1:19-cv-01330-MMM-JEH # 41 Page 1 of 34
E-FILED Monday, 20 April, 2020 03:45:49 PM Clerk, U.S. District Court, ILCD
UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF ILLINOIS
PEORIA DIVISION
NOREEN PERDUE, ELIZABETH DAVIS-BERG, DUSTIN MURRAY, MELANIE SAVOIE, CHERYL ELLINGSON, ANGELA TRANG, HARLEY WILLIAMS, MARY WILLIAMS, GORDON GREWING, MELISSA WARD and PATRICIA DAVIS, individually and on behalf of all other similarly situated,
Plaintiffs,
v.
HY-VEE, INC.,
Defendant.
Case No. 19-1330
ORDER AND OPINION
This matter is now before the Court on Defendant Hy-Vee, Inc.’s (“Defendant”) Motion to Dismiss Plaintiffs’ Consolidated Second Amended Class Action Complaint (ECF No. 30). For the reasons stated below, Defendant’s Motion is GRANTED IN PART AND DENIED IN PART.
JURISDICTION
The Court exercises subject matter jurisdiction under 28 U.S.C. § 1332(d)(2)(A), because the matter in controversy exceeds $5 million, exclusive of interest and costs, and is a class action in which some members of the class are citizens of states different than Defendant. The Court also exercises supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367(a).
BACKGROUND
Defendant is a large supermarket chain that also operates gas pumps, restaurants, and coffee shops. [1] Between November 2018 and August 2019, Defendant was exposed to a data breach. On July 29, 2019, Defendant detected the breach and alerted its customers on August 14, 2019. On October 3, 2019, Defendant notified its customers that the breach was carried out by the use of “malware designed to access payment card data from cards used on point-of-sale (‘POS’) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants.” (ECF Nos. 21 at 18; 31-2 at 2). Payment card information of customers who made purchases at the affected POS devices was compromised in the data breach. Defendant posted an online tool for customers to determine which locations were affected and during what timeframe.
Plaintiffs claim they each used one or more payment cards at a compromised POS, and as a result, suffered side effects of the breach. Plaintiff Perdue accessed a gas pump in Galesburg, Illinois, that was impacted by the data breach. She went three weeks without her bank card, which was the only way she could allegedly access her money and pay her bills. Plaintiff Savoie accessed gas pumps in Iowa that were affected by the data breach. She experienced two fraudulent charges for $100.00 and $74.28. She also spent approximately five hours dealing with fraudulent charges on her credit card. Plaintiff Ellingson accessed a restaurant operated by Defendant in Iowa that was affected by the data breach. She was unable to access her bank funds between August 27, 2019, and September 4, 2019, due to her bank cancelling and replacing her debit card. Plaintiff Trang accessed several food retailers and gas pumps operated by Defendant in Minnesota that were affected by the data breach. She experienced $1000.00 in fraudulent charges and spent approximately three hours dealing with those charges, an overdraft fee, and a cancelled card. Plaintiffs Harley and Mary Williams accessed gas pumps in Kansas that were affected by the data breach. They spent approximately three-to-four hours dealing with $700.00 in fraudulent charges on their debit account. They also were unable to access their monies for three weeks. Plaintiff Grewing accessed gas pumps in Missouri that were affected by the data breach. Two fraudulent charges for $7.81 and $25.94 appeared on his debit cards. He also spent time driving to the bank, disputing charges, and cancelling his debit card. Additionally, he purchased a TransUnion Credit Monitoring Plan as a result of the breach. Plaintiff Murray visited restaurants operated by Defendant in Missouri that were affected by the data breach. He spent approximately three hours dealing with the breach after his debit card had been cancelled and replaced. Plaintiff Davis visited a restaurant operated by Defendant in Wisconsin that was affected by the data breach. She had a card cancelled and replaced. Plaintiffs Ward, in Kansas, and Davis-Berg, in Illinois, spent time monitoring their accounts subsequent to the breach.
On October 15, 2019, Plaintiffs filed a Class Action Complaint against Defendant. (ECF No. 1). On November 25, 2019, Plaintiffs filed their First Amended Class Action Complaint against Defendant. (ECF No. 8). On December 30, 2019, Plaintiffs filed a Second Amended Class Action Complaint asserting fifteen claims: negligence (Count I); negligence per se (Count II); breach of implied contract (Count III); breach of contracts to which Plaintiffs and class members were intended third-party beneficiaries (Count IV); ten statutory claims under the laws of Illinois, Iowa, Kansas, Minnesota, Missouri, and Wisconsin (Counts V-XIV); and unjust enrichment (Count XV). (ECF No. 21). On January 31, 2020, Defendant filed a Motion to Dismiss Plaintiffs’ Second Amended Class Action Complaint under Federal Rule of Civil Procedure 12(b)(6). On February 28, 2020, Plaintiffs filed their response. (ECF No. 36). On March 17, 2020, Defendant filed its reply. (ECF No. 40). This Opinion follows.
STANDARD OF REVIEW
Dismissal under Federal Rule of Civil Procedure 12(b)(6) is proper if a complaint fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). To survive a motion to dismiss, a complaint must contain sufficient factual matter, which when accepted as true, states a claim for relief that is plausible on its face. Ashcroft v. Iqbal,
When evaluating a motion to dismiss, courts must accept as true all factual allegations in the complaint. Ashcroft, 556 U.S. at 678. However, the court need not accept as true the complaint’s legal conclusions; “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id. (citing Bell Atlantic Corp.,
Federal Rule of Civil Procedure 8(a)(2) requires only “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). The complaint must give fair notice of what the claim is and the grounds upon which it rests. E.E.O.C. v. Concentra Health Servs., Inc.,
ANALYSIS
I. Plaintiffs’ Negligence and Negligence Per Se Claims
In Count I, Plaintiffs, under each state class, allege negligence against Defendant claiming that Defendant owed a duty to Plaintiffs to maintain confidentiality and exercise reasonable care in safeguarding their personal information, and it breached that duty. Plaintiffs claim Defendant’s conduct created a foreseeable risk of harm, and as a direct and proximate result, they have been injured. In Count II, Plaintiffs, under each state class, allege negligence per se against Defendant claiming that it had a duty to provide adequate computer systems and data security practices to safeguard their personal information. As a result of breaching that duty, Plaintiffs allege they have suffered damages.
Defendant argues that Plaintiffs fail to state a claim for negligence because there is no duty to safeguard personal information under Illinois law. Alternatively, Defendant states that if the Court determines that a duty exists under any of the relevant states’ laws, Plaintiffs’ negligence and negligence per se claims should be barred by the economic-loss doctrine recognized in Illinois, Iowa, Missouri, and Kansas. Defendant also argues that Plaintiffs fail to plead any damages that are compensable under Minnesota or Wisconsin law. Regarding Plaintiffs’ negligence per se claims, Defendant also states that Plaintiffs do not identify any statute or regulation that sets out a standard of conduct specific enough to establish that it is in violation of that statute or regulation. According to Defendant, the one statute that Plaintiffs do reference, Section 5 of the Federal Trade Commission Act (“FTC Act”), does not impose any data security standard. Plaintiffs contend that Defendant is incorrect about Illinois law and that it has ignored the laws of Minnesota, Kansas, Wisconsin, and Missouri, as they relate to a duty to safeguard personal information. Lastly, Plaintiffs argue that Section 5 of the FTC Act was designed to protect consumers from unfair and deceptive trade practices such as failing to protect private consumer information.
A. Choice-of-Law
Before the Court turns to the specific claims, it must consider a preliminary issue: choice-of-law. The Parties do not agree which state law applies to Plaintiffs’ claims. Plaintiffs state that the negligence and negligence per se claims should be governed by the law of the state where the alleged injury occurred, because differences exist among the laws of each state. Defendant argues that there is no conflict of law between the relevant states; therefore, Illinois law should apply.
A federal court sitting in diversity applies the forum state’s choice-of-law rules to determine which state's substantive law applies. See Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496–97 (1941) (“The conflict of laws rules to be applied by the federal court in Delaware must conform to those prevailing in Delaware's state courts.”); Auto–Owners Ins. Co. v. Websolv Computing, Inc.,
Since the Parties disagree whether Illinois or each respective state’s law applies, the Court looks to Illinois choice-of-law rules to determine which law applies. Under Illinois choice-of-law rules, a conflict of law exists only where the application of one state’s law over that of another state will make a difference in the outcome of a case, and where there is no conflict in the relevant state law, a court will apply Illinois law. See Malatesta v. Mitsubishi Aircraft Int'l, Inc., 655 N.E.2d 1093, 1096 (Ill. App. Ct. 1995); Barron v. Ford Motor Co. of Canada,
are appealed to only when a difference in law will make a difference to the outcome.”). Illinois uses the “most significant relationship” approach of the Restatement (Second) of Conflicts of Law. Esser v. McIntyre, 661 N.E.2d 1138, 1141 (Ill. 1996). In applying this test, courts weigh four factors: “(1) where the injury occurred; (2) where the injury-causing conduct occurred; (3) the domicile of the parties; and (4) where the relationship of the parties is centered.” Id. Generally, the law of the place of injury controls unless some other jurisdiction has a more significant relationship with the occurrence and with the parties. Id. Moreover, choice-of-law issues in nationwide class actions are rarely so uncomplicated that one can delineate clear winning and losing arguments at an early stage in the litigation. Mirfasihi v. Fleet Mortg. Corp.,
At this stage, the factors weigh in favor of applying the laws of the non-forum states to the non-forum Plaintiffs. The injuries Plaintiffs allege each occurred in the state in which Plaintiffs used a payment card to make a purchase from Defendant. Defendant could not have predicted that Illinois law would apply to its business with customers in other states. Likewise, it would interfere with interstate order to supplant the laws of the non-forum states with Illinois law. See generally Heath v. Zellmer, 151 N.W.2d 664, 672 (Wis. 1967) (“[F]or a state that is only minimally concerned with a transaction or tort to thrust its law upon the parties would be disruptive of the comity between states.”). Additionally, as Plaintiffs point out, the respective states recognize different standards of the common law claims, even if they are small variations. As seen below, these variations can be outcome determinative. Therefore, the Court will apply the laws of the non-forum states to the non-forum Plaintiffs.
B. Illinois, Missouri, and Kansas
In Cooney v. Chicago Public Schools,
to 1750 former employees to inform them that they were eligible to change their insurance benefit plans. Id. at 27. However, an inadvertent mailing contained the names of all 1750 former employees, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. Id. The former employees sued, alleging, among other things, negligence under Illinois law. Id. The appellate court affirmed the circuit court’s dismissal of the negligence claims, finding that the plaintiffs had not established that the Board of Education owed them a duty to safeguard their personal information. Id. at 28.
The appellate court opined that the Illinois Personal Information Protection Act (“PIPA”), 815 Ill. Comp. Stat. 530/1 et seq., did not create a legal duty to safeguard the plaintiffs’ information. Id. The court held that the plain language of PIPA only requires data collectors that maintain personal information to “notify the owner or licensee of the information of any breach of the security of the data immediately following discovery.” Id. (citing 815 Ill. Comp. Stat. 530/10(b)). The court rejected the plaintiffs’ argument that PIPA must also encompass a duty to protect the information from inadvertent disclosure in the first place. Id. The court explained, “[b]ecause the provisions in the Act are clear, we must assume it reflects legislative intent to limit defendants' duty to providing notice.” Id.
In Cmty. Bank of Trenton v. Schnuck Markets, Inc.,
information. Id. at 816. Noting that the Illinois Supreme Court had not addressed this issue, the Seventh Circuit followed Cooney and held that no common law data security duty applied. Id.
Plaintiffs argue that in 2017, subsequent to the ruling in Cooney, the Illinois legislature amended PIPA to expressly add a duty to safeguard personal information; however, Plaintiffs admit that no court has analyzed that amendment’s effect on the duty analysis in an Illinois negligence claim. In 2018, the Seventh Circuit addressed a similar question and predicted that Illinois would not impose such a duty on retailers like Defendant. Id. Plaintiffs have failed to highlight any Illinois authority contrary to Cooney. PIPA clearly imposes a duty to notify an Illinois resident of any data breach, but it does not explicitly include a duty to safeguard personal information. See 815 Ill. Comp. Stat. 530/10. This Court agrees with the Seventh Circuit’s reading of Cooney and accordingly adopts its conclusion.
Defendant also argues that Plaintiffs fail to identify statutory language that imposes a duty to safeguard personal information upon it. Plaintiffs allege that Defendant violated Section 5 of the FTC Act, and Defendant argues that Section 5 cannot form the basis of a negligence per se claim. Plaintiffs argue that Defendant had a duty to protect their personal financial information under the FTC Act and similar state statutes. The FTC Act prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1) (2006). “Unfair or deceptive acts” are defined as those that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States. Id. § 45(4)(A)(i-ii). Defendant contends that the Seventh Circuit has already affirmed the dismissal of similar claims under Illinois and Missouri law by citing Cmty. Bank of Trenton,
Notwithstanding the above, the Court agrees with Defendant that even if there is an existence of some duty, the Illinois economic loss doctrine bars Plaintiffs’ negligence per se claim. The economic loss doctrine bars a plaintiff from recovering for purely economic losses under a tort theory of negligence. Moorman Mfg. Co. v. Nat'l Tank Co.,
Here, Plaintiffs’ damages are economic losses. Specifically, Illinois Plaintiff Perdue alleges she went weeks without access to her account while awaiting a replacement card, and Illinois Plaintiff Davis-Berg spent time monitoring his account to deal with the side-effects of the data breach. The Seventh Circuit has noted that lost time and an inability to use or access funds due to a data breach are economic losses. Dieffenbach v. Barnes & Noble, Inc.,
Similarly, the elements presented in Cooney are also present in Missouri law. Missouri courts use the same four-factor common law duty test for negligence. See Hoffman v. Union Elec. Co., 176 S.W.3d 706, 708 (Mo. 2005). Missouri also has a data privacy statute whose only consumer-facing mandate is notice. Compare Mo. Ann. Stat. § 407.1500 with 815 Ill. Comp. Stat. 530/10. In addition, the Missouri Attorney General has “exclusive authority” for enforcing Missouri’s data breach notice statute by a civil action. Id. at § 407.1500(4); see Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1055 (E.D. Mo. 2009) (concluding that no such negligence cause of action exists under Missouri law). Additionally, Missouri does not permit “recovery in tort for pure economic damages” without personal injuries or property damage. Autry Morlan Chevrolet Cadillac, Inc. v. RJF Agencies, Inc., 332 S.W.3d 184, 192 (Mo. Ct. App. 2010). Missouri’s economic loss doctrine applies to “losses that are contractual in nature,” Captiva Lake Inv., LLC v. Ameristructure, Inc.,
Missouri Plaintiffs’ negligence per se claim also fails because of the same statutory inferences. Neither Illinois nor Missouri have legislatively imposed liability for personal data breaches, opting instead to limit their statutory intervention to notice requirements. Cooney, 943 N.E.2d at 28–29; Amburgy,
Kansas courts also recognize the economic loss doctrine. Rand Const. Co. v. Dearborn Mid-W. Conveyor Co., 944 F. Supp. 2d 1042, 1062 (D. Kan. 2013). Under the economic loss doctrine, a plaintiff seeking recovery for economic losses cannot proceed under theories sounding in tort. Prof'l Lens Plan, Inc. v. Polaris Leasing Corp.,
C. Minnesota and Wisconsin
Defendant claims that Plaintiffs’ negligence and negligence per se claims under Minnesota and Wisconsin law fail because Plaintiffs do not allege any compensable damages. Whether Plaintiffs have stated a claim for negligence depends on whether they sufficiently pled facts, which if proven true, would establish all four required elements of an actionable negligence claim. Hoida, Inc. v. M & I Midstate Bank, 717 N.W.2d 17, 26 (Wis. 2006). Under both Minnesota and Wisconsin law, a plaintiff must establish: (1) the existence of a duty of care on the part of the defendant; (2) that the defendant breached that duty of care; (3) a causal connection between the defendant's breach of the duty of care and the plaintiff's injury; (4) and that he or she suffered an actual loss or damage that resulted from the breach. Id.; Glorvigen v. Cirrus Design Corp., 796 N.W.2d 541, 549 (Minn. Ct. App. 2011), aff'd,
Foreseeability of harm is an element of the duty of care. Nichols, 746 N.W.2d at 226 (internal citation omitted). As noted above, data breaches are a foreseeable risk of participating in card networks. See Cmty. Bank of Trenton, 887 F.3d at 817. Plaintiffs allege that Defendant breached its duty of care when it failed to maintain the security of its payment system, and that they were injured as a result. Therefore, Plaintiffs satisfy the first, second, and third elements of a negligence claim.
Rule 8 does not create a pleading standard for damages beyond what is necessary to establish standing. Dieffenbach,
D. Iowa
Plaintiffs conceded their Iowa negligence and negligence per se claims; therefore, the Court dismisses the claims as they relate to Plaintiffs Savoie and Ellingson, as well as state classes from Iowa. (ECF No. 36 at 29).
II. Plaintiffs’ Contract and Quasi-Contract Claims
Defendant claims that Plaintiffs’ contract and quasi contract claims are deficient because: (1) Plaintiffs fail to sufficiently plead facts that infer an implied contract existed; (2) Plaintiffs fail to sufficiently plead the existence of any contract to which they were intended third-party beneficiaries; (3) Plaintiffs insufficiently allege that Defendant was unjustly enriched; and (4) Plaintiffs’ unjust enrichment claim cannot stand on its own. The Court addresses each argument in turn.
A. Implied Contract
The Parties agree that there is no conflict of laws related to Plaintiffs’ implied contract claim; accordingly, the Court will apply Illinois law. (ECF No 31 at 24; ECF No. 26 at 28). In Count I, Plaintiffs allege that implied contracts were created when they provided Defendant with their card information, and in exchange, Defendant agreed to provide them with certain services, to take measures to protect their security and confidentiality, and protect their personal information. Plaintiffs claim that the protection of their personal information was a material term of these implied contracts.
An implied contract is created by the parties’ conduct and contains all of the elements of an express contract—offer, acceptance, and consideration—as well as a meeting of the minds. Brody v. Finch Univ. of Health Scis.
a jury could reasonably find an implied contract between the defendant and its customers that defendant would take reasonable measures to protect the customers’ financial information . . . [W]hen a customer uses a credit card in a commercial transaction, [he or] she intends to provide the data to the merchant only . . . and does not expect—and certainly does not intend—the merchant to allow unauthorized third parties to access that data.
In re Michaels, 830 F.Supp.2d at 531 (internal quotation and citation omitted).
The Court finds that the reasoning outlined in Michaels also applies here. Plaintiffs have plausibly alleged the existence of an implied contract obligating Defendant to take reasonable measures to protect their private information and to timely notify them of the data breach. Plaintiffs have also plausibly alleged they would not have entered into transactions with Defendant if they had known it would not protect their information. Therefore, the Court declines to dismiss Count III’s breach of implied contract claim.
B. Breach of Contract/Third Party Beneficiary
The Court will apply Illinois law to Plaintiffs’ breach of contract claim as Plaintiffs have not claimed the existence of an outcome determinative conflict. Int’l Adm'rs, Inc., 753 F.2d at 1376. In Count IV, Plaintiffs allege breach of contracts to which Plaintiffs were intended third-party beneficiaries. These contracts include “various entities . . . (i) contracts between Hy-Vee and its merchant customers . . . (ii) contracts between Hy-Vee and Visa and/or Mastercard . . . [and] (iii) contracts between Hy-Vee and its acquiring banks.” (ECF No 21 at 40). Defendant argues that Plaintiffs have not alleged the necessary facts to put it on notice of what contracts it allegedly breached; rather, the Plaintiffs only vaguely allude to unspecified contracts. Defendant contends that the vague allegations are insufficient to give notice of any breach of contract claim. Furthermore, Defendant claims that Plaintiffs have failed to establish that they were the intended third-party beneficiaries of these unidentified contracts. Plaintiffs argue that they are not required to attach the breached contracts at this stage and that Defendant “knows what agreements Plaintiffs are referring to.” (ECF No. 36 at 31).
To state a claim for breach of contract, a plaintiff must allege: “(1) the existence of a valid and enforceable contract; (2) substantial performance by the plaintiff; (3) a breach by the defendant; and (4) resultant damages.” Reger Dev., LLC v. Nat'l City Bank,
C. Unjust Enrichment
The Court will also apply Illinois law to Plaintiffs’ unjust enrichment claim, as Plaintiffs have not claimed the existence of an outcome determinative conflict. Int’l Adm'rs, Inc., 753 F.2d at 1376. In Count XV, Plaintiffs plead unjust enrichment in the alternative of their implied contract claim. Plaintiffs allege that they conferred a monetary benefit upon Defendant in the form of monies paid for the purchase of goods and that Defendant was supposed to use Plaintiffs’ monies, in part, to pay for the costs of reasonable data privacy and security measures. Defendant claims that these allegations lack merit because Plaintiffs admit they obtained goods in exchange for the financial benefit they conferred on Defendant. Additionally, Defendant contends that no allegations support the idea that there was an understanding between Defendant and Plaintiffs that some portion of their purchase was intended for data security.
Under Illinois law, “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc.,
Plaintiffs have not alleged that any specific portion of their payments went toward data protection; rather, they state that their payments were for food and gas. Additionally, Plaintiffs have not alleged a benefit conferred in exchange for protection of their personal information. The Seventh Circuit has stated that similar arguments are not applicable unless the product plaintiff received was defective or dangerous. See Lewert v. P.F. Chang's China Bistro, Inc.,
III. Plaintiffs’ Statutory Claims
A. Iowa and Kansas Data Breach Notification Statutes
In Count VI, Plaintiffs allege Defendant violated the Iowa Personal Information Security Breach Protection Act, Iowa Code Ann. § 715C.2 (“PISBPA”), by delaying sending notice of the data breach to consumers in a timely fashion. In Count IX, Plaintiffs allege Defendant violated the Kansas Protection of Consumer Information Act, Kan. Stat. Ann. § 50-7a02 (“PCI”), by failing to immediately provide notice of the data breach to consumers.
Defendant claims that neither the Iowa PIBPA nor the Kansas PCI allow for a private right of action and that both statutes are only enforceable by the respective state’s attorney general. Plaintiffs contend that the statutes are ambiguous as to whether they create a private right of action.
In Iowa, a violation of PIBPA entails:
[a]ny person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification . . . to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
Iowa Code Ann. § 715C.2(1). Additionally, it
is an unlawful practice [under the consumer-protection statute] and, in addition to the remedies provided to the attorney general [in the consumer-protection statute], the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by this violation.
§ 715C.2(9)(a). However, the statute further provides that the “rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.” § 715C.2(9)(b). In recent decisions in data breach cases interpreting this statute, other courts have found that the statute is ambiguous with regard to whether it creates a private right of action, and therefore, these courts have not been inclined to dismiss such claims at the motion to dismiss stage. See In re Target Corp.,
In Kansas, a violation of the PCI entails:
[a] person that conducts business in this state, or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Kan. Stat. Ann. § 50-7a02 (a). Additionally,
[f]or violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.
§ 50-7a02 (g). Similarly, courts in recent data breach cases have also found the Kansas PCI to be ambiguous as to whether a private right of action exists. See In re Target Corp., 66 F.Supp.3d at 1169 (pointing out that the Kansas statute states “the enforcement provisions are not exclusive”). The Defendant here has not identified any authority construing the language from this particular data breach statute as precluding a private right of action. “[A]bsent any authority construing this ambiguity to exclude private rights of action, the [Kansas PCI] claims should not be dismissed.” In re Equifax, Inc.,
B. Consumer Fraud and Deceptive Trade Practices
In Count V, Plaintiffs allege a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 Ill. Comp. Stat. Ann. 505/1 et seq. (“Illinois CFA”). In Count VI, Plaintiffs allege a violation of the Illinois Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. 510/1 et seq. (“Illinois DTPA”). In Count VIII, Plaintiffs allege a violation of the Iowa Consumer Fraud Act, Iowa Code Ann. §§ 714H.3, 714H.5 (“Iowa CFA”). In Count X, Plaintiffs allege a violation of the Kansas Consumer Protection Act, Kan. Stat. Ann. § 50-623 et. seq. (“Kansas CPA”). In Count XI, Plaintiffs allege a violation of the Minnesota Prevention of Consumer Fraud Act, Minn. Stat. Ann. §§ 325F.68 et. seq; 8.31 (“Minnesota CFA”). In Count XII, Plaintiffs allege a violation of the Minnesota Uniform Deceptive Trade Practices Act, Minn. Stat. Ann. § 325D.43 et seq. (“Minnesota DTPA”). In Count XIII, Plaintiffs allege a violation of the Missouri Merchandising Practices Act, Mo. Ann. Stat. § 407.020(a) et seq. (“Missouri MPA”). In Count XIV, Plaintiffs allege a violation of the Wisconsin Deceptive Trade Practices Act, Wis. Stat. Ann. § 100.18 et seq. (“Wisconsin DTPA”).
Defendant argues that the respective consumer fraud and deceptive trade practices claims should be dismissed for failure to plead fraud under Federal Rule of Civil Procedure 9(b)’s heightened pleading standard. Alternatively, Defendant argues that if the claims are not dismissed under Rule 9(b), then the claims should be dismissed for the following reasons: (1) the Illinois CFA claim fails for lack of damages, causation, and failure to plead a nexus to Illinois; (2) the Illinois DTPA claim fails for failure to allege a likelihood of future harm; (3) the Iowa CFA claim fails for lack of damages and causation; (4) the Minnesota CFA claim fails to allege a misstatement made in connection with the sale of merchandise; (5) the Minnesota DTPA claim fails to allege a misstatement made in connection with the sale of merchandise or a likelihood of future harm; (6) the Missouri MPA claim fails to allege a misstatement made in connection with the sale of merchandise or damages; and (7) the Wisconsin DTPA claim fails for lack of damages and causation. Plaintiffs contend that their claims are not subjected to the heightened pleading standard under Rule 9(b); rather, they are subject to the liberal notice pleading requirements under Rule 8(a). Plaintiffs also state that they have properly alleged actual damages and ascertainable losses as a result of Defendant’s unfair and deceptive conduct; that the Illinois and Iowa CFAs require only that Plaintiffs’ damages occur as a result of an unfair or deceptive practice; that they have plausibly alleged multiple acts and forbearances that constitute omission under Minnesota and Missouri law in connection with sales made at Defendant’s locations; and Plaintiffs have made numerous allegations of risk of future harm resulting from the breach.
i. Rule 9(b)
Rule 9(b) requires a complaint to “state with particularity the circumstances constituting fraud.” Fed. R. Civ. P. 9(b). This ordinarily requires describing the “who, what, when, where, and how” of the fraud. Pirelli Armstrong Tire Corp. Retiree Med. Benefits Tr. v. Walgreen Co., 631 F.3d 436, 441–42 (7th Cir. 2011). Claims are only subject to these heightened pleading standards if they “sound in fraud,” i.e., they are “premised on a fraudulent course of conduct.” Id. at 446–47 (citation omitted). According to Defendant, Plaintiffs allege claims under many state laws that are subject to these heightened pleading standards, including their claims for deceptive trade practices; however, the Court concludes that Plaintiffs’ unfair and deceptive trade practices claims are not subject to Rule 9(b)'s heightened pleading standards.
As a procedural matter, courts have held that similar complaints alleging fraud and deceptive practices in federal court should be judged under Rule 8(a) and not the particularity requirement for fraud under Rule 9(b). Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs, Inc.,
Here, Defendant has failed to show that the state unfair and deceptive trade practice statutes sound in fraud. It has also failed to demonstrate that the elements of these statutes are similar to the elements of common law fraud, and they have not shown that Plaintiffs’ theory of recovery rests upon a unified course of fraudulent conduct. Defendant’s sole argument is that Plaintiffs have failed to allege the “who, what, when, where, and how” of its conduct. (ECF No. 31 at 35). Even assuming arguendo that the Rule 9(b) standard applies, Plaintiffs have alleged enough facts to establish who (the Defendant), what and how (security was inadequate to protect against a data breach and the information was withheld), when (the data breach occurred between November 2018 and August 2019), and where (respective Plaintiffs’ states). Therefore, the Court concludes that the heightened pleading standards of Rule 9(b) do not apply to the particular state statutes.
ii. Actual Damages
Plaintiffs do not oppose Defendant’s motion to dismiss their claims under the Wisconsin DTPA; therefore, Count XIV is dismissed. (ECF No. 36 at 13).
In Illinois, only a person who suffers actual damage may bring an action under the CFA. 815 Ill. Comp. Stat. 505/10a(a). The plaintiff must allege a purely economic injury, measurable by the plaintiff's loss. Morris v. Harvey Cycle & Camper, Inc.,
The Court has already determined that Plaintiffs have alleged economic injury under Illinois law and suffered economic losses. Additionally, Defendant itself concedes that the alleged damages are considered economic. (ECF No. 31 at 22); see Dieffenbach,
Private actions brought under the Iowa CFA, “require[] plaintiffs to prove an ascertainable loss of money or property caused by the misrepresentation.” Fox,
To state a claim under the Missouri MPA, a plaintiff must allege: (1) the purchase of merchandise; (2) for personal, family, or household purposes; and (3) an ascertainable loss of money or property as a result of an act or practice declared unlawful under the MPA. See Hess v. Chase Manhattan Bank, USA, N.A., 220 S.W.3d 758, 773 (Mo. 2007). The MPA defines merchandise as “objects, wares, goods, commodities, intangibles, real estate or services.” Mo. Ann. Stat. § 407.010(4); Edmonds v. Hough,
Here, Plaintiffs purchased merchandise in the form of food or gas. They also experienced an ascertainable loss of money or property. Specifically, Missouri Plaintiff Grewing purchased merchandise by accessing gas pumps that were affected by the data breach, and as a result, experienced an ascertainable loss of money when two fraudulent charges for $7.81 and $25.94 occurred. He also spent time driving to the bank, disputing charges, and cancelling his debit card. Missouri Plaintiff Murray purchased food at restaurants operated by Defendant that were affected by the data breach, and as a result, lost his property for a time period when his debit card was cancelled and replaced. Therefore, the Court declines to dismiss Count XIII’s Missouri MPA claim on Defendant’s basis that the Missouri Plaintiffs did not allege actual damages.
iii. Causation
The Illinois CFA declares unlawful the “unfair or deceptive acts or practices, including … misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon [it] . . . in the conduct of trade or commerce . . . whether any person has in fact been misled, deceived or damaged thereby.” 815 Ill. Comp. Stat. 505/2. Defendant argues that Plaintiffs must allege that he or she actually saw a communication or advertisement and was deceived by Defendant’s statements. In Cozzi Iron & Metal, Inc. v. U.S. Office Equipment, Inc.,
Here, Plaintiffs allege a deceptive omission of material fact. Courts have held that an omission or concealment of material fact in the conduct of trade can constitute a violation of the Illinois CFA. See Lateef v. Pharmavite LLC, No. 12 C 5611, 2013 WL 1499029, at *3 (N.D. Ill. Apr. 10, 2013) (citing Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 575 n.13 (7th Cir. 2012) (collecting cases)) (“Omissions are also actionable under the [Illinois CFA] if they are intended to induce the plaintiff's reliance.”); see also Haymer v. Countrywide Bank, FSB, 2011 WL 2790172, at *4 (N.D. Ill. July 15, 2011) (finding the plaintiffs’ allegations were sufficient to show reliance under the Illinois CFA when the defendants omitted or concealed a material fact in the loan application process); Capiccioni v. Brennan Naperville, Inc., 791 N.E.2d 553, 558 (Ill. App. Ct. 2003) (“A defendant need not have intended to deceive the plaintiff; innocent misrepresentations or omissions intended to induce the plaintiff's reliance are actionable under [the Illinois CFA]”). Accordingly, the Court finds that Plaintiffs have plausibly alleged causation and a claim under the Illinois CFA, because the allegation that Defendant’s failure to disclose that its system for payment cards was not reasonably secure is a material omission, and if Plaintiffs had known that information, they would not have made the purchases. The Court declines to dismiss Count V’s Illinois CFA claim as it relates to the Illinois Plaintiffs.
Under the Iowa CFA, a plaintiff must have “suffer[ed] an ascertainable loss of money or property as the result of a prohibited practice.” Iowa Code Ann. § 714H.5(1). “[T]he phrase ‘as a result of’ can be ‘naturally read simply to impose the requirement of a causal connection.’ ” Sanders v. Kohler Co.,
[T]he defendant's conduct is a cause in fact of the plaintiff's harm if, but-for the defendant's conduct, that harm would not have occurred. The but-for test also implies a negative. If the plaintiff would have suffered the same harm had the defendant not acted negligently, the defendant's conduct is not a cause in fact of the harm.
Id. (quotations and citations omitted). Moreover, “[c]ausation is ordinarily a jury question.” Id. at 870.
The Court finds that Plaintiffs have alleged enough facts that plausibly establish Defendant’s failure to implement reasonable security measures caused Plaintiffs’ harm, and but for Defendant’s conduct, that harm would not have occurred. Plaintiffs allege they would not have been victims of a data breach had Defendant not acted negligently. At this stage, the Court cannot go into a further inquiry regarding causation as that is ordinarily a question for the jury. Therefore, the Court declines to dismiss Count VII’s Iowa CFA claim as it relates to the Iowa Plaintiffs.
iv. Misstatements
Defendant argues that to state a claim under the Minnesota DTPA, Minnesota CFA, and Missouri MPA, Plaintiffs must allege that Defendant made misstatements in connection with the sale or advertisement of merchandise. Defendant also argues that Plaintiffs’ allegations are defective because it does not sell data security services. Plaintiffs state that Defendant misapprehends the case and that their claims instead arise from Defendant’s omission of its data security failures in its POS systems.
The Minnesota DTPA describes conduct that constitutes deceptive trade practices, including “pass[ing] off goods or services as those of another,” “caus[ing] likelihood of confusion or of misunderstanding as to ... certification of goods or services” and “any other conduct which similarly creates a likelihood of confusion or misunderstanding.” Minn. Stat. Ann. § 325D.44, subdiv. 1(1),(2),(13). The Minnesota CFA prohibits “[t]he act, use, or employment by any person of any fraud, false pretense, false promise, misrepresentation, misleading statement or deceptive practice, with the intent that others rely thereon in connection with the sale of any merchandise....” Minn. Stat. Ann. § 325F.69, subdiv. 1. Furthermore, the Missouri MPA was enacted “to preserve fundamental honesty, fair play, and right dealings in public transactions.” In re Sony Gaming Networks & Customer Data Sec. Breach Litig.,
At this stage, the Court finds that Plaintiffs have sufficiently pled claims under the Minnesota and Missouri statutes. Specifically, Plaintiffs allege that Defendant was on notice of its data security shortcomings and failed to disclose the data breach in a timely manner. These misstatements were all made in connection with sales at Defendant’s various locations. Courts have refused to dismiss these types of claims when similar allegations were made. See In re Target Corp., 66 F.Supp.3d at 1162-63 (denying motion to dismiss claims brought under Minnesota consumer protection statutes in data breach case); see In re Sony,
v. Future Deception or Harm
Defendant argues that Plaintiffs have failed to allege a likelihood of future harm as required under the Illinois DTPA and Minnesota DTPA, because those statutes only permit injunctive relief. Plaintiffs contend that they made allegations of risk of future harm resulting from the breach because their stolen information could be used in the future to perpetrate identity theft, to drain bank accounts, or make clone cards.
The Illinois DTPA “was enacted to prohibit unfair competition and was not intended to be a consumer protection statute.” Chabraja v. Avis Rent A Car Sys., Inc., 549 N.E.2d 872, 876 (Ill. App. Ct. 1989). Nonetheless, a consumer may seek injunctive relief under the DTPA if she can show that she is likely to be damaged in the future by the defendant's misleading trade practices. Popp v. Cash Station, Inc.,
Similarly, the Minnesota DTPA also requires that Plaintiffs allege a likelihood of future harm. See Johnson v. Bobcat Co.,
vi. Nexus to Illinois
Lastly, Defendant argues that Plaintiff Davis-Berg’s Illinois CFA and DTPA claims should be dismissed because while Plaintiff alleges to be a resident of Illinois, she used her credit card to make a gas purchase in Kansas.
To bring a claim under the Illinois CFA or DTPA, a plaintiff must allege “circumstances that relate to the disputed transaction occur primarily and substantially in Illinois.” Int'l Equip. Trading, Ltd. v. Illumina, Inc.,
CONCLUSION
For the reasons stated above, Defendant’s Motion to Dismiss [31] is GRANTED IN PART and DENIED IN PART.
- Count I’s negligence claim and Count II’s negligence per se claim are dismissed as they relate to the Illinois Plaintiffs, the Missouri Plaintiffs, the Kansas Plaintiffs, and the Iowa Plaintiffs;
- Count IV’s breach of contract claim is dismissed without prejudice and the Court grants Plaintiffs leave to file an amended complaint to re-plead this count within twenty-one (21) days, if they can do so in good faith;
- Count XV’s unjust enrichment claim is dismissed;
- Count XIV’s claim under the Wisconsin DTPA is dismissed as it relates to the Wisconsin Plaintiffs;
- Count VI’s claim under the Illinois DTPA is dismissed as it relates to the Illinois Plaintiffs;
- Count XII’s claim under the Minnesota DTPA is dismissed as it relates to the Minnesota Plaintiffs; and
- The Court will allow Plaintiffs to replead the Illinois CFA claim on behalf of Davis-Berg.
The Court declines to dismiss all remaining causes of action. The Court will also reach out to the Parties to schedule a status conference in order to address class certification under Fed. R. Civ. P. 23(c)(1).
ENTERED this 20th day of April, 2020.
/s/ Michael M. Mihm
Michael M. Mihm
United States District Judge
Notes
[1] The facts in the Background section are derived from Plaintiffs’ Consolidated Second Amended Class Action Complaint. (ECF No. 21).
