ORDER
Arizona citizen Barbara Irwin purchased prepared food products from the defendants (collectively, “Jimmy John’s”) at one or more Jimmy John’s locations in Arizona. Irwin swiped her debit and credit cards to complete the purchases.
In July 2014, Jimmy John’s learned that it was the victim of a data breach, potentially exposing its customers’ personal and financial information to unauthorized third parties. Irwin’s credit card was used fraudulently at least five times between August 25 and September 2, 2014. Jimmy John’s did not announce the data breach until September 24, 2014. Irwin has filed a nine-count complaint against Jimmy John’s on behalf of herself and as a class representative.
The court has jurisdiction pursuant to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d).
The defendants have filed a motion to dismiss the complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6).
As an initial matter, Jimmy John’s correctly points out that Irwin has not responded to their arguments for dismissal of her claims under the Arizona data breach statute, or for bailment. Counts I and IV are therefore dismissed.
Rule 12(b)(6)
In ruling on a motion to dismiss, a court must accept the plaintiffs well-pled allegations as true and draw reasonable inferences in the plaintiffs favor. Perkins v. Silverstein,
Count II — Illinois Personal Information Protection Act
Count VIII — Illinois Consumer Fraud and Deceptive Business Practices Act
Irwin alleges that Jimmy John’s was required, under the Illinois Personal
Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
815 ILCS 530/10(b). Jimmy John’s is a “data collector” as defined by the statute; it is a retail operator that “handles, collects, disseminates, or otherwise deals with nonpublic personal information. 815 ILCS 530/5. Irwin’s claim is based on her status as an “owner” of her personal information.”
Jimmy John’s argues that the language of PIPA excludes Irwin from coverage. The court agrees. Subsection 10(b), upon which Irwin relies, applies to owners of computerized data that includes personal information. Irwin did not own computerized data of her personal information. Also, PIPA subsection 10(b) requires owners of computerized data to be notified “immediately following discovery.” In contrast, subsection 10(a) applies to Illinois residents; it requires notice to be made expediently “and without unreasonable delay, consistent , with any-measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”
The court is further persuaded by the remainder of subsection 10(b), which distinguishes between owners and Illinois residents.
In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach_ The data collector’s cooperation shall not, however, be deemed to require ... the notification of an Illinois resident who may have been affected by the breach.
815 ILCS 530/10(b).
To construe the statute as Irwin suggests is illogical; it would confer less protection to Illinois residents than nonresidents.
The court is further persuaded by the language in subsection 10(c), which specifies the form of notice to “consumers.” It does not distinguish on the basis of residence or ownership. Irwin is a nonresident consumer; therefore, she has no cause of action under subsection 10(b).
Moreover, the court notes that a violation of PIPA constitutes an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act (“Consumer Fraud Act”). See 815 ILCS 530/20; 815 ILCS 505/2Z. Irwin alleges a separate claim under" the Consumer Fraud Act. However, the Consumer Fraud Act does not apply to conduct that has little connection to the State of Illinois. Crichton v. Golden Rule Ins. Co.,
A nonresident plaintiff may sue under the Consumer Fraud Act only if the circumstances giving rise to the cause of action occurred “primarily and substantially in Illinois.” Crichton,
Counts II and VIII are dismissed.
Count III — Breach of implied contract
Irwin alleges in Count III that she and other members of the class entered into implied contracts with Jimmy John’s by virtue of an agreement that Jimmy John’s would safeguard and protect their personal information and, in the event of a breach, to timely and accurately notify its customers. Jimmy John’s argues that Irwin cannot prevail on her claim under Arizona law because she has not shown the “critical terms” of the agreement, citing Pyeatte v. Pyeatte,
The court is not persuaded by Pyeatte, a divorce case decided thirty-four years ago. Pyeatte declined to find an implied contract because the terms were not sufficiently defined as to location, duration, and other specifics; it was nothing more than a “loosely worded agreement” that the couple would take turns working full time, first while the husband completed a law degree, after which the wife would complete a masters degree. Pyeatte,
More on point is Lovell v. P.F. Chang’s China Bistro, Inc.,
[t]he Court does not doubt that the offer and acceptance of a credit card as pay-ipent of a consumer debt necessarily involves certain implied promises, such as that the card is not fraudulent and that the vendor will utilize the card only for payment of the debt owed. Such promises arise out of the acts of the parties when viewed in light of the surrounding circumstances and the common understanding of the transaction.
Lovell,
Under the circumstances, and under Illinois law, Irwin has stated a claim for breach of implied contract. There was an offer, acceptance, consideration, and a meeting of the minds. See In re Michaels Stores Pin Pad Litigation,
Count V — Negligence
Irwin alleges in Count V that Jimmy John’s had a duty to safeguard her personal information, knew that a data breach would damage millions of its customers, and created a foreseeable risk of harm to her and other class members.
Jimmy John’s argues that Illinois law applies to this claim because Irwin’s allegations focus on data security policies established at Jimmy John’s headquarters in Illinois. Irwin argues that Arizona law applies.
The court need not determine which state’s law applies because the outcome would be the same. An essential element of a negligence claim is the existence of a duty owed to the plaintiff. Gipson v. Kasey,
Irwin fares no better under Illinois law. In In re Target, the court dismissed negligence claims asserted under the laws of certain states, including Illinois, as barred by the economic loss rule. In re Target,
Count V is dismissed.
Count VI — Unjust enrichment
Irwin alleges a three-pronged approach to unjust enrichment: (1) her payment for purchases at Jimmy John’s was supposed to be used, in part, to pay the costs of providing reasonable data security and protection; (2) she did not receive that protection and therefore overpaid for purchases using her debit and credit cards; and (3) Jimmy John’s was unjustly enriched by the overpayment.
The elements of unjust enrichment under Arizona law are: “(1) an enrichment; (2) an impoverishment; (3) a connection between the enrichment and the impoverishment; (4) absence of justification for the enrichment and the impoverishment; and (5) an absence of a remedy provided by law.” City of Sierra Vista v. Cochise Enter., Inc.,
Irwin argues that Jimmy John’s was enriched, and she was impoverished, by her debit and credit card payments, without providing data security and protection, and has retained the amount with
Count VI is dismissed.
Count VII — Arizona Consumer Fraud Act
Irwin alleges a claim under the Arizona Consumer Fraud Act, Ariz.Rev. Stat, § 44-1521 et seq. (“ACFA”). She alleges that Jimmy John’s induced her and other Arizona consumers to rely on Jimmy John’s deception that their financial information was secure and protected when using debit and credit cards. Jimmy John’s argues that Arizona has a data breach statute requiring notification to individuals affected by the breach “in the most expedient manner possible and without unreasonable delay[,]” Ariz.Rev.Stat, § 44-7501(A). Only the attorney general may enforce the provisions of this statute. Ariz.Rev.Stat. § 44-7501(H).
Jimmy John’s argues that, had the Arizona legislature intended to create a private right of action for data breaches, it would have stated so in this statute, as other states — including Illinois — have done. However, Illinois’ data breach statute, PIPA, allows a private right óf action by way of the Consumer Fraud Act. The Arizona data breach statute does not so state, but neither does it limit, a private right- of action through another statute, including the ACFA. In the absence of a private right of action in a data breach statute, “consumers must look to other theories of recovery such as .; ¡ state consumer protection laws [.]” Rachael M. Peters, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L.Rev. 1171, 1185 (2014).
The ACFA states,
The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice.
Ariz.Rev.Stat. Ann. § 44-1522(A).
It is the intent of the legislature, in construing subsection A, that the courts may use as a guide interpretations given by the federal trade commission^
Ariz.Rev.Stat. Ann. § 44-1522(C).
The Federal Trade Commission website contains numerous references to its actions
Rule 12(b)(1)
Count IX — Declaratory judgment
The defendants contend that Irwin lacks standing to pursue her claim for declaratory judgment. Irwin has invoked federal jurisdiction, so she bears to burden of establishing the required elements of standing. Remijas v. Neiman Marcus Group, LLC,
A plaintiff has Article III standing when she has “(1) an ‘injury in fact,’ (2) a sufficient ‘causal connection between the injury and the conduct complained of,’ and (3) a ‘likelihood’ that the injury ‘will be redressed by a favorable decision.’ ” Susan B. Anthony List v. Driehaus, — U.S. -,
Irwin seeks a declaration that (1) the existing security measures at Jimmy John’s do not comply with contractual obligations and duties of care to supply adequate security, and (2) to comply with its contractual obligations and duties of care, Jimmy John’s must implement and maintain certain reasonable security measures, which she has detailed with some specificity in eight subparts.
Jimmy John’s contends that Irwin lacks standing because her claimed injury arises from a data breach that has already occurred. Yet, in her declaratory judgment claim she seeks remedies for future injury due to unspecified weaknesses in Jimmy John’s current security measures.
An injury sufficient to satisfy Article III must be “concrete and particularized” and “actual or imminent, not ‘conjectural’ or ‘hypothetical.’ ” Lujan v. Defenders of Wildlife,504 U.S. 555 , 560,112 S.Ct. 2130 ,119 L.Ed.2d 351 (1992) (some internal question marks omitted). An allegation of future injury may suffice if the threatened injury is “certain pending,” or there is a “‘subs' y ím-;antial risk’ that the harm will occur.” Clapper v. Amnesty Intern., U.S.A., 568 U.S., at —, -, n. 5,133 S.Ct. 1138 , 1147, 1150, n. 5 (emphasis deleted and internal quotation marks omitted).
Susan B. Anthony,
The court agrees that Irwin lacks standing to assert this claim. The injury and the causal connection to the breach occurred in the past, but she seeks a remedy for a possible future injury. She claims that five fraudulent charges were made to the credit card that she used at Jimmy John’s before the announcement of the data breach. As a result, she cancelled her credit card account and received a new card; there is no risk to her if a thief were to attempt to use that information now. She alleges that Jimmy John’s still possesses the personal information and financial data revealed in the data breach, and that Jimmy John’s new data security is
Count IX is dismissed.
CONCLUSION
For the following reasons, the motion to dismiss [22] is granted in part and denied in part. Counts I, II, IV, V, VI, VIII, and IX are dismissed. Jimmy John’s shall file its answer to Counts III and VII within twenty-one (21) days of the date of this order.
Notes
. To simplify this order the court refers to Irwin, without specifically referring to the class. Where appropriate, reference to the class members should be inferred. If Irwin, acting on her own behalf, cannot prevail on a particular claim, she cannot represent a class as to that claim.
. Noting that the defendants are LLCs, the court would normally require the citizenship of the LLCs to be properly alleged. See Belleville Catering Co. v. Champaign Market Place, L.L.C.,