No. 14 C 3809
02-23-2016
MEMORANDUM OPINION AND ORDER
Anne Dolmage ("Plaintiff") brings this putative class action against Combined Insurance Company of America ("Defendant"). (R. 36, Am. Compl.) Presently before the Court is Defendant's motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). (R. 41, Def.'s Mot.) For the reasons stated below, the motion is denied.
RELEVANT FACTS
Plaintiff is a citizen of Missouri and is employed by the department store Dillard's. (R. 36, Am. Compl. ¶ 10.) Defendant is an insurance provider headquartered in Glenview, Illinois. (Id. ¶ 11.) Defendant provides a number of insurance products, including disability, accident, health, and life insurance policies. (Id.) Plaintiff and other Dillard's employees purchased insurance coverage from Defendant through their employer. (Id. ¶ 10.) Plaintiff purchased insurance from Defendant in June 2011, and maintained her coverage until July 2012. (Id. ¶ 10.) The proposed class members are Dillard's employees who purchased insurance policies from Defendant between March 2010 and March 2012, as well as their dependents covered under such policies. (Id. ¶ 41.) In the process of purchasing insurance from Defendant, Plaintiff and the proposed class members provided Defendant with various types of personal information, including their names, addresses, dates of birth, social security numbers, and insurance enrollment and premium information. (Id. ¶ 3.)
Plaintiff alleges that she and other enrollees received from Defendant a document entitled, "Our Privacy Pledge to You" (herein "Privacy Pledge"), along with other materials relating to their policies. (Id. ¶ 49; see also R. 36-1, Privacy Pledge.) The Privacy Pledge describes Defendant's handling of its insureds' personal information, and states that the company "will not disclose personal information about you, or any current or former insured, except as permitted and/or required by law." (R. 36-1, Privacy Pledge.) The Privacy Pledge further states that Defendant "maintain[s] physical, electronic and procedural safeguards that comply with federal regulations to guard your personal information," and that it "restrict[s] access to your personal information to those employees who need to know such information." (Id.) The Privacy Pledge acknowledges that Defendant may sometimes "share your information with a company or business not officially connected to [Defendant] but who may do work on our behalf," but states that "if we do provide your information to any party outside of [Defendant] we will require them to abide by the same privacy standards as indicated here." (Id.)
Defendant hired a third-party company called "Enrolltek" to perform insurance enrollment functions and other tasks relating to Plaintiff's and other class members' applications. (R. 36, Am. Compl. ¶ 12.) Defendant regularly provided Robert Diorio, the principal of Enrolltek, with access to Plaintiff's and the proposed class members' personal information, which was maintained in one or more databases on a server owned and controlled by Defendant. (Id. ¶ 13.) On more than one occasion, Defendant granted Diorio access to this personal information so that he could copy it to an external hard drive. (Id. ¶ 14.) This external hard drive was not secure. (Id.) Plaintiff alleges that for a sixteen-month period, proposed class members' personal information was "posted online, unsecure and unprotected," and was "accessible to anyone with an Internet connection." (Id. ¶ 3.) According to the complaint, "[a]ll one had to do was type in the name of Plaintiff or any other Class member into the Google search engine and their [personal information] . . . would be included in the results." (Id.)
On or about July 8, 2013, Defendant was notified about this data breach by some Dillard's employees who, upon entering their names into the Google search bar, had discovered that their personal information was readily available online. (Id. ¶ 19.) In a letter dated July 26, 2013, Defendant formally notified Plaintiff and other class members that their personal information had been "stored on an Internet server by a third party enrollment system vendor since March 2012 without the proper security measures." (Id. ¶ 22.) Defendant offered the class members credit monitoring services for a one-year period. (Id. ¶ 23; see also R. 36-2, Breach Notification Letter.)
Plaintiff alleges that the data breach "was a direct and foreseeable result of [Defendant's] failure to adopt and maintain industry-standard and regulatory-compliant security measures to safeguard and protect Plaintiff's and Class members' [personal information] from unauthorized access, use, and disclosure." (R. 36, Am. Compl. ¶ 36.) Plaintiff alleges that the breach was caused by Defendant's "failure to ensure that Enrolltek implemented similar security measures" to those employed by Defendant. (Id.) According to the complaint, Defendant knew prior to July 2013 that Enrolltek had posted files containing class members' personal information on its unsecured website, "as Diorio emailed [Defendant] links to the files on the Enrolltek website." (Id. ¶ 80.) And yet, the complaint alleges, Defendant allowed class members' personal information to remain on the website for over a year. (Id. ¶ 80.) Plaintiff alleges that these actions and omissions violated the promises Defendant made in its Privacy Pledge to her and other class members. (Id. ¶ 1.)
The complaint alleges that because of Defendant's actions and omissions, Plaintiff and the proposed class members have suffered economic damages and other injuries, including:
(1) identity theft related losses, including but not limited to fraudulent income tax returns, fraudulent use of credit to open financial and other accounts, and medical fraud; (2) expenses and time to cure and remediate identity theft related losses, including but not limited to filing police reports, defending against claims, credit monitoring and insurance, and constant vigilance in detecting fraudulent account activity; (3) expenses and time reasonably incurred to prevent future identity theft related losses; and (4) loss of a contractual benefit in the form of maintenance of industry-standard and regulatory-mandated privacy and security measures to prevent against unauthorized disclosure of confidential [personal information].
(Id. ¶ 83.) Plaintiff claims that because of the data breach, unknown individuals stole her information and submitted a false income tax return in her name to the Internal Revenue Service, allowing them to obtain her tax refund for 2013. (Id. ¶ 38.) She claims that unknown individuals also incurred fraudulent cell phone charges and medical expenses in her name. (Id. ¶¶ 38-39.) She alleges that she has spent time and money addressing these fraudulent charges and also had her tax refund delayed. (Id.) According to the complaint, at least 30 other Dillard's employees have reported being victims of identity theft following the data breach. (Id. ¶ 40.)
PROCEDURAL HISTORY
On May 22, 2014, Plaintiff filed a ten-count complaint against Defendant alleging claims under the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq., and state law claims of negligence, breach of fiduciary duty, breach of express contract, breach of implied contract, unjust enrichment, invasion of privacy, and violation of the Illinois Insurance Code, 215 ILL. COMP. STAT. 5/1001 et seq. (R. 1, Compl.) Defendant moved to dismiss all counts of the complaint pursuant to Rule 12(b)(6). (R. 20, Def.'s Mot. to Dismiss.) In a memorandum opinion and order issued on January 21, 2015, the Court dismissed all of Plaintiff's claims with prejudice, except for the breach of express contract and breach of fiduciary duty claims. Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *3-10 (N.D. Ill. Jan. 21, 2015). These two claims were dismissed with leave to replead them in an amended complaint after the parties engaged in certain limited discovery. Id. at *10.
On September 25, 2015, Plaintiff filed her amended complaint asserting only the breach of contract claim. (R. 36, Am. Compl. ¶¶ 47-83.) Defendant now moves for dismissal under Rule 12(b)(6), arguing that Plaintiff has again failed to allege a plausible breach of contract claim. (R. 41, Def.'s Mot.) Plaintiff opposes the request for dismissal, (R. 48, Pl.'s Resp.), and Defendant has filed a reply in support of its request, (R. 50, Def.'s Reply).
LEGAL STANDARD
Under federal pleading standards, a complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief." FED. R. CIV. P. 8(a)(2). A Rule 12(b)(6) motion "challenges the viability of a complaint by arguing that it fails to state a claim upon which relief may be granted." Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 736 (7th Cir. 2014). In deciding a Rule 12(b)(6) motion, the Court construes the complaint in the light most favorable to the non-movant, accepts all well-pleaded factual allegations as true, and draws all reasonable inferences in the non-movant's favor. Vesely v. Armslist LLC, 762 F.3d 661, 664-65 (7th Cir. 2014). The Court can consider "allegations set forth in the complaint itself, documents that are attached to the complaint, documents that are central to the complaint and are referred to in it, and information that is properly subject to judicial notice." Williamson v. Curran, 714 F.3d 432, 436 (7th Cir. 2013).
Plaintiff attached the Privacy Pledge and the letter from Defendant notifying her of the data breach to her amended complaint. (R. 36-1, Privacy Pledge; R. 36-2, Breach Notification Letter.) Additionally, Defendant has submitted the insurance policy and related documents that were mailed to Plaintiff, including an additional copy of the Privacy Pledge. (R. 42-1, Insurance Materials at 1-41.) Defendant asserts that Plaintiff produced these documents in discovery. (R. 42, Def.'s Mem. at 2-3.) Plaintiff does not contradict this assertion, nor does she object to the Court's consideration of these documents or question their authenticity. (See R. 48, Pl.'s Resp.) Because these documents are referenced in the amended complaint and are central to Plaintiff's claim, they will be considered in connection with the motion. See Williamson, 714 F.3d at 436.
To survive dismissal, a complaint must "contain sufficient factual matter . . . to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. It is not enough for the plaintiff to allege "[t]hreadbare recitals of the elements of a cause of action, supported by conclusory statements." Id.
By the same token, "the Supreme Court has signaled on several occasions that it has not amended the rules of civil procedure sub silentio to abolish notice pleading and return to the old fact pleading standards that pre-dated the modern civil rules." Alexander v. United States, 721 F.3d 418, 422 (7th Cir. 2013). Thus, a plaintiff is not required to include "detailed factual allegations" to survive a motion to dismiss. Id. Nor is "plausibility" the same as "probability," and it is therefore inappropriate for the Court to "stack up inferences side by side and allow the case to go forward only if the plaintiff's inferences seem more compelling than the opposing inferences." Id. (citation omitted). Instead, "the plausibility requirement demands only that a plaintiff provide sufficient detail to present a story that holds together." Id. (internal quotation marks and citation omitted).
ANALYSIS
This lawsuit now boils down to one claim: that Defendant breached the promises made in its Privacy Pledge in connection with the handling of Plaintiff's personal information, resulting in the theft of this information and attendant damages. (R. 36, Am. Compl. ¶¶ 1-7.) In Plaintiff's view, the Privacy Pledge was part of the insurance policy she and other class members obtained from Defendant. (Id. ¶ 48.) Defendant disagrees that the Privacy Pledge was incorporated into the parties' insurance policy or that it is otherwise enforceable in a breach of contract action. (R. 41, Def.'s Mot. at 2-3.)
Under Illinois law, "[a]n insurance policy is a contract, and its construction is reviewed de novo as a question of law." Barth v. State Farm Fire & Cas. Co., 886 N.E.2d 976, 982 (Ill. 2008). To establish breach of contract, "a plaintiff must show the existence of a valid and enforceable contract, performance of the contract by the plaintiff, breach of the contract by the defendant, and resulting injury to the plaintiff." Carlton at the Lake, Inc. v. Barber, 928 N.E.2d 1266, 1270 (Ill. App. Ct. 2010). The elements of a valid contract consist of "offer and acceptance, consideration, and definite and certain terms." Id. In interpreting an insurance policy, "a court's primary objective is to ascertain and give effect to the intentions of the parties as expressed by the words of the policy." Cent. Ill. Light Co. v. Home Ins. Co., 821 N.E.2d 206, 213 (Ill. 2004). The policy must be "construed as a whole, giving effect to every provision, if possible, because it must be assumed that every provision was intended to serve a purpose." Id. Additionally, "[i]f the words used in the policy are clear and unambiguous, they must be given their plain, ordinary, and popular meaning." Id. Conversely, "if the words used in the policy are reasonably susceptible to more than one meaning, they are ambiguous and will be strictly construed against the drafter." Id.; see also Outboard Marine Corp. v. Liberty Mut. Ins. Co., 607 N.E.2d 1204, 1217 (Ill. 1992) ("Ambiguous terms are construed strictly against the drafter of the [insurance] policy and in favor of coverage.").
The parties agree for purposes of the present motion that Illinois law applies. (See R. 42, Def.'s Mem. at 6 n.3; R. 48, Pl.'s Resp. at 8-11.)
I. Incorporation of the Privacy Pledge
Defendant first argues that Plaintiff "fails to allege sufficient facts supporting her conclusory contention that [Defendant] entered into an agreement with Plaintiff that incorporated [Defendant's] Privacy Pledge." (R. 41, Def.'s Mot. at 2.) It is worth noting again that under federal pleading standards, Plaintiff does not have to include "detailed factual allegations" to survive dismissal. Alexander, 721 F.3d at 422. Because notice pleading standards apply, the question is whether Plaintiff has alleged enough detail to "present a story that holds together." Id. (citation omitted). In the amended complaint, Plaintiff alleges that Defendant "entered into agreements" with Plaintiff and the proposed class members that "incorporated the terms in [Defendant's] Privacy Pledge." (R. 36, Am. Compl. ¶ 48.) She further alleges that she received a copy of the Privacy Pledge from Defendant "with other materials relating to her application for health insurance." (Id. ¶ 49.) These allegations must be accepted as true at this stage. Vesely, 762 F.3d at 664.
Defendant submits the policy and related documents that were sent to Plaintiff with her policy, and argues that these documents "leave no doubt that the Privacy Pledge, as a matter of law, was not part of the insurance contract between Plaintiff and [Defendant]." (R. 42, Def.'s Mem. at 7; see also R. 42-1, Insurance Materials at 1-41.) The documents are not nearly as straightforward as Defendant suggests.
The insurance policy provides in pertinent part: "The policy is a legal contract. It is the entire contract between you and us. . . . Any change to it must be in writing and approved by us. Only our President or one of our Vice-Presidents can give our approval." (R. 42-1, Insurance Materials at 11 (emphasis added).) It would appear that this language was intended as an integration clause, and Plaintiff does not argue otherwise. See Westlake Fin. Grp., Inc. v. CDH-Delnor Health Sys., 25 N.E.3d 1166, 1171 (Ill. App. Ct. 2015) (contract provision stating, "[t]his Agreement is the complete and exclusive agreement between the parties" constituted an integration clause). "[W]here parties formally include an integration clause in their contract, they are explicitly manifesting their intention to protect themselves against misinterpretations which might arise from extrinsic evidence." Air Safety, Inc. v. Teachers Realty Corp., 706 N.E.2d 882, 885 (Ill. 1999).
The matter is complicated, however, because the policy also expressly incorporates by reference certain extraneous documents. Specifically, it defines "policy" as "this policy with any attached application(s), and any riders and endorsements." (R. 42-1, Insurance Materials at 11 (emphasis added).) The policy's table of contents specifies that "[a] copy of the application and any riders and endorsements follow page 17." (Id. at 6.) As the documents have been submitted to the Court, there are several documents following page 17, including the Privacy Pledge. (See id. at 39.) Based on the manner in which the Privacy Pledge was given to her, Plaintiff argues that this document qualifies as an endorsement. (R. 48, Pl.'s Resp. at 12.) Defendant responds that the Privacy Pledge could not possibly constitute an endorsement under the plain meaning of that term. (R. 50, Def.'s Reply at 4-6.)
Defendant criticizes Plaintiff for raising different legal theories during the course of this litigation as to why the Privacy Pledge is enforceable. (See R. 42, Def.'s Mem. at 14 n.6; R. 50, Def.'s Reply at 3-4.) To the extent Plaintiff has done so, her actions were not improper. See Albiero v. City of Kankakee, 122 F.3d 417, 419 (7th Cir. 1997) ("[M]atching facts to a legal theory was an aspect of code pleading interred in 1938 with the adoption of the Rules of Civil Procedure. . . . [A] plaintiff may substitute one legal theory for another without altering the complaint." (internal citation omitted)). It is also worth noting that Plaintiff was given express permission to replead her breach of contract claim, and the limited discovery that occurred may well have led her to include different allegations or theories in the amended complaint.
"[A]n endorsement has been defined as being merely an amendment to an insurance policy; a rider." Alshwaiyat v. Amer. Serv. Ins. Co., 986 N.E.2d 182, 191 (Ill. App. Ct. 2013) (internal quotation marks and citation omitted). A "rider," in turn, is defined as "[a]n attachment to some document, such as . . . an insurance policy, that amends or supplements the document." BLACK'S LAW DICTIONARY (10th ed. 2014). The Court disagrees with Defendant that the Privacy Pledge could not possibly satisfy these definitions. Plaintiff alleges that the Privacy Pledge accompanied the policy that was mailed to her, and this document can be read to supplement the policy by providing additional benefits to insureds regarding the handling of their personal information. The policy does require that endorsements be approved by Defendant's president or one of its vice-presidents, (R. 42-1, Insurance Materials at 11), but the Privacy Pledge states that it was authored by Defendant's "Chairman, President and Chief Executive Officer." (R. 36-1, Privacy Pledge.)
Defendant argues that "an endorsement must be properly attached to the policy so as to indicate that it and the policy are parts of the same contract and must be construed together." (R. 50, Def.'s Reply at 5 (citation omitted).) But again, Plaintiff alleges that the Privacy Pledge was sent to her along with the policy documents, and the Court must accept this allegation as true. (R. 38, Am. Compl. ¶ 49.) The policy itself states that the documents following page 17 are considered part of the policy, which would appear to include the Privacy Pledge. (R. 42-1, Insurance Materials at 6, 39.) Based on Plaintiff's allegations and the language of the policy, her claim that the policy incorporated the Privacy Pledge is not implausible. See W. W. Vincent & Co. v. First Colony Life Ins. Co., 814 N.E.2d 960, 966 (Ill. App. Ct. 2004) (where integration clause included reference to extraneous documents delivered with the contract, plaintiffs were not precluded from stating a claim for breach of contract based upon those extraneous documents).
Defendant could have avoided any ambiguity by clearly labeling the documents sent with the policy that were intended to be incorporated by reference, but it did not do so. (See R. 42-1, Insurance Materials at 22-41.) Or Defendant could have drafted an integration clause that did not reference outside documents, in which case Plaintiff would have been precluded from relying on outside documents to assert a breach of contract claim. See Air Safety, Inc., 706 N.E.2d at 885. But that is not how the policy was drafted, and any ambiguities must be construed against Defendant. See Cent. Ill. Light Co., 821 N.E.2d at 213; Outboard Marine Corp., 607 N.E.2d at 1217. Therefore, the Court rejects Defendant's argument that the contract documents foreclose Plaintiff's claim as a matter of law.
For instance, one of the documents accompanying the policy includes the prominent disclaimer: "THIS IS A PROPOSAL AND IS NOT PART OF THE CONTRACT." (R. 42-1, Insurance Materials at 30.) The Privacy Pledge contains no such disclaimer. (See R. 36-1, Privacy Pledge.)
II. Reliance
Defendant also argues that Plaintiff's claim fails because she "nowhere alleges that she relied on or read the Privacy Pledge, or even was aware that it existed, before she agreed to the insurance contract." (R. 42, Def.'s Mem. at 8.) However, reliance is not one of the elements of a breach of contract claim under Illinois law. See Barber, 928 N.E.2d at 1270. Defendant cites several cases from other jurisdictions in support of its argument, but aside from the fact that these cases are not binding authority and do not interpret Illinois law, the Court finds them distinguishable on the facts. (See R. 42, Def.'s Mem. at 8 (collecting cases).)
In Austin-Spearman v. AARP, ---- F. Supp. 3d ----, 2015 WL 4555098 (D.D.C. July 28, 2015), the plaintiff purchased a membership with AARP, Inc. through the organization's website and subsequently opted to create an online account—which was not a requirement of membership nor limited to members only—during which process she reviewed and agreed to the organization's privacy policy. She claimed that some of her personally identifiable information was obtained by a third-party social network through AARP's website, which caused her "surprise and outrage." Id. at *2-*3, *6. The court concluded that the plaintiff had suffered no actual injury and thus lacked standing under Article III of the U.S. Constitution. Id. at *7. The court commented in dicta that AARP's privacy policy "indisputably applie[d] to members and non-members alike," and that "a promise that is offered freely and equally to all people—without regard to who has provided consideration and who has not—is not a contract." Id. at *8.
This case is weak support for Defendant's argument here, as this Court is not deciding whether Plaintiff suffered an injury for purposes of Article III standing, nor is there anything in the documents to reflect that the Privacy Pledge was "offered freely and equally to all people." To the contrary, it is apparent from the language of the Privacy Pledge that it was directed exclusively to Defendant's insureds. (See R. 36-1, Privacy Pledge.)
The other cases cited by Defendant are also of limited relevance. In Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702 (N.D. Ga. Feb. 5, 2013), the plaintiffs provided their personal data to a merchant, who in turn provided the data to the defendant. The magistrate judge, applying Georgia law, recommended that the plaintiffs not be permitted to pursue a contract claim against the defendant based on an alleged violation of the defendant's privacy policy, given the lack of any relationship between the parties and the lack of support for the plaintiffs' argument that they were intended third-party beneficiaries of the privacy policy. Id. at *20-21. Here, Plaintiff and the proposed class members provided their personal information directly to Defendant, and they are not proceeding on an implied contract or third-party beneficiary claim. Instead, their argument is that they contracted directly with Defendant, and that the Privacy Pledge was part of that contract.
Plaintiff raised an implied contract claim in her original complaint, but this claim was dismissed with prejudice after the Court determined that an express contract—the insurance policy—governed the parties' relationship. Dolmage, 2015 WL 292947, at *7-8; see also Maness v. Santa Fe Park Enters., Inc., 700 N.E.2d 194, 200 (Ill. App. Ct. 1998) ("[A]n implied contract cannot coexist with an express contract on the same subject.").
Defendant also cites Azeltine v. Bank of America, No. CV 10-218-TUC-RCC (HCE), 2010 WL 6511710 (D. Ariz. Dec. 14, 2010), in which the district court applied Arizona law to conclude that a bank's privacy policy was not an enforceable contract. The court in Dyer v. Northwest Airlines Corps., 334 F. Supp. 2d 1196 (D.N.D. 2004), reached a similar conclusion under North Dakota law, holding that an airline's privacy policy posted on its website does not constitute a "contract." These cases are distinguishable, however, because Plaintiff is not attempting to enforce the Privacy Pledge as a stand-alone contract. Rather, her argument is that the Privacy Pledge was part of the parties' insurance agreement. (See R. 48, Pl.'s Resp. at 9-10.) Thus, the Court finds these cases unpersuasive.
Notably, there are other cases from outside jurisdictions permitting claims like Plaintiff's to proceed past the pleading stage. See, e.g., Resnick v. AvMed, Inc., 693 F.3d 1317, 1322-27 (11th Cir. 2012) (members of health care plans adequately alleged breach of contract and other claims against plan operator stemming from identity thefts that occurred after unencrypted laptops containing members' sensitive personal information were stolen from plan operator's corporate office); Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 865 (N.D. Cal. 2011) (account holder adequately stated claim for breach of privacy policy by developer of online services for allegedly storing his personal information on an unsecure server).
III. Timing of Plaintiff's Receipt of the Privacy Pledge
Defendant also argues that the Privacy Pledge could not possibly be part of the insurance policy because "Plaintiff received the Privacy Pledge after the insurance contract had been entered." (R. 41, Def.'s Mot. at 2.) As is explained above, the language of the policy and the manner in which Plaintiff alleges that the Privacy Pledge was conveyed to her plausibly suggests that it was intended to be part of the parties' agreement. Indeed, "[t]ransactions in which the exchange of money precedes the communication of detailed terms are common." ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1451 (7th Cir. 1996). The U.S. Court of Appeals for the Seventh Circuit offered the following illustrations:
Consider the purchase of insurance. The buyer goes to an agent, who explains the essentials (amount of coverage, number of years) and remits the premium to the home office, which sends back a policy. On the district judge's understanding, the terms of the policy are irrelevant because the insured paid before receiving them. Yet the device of payment, often with a "binder" (so that the insurance takes effect immediately even though the home office reserves the right to withdraw coverage later), in advance of the policy, serves buyers' interests by accelerating effectiveness and reducing transactions costs. Or consider the purchase of an airline ticket. The traveler calls the carrier or an agent, is quoted a price, reserves a seat, pays, and gets a ticket, in that order. The ticket contains elaborate terms, which the traveler can reject by canceling the reservation. To use the ticket is to accept the terms . . . .
Id.
In Hill v. Gateway 2000, Inc., 105 F.3d 1147 (7th Cir. 1997), the Seventh Circuit extended this reasoning to a case involving computers purchased over the telephone. The computers arrived with a list of terms that was "said to govern unless the customer return[ed] the computer within 30 days." Id. at 1148. The Seventh Circuit reasoned that because the customer had an opportunity to return the computer after reading the additional terms included with it, those terms were fully enforceable. Id. at 1148-49. This was true even if the customer did not actually read the additional terms. Id. at 1149; see also Kaufman v. Am. Exp. Travel Related Servs. Co., No. 07 C 1707, 2008 WL 687224, at *6 (N.D. Ill. Mar. 7, 2008) ("Courts have held that a consumer accepts terms, read or not, upon using a product . . . where an opportunity to avoid the undesirable terms exists.").
Accepting Plaintiff's allegations as true and affording her all reasonable inferences, the complaint alleges that Plaintiff received the Privacy Pledge at the same time she received her policy and other materials. (R. 35, Am. Compl. ¶ 49.) The documentation reflects that this occurred in June 2011. (R. 42-1, Insurance Materials at 2.) Under the terms of the policy, Plaintiff had an opportunity to review those materials and cancel within 30 days if she wished, in which case Defendant would "treat the policy as if it had never been issued," including refunding any premiums that were paid. (Id. at 5; see also R. 42, Def.'s Mem. at 11.) Plaintiff did not cancel, however, and instead asserts that she retained the policy until July 2012. (R. 35, Am. Compl. ¶ 10.) Her retention of the policy constituted an acceptance of its terms, rendering those terms enforceable. See ProCD, 86 F.3d at 1451; Hill, 105 F.3d at 1148. Therefore, the Court finds Defendant's argument unavailing.
The Court notes that Plaintiff's application for insurance benefits, which is incorporated by reference in the policy and attached thereto, contains an acknowledgement that Plaintiff received various documents in connection with her application, including a "Notice of Information Practices" and an "Accelerated Benefit Disclosure." (R. 42-1, Insurance Materials at 25.) Defendant asserts that Plaintiff applied for benefits by telephone, (see R. 42, Def.'s Mem. at 10), such that it can be reasonably inferred that these documents were actually sent to her at a later date. The "Accelerated Benefit Disclosure" was one of the documents included with the policy materials. (R. 42-1, Insurance Materials at 24.) Although neither party addresses this issue, it seems plausible that the "Notice of Information Practices" was in fact the Privacy Pledge that was sent to Plaintiff at the same time. Although the evidence may ultimately show that they are not the same documents, this ambiguity lends further support to Plaintiff's claim.
IV. Consideration
Defendant also argues that "[t]he Privacy Pledge is a unilateral statement of company policy and cannot stand as consideration." (R. 41, Def.'s Mot. at 2.) "[C]onsideration is the bargained-for exchange of promises or performances, and may consist of a promise, an act or a forbearance." McInerney v. Charter Golf, Inc., 680 N.E.2d 1347, 1350 (Ill. 1997); see also Johnson v. Maki & Assocs., Inc., 682 N.E.2d 1196, 1199 (Ill. App. Ct. 1997) ("Consideration for a contract consists either of some right, interest, profit, or benefit accruing to one party or some forbearance, detriment, loss of responsibility given, suffered, or undertaken by the other.").
Defendant's argument is somewhat confusing, but to the extent Defendant is arguing that the Privacy Pledge must meet all the independent requirements of a contract, including being supported by adequate consideration, the Court disagrees. Plaintiff is not seeking to enforce the Privacy Pledge as an independent contract; rather, she is claiming that the Privacy Pledge was incorporated into the parties' insurance agreement. (See R. 48, Pl.'s Resp. at 9-10, 13-14.) There was clearly consideration for the insurance agreement (Plaintiff's premiums in exchange for insurance coverage), and Defendant does not argue otherwise.
Within this argument, Defendant also suggests that the Privacy Pledge is unenforceable because it "is nothing more than a statement that [Defendant] is complying with its pre-existing duties to follow applicable federal regulations." (R. 42, Def.'s Mem. at 13.) Defendant is correct that a party's promise to do "what it is already legally obligated to do" does not give rise to contractual rights. See Johnson, 682 N.E.2d at 1199; see also GLS Develop., Inc. v. Wal-Mart Stores, Inc., 3 F. Supp. 2d 952, 967 (N.D. Ill. 1998) ("Black letter law teaches that a promise to do or to pay something that the promisor is already bound to do or to pay provides no consideration for the other party's promise in exchange, so that the other party's promise is not legally enforceable."). As Defendant points out, the Privacy Pledge references Defendant's compliance with unspecified "federal regulations." (R. 36-1, Privacy Pledge.) But the Privacy Pledge contains other provisions unrelated to Defendant's compliance with federal law. For instance, it provides that Defendant will restrict access of insureds' personal information "to those employees who need to know such information," and further, that if insureds' personal information is shared with a third party, Defendant will "require them to abide by the same privacy standards as indicated here." (R. 36-1, Privacy Pledge.) The amended complaint plausibly alleges that Defendant breached these provisions when it provided class members' personal information to Enrolltek without ensuring that Enrolltek properly limited the disclosure of that information. (See R. 36, Am. Compl. ¶¶ 1-5, 13-18.) Therefore, the Court rejects Defendant's argument.
In the amended complaint, Plaintiff includes extensive allegations about Defendant's compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 C.F.R. Parts 160 and 164, the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. (See R. 36, Am. Compl. ¶¶ 57-81.) The exact purpose of these allegations is unclear, as Plaintiff does not purport to raise a claim under any of these federal laws, and instead couches her claim solely in terms of breach of contract. For completeness, the Court notes that none of these provisions have been interpreted to provide a right of action for private individuals like Plaintiff. See e.g., Carpenter v. Phillips, 419 F. App'x 658, 659 (7th Cir. 2011) ("HIPAA does not furnish a private right of action."); Int'l Tax Advisors, Inc. v. Tax Law Assocs., LLC, No. 08 C 2222, 2011 WL 612093, at *5 (N.D. Ill. Feb. 15, 2011) (no private right of action exists for a violation of the Federal Trade Commission Act); Am. Family Mut. Ins. Co. v. Roth, No. 05 C 3839, 2005 WL 3700232, at *6 (N.D. Ill. Aug. 5, 2005) (no private right of action exists for a violation of the Gramm-Leach-Bliley Act).
V. Breach of the Privacy Pledge
Defendant also argues that even if the Privacy Pledge is enforceable, "Plaintiff has not sufficiently pled that [Defendant] breached the Privacy Pledge, which contemplates that [Defendant] will share personal information with third parties who do work on [Defendant]'s behalf." (R. 41, Def.'s Mot. at 3.) As Defendant points out, the Privacy Pledge does provide that "sometimes, we may . . . share your information with a company . . . who may do work on our behalf." (R. 36-1, Privacy Pledge (emphasis in original).) However, the Privacy Pledge also promises that if insureds' personal information is provided to any third parties, Defendant will "require them to abide by the same privacy standards" that are employed by Defendant. (Id.) Accepting Plaintiff's allegations as true, she has plausibly alleged a series of events showing that Defendant failed to take adequate steps to ensure that Enrolltek limited access of insureds' personal information under the same standards employed by Defendant. (See R. 36, Am. Compl. ¶¶ 1-5, 13-18, 55.) If Defendant knew the data was not being handled securely and did nothing to remedy the situation, as Plaintiff alleges, it certainly cannot be said that Defendant "required" Enrolltek to comply with its privacy standards. Therefore, the Court finds Defendant's argument unavailing.
VI. Causation
Defendant's final argument is that Plaintiff has not sufficiently alleged that Plaintiff's claimed damages were the result of Defendant's conduct. (R. 41, Def.'s Mot. at 3.) Defendant believes that the complaint falls short because "Plaintiff's alleged damages do not arise out of [Defendant's] conduct, but rather out of the acts of third parties—namely, Enrolltek . . . and the unidentified third party thieves who stole her data." (R. 42, Def.'s Mem. at 16.) In Defendant's view, "Plaintiffs' [personal information] could have been compromised by any number of sources (e.g., her use of a department store credit card that is involved in a security breach) entirely unrelated to her [personal information] provided to [Defendant]." (Id.)
Defendant cites to Slaughter v. AON Consulting, Inc., No. 10C-09-001 FSS, 2012 WL 1415772 (Del. Super. Ct. Jan. 31, 2012), in support of its argument, and although that case also involved a data breach, it has little relevance here. The Delaware court dismissed for lack of standing after giving the plaintiffs an opportunity to present expert testimony to establish that they were injured by the defendant's actions. Id. at *2-4. The present motion does not attack Plaintiff's standing, nor has Plaintiff had an opportunity to present expert testimony to establish the cause of her injuries. Indeed, Defendant appears to concede that the standing analysis has little application here, as Defendant distinguishes one of the cases cited by Plaintiff on this same ground. (See R. 50, Def.'s Reply at 13.) Defendant also cites to Clinical Radiology Associates, P.C. v. Kim, No. 1-96-0353, 1996 WL 33576909 (Ill. App. Ct. Dec. 17, 1996), for the proposition that "[P]laintiff must plead facts which show that it suffered damages as a consequence of the breach." (R. 50, Def.'s Reply at 12.) That case is also of limited assistance because federal notice pleading standards apply to the present motion, not the fact pleading standard employed by Illinois courts. See Alexander, 721 F.3d at 422; see also Albiero, 122 F.3d at 419 ("Some states, including Illinois, use fact pleading to this day, but federal courts took a different path 59 years ago.").
There is no question that Plaintiff will ultimately be required to prove that her damages were caused by Defendant's actions. See In re Illinois Bell Tel. Link-Up II, 994 N.E.2d 553, 558 (Ill. App. Ct. 2013) ("The basic theory of damages in a breach of contract action requires that a plaintiff establish an actual loss or measurable damages resulting from the breach in order to recover. . . . Damages which are not the proximate cause of the breach are not allowed." (internal quotation marks and citations omitted)). But, again, the issue at the pleading stage is solely whether Plaintiff has stated a plausible claim for relief. See Ashcroft, 556 U.S. at 678; Alexander, 721 F.3d at 422.
To that end, Plaintiff alleges that Defendant was contractually obligated to ensure that her personal data was secure, even if Defendant gave it to a third party. (R. 36, Am. Compl. ¶¶ 1-17.) She claims that Defendant's actions and omissions led to her personal information being readily available to "anyone with an Internet connection" from March 2012 to July 2013. (Id. ¶¶ 3, 17-20.) She also claims that Defendant was aware that the data was not being stored securely, because Enrolltek emailed Defendant internet links where the data could be readily accessed, and yet Defendant allegedly did nothing to remedy this issue. (Id. ¶ 17.) Thereafter, an unknown identity thief stole Plaintiff's personal information and used it to obtain her 2013 tax refund. (Id. ¶ 38.) Given the timeline of events, and the fact that at least 30 other Dillard's employees allegedly suffered the same type of identity theft, it is certainly plausible that there is a causal link between Defendant's failure to ensure the confidentiality of the data and the damages alleged. That is all that is required at this stage. Alexander, 721 F.3d at 422; see also Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) ("It is enough at this stage of the litigation that [the defendant] admitted that 350,000 cards might have been exposed [to a data breach] and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs' right to relief above the speculative level." (citing Twombly, 550 U.S. at 570)). Therefore, Defendant's motion to dismiss will be denied.
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss (R. 41) is DENIED. The parties are DIRECTED to reevaluate their settlement positions in light of this opinion and exhaust all efforts to settle the case. The parties shall appear for a status hearing on March 30, 2016, at 9:45 a.m.
ENTERED: /s/ _________
Chief Judge Rubén Castillo
United States District Court
Dated: February 23, 2016