Summary
In Flores, the Illinois Appellate Court explained that, although the district court recognized the same theory as viable in Gallagher, 631 F.Supp. at 587, its reasoning was “a product of federal law, not state law.
Summary of this case from In re Mondelez Data Breach Litig.Opinion
1-23-0140
09-29-2023
Attorneys for Appellant: Kenneth A. Wexler, Bethany R. Turke, and Eaghan S. Davis, of Wexler Boley & Elgersma LLP, and Gary M. Klinger, of Milberg Coleman Bryson Phillips Grossman, PLLC, both of Chicago, Raina C. Borrelli, Samuel J. Strauss (pro hac vice), Brittany Resch (pro hac vice), and Alex Phillips (pro hac vice), of Turke & Strauss LLP, of Madison, Wisconsin, Joseph M. Lyon, of Lyon Law Firm, LLC, and Terence R. Coates (pro hac vice), of Markovits, Stock & Demarco, LLC, both of Cincinnati, Ohio, Bryan L. Bleichner (pro hac vice), of Chestnut Cambronne PA, of Minneapolis, Minnesota, Patrick N. Keegan (pro hac vice), of Keegan & Baker, LLP, of Carlsbad, California, and Ryan A. Stygar (pro hac vice), of Centurion Trial Attorneys, APC, of San Diego, California, for appellants. Attorneys for Appellee: Craig C. Martin, LaRue L. Robinson, Mengjie Zou, Bianca L. Valdez, and Elizabeth P. Astrup, of Willkie Farr & Gallagher LLP, of Chicago, for appellee.
Appeal from the Circuit Court of Cook County. No. 2022 CH 6132 Honorable Neil H. Cohen, Judge presiding.
Attorneys for Appellant: Kenneth A. Wexler, Bethany R. Turke, and Eaghan S. Davis, of Wexler Boley & Elgersma LLP, and Gary M. Klinger, of Milberg Coleman Bryson Phillips Grossman, PLLC, both of Chicago, Raina C. Borrelli, Samuel J. Strauss (pro hac vice), Brittany Resch (pro hac vice), and Alex Phillips (pro hac vice), of Turke & Strauss LLP, of Madison, Wisconsin, Joseph M. Lyon, of Lyon Law Firm, LLC, and Terence R. Coates (pro hac vice), of Markovits, Stock & Demarco, LLC, both of Cincinnati, Ohio, Bryan L. Bleichner (pro hac vice), of Chestnut Cambronne PA, of Minneapolis, Minnesota, Patrick N. Keegan (pro hac vice), of Keegan & Baker, LLP, of Carlsbad, California, and Ryan A. Stygar (pro hac vice), of Centurion Trial Attorneys, APC, of San Diego, California, for appellants.
Attorneys for Appellee: Craig C. Martin, LaRue L. Robinson, Mengjie Zou, Bianca L. Valdez, and Elizabeth P. Astrup, of Willkie Farr & Gallagher LLP, of Chicago, for appellee.
PRESIDING JUSTICE MITCHELL delivered the judgment of the court, with opinion. Justices Lyle and Justice Navarro concurred in the judgment and opinion.
OPINION
MITCHELL, PRESIDING JUSTICE
¶ 1 Plaintiffs Maria Flores, Deanna Dube, Misty Williams, and Sharon Rushing appeal the dismissal of their class action complaint in this data breach case against defendant Aon Corporation. Plaintiffs raise a number of issues on appeal, chief among them are as follows: (1) did the circuit court err in dismissing plaintiffs' complaint for lack of standing (735 ILCS 5/2-619(a)(9) (West 2022)); (2) did the circuit court err in dismissing plaintiffs' claims for negligence, negligence per se, breach of implied contract, unjust enrichment, a violation of Illinois's Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1 et seq. (West 2022)), a violation of the Florida Deceptive and Unfair Trade Practices Act (Fla. Stat.§ 501.201 et seq. (2022)), and invasion of privacy for failure to state a claim (735 ILCS 5/2-615 (West 2022)); and (3) did the circuit court err in dismissing plaintiffs' claims for economic loss under the Moorman doctrine? See Moorman Manufacturing Co. v. National Tank Co., 91 Ill.2d 69 (1982). For the reasons below, we affirm in part and reverse in part.
¶ 2 I. BACKGROUND
¶ 3 Defendant is a global professional services company headquartered in Chicago that provides a wide range of services, including cybersecurity services, to its commercial clients. In February 2022, defendant discovered that an unauthorized third party had been repeatedly accessing some of defendant's systems since late December 2020. Defendant prevented any further unauthorized access, conducted an investigation concerning the data breach, and informed law enforcement of the incident.
¶ 4 Plaintiffs Flores, Rushing, Williams and Dube allege that they provided defendant with their personal information, including their names, social security numbers, dates of birth, e-mail addresses, and benefit-enrollment information. Flores and Williams provided their personal information to defendant because defendant managed the employee benefits program offered by their employers, while Rushing provided defendant with her personal information because she was formerly employed by defendant. Dube does not specify why she provided her personal information to defendant. Plaintiffs all reside in different states, with Flores being a resident of Illinois, Williams being a resident of Florida, Rushing being a resident of Texas, and Dube being a resident of Nevada.
¶ 5 Three months after the data breach was discovered, defendant sent a notice letter to everyone who was potentially impacted by the data breach. Plaintiffs all received this notice sometime in June 2022. The notice letter stated that an unauthorized third party had access to some of defendant's systems between December 2020 and February 2022 and that the unauthorized third party therefore had access to plaintiffs' personal information, including their names, social security numbers, driver's license numbers, and benefit enrollment information.
¶ 6 In June 2022, Flores filed a class action complaint against defendant. Flores later filed an amended class action complaint to add Dube, Rushing, and Williams as plaintiffs. Plaintiffs stated claims of relief for negligence, negligence per se, breach of implied contract, unjust enrichment, violation of Illinois's Consumer Fraud Act, violation of the Florida Deceptive and Unfair Trade Practices Act, and invasion of privacy.
¶ 7 All plaintiffs alleged that they suffered actual injury in the form of (1) damages to and diminution in the value of their personal information; (2) lost time, annoyance, interference, and inconvenience dealing with the consequences of the data breach; and (3) anxiety and increased concerns for the loss of their privacy due to the data breach. Plaintiffs also alleged that they suffered imminent and impending injury arising from the substantially increased risk of fraud and identity theft by unauthorized third parties due to the data breach. Additionally, Flores, Rushing, and Williams alleged that they have received increased spam and targeted marketing after the data breach occurred and that the increase in spam was caused by the data breach. After the data breach occurred, Williams alleged that she experienced an attempt to process a $499.99 charge to her PayPal account, while Dube alleged that she was charged for a prescription from Express Scripts that she did not order.
¶ 8 Defendant moved to dismiss plaintiffs' first amended class action complaint for lack of standing (735 ILCS 5/2-619(a)(9) (West 2022)) and failure to state a claim upon which relief can be granted (id. § 2-615). The circuit court granted defendant's motion and dismissed plaintiffs' complaint in its entirety. This timely appeal followed. Ill. S.Ct. R. 303 (eff. July 1, 2017).
¶ 9 II. ANALYSIS
¶ 10 A. Standing
¶ 11 Plaintiffs argue that the circuit court erred in dismissing their complaint due to lack of standing. They contend that they have demonstrated an injury-in-fact due to their allegations concerning (1) their imminent risk of future identity theft or fraud, (2) the unauthorized charges experienced by Williams and Dube, (3) the diminishment in the value of plaintiffs' personal information, (4) their emotional distress due to the data breach, and (5) the lost time they have spent responding to the data breach, including the increased number of spam and targeted marketing messages they have received. Defendant argues that none of these allegations are sufficient to establish injury-in-fact for standing purposes and that plaintiffs have not adequately established a connection between the data breach and the unauthorized charges experienced by Williams and Dube.
¶ 12 A motion to dismiss pursuant to section 2-619 of the Code of Civil Procedure (735 ILCS 5/2-619 (West 2022)) admits the legal sufficiency of the complaint, but raises defects, defenses, or some other affirmative matter that defeats the plaintiff's claim. Ball v. County of Cook, 385 Ill.App.3d 103, 107 (2008). The phrase "affirmative matter" encompasses any defense other than a negation of the essential allegations of the plaintiff's cause of action. Piser v. State Farm Mutual Automobile Insurance Co., 405 Ill.App.3d 341, 344 (2010). A defendant may properly raise lack of standing in a motion to dismiss brought under section 2-619(a)(9). 735 ILCS 5/2-619(a)(9) (West 2022); Glisson v. City of Marion, 188 Ill.2d 211, 220 (1999). We review a dismissal under section 2-619 de novo. Glisson, 188 Ill.2d at 220-21.
¶ 13 Under Illinois law, to have standing to bring a claim a plaintiff must only demonstrate "some injury in fact to a legally cognizable interest." Messenger v. Edgar, 157 Ill.2d 162, 170 (1993). "The claimed injury must be (1) distinct and palpable; (2) fairly traceable to defendant's actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief." Wexler v. Wirtz Corp., 211 Ill.2d 18, 23 (2004). The claimed injury can be actual or threatened. Greer v. Illinois Housing Development Authority, 122 Ill.2d 462, 492 (1988). Illinois courts are generally more willing than federal courts to recognize standing on the part of any person "who shows that he is in fact aggrieved." Id. at 491. While a court's determination of whether a plaintiff has standing depends on the allegations in the complaint, the plaintiff's lack of standing is an affirmative defense and therefore must be proven by the defendant. Maglio v. Advocate Health &Hospitals Corp., 2015 IL App (2d) 140782, ¶ 21. A putative class action requires that the named plaintiff allege an injury-in-fact. A named plaintiff cannot rely upon injuries suffered by other unidentified members of the claimed class to establish standing. I.C.S. Illinois, Inc. v. Waste Management of Illinois, Inc., 403 Ill.App.3d 211, 221 (2010).
¶ 14 In dismissing the plaintiffs' complaint for lack of standing, the circuit court relied heavily on Maglio, the only Illinois case addressing standing in a data breach lawsuit. Maglio, 2015 IL App (2d) 140782. The plaintiffs in Maglio filed negligence, invasion of privacy, and statutory claims against defendant Advocate Health and Hospitals Corporation after four password-protected computers containing patient information were stolen from Advocate's offices. Id. ¶¶ 1-3. The plaintiffs did not allege that anyone had improperly accessed or used their personal information on the stolen computers, nor did they allege that they had suffered identity theft or fraud because of the burglary. Id. ¶ 5. The appellate court affirmed the dismissal of the plaintiffs' claims due to lack of standing, holding that the plaintiffs had failed to allege a distinct and palpable injury and that the plaintiffs' allegations of increased risk of identity theft were speculative and conclusory since none of the plaintiffs had experienced any identity theft. Id. ¶ 24. Plaintiffs' claims of emotional injury were similarly rejected, "given the speculative and conclusory nature of their allegations and the lack of imminent, certainly impending, or a substantial risk of harm." Id. ¶ 30. Therefore, under Maglio, the risk of identity theft or fraud can create standing, but only if the risk of identity theft is imminent or certainly impending. Id. ¶¶ 29-30. A mere increased risk of identity theft is not enough. Id. ¶ 26.
¶ 15 Here, plaintiffs have alleged that their personal information has been obtained by unauthorized third parties and that this caused plaintiffs to experience identity theft and fraud. Williams and Dube each alleged that they experienced an attempted fraudulent charge after the data breach occurred, and Williams, Rushing, and Flores alleged that they have received increased spam messages and targeted marketing since the data breach. Plaintiffs also allege that these spam messages and unauthorized charges were caused by the data breach because personal information stolen in data breaches is compiled in "Fullz" packages that are then sold to unsavory parties that use the information for telemarketer operations or to commit fraud. Plaintiffs are not relying solely on speculative allegations concerning an increased risk of future identity theft or fraud like in Maglio. Instead, plaintiffs have clearly alleged that they face imminent, certainly impending, or a substantial risk of harm due to the data breach, since they allege that they have already experienced fraudulent charges and spam messaging. Unchageri v. Carefirst of Maryland, Inc., No. 16-1068, 2016 WL 8255012, at *6-7 (C.D. Ill. Aug. 23, 2016) (plaintiff lacked standing because he did not allege any present injuries that would show that the risk of future harm is certainly impending). Additionally, the risk of future identity theft and fraud is evident from the defendant's statements, offering plaintiffs free enrollment in a two-year credit-monitoring service to protect against identity theft. The alleged injuries suffered by plaintiffs (the fraudulent charges and the lost time spent dealing with increased spam messages and targeting marketing) are distinct and palpable injuries that satisfy standing. Craftwood II, Inc. v. Generac Power Systems, Inc., 920 F.3d 479, 481 (7th Cir. 2019) (holding that the time lost reading a junk fax before discarding it is a concrete injury satisfying standing). Since plaintiffs' allegations are sufficient to establish that, due to the data breach, they have already experienced harm and are at imminent risk of future identity theft and fraudulent charges, plaintiffs have standing to pursue their claims.
¶ 16 Defendant argues that plaintiffs have not alleged that defendant collected their payment information and therefore they have not established that the unauthorized charges alleged by Williams and Dube are fairly traceable to defendant's conduct and the data breach. However, Williams and Dube alleged that defendant informed both plaintiffs that their "benefit enrollment information" was obtained during the data breach. Defendant never defined what the term benefit enrollment information encompassed; therefore, it is possible that it included Williams's and Dube's payment information. Additionally, when personal information is obtained in a targeted data breach, it is reasonable to assume that the data thieves will use the stolen data for fraudulent purposes. Galaria v. Nationwide Mutual Insurance Co., 663 Fed.Appx. 384, 388 (6th Cir. 2016). Plaintiffs have alleged that, even if the stolen data did not contain payment information, data thieves can compile "Fullz" packages with the personal information that can be sold to third parties to be later used for illegal purposes. In re Mednax Services, Inc., Customer Data Security Breach Litigation, 603 F.Supp.3d 1183, 1206 (S.D. Fla. 2022) ("Even if the data accessed in the Data Breaches did not provide all the information necessary to inflict these harms, they very well could have been enough to aid therein."); Sweet v. BJC Health System, No. 3:20-CV-00947-NJR, 2021 WL 2661569, at *4 (S.D. Ill. June 29, 2021) ("while credit card information may not have been exposed, information such as dates of birth, Social Security numbers, and addresses would likely be sufficient to permit identity theft"). Plaintiffs have set forth sufficient allegations to establish that the fraudulent payments were fairly traceable to the data breach for the purposes of standing.
¶ 17 Finally, defendant argues that the fraudulent charges experienced by Williams and Dube were unsuccessful, and therefore the charges are not actual injuries. However, the fact that the alleged fraudulent charges were unsuccessful is immaterial and does not stop them from being actual injuries, nor does it stop them from showing that future fraudulent charges are imminent.
¶ 18 Since plaintiffs have sufficiently alleged that they are experiencing imminent and certainly impending risk of identity theft and fraud, we need not analyze plaintiffs' claims that they also have standing due to the diminishment in the value of plaintiffs' personal information or their emotional distress resulting from the loss of their privacy due to the data breach. The circuit court erred in dismissing plaintiffs' claims due to lack of standing under section 2-619.
¶ 19 B. Sufficiency of the Complaint
¶ 20 A motion to dismiss pursuant to section 2-615 of the Code of Civil Procedure (735 ILCS 5/2-615 (West 2022)) challenges the legal sufficiency of the complaint based upon defects apparent on its face. Beacham v. Walker, 231 Ill.2d 51, 57 (2008). The critical inquiry is whether the well-pleaded facts of the case, "taken as true and construed in a light most favorable to the plaintiff, are sufficient to state a cause of action upon which relief may be granted." Loman v. Freeman, 229 Ill.2d 104, 109 (2008). The complaint need only set forth the ultimate facts to be proved-not the evidentiary facts tending to prove such ultimate facts. City of Chicago v. Beretta U.S.A. Corp., 213 Ill.2d 351, 369 (2004). In ruling on a section 2-615 motion to dismiss, exhibits attached to the complaint are included as part of the complaint and control over inconsistent factual allegations within. Lipinski v. Martin J. Kelly Oldsmobile, Inc., 325 Ill.App.3d 1139, 1147 (2001). "Where unsupported by allegations of fact, legal and factual conclusions may be disregarded." Kagan v. Waldheim Cemetery Co., 2016 IL App (1st) 131274, ¶ 29. "Unless it is clearly apparent that the plaintiff could prove no set of facts that would entitle him to relief, a complaint should not be dismissed." Id. We review a dismissal under section 2-615 de novo. Randall v. Lemke, 311 Ill.App.3d 848, 850 (2000).
¶ 211. Negligence
¶ 22 Plaintiffs argue that defendant had a common law duty to protect their personal information and that they have sufficiently alleged that the data breach was the proximate cause of plaintiffs' injuries. Defendant argues that there is no common law duty to safeguard personal information in Illinois. Cooney v. Chicago Public Schools, 407 Ill.App.3d 358, 363 (2010). Additionally, defendant argues that plaintiffs have not alleged any facts that would show that their injuries were proximately caused by the data breach.
¶ 23 To state a claim for negligence, a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the breach was the proximate cause of plaintiff's injuries. Cowper v. Nyberg, 2015 IL 117811, ¶ 13. In Cooney v. Chicago Public Schools, the court declined to recognize a new common law duty to safeguard personal information. Cooney, 407 Ill.App.3d at 363. The court pointed out that the legislature had recently addressed this issue in the Personal Information Protection Act (815 ILCS 530/1 et seq. (West 2022)). In the case of a data breach, the Information Protection Act only required the collector of the personal information to provide "timely notice of a security breach to the parties affected." Id. at 362; 815 ILCS 530/10 (West 2022). Given that the legislature had recently addressed the issue, the court declined to create a new common law duty beyond the legislative requirements of the Information Protection Act. Cooney, 407 Ill.App.3d at 363. In 2017, the Information Protection Act was amended in order to require data collectors in possession of the personal information of Illinois residents to "implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure." Pub. Act 99-503 (eff. Jan. 1, 2017) (adding 815 ILCS 530/45). Given that the legislature has now created a duty to maintain reasonable security measures under the Information Protection Act, the reasoning of the Cooney court no longer applies. See In re Arthur J. Gallagher Data Breach Litigation, 631 F.Supp.3d 573, 590 (N.D. Ill. 2022).
¶ 24 The existence of a common law duty is a question of law and is shaped by public policy considerations. Grant v. South Roxana Dad's Club, 381 Ill.App.3d 665, 669 (2008). "The touchstone of the duty analysis is to ask whether the plaintiff and defendant stood in such a relationship to one another that the law imposes on the defendant an obligation of reasonable conduct for the benefit of the plaintiff." Krywin v. Chicago Transit Authority, 238 Ill.2d 215, 226 (2010). When determining whether there is a duty of care under the common law, we look at (1) the reasonable foreseeability of the injury, (2) the likelihood of the injury, (3) the magnitude of the burden of guarding against the injury, and (4) the consequences of placing that burden on the defendant. Bogenberger v. Pi Kappa Alpha Corp., Inc., 2018 IL 120951, ¶ 46. Here, it is foreseeable that a failure to maintain reasonable security measures would allow unauthorized third parties to gain access to stored personal information, and it is likely that a data breach of this information would cause injury to the individuals that the personal information belongs to. Additionally, defendant is a sophisticated company that provides cyber security services to its clients, so it is well aware of the risks of providing inadequate security measures for personal information. Providing reasonable security measures for the storage of personal information would not be a large burden for defendant, given its experience and expertise in cyber security. All four factors support the conclusion that defendant has a common law duty to protect the personal information of its clients, in addition to its duty under the Information Protection Act.
¶ 25 Defendant argues that plaintiffs have failed to allege that defendant's conduct was the proximate cause of any actual injury. Plaintiffs have alleged that they carefully safeguard their personal information and that after the data breach they began to be targeted more frequently by spam messages and targeted marketing, as well as two fraudulent charges. They have also alleged that the data breach is the cause of these injuries because personal information stolen in data breaches is used to cross-reference other available information and to compile "Fullz" packages used to further identity theft and fraud attempts. These allegations of proximate cause and injury are sufficient at the pleading stage. The circuit court erred in dismissing plaintiffs' negligence claim.
¶ 26 2. Negligence Per Se
¶ 27 Plaintiffs assert a claim for negligence per se based upon defendant's alleged violations of section 45 of the Federal Trade Commission Act. 15 U.S.C. § 45(a) (2018) (declaring "unfair or deceptive acts or practices in or affecting commerce" as unlawful). "A violation of a statute or ordinance designed to protect human life or property is prima facie evidence of negligence." Kalata v. Anheuser-Busch Cos., 144 Ill.2d 425, 434 (1991). A party injured by such a violation may only recover by showing that "the violation proximately caused his injury and the statute or ordinance was intended to protect a class of persons to which he belongs from the kind of injury that he suffered." Id. However, such a violation does not constitute negligence per se and so "the defendant may prevail by showing that he acted reasonably under the circumstances." Bier v. Leanna Lakeside Property Ass'n, 305 Ill.App.3d 45, 58 (1999).
¶ 28 A violation of a statute only constitutes negligence per se (which would mean strict liability) if the legislature clearly intends for the act to impose strict liability. Abbasi v. Paraskevoulakos, 187 Ill.2d 386, 395 (1999). We find no support for the notion that the legislature clearly intended to impose strict liability for FTC Act violations. 15 U.S.C. § 45. While defendant's alleged violations of the FTC Act could be offered as prima facie evidence of defendant's negligence, they do not constitute negligence per se. Therefore, we uphold the circuit court's dismissal of plaintiffs' separate negligence per se claim.
¶ 29 3. Breach of Implied Contract
¶ 30 Plaintiffs allege that they entered into an implied contract with defendant in which, in return for providing defendant with their personal information, defendant would use reasonable security measures to prevent disclosure of that personal information to unauthorized persons. Defendant argues that there is no independent cause of action for a breach of the implied covenant of good faith and fair dealing and therefore plaintiffs' claim fails as a matter of law.
¶ 31 An implied contract can be created as a result of the parties' actions, even if there is no express contract between them. Trapani Construction Co. v. The Elliot Group, Inc., 2016 IL App (1st) 143734, ¶ 41. Under Illinois law, a contract in fact can be implied from the facts and circumstances that demonstrate the parties' intent to be bound. Heavey v. Ehret, 166 Ill.App.3d 347, 354 (1988). Unlike an express contract, in which the parties arrive at an agreement using words, agreement in an implied-in-fact contract is created through the actions and conduct of the parties. Trapani Construction, 2016 IL App (1st) 143734, ¶ 41. Every contract contains an implied covenant of good faith and fair dealing. Eckhardt v. The Idea Factory, LLC, 2021 IL App (1st) 210813, ¶ 28; McCleary v. Wells Fargo Securities, L.L.C., 2015 IL App (1st) 141287, ¶ 19; Northern Trust Co. v. VIII S. Michigan Associates, 276 Ill.App.3d 355, 367 (1995).
¶ 32 The circuit court correctly stated that there is no independent cause of action for a breach of the implied covenant of good faith and fair dealing. Voyles v. Sandia Mortgage Corp., 196 Ill.2d 288, 295-98 (2001); Northern Trust Co., 276 Ill.App.3d at 367. However, plaintiffs' claim rests on the alleged breach of an implied contract, not a breach of the implied covenant of good faith and fair dealing.
¶ 33 Plaintiffs have alleged sufficient facts to show that an implied contract existed between plaintiffs and defendant. Defendant made representations in its privacy policy that it would safeguard plaintiffs' personal information using reasonable security measures. On top of defendant's representations in its privacy policy, it is implied from the relationship between the parties that defendant would take reasonable steps to ensure that plaintiffs' personal information would be protected from unauthorized disclosure. Doe v. Fertility Centers of Illinois, S.C., No. 21 C 579, 2022 WL 972295, at *4 (N.D. Ill. Mar. 31, 2022); Castillo v. Seagate Technology, LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) ("it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient's assent to protect the information sufficiently").
¶ 34 Although defendant contends that plaintiffs failed to allege that they reviewed or relied upon any of the claimed representations made by defendant in its privacy policy, this does not require dismissal of plaintiffs' breach of implied contract claim because the facts and circumstances between the parties were sufficient to imply a contract between them for the security of plaintiffs' personal information. However, plaintiffs' claim for breach of implied contract ultimately must be dismissed because plaintiffs fail to allege an adequate injury-in-fact. To successfully make a breach of implied contract claim, a plaintiff must allege actual monetary damages. Avery v. State Farm Mutual Automobile Insurance Co., 216 Ill.2d 100, 149 (2005); In re Illinois Bell Telephone Link-Up II &Late Charge Litigation, 2013 IL App (1st) 113349, ¶ 19. Plaintiffs' alleged injuries, while sufficient to establish standing, do not amount to actual monetary damages. While plaintiffs argue that lost time responding to a data breach meets the standard of actual monetary damages, they rely on federal law rather than Illinois case law. In re Arthur J. Gallagher Data Breach Litigation, 631 F.Supp.3d at 587. We decline to hold that the alleged diminution in value of plaintiffs' personal information amounts to actual monetary damages. Plaintiffs have failed to allege adequate damages for a breach of implied contract claim. We affirm the circuit court's dismissal of plaintiffs' breach of implied contract claim.
¶ 35 4. Unjust Enrichment
¶ 36 Plaintiffs allege, in the alternative to their breach of implied contract claim, a claim for unjust enrichment. Plaintiffs argue that they conferred a benefit upon defendant in the form of their (1) employment with defendant, (2) payment of premiums for defendant's insurance products and services through their employment, and (3) the value of plaintiffs' personal information. Plaintiffs contend that defendant should not be permitted to retain the full value of these benefits due to defendant's alleged failure to adequately protect plaintiffs' personal information. Defendant argues that plaintiffs fail to allege any benefit retained by defendant to plaintiffs' detriment.
¶ 37 "To state a cause of action based on a theory of unjust enrichment, a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience." HPI Health Care Services, Inc. v. Mt. Vernon Hospital, Inc., 131 Ill.2d 145, 160 (1989). Unjust enrichment is not an independent cause of action. Gagnon v. Schickel, 2012 IL App (1st) 120645, ¶ 25. "Rather, it is a condition that may be brought about by unlawful or improper conduct as defined by law, such as fraud, duress or undue influence, and may be redressed by a cause of action based upon that improper conduct." Charles Hester Enterprises, Inc. v. Illinois Founders Insurance Co., 137 Ill.App.3d 84, 90-91 (1985), aff'd, 114 Ill.2d 278 (1986).
¶ 38 Plaintiffs fail to allege that defendant unjustly retained a benefit to plaintiffs' detriment. The labor that plaintiff Rushing provided for defendant does not satisfy this requirement, because defendant adequately compensated Rushing through her wages. Additionally, the payments of premiums for defendant's insurance services were made by plaintiffs' employers, not plaintiffs themselves, and therefore were not benefits conferred by plaintiffs. Finally, plaintiffs argue that defendant benefited from the receipt of plaintiffs' personal information, since the personal information was used to purchase insurance through defendant. However, plaintiffs' personal information was not the payment for defendant's insurance services. Instead, defendant incidentally received plaintiffs' personal information as an administrative necessity for providing their insurance services. Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 766 (C.D. Ill. 2020). Plaintiffs have failed to allege that defendant has unjustly retained any benefit provided by plaintiffs. Therefore, we uphold the circuit court's dismissal of plaintiffs' unjust enrichment claim.
¶ 39 5. The Consumer Fraud Act
¶ 40 Plaintiff Flores and the putative Illinois class members allege that defendant violated the Information Protection Act by failing to maintain reasonable security measures to protect plaintiffs' personal information, and that a violation of the Information Protection Act constitutes an unlawful practice under the Consumer Fraud Act. 815 ILCS 530/20, 45 (West 2022). Defendant argues that Flores has not alleged an actual economic injury under the Consumer Fraud Act.
¶ 41 In order to plead a private cause of action for a violation of the Consumer Fraud Act, a plaintiff must allege: "(1) a deceptive act or practice by the defendant, (2) the defendant's intent that the plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the deception." Oliveira v. Amoco Oil Co., 201 Ill.2d 134, 149 (2002). The Consumer Fraud Act provides remedies for purely economic injuries. Morris v. Harvey Cycle & Camper, Inc., 392 Ill.App.3d 399, 402 (2009). "Actual damages must be calculable and 'measured by the plaintiff's loss.'" Id. (quoting City of Chicago v. Michigan Beach Housing Cooperative, 297 Ill.App.3d 317, 326 (1998)). The failure to allege specific economic damages precludes a claim brought under the Consumer Fraud Act. Id. at 402; White v. DaimlerChrysler Corp., 368 Ill.App.3d 278, 287 (2006).
¶ 42 Flores has failed to allege the specific economic damages necessary to bring a claim under the Consumer Fraud Act. Flores's alleged injuries are her emotional distress due to her loss of privacy, her lost time dealing with the consequences of the data breach, the increase in spam messages she has received, and the imminent risk of fraud and identity theft. None of these are the specific economic damages required for a claim under the Consumer Fraud Act. Williams v. Manchester, 228 Ill.2d 404, 425 (2008) ("an increased risk of future harm is an element of damages that can be recovered for a present injury-it is not the injury itself" (emphasis in original)); Morris, 392 Ill.App.3d at 402 (emotional damages are not specific economic injuries under the Consumer Fraud Act). Flores also alleges that she suffered damages in the form of diminution of the value of her personal information, but we decline to hold that diminution in the value of personal information is a specific economic injury under the Consumer Fraud Act. Morris, 392 Ill.App.3d at 402 ("[a]ctual damages must be calculable" (emphasis added)).
¶ 43 Plaintiffs cite to federal cases in which plaintiffs who experienced a data breach were able to claim economic losses under the Consumer Fraud Act. However, these cases are distinguishable because they all involved actual economic losses. Dieffenbach v. Barnes &Noble, Inc., 887 F.3d 826, 829-30 (7th Cir. 2018) (plaintiff spent $17 per month on a credit-monitoring service); In re Arthur J. Gallagher Data Breach Litigation, 631 F.Supp.3d at 587-88 (plaintiff experienced fraudulent credit card charges); Worix v. MedAssets, Inc., 869 F.Supp.2d 893, 901 (N.D. Ill. 2012) (plaintiff alleged lost wages and money spent on credit monitoring). Plaintiffs also cite to Perdue v. Hy-Vee, Inc., in which the court held that a plaintiff's time spent monitoring his account due to the data breach was an economic injury; however, this holding was based on federal law and we decline to follow it. 455 F.Supp.3d at 761. Because Flores fails to allege any specific economic injury, we affirm the circuit court's dismissal of plaintiffs' claim under the Consumer Fraud Act.
¶ 44 6. The Florida Deceptive and Unfair Trade Practices Act
¶ 45 Plaintiff Williams and the putative Florida class members assert a claim for violation of the Florida Deceptive and Unfair Trade Practices Act. Plaintiffs argue that defendant engaged in deceptive and unfair trade practices against Florida residents and that there is a sufficient nexus between defendant's actions and Florida for the Florida Trade Practices Act to apply. Defendant argues that plaintiffs' claim fails since the Florida Trade Practices Act only applies to actions that occurred within the state of Florida, and the data breach occurred in Illinois. Alternatively, defendant argues that plaintiffs' claim under the Florida Trade Practices Act is limited to injunctive relief because plaintiffs fail to allege actual damages.
¶ 46 A claim for damages under the Florida Trade Practices Act requires: "(1) a deceptive act or unfair practice; (2) causation; and (3) actual damages." Rollins, Inc. v. Butland, 951 So.2d 860, 869 (Fla. Dist. Ct. App. 2006). The Florida Trade Practices Act prohibits unfair and deceptive trade practices that occur anywhere within the territorial boundaries of Florida. Millennium Communications & Fulfillment, Inc. v. Office of Attorney General, Dept. of Legal Affairs, State of Florida, 761 So.2d 1256, 1262 (Fla. Dist. Ct. App. 2000). Therefore, the Florida Trade Practices Act applies at least to all actions that occurred within the state of Florida. Hakim-Daccach v. Knauf International GmbH, No. 17-20495-CIV, 2017 WL 5634629, at *7 (S.D. Fla. Nov. 22, 2017).
¶ 47 Williams has alleged that her injury was caused by wrongful acts that occurred in Florida. She alleged that she provided her personal information to defendant based on its promises to her and to other Florida residents to keep that information safe. She also alleged that defendant omitted material information concerning the adequacy of its data security and that had she known about the true state of defendant's cyber-security procedures, she would not have provided defendant with her personal information. Williams's allegations are sufficient to establish a claim under the Florida Trade Practices Act. Federal Trade Comm'n v. All U.S. Marketing LLC, No. 6:15-cv-1016-Orl-28KRS, 2017 WL 9398643, at *11 n.7 (M.D. Fla. Apr. 13, 2017) ("The amended complaint alleges that Defendants' misrepresentations actually misled consumers within the State of Florida. [Citation.] This provides a nexus between the State of Florida and acts that allegedly violate [the Florida Trade Practices Act]."), report & recommendation adopted by Federal Trade Comm'n v. All U.S. Marketing LLC, No. 6:15-cv-1016-Orl-28KRS, 2017 WL 2256650 (M.D. Fla. May 22, 2017). Although defendant argues that the data breach itself did not occur within Florida, this misses the point. Williams has alleged that defendant has made misrepresentations within the territorial boundaries of Florida to Florida residents.
¶ 48 However, plaintiffs' Florida Trade Practices Act claim is limited to injunctive relief. The Florida Trade Practices Act only allows for the recovery of actual damages, meaning the diminished value of the goods or services due to the Florida Trade Practices Act violation. Farmer v. Humana, Inc., 582 F.Supp.3d 1176, 1191 (M.D. Fla. 2022). The Florida Trade Practices Act expressly does not allow recovery for consequential damages, meaning damages to "property other than the property that is the subject of the consumer transaction."(Internal quotation marks omitted.) Id.; Fla. Stat. § 501.212(3) (West 2022). This includes "damages arising from identity theft and fraud" as well as the "increased risk of future identity theft and fraud, and the costs associated therewith; and time spent monitoring, addressing, and correcting the current and future consequences of the data breach." (Internal quotation marks omitted.) Farmer, 582 F.Supp.3d at 1191. Here, the subject of the consumer transaction was the insurance services defendant was providing Williams through her employer. None of Williams's alleged injuries, including the fraudulent PayPal charge, the diminution in the value of her personal information, and her emotional distress, are considered actual damages under the Florida Trade Practices Act. In re Mednax Services, Inc., Customer Data Security Breach Litigation, 603 F.Supp.3d at 1212-13; In re Brinker Data Incident Litigation, No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *13 (M.D. Fla. Jan. 27, 2020); In re American Medical Collection Agency, Inc. Customer Data Security Breach Litigation, No. CV 19-MD-2904, 2021 WL 5937742, at *28 (D.N.J. Dec. 16, 2021). Without any actual damages, Williams's Florida Trade Practices Act claim is limited to injunctive relief.
¶ 49 7. Invasion of Privacy
¶ 50 Finally, plaintiffs assert a claim for invasion of privacy based upon intrusion into seclusion. Plaintiffs argue that the personal information accessed by third parties during the data breach (names, driver's license numbers, social security numbers, and benefit enrollment information) consisted of private facts, while defendant argues that this information should be categorized as personal, non-private facts that are insufficient to establish an invasion of privacy claim.
¶ 51 There are four ways to state a cause of action for invasion of privacy in Illinois: (1) intrusion upon the seclusion of another, (2) appropriation of another's name or likeness, (3) public disclosure of private facts, and (4) publicity placing another in a false light. Busse v. Motorola, Inc., 351 Ill.App.3d 67, 71 (2004). The elements of intrusion upon seclusion are "(1) the defendant committed an unauthorized intrusion or prying into the plaintiff's seclusion; (2) the intrusion would be highly offensive or objectionable to a reasonable person; (3) the matter intruded on was private; and (4) the intrusion caused the plaintiff anguish and suffering." Id. The third element is the most significant in this case. The facts must be private, not merely personal. Id. at 72. Personal information such as names, addresses, telephone numbers, social security numbers, or dates of birth are not considered to be private facts. Id.
¶ 52 The names, driver's license numbers, and social security numbers that plaintiffs have alleged were accessed due to the data breach are not private facts necessary to establish a claim for intrusion upon the seclusion of another. Id. However, plaintiffs have alleged that the data breach included some of the plaintiffs' "benefit enrollment information." Since this is a term used by defendant, plaintiffs have no way of knowing what kind of personal information is included within this category until discovery occurs. Since the benefit enrollment information could contain private facts about plaintiffs, such as their financial history, medical history, and beneficiary information, we find that plaintiffs have adequately alleged a claim for invasion of privacy. Johnson v. K mart Corp., 311 Ill.App.3d 573, 579 (2000); Green v. Chicago Tribune Co., 286 Ill.App.3d 1, 18 (1996) (Cahill, J., dissenting).
¶ 53 Defendant argues that plaintiffs have forfeited their argument concerning benefit enrollment information because plaintiffs cannot raise new factual theories of recovery for the first time on appeal. Wilson v. Gorski's Food Fair, 196 Ill.App.3d 612, 617 (1990). However, plaintiffs alleged in their complaint that the data breach contained benefit enrollment information and beneficiary information. See Grund v. Donegan, 298 Ill.App.3d 1034, 1037 (1998) (stating that a plaintiff may rely on any allegations of fact made in the complaint). The circuit court erred in dismissing plaintiffs' claim for invasion of privacy.
¶ 55 Plaintiffs argue that their common law tort claims (negligence, negligence per se, unjust enrichment, and invasion of privacy) are not barred by the Moorman doctrine because the duty that defendant allegedly breached arose out of the common law, implied contract, and statutes rather than through an express contract. Defendant argues that plaintiffs' allegations of emotional distress are conclusory and must be dismissed and that the rest of plaintiffs' alleged injuries are purely economic and are thus barred by the Moorman doctrine.
¶ 56 The Moorman doctrine, also known as the economic loss doctrine, states that there can be no recovery in tort for purely economic losses. Moorman Manufacturing Co. v. National Tank Co., 91 Ill.2d 69, 88 (1982). Economic loss is defined as "damages for inadequate value, costs of repair and replacement of the defective product, or consequent loss of profits-without any claim of personal injury or damage to other property." (Internal quotation marks omitted.) Id. at 82. The Moorman doctrine is founded on the theory that "parties to a contract may allocate their risks by agreement and do not need the special protections of tort law to recover damages caused by a breach of contract." Mars, Inc. v. Heritage Builders of Effingham, Inc., 327 Ill.App.3d 346, 351 (2002). However, the Illinois Supreme Court later held that the doctrine applies to the service industry only where the duty of the party performing the service is defined by a contract executed with the client. Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 159 Ill.2d 137, 162 (1994). If the duty arises outside of a contract between the parties, then recovery in tort for the negligent breach of that duty is not barred by the Moorman doctrine. Id. Although the Congregation of the Passion decision concerned a professional malpractice claim against an accounting firm, its reasoning equally applies to data breach cases.
¶ 57 Here, plaintiffs allege no express contract between the parties that would establish a duty by defendant to safeguard plaintiffs' personal information. Additionally, the "product" of the transaction between the parties was the insurance services plaintiffs were receiving through their employers, not the protection of the personal information defendant needed to provide the insurance services. Applying the Moorman doctrine to this data breach case would stretch the applicability of the doctrine far beyond its products liability roots, given that there is no express contract between the parties and the injuries allegedly suffered by plaintiffs were not caused by any defect in the actual product of the transaction. See In re Marriott International, Inc., Customer Data Security Breach Litigation, 440 F.Supp.3d 447, 468-76 (D. Md. 2020) (thoroughly analyzing the history of the Moorman doctrine and the potential applicability of the doctrine to data breach cases under Illinois law); McGlenn v. Driveline Retail Merchandising, Inc., No. 18-CV-2097, 2021 WL 4301476, at *8-9 (C.D. Ill. Sept. 21, 2021). Instead, plaintiffs' injuries arose from defendant's alleged breach of its duty to safeguard personal information incidental to the transaction itself. Since plaintiffs' common law tort claims are based on defendant's common law duty to safeguard personal information rather than any express contractual duty, the Moorman doctrine does not prohibit plaintiffs from bringing their claims.
¶ 58 Defendant's contention that plaintiffs' injuries are economic is irrelevant since the Moorman doctrine does not apply to plaintiffs' claims in the first place. The circuit court erred in dismissing plaintiffs' negligence, negligence per se, unjust enrichment, and invasion of privacy claims under the Moorman doctrine.
¶ 59 Plaintiffs argue that the trial court abused its discretion in dismissing its various claims "with prejudice" because the fault found by the trial court-the failure to allege sufficient facts- could be cured by amending the complaint. However, in fairness to the trial court, its ruling under section 2-615 was an alternative holding to its conclusion (albeit mistaken) that plaintiffs lacked standing-a legal impediment that could not be cured by repleading. The standard for repleading, of course, is a generous one. Leave to replead should be "freely" given (People v. Brown, 336 Ill.App.3d 711, 716 (2002)), and a claim should be dismissed with prejudice only when it becomes clear that a plaintiff can plead no set of facts entitling him or her to relief. Loyola Academy v. S&S Roof Maintenance, Inc., 146 Ill.2d 263, 273 (1992); Mills v. County of Cook, 338 Ill.App.3d 219, 224 (2003).
¶ 60 Aside from plaintiffs' negligence per se claim, which is deficient as a matter of law, on those claims where we affirm the trial court's dismissal under section 2-615, the pleading defects may well be cured by repleading. For example, the dismissal of the breach of implied contract and consumer fraud claims are predicated on a failure to allege a monetary loss or economic injury. The dismissal of the unjust enrichment claim is based on the failure to allege an unjustly retained benefit. Whether plaintiffs can or will seek to replead to cure these and other defects is a matter to be taken up on remand.
¶ 61 III. CONCLUSION
¶ 62 The circuit court's dismissal of plaintiffs' complaint for lack of standing and its dismissal of plaintiffs' negligence, Florida Trade Practices Act, and invasion of privacy claims for failure to state a claim are reversed. The circuit court's dismissal of plaintiffs' negligence per se claim is affirmed, and its dismissal of the breach of implied contract, unjust enrichment and Consumer Fraud Act claims are affirmed, but modified to be without prejudice. The matter is remanded for further proceedings.
¶ 63 Affirmed in part and reversed in part; cause remanded.