly plead that they constitute “customers” under the CCRA. Davie alleges that he entrusted his PII and/or PHI to GBS “as the third-party administrator” for his employer, Whirlpool‘s, worker compensation claims. CC ¶ 131. Likewise, Marr asserts she provided her PII and/or PHI to one of the Defendants “when she filed a workers’ compensation claim for an on-the-job injury” she sustained while working for her employer. CC ¶ 169. McDonald, too, states that he provided his PII and PHI to one of the Defendants as administrator of his employer‘s workers’ compensation insurance. CC ¶ 181. Taking these allegations as true, Davie, Marr, and McDonald all allege that they provided their personal information for the purpose of “obtaining a service,”
3. CMIA Claim
The CMIA “is intended to protect the confidentiality of individually identifiable medical information obtained from a patient by a health care provider, while at the same time setting forth limited circumstances in which the release of such information to specified entities or individuals is permissible.” Erhart v. BofI Holding, Inc., 269 F. Supp. 3d 1059, 1078 (S.D. Cal. 2017) (quoting Brown v. Mortensen, 253 P.3d 522, 533 (Cal. 2011)). To further that end, the CMIA contains a series of provisions regarding the use and disclosure of medical information by employers. Id. (citing
Defendants raise several arguments in support of dismissal of the CMIA claim. [3] at 40–43. Dispositive here, Defendants point out that they do not qualify as covered entities under the CMIA. Id. at 41. Indeed, for several of the CMIA sections under which the California Plaintiffs seek relief, they must sufficiently allege that Defendants constitute “providers of health care.” Under
Beyond their conclusory allegation that Defendants “were healthcare providers for the purposes of this cause of action,” CC ¶ 389, the consolidated complaint makes clear that the Defendants do not meet the definition of “provider of healthcare.” Under the Civil Code, a “provider of health care” means:
a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.
To be sure, as Plaintiff points out, the CMIA provides that, in addition to traditional medical providers, a “provider of healthcare” includes any “business organized for the purpose of maintaining medical information.” Oddei v. Optum, Inc., No. 2:21-CV-03974-SB-MRW, 2021 WL 6333467, at *2 (C.D. Cal. Dec. 3, 2021) (quoting
The California Plaintiffs also assert that Defendants violated
No person or entity engaged in the business of furnishing administrative services to programs that provide payment for health care services shall knowingly use, disclose, or permit its employees or agents to use or disclose medical information possessed in connection with performing administrative functions for a program, except as reasonably necessary in connection with the administration or maintenance of the program, or as required by law, or with an authorization.
For these reasons, this Court dismisses the CMIA claim in Count VII of the consolidated complaint.
4. UCL Claims
Defendants move for dismissal of the UCL claims in Counts VIII and IX of the consolidated complaint and Count II of the May complaint. Count VIII (brought only on behalf of California Plaintiffs) of the consolidated complaint asserts unlawful
The UCL serves the purpose of preserving “fair competition” and protects consumers from “market distortions.” Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 331 (2011). The UCL prohibits an individual or entity from engaging in any “unlawful, unfair or fraudulent business act or practice.”
Under California’s presumption against extra-territoriality, ordinarily “the statutes of a state have no force beyond its boundaries.” Oman v. Delta Air Lines, Inc., 889 F.3d 1075, 1079 (9th Cir. 2018) (quoting N. Alaska Salmon Co. v. Pillsbury, 162 P. 93, 94 (Cal. 1916)). The key test looks at whether the conduct creating liability occurs in California: if the “conduct that ‘creates liability’ occurs in California, California law properly governs that conduct,” but “if the liability-creating conduct occurs outside of California, California law generally should not govern that conduct” unless the legislature indicates otherwise. Id. (first quoting Sullivan v. Oracle Corp., 254 P.3d 237, 248 (Cal. 2011); then citing Diamond Multimedia Sys., Inc. v. Superior Court, 968 P.2d 539, 554 (Cal. 1999)). The California Supreme Court has instructed that California’s presumption against extraterritoriality applies to the UCL “in full force.” Sullivan, 254 P.3d at 248.
Here, Defendants are Delaware corporations who maintain their principal places of business in Illinois. CC ¶¶ 42, 43. Plaintiffs do not allege that the Defendants’ wrongful conduct—implementing poor security measures—emanated from California. Rather, they suggest that the Data Breach stemmed from a ransomware attack to Defendants’ internal servers—presumably located at their headquarters in Illinois. E.g., CC ¶ 55. The conduct “allegedly creating liability in this case occurred wholly outside of California.” Toretto v. Donnelley Fin. Sols., Inc., No. 1:20-CV-2667-GHW, 2022 WL 348412, at *20 (S.D.N.Y. Feb. 4, 2022) (dismissing UCL claim brought by California resident against non-resident defendants where the alleged wrongdoing occurred outside of California); see also, e.g., Fernandez v. CoreLogic Credco, LLC., No. 320CV1262JMAGS, 2022 WL 891226, at *13 (S.D. Cal. Mar. 25, 2022) (observing that “non-California residents are foreclosed from bringing claims under California‘s consumer protection laws, such as the UCL, ‘where none of the alleged misconduct or injuries occurred in California‘“) (quoting Churchill Vill., L.L.C. v. Gen. Elec. Co., 169 F. Supp. 2d 1119, 1126 (N.D. Cal. 2000), aff‘d sub nom. Churchill Vill., L.L.C. v. Gen. Elec., 361 F.3d 566 (9th Cir. 2004)). This Court dismisses the UCL claims in Counts VIII and IX of the consolidated complaint and Count II of the May complaint.
G. Maryland Personal Information Protection Act
Defendants move to dismiss Count XIII of the consolidated complaint on the basis that the Maryland Personal Information Protection Act (MPIPA) does
H. Colorado Statutes
Like the MPIPA claim, Defendants move to dismiss Counts XVI and XVII of the consolidated complaint, arguing that those counts alleging violations of Colorado statutes do not provide a private right of action. [3] at 49. Again, the Court grants this request. Count XVI purports to plead a violation of
Neither section, however, supplies a private right of action. Instead, Colorado‘s code provides that: “The attorney general may bring an action in law or equity to address violations of this section [Section 6-1-716], section 6-1-713, or section 6-1-713.5, and for other relief that may be appropriate to ensure compliance with this section or to recover direct economic damages resulting from a violation, or both.”
Plaintiffs rely on In re Target Corp. Data Security Breach Litigation, where the district court declined to dismiss a
I. Invasion of Privacy
Defendants move to dismiss Count XVIII of the consolidated complaint, which alleges “invasion” of privacy on behalf of all Plaintiffs. As clarified in their opposition brief, Plaintiffs’ invasion of privacy claim arises from a theory of intentional intrusion upon seclusion. [17] at 48; see also CC ¶ 506 (alleging that the Data Breach “constitutes an intentional interference with Plaintiffs’ . . . interest in solitude or seclusion“). This Court agrees with Defendants that Plaintiffs have failed to adequately plead this claim.
Under Illinois law, a claim of intrusion upon seclusion requires the following elements: (1) an unauthorized intrusion or prying into the plaintiff’s seclusion; (2) an intrusion that is highly offensive or objectionable to a reasonable person; (3) that the matter upon which the intrusion occurs is private; and (4) the intrusion causes anguish and suffering. Angelo v. Moriarty, No. 15 C 8065, 2016 WL 640525, at *4 (N.D. Ill. Feb. 18, 2016) (citing Jacobson v. CBS Broad., Inc., 19 N.E.3d 1165 (Ill. App. Ct. 2014)). Plaintiffs’ claim is deficient because there is no allegation that Defendants obtained Plaintiffs’ PII and PHI through an “unauthorized intrusion.” Instead, the consolidated complaint alleges that Plaintiffs “disclosed their PII and PHI to Defendants as part of their relationships with Defendants.” CC ¶ 505. Plaintiffs’ voluntary disclosure of their PII and PHI, either directly to Defendants or indirectly through their employers, dooms their claim. See, e.g., Bonilla v. Ancestry.com Operations Inc., 574 F. Supp. 3d 582, 597 (N.D. Ill. 2021) (dismissing intrusion claim because there “are no allegations that [the defendant]’s collection of [personal information] was unauthorized”). This Court dismisses Plaintiffs’ invasion of privacy claim in Count XVIII of the consolidated complaint.
J. Breach of Express Contract: May
Defendants move to dismiss Count III of the May complaint, arguing that she fails to allege the existence or breach of any contract, or any resulting damages. Under California law, which the parties agree applies to this claim, May must allege the following four elements: (1) the existence of the contract, (2) May‘s performance or excuse for nonperformance, (3) Defendants’ breach, and (4) resulting damages. Oasis W. Realty, LLC v. Goldman, 250 P.3d 1115, 1121 (Cal. 2011).
Plaintiff‘s breach of contract theory rests on Defendants’ Terms of Use and Privacy Policy which she alleges is the express contract the parties entered into once Plaintiff provided her PII to Defendants “in relation to [her] purchase of insurance products or services” from them. MC ¶ 100. This contract, Plaintiff alleges, includes Defendants’ promises to implement certain measures “to help ensure a level of security appropriate to the risk to the personal information we collect, use, disclosure, and process” and to “restrict access to your personal information to those who require access to such information for legitimate, relevant business purposes.” Id. ¶¶ 39-40.
Defendants argue that May does not plausibly allege an enforceable contract because she does not state when Defendants offered the Terms of Use and Privacy Policy to May, when or how May accepted the contract, or how the parties exchanged consideration. But the law does not require such specificity. This Court finds it sufficient that May alleges that she was offered and accepted the Terms of Use and Privacy Policy upon purchase of Defendants’ services or products. See, e.g., Solara, 2020 WL 2214152, at *5 (denying motion to dismiss breach of express contract claim based on similar allegations that the defendant breached a privacy policy). Moreover, the existence of consideration is self-evident from May’s allegations: Defendants provided a product or service in exchange for May’s payment.
Defendants also unpersuasively argue that May inadequately alleges breach of the contract. They emphasize the complaint‘s allegations that the Terms of Use and Privacy Policy acknowledge that “no security measures are perfect or impenetrable” as representing a warranty of adequate, but not
For these reasons, May’s breach of contract claim in Count III will proceed.
IV. Conclusion
For the reasons explained above, this Court grants in part and denies in part Defendants’ motions to dismiss [2]; [4].
As a result of the Court‘s rulings, the following claims are hereby dismissed from the consolidated amended complaint: the LDSBNL claim in Count XI; the implied contract claim in Count II as to all Plaintiffs but Parsons and Yeremian; the unjust enrichment claim in Count III; Myers’ CCPA claim in Count IV; the CCRA claim in Count VI only as to Yeremian and Villalobos; the CMIA claim in Count VII as to all Plaintiffs; the UCL claims in Counts VIII and IX; the MPIPA claim in Count XIII; the Colorado statutory claims in Counts XVI and XVII; and the invasion of privacy claim in Count XVIII. The Court also notes that Plaintiffs have voluntarily dismissed their CLRA claim in Count V. All other claims remain pending in the consolidated amended complaint. Plaintiffs must file their amended complaint to cure the CCPA claim (Count IV) by October 14, 2022. Defendants are directed to answer by November 4, 2022.
As for May’s complaint, this Court dismisses her UCL claim in Count II; May’s other claims for violations of the CCPA and breach of express contract may proceed. Defendants are directed to answer May’s complaint by October 28, 2022.
All parties are directed to meet and confer and file a joint status report and proposed scheduling order by October 19, 2022. The parties shall propose discovery deadlines and explain why Ms. May has not been made a party to the consolidated complaint.
Dated: September 28, 2022
Entered:
Mary M. Rowland
United States District Judge
