Opinion
23 C 3999 23 C 4249
06-03-2024
MEMORANDUM OPINION AND ORDER
JORGE L. ALONSO, United States District Judge
These consolidated class-action cases arise out of a data breach incident involving the law firm Bryan Cave Leighton Paisner, LLP (“Bryan Cave”), which detected unauthorized access to its information systems in February 2023. Plaintiffs are all employees of Mondelez Global LLC (“Mondelez”), one of Bryan Cave's clients, and they assert claims of negligence and other statelaw causes of action against defendants Mondelez and Bryan Cave, based on the exposure of their personal information in the data breach. Defendants have moved to dismiss for lack of standing and failure to state a claim under Federal Rule of Civil Procedure 12(b)(1) and (6). For the following reasons, the motions are granted in part and denied in part. They are denied as to standing, as to the negligence claims, and as to any accompanying right to declaratory or injunctive relief, but otherwise granted.
I. Background
The following facts are taken from the complaints in these consolidated actions. Mondelez makes snack food products for retail sale. It operates in countries all over the world, with its principal place of business in Chicago, Illinois. It retained Bryan Cave to provide legal services, and, in the course of the representation, Mondelez provided certain of its employees' personally identifiable information to Bryan Cave, including names, dates of birth, Social Security numbers, and addresses. In February 2023, Bryan Cave detected unauthorized access to its information systems, and a forensic investigation revealed that the hackers obtained the personal information of 51,100 current and former Mondelez employees. Each of the seven named plaintiffs received a letter from Mondelez to notify employees of the data breach and that their personal information had been exposed. Plaintiffs allege that they are at an increased risk of identity theft, and they have taken prudent actions to mitigate the risk of identity theft, such as “signing up for credit monitoring and identity theft insurance, closing and opening new credit cards, and securing their financial accounts.” (In Re: Mondelez Data Breach Litigation, Case No. 23 C 3999, Consol. Compl. ¶ 106, ECF No. 24; see id. at ¶ 108; see also In Re: Bryan Cave Data Breach Litigation, Case No. 23 C 4249, Am. Compl. ¶¶ 84.d. & e., 111, ECF No. 34.) They filed a number of lawsuits in which they assert various state-law claims under the diversity jurisdiction, see 28 U.S.C. § 1332(d). The Court has consolidated these actions so that two consolidated class actions remain, one against Mondelez and another against Bryan Cave.
II. Legal Standards
Defendants move to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(1) and (6). “Rule 12(b)(1) is the means by which a defendant raises a defense that the court lacks subjectmatter jurisdiction,” such as a challenge to the plaintiff's standing. Bazile v. Fin. Sys. of Green Bay, Inc., 983 F.3d 274, 279 (7th Cir. 2020). “Standing” refers to the “‘personal stake in the outcome'” of the case that all plaintiffs must have in order to invoke the “judicial power” wielded by the federal courts. Warth v. Seldin, 422 U.S. 490, 499 (1975) (quoting Baker v. Carr, 390 U.S. 186, 204 (1962)). Where a defendant seeks dismissal under Rule 12(b)(1) for failure to set forth allegations sufficient to establish standing on the face of the complaint, courts must “accept all well-pleaded factual allegations as true and draw all reasonable inferences in favor of the plaintiff.” Prairie Rivers Network v. Dynegy Midwest Generation, LLC, 2 F.4th 1002, 1007 (7th Cir. 2021) (citing Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015)).
A motion under Federal Rule of Civil Procedure 12(b)(6) tests whether the complaint states a claim on which relief may be granted. Richards v. Mitcheff, 696 F.3d 635, 637 (7th Cir. 2012). Under Rule 8(a)(2), a complaint must include “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). The short and plain statement under Rule 8(a)(2) must “give the defendant fair notice of what . . . the claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (internal quotation marks omitted). The complaint's “[f]actual allegations must be enough to raise a right to relief above the speculative level,” Twombly, 550 U.S. at 555; that is, the “complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. The Court must “construe the complaint in the light most favorable to plaintiff, accept all well-pleaded facts as true, and draw reasonable inferences in plaintiff's favor.” Taha v. Int'l Bhd. of Teamsters, Loc. 781, 947 F.3d 464, 469 (7th Cir. 2020); see also Silha, 807 F.3d at 174 (noting that courts apply the same standard to facial challenges to standing). However, it need not “accept as true legal conclusions, or threadbare recitals of the elements of a cause of action, supported by mere conclusory statements.” Brooks v. Ross, 578 F.3d 574, 581 (7th Cir. 2009).
III. Standing
The Court begins with standing-as it must, because standing is jurisdictional, and “it [is] improper for courts to skip over jurisdictional issues in order to reach the merits.” Yassan v. J.P. Morgan Chase & Co., 708 F.3d 963, 967 n.1 (7th Cir. 2013) (citing Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 93-94 (1998)). “To establish standing, a plaintiff must show that he has suffered or is at imminent risk of suffering an injury caused by the defendant and that the injury could likely be redressed by favorable judicial relief.” Patterson v. Howe, 96 F.4th 992, 996 (7th Cir. 2024) (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021)). An injury only confers standing to sue if it is an “injury in fact,” which means it must be “concrete, particularized, and actual or imminent.” Id.
Defendants argue that plaintiffs lack standing because they have not suffered an injury in fact. According to defendants, although plaintiffs' personal information was exposed in a data breach, plaintiffs allege nothing to indicate that their information has been misused in any way. That is, despite the fact that the data breach occurred over a year ago, plaintiffs do not allege that they have been sent fraudulent bills, that unauthorized accounts have been opened in their names, that their information has been posted on the dark web, or that there are any other indicia of identity theft or fraud.
Years ago, the Seventh Circuit held that plaintiffs “whose data has been compromised, but not yet misused,” have suffered an injury-in-fact sufficient to confer standing, explaining that a plaintiff may have standing if the defendant's actions leave her under a “threat of future harm” or “increase[e] the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.” Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). Since then, the Supreme Court has explained that, to confer standing, a threatened injury must be “certainly impending,” not merely feared based on “speculation” that a “highly attenuated chain of possibilities” might occur. Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409-10 (2013). But the Seventh Circuit has warned courts “not to overread Clapper,” which was “addressing speculative harm based on something that may not even have happened to some or all of the plaintiffs.” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015). When the plaintiffs are victims of an “alleged data theft” that has “already occurred,” there is-unlike in Clapper- “‘no need to speculate as to whether . . . information has been stolen.'” Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 966 (7th Cir. 2016) (quoting Remijas, 794 F.3d at 693). Similarly, it is common sense that hackers steal personal information to profit from it, so there is no need “‘to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such injury will occur.'” Id. at 966-67 (quoting Remijas, 794 F.3d at 693). Further, if the plaintiffs incur “mitigation expenses” to minimize the risk of harm from their stolen data being used for fraudulent purposes, these expenses qualify as “actual injuries” for standing purposes, because and to the extent that the data breach has “already occurred.” Lewert, 819 F.3d at 967.
Since Remijas and Lewert, the Supreme Court has addressed standing again, explaining that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 594 U.S. at 436. Some district courts have since concluded that the mere exposure of personal information in a data breach, absent some reason apart from the breach itself to believe that identity theft or fraud is imminent, does not suffice to confer standing to sue for damages based on a risk of future harm. See, e.g., Kim v. McDonald's USA, LLC, No. 21-CV-05287, 2022 WL 4482826, at *5 (N.D. Ill. Sept. 27, 2022). It follows, these courts reason, that mitigation-related injuries cannot confer standing because otherwise plaintiffs could “‘manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.'” Id. at * 6 (quoting Clapper, 568 U.S. at 416).
Other courts reason, however, that a plaintiff who “has already lost time mitigating the risk of identity theft” following a data breach has suffered an injury-in-fact-namely, the lost time itself- and TransUnion is not to the contrary, as it merely “emphasized that whether a harm is concrete turns on whether it . . . already occurred.” Linman v. Marten Transp., Ltd., No. 22-CV-204-JDP, 2023 WL 2562712, at *3 (W.D. Wis. Mar. 17, 2023). These courts do not consider an injury to be speculative merely because it is “related to a risk of harm,” Linman, 2023 WL 2562712, at *3, where TransUnion held only that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm,” 594 U.S. at 436 (emphasis added), while holding open the possibility that “the exposure to a risk of harm” might confer standing if it also “causes a separate harm,” id. These decisions conclude that “[t]he time spent mitigating the risk of identity theft is a separate harm from the risk of identity theft itself.” Linman, 2023 WL 2562712, at *3; see also Roper v. Rise Interactive Media & Analytics, LLC, No. 23 CV 1836, 2023 WL 7410641, at *4 (N.D. Ill. Nov. 9, 2023), Florence v. Ord. Express, Inc., 674 F.Supp.3d 472, 481 (N.D. Ill. 2023), Doe v. Fertility Centers of Illinois, S.C., No. 21 C 579, 2022 WL 972295, at *2 (N.D. Ill. Mar. 31, 2022).
The Court finds the reasoning of Linman and like cases to be persuasive. While TransUnion may have “marked a shift in the Court's standing jurisprudence,” this Court is not convinced that it cut the ground out from underneath Remijas and Lewert as they apply to this case, and the Seventh Circuit has stopped short of retreating from them, as yet. See Dinerstein v. Google, LLC, 73 F.4th 502, 516 (7th Cir. 2023). Further, the Court does not read Remijas and Lewert to depend on whether there are other facts, separate from and in addition to the data breach itself, to show that plaintiffs whose personal information has been acquired without authorization suffer a particular risk of future identity theft or fraud. Rather, those cases provide that a plaintiff who is the victim of a data breach has suffered a harm that has “already occurred,” and that harm satisfies the injury-in-fact requirement by putting him at a “substantial risk” of further “future harm,” because hackers steal personal information for the “primary purpose” of committing fraud or “assuming consumers' identities.” Dinerstein, 73 F.4th at 516 (cleaned up). Even if, under TransUnion, some “separate harm” is required, the time plaintiffs spent mitigating the risk of identify theft is that “separate harm,” as explained in Linman, Florence, Doe, and other such cases. Plaintiffs have sufficiently alleged an injury-in-fact, and their claims therefore survive defendants' motion to dismiss for lack of standing under Rule 12(b)(1).
IV. Failure to State a Claim
In the consolidated action against Mondelez, the complaint contains six counts, for claims of negligence, negligence per se, unjust enrichment, breach of implied contract, invasion of privacy, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 ILCS 505/1 et seq. In the consolidated action against Bryan Cave, the complaint contains nine counts, for claims of negligence, negligence per se, unjust enrichment, violation of the ICFA, violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, violation of the California Computer Protection Act, Cal. Civ. Code § 1798.100, injunctive and declaratory relief, breach of contract as third-party beneficiaries, and bailment. In response to the motions to dismiss, plaintiffs have withdrawn their ICFA claims and the California statutory claims.
Although defendants are separately represented and have filed separate motions to dismiss, they make similar arguments in support of dismissal of the negligence, negligence per se, and unjust enrichment claims, and the Court will begin by addressing defendants' common arguments on those issues. The Court will then address the issues raised by Mondelez and Bryan Cave individually.
A. Common Issues
1. Negligence
To state a claim for negligence under Illinois law, “a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the breach was the proximate cause of plaintiff's injuries.” Flores v. Aon Corp., 2023 IL App (1st) 230140, ¶ 23. In both of these consolidated actions, defendants argue that they had no duty to protect plaintiffs' personal information and that plaintiffs' claims are barred by the economic loss doctrine.
a. Duty
In arguing that they had no duty to protect plaintiffs' personal information, defendants rely on Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 816 (7th Cir. 2018), which, in turn, relied on Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28-29 (Ill.App.Ct. 2010). In Cooney, the defendant sent out a mailing that mistakenly exposed the plaintiffs' personal identifying information, and the plaintiffs argued that defendant had a duty to protect this information under the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1 et seq. Id. at 27-28; see id. at 28 (citing Kalata v. Anheuser-Busch Cos., Inc., 581 N.E.2d 656, 661 (Ill. 1991) (“A violation of a statute or ordinance designed to protect human life or property is prima facie evidence of negligence.”)). The Illinois Appellate Court ruled that the PIPA imposed no such duty; it only required data collectors who leak data or suffer a data breach to notify anyone whose personal information has been exposed. Id. at 28. Further, the court declined to recognize any common-law duty to safeguard personal information. Id. at 28-29. Defendants argue that Cooney forecloses plaintiffs' negligence claims.
The trouble with this argument is that the PIPA was amended in 2017 to require data collectors to “implement and maintain reasonable security measures to protect” records from “unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 ILCS 530/45(a); see In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 590 (N.D. Ill. 2022). The Illinois Appellate Court has recently recognized that, based on this amendment, “the reasoning of the Cooney court no longer applies.” Flores, 2023 IL App (1st) 230140, ¶ 23; see Wittmeyer v. Heartland All. for Hum. Needs & Rts., No. 23 CV 1108, 2024 WL 182211, at *2 (N.D. Ill. Jan. 17, 2024), Gallagher, 631 F.Supp.3d at 590. With the ground thus cut out from under defendants' argument, the Court is in no position to conclude that, as a matter of law, defendants had no duty to safeguard plaintiffs' personal information.
b. Economic Loss Doctrine
The economic loss doctrine, known in Illinois as the Moorman doctrine, after Moorman Manufacturing Co. v. National Tank Co., 435 N.E.2d 443 (Ill. 1982), generally bars tort liability “for purely economic losses . . . where [the parties] have already ordered their duties, rights, and remedies by contract.” Schnuck Markets, 887 F.3d at 812-13. The traditional rationale for the doctrine is that courts can “trust the commercial parties interested in a particular activity to work out an efficient allocation of risks among themselves in their contracts,” id., without having to resort to tort law, which is better reserved for “a sudden, calamitous accident as distinct from a mere failure to perform up to commercial expectations,” Rardin v. T&D Mach. Handling, Inc., 890 F.2d 24, 29 (7th Cir. 1989). The Moorman doctrine arose in the context of products liability, but “Illinois applies Moorman to services as well as the sale of goods because both business contexts provide ‘the ability to comprehensively define a relationship' by contract.” Schnuck Markets, 887 F.3d at 813 (quoting Fireman's Fund Ins. Co. v. SEC Donohue, Inc., 679 N.E.2d 1197, 1200 (Ill. 1997)).
“In the context of the service industry, however, the Illinois Supreme Court has held that the economic loss doctrine applies only where the duty of the party performing the service is defined by contract executed with the client.” Wittmeyer, 2024 WL 182211, at *3 (citing Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994)). “If the duty arises outside of a contract between the parties, then recovery in tort for the negligent breach of that duty is not barred by the Moorman doctrine.” Flores, 2023 IL App (1st) 230140, ¶ 56. The Illinois Appellate Court recently opined that, although the Congregation of the Passion decision is not factually analogous to data breach cases, “its reasoning applies equally to them,” and that applying the economic loss doctrine to data breach cases “would stretch . . . the doctrine far beyond its products liability roots,” an extension the court was not prepared to make. Flores, 2023 IL App (1st) 230140, ¶ 56. It follows that this federal Court, sitting in diversity and applying Illinois law, is in no position to make it, either. The economic loss doctrine does not apply. The motions to dismiss are denied as to defendants' arguments based on the economic loss doctrine.
2. Negligence Per Se
In each consolidated action, plaintiffs assert a second negligence count, captioned as “negligence per se,” alleging that the exposure of their personal information resulted from defendants' violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45(a)(1), which makes unlawful “[u]nfair methods of competition” and “unfair or deceptive acts or practices.”
As stated above, a violation of a statute may serve as prima facie evidence of negligence. Kalata, 581 N.E.2d at 661. A person injured by a violation of a statute that protects life or property may assert a negligence claim against the violator if the violation “proximately caused his injury and the statute or ordinance was intended to protect a class of persons to which he belongs from the kind of injury he suffered.” Id.
But such a statutory violation “only constitutes negligence per se (which would mean strict liability) if the legislature clearly intends for the act to impose strict liability.” Flores, 2023 IL App (1st) 230140, ¶ 28. The Illinois Appellate Court recently explained in a data breach case that there was “no support for the notion that the legislature clearly intended to impose strict liability for FTC Act violations.” Id. Thus, while a violation of the FTC Act might, conceivably, establish a prima facie case of negligence, which defendants could then rebut with evidence that they acted reasonably under the circumstances, see Bier v. Leanna Lakeside Property Ass'n, 711 N.E.2d 773, 785 (Ill.App.Ct. 1999), it cannot support a claim of negligence per se. See Flores, 2023 IL App (1st) 230140, ¶¶ 27-28; see also Wittmeyer, 2024 WL 182211, at *3-4. Plaintiffs' negligence per se claims are dismissed.
3. Unjust Enrichment
Both consolidated complaints include counts of “unjust enrichment,” which is not an independent cause of action, but which may provide a theory of recovery where “the defendant has unjustly retained a benefit to the plaintiff's detriment,” in violation of “fundamental principles of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989); see Gagnon v. Schickel, 983 N.E.2d 1044, 1052 (Ill.App.Ct. 2012). Defendants argue that any claims based on an unjust enrichment theory should be dismissed because they never unjustly retained any benefit conferred by plaintiffs to their detriment.
The Court agrees with defendants. Plaintiffs provided personal information to Mondelez not as part of some transaction that enriched Mondelez but merely as an “administrative necessity” incidental to their employment. See Flores, 2023 IL App (1st) 230140, ¶ 38. And Bryan Cave similarly obtained the data incidentally to its representation of Mondelez. Given that the exposed personal information here was entrusted to defendants only in the ordinary course of plaintiffs' employment by Mondelez, the allegations do not support any conclusion that defendants have “unjustly retained any benefit provided by plaintiffs.” Id. The motions to dismiss are granted as to any claim of unjust enrichment.
B. Mondelez's Motion to Dismiss
In addition to the above, Mondelez argues that the negligence claim should be dismissed for failure to plausibly allege any breach by Mondelez or that the breach was the proximate cause of any injury, and that the implied breach of contract and invasion of privacy claims should similarly be dismissed for failure to plausibly allege certain elements of the causes of action.
1. Negligence-Breach and Proximate Cause
Mondelez argues that, even if it had any duty to safeguard plaintiffs' personal information, plaintiffs have not plausibly alleged that it proximately caused the exposure of plaintiffs' personal information by way of any breach of that duty, when all Mondelez is alleged to have done is turn plaintiffs' personal information over to its counsel, Bryan Cave. Bryan Cave's information systems, not Mondelez's, were hacked, and Mondelez argues that there are no plausible allegations to support the claim that Mondelez should be held responsible for a breach not of its own systems, but Bryan Cave's. In response, plaintiffs point out that they have alleged that Mondelez should have ensured that its counsel followed proper data security practices, and it should have deleted certain personal information that it no longer needed to maintain, rather than share it unnecessarily with counsel.
Neither side cites cases in which courts have directly addressed the viability of such a theory in a similar context, much less approved or rejected it. Plaintiffs argue that Mondelez's arguments about breach and proximate cause turn on questions of fact that make a ruling inappropriate at the pleading stage, and the Court tends to agree. To the extent that there is little precedent to guide the parties and the Court as to plaintiffs' precise legal theory, there is all the more reason to develop the facts first, rather than to hastily proceed to a dispositive ruling:
To the extent Plaintiffs' claims do “not fall within the four corners of our prior case law,” this “does not justify dismissal under Rule 12(b)(6). On the contrary, Rule
12(b)(6) dismissals ‘are especially disfavored in cases where the complaint sets forth a novel legal theory that can best be assessed after factual development.'” McGary v. City of Portland, 386 F.3d 1259, 1270 (9th Cir. 2004) (quoting Baker v. Cuomo, 58 F.3d 814, 818-19 (2d Cir. 1995), vacated in part on other grounds, 85 F.3d 919 (2d Cir. 1996) (en banc)). See also 5B Charles Alan Wright & Arthur R. Miller et al., Federal Practice & Procedure § 1357 (3d ed. 2015) (noting that courts should “be especially reluctant to dismiss on the basis of the pleadings when the asserted theory of liability” is “novel” and thus should be “explored”). Indeed, as the law “firm[s] up” in unsettled areas, “it may be more feasible to dismiss weaker cases on the pleadings;” otherwise, plaintiffs should be given “an opportunity to develop evidence before the merits are resolved.” Metts v. Murphy, 363 F.3d 8, 11 (1st Cir. 2004).Wright v. North Carolina, 787 F.3d 256, 263 (4th Cir. 2015); see also Cohesive Techs. v. Waters Corp., 130 F.Supp.2d 157, 160 (D. Mass. 2001) (similar reasoning at summary judgment stage). Therefore, the motion to dismiss is denied as to the negligence claim.
2. Breach of Implied Contract
“An implied-in-fact contract must contain all the elements of an express contract, but unlike an express contract or other contracts, its terms are inferred from the conduct of the parties.” Gociman v. Loyola Univ. of Chicago, 41 F.4th 873, 883 (7th Cir. 2022). Mondelez argues that plaintiffs have not plausibly alleged the existence of any valid enforceable contract, implied or otherwise, between it and plaintiffs concerning their personal information. Plaintiffs respond that a reasonable factfinder could infer from the circumstances the existence of a contract that required Mondelez to protect the data its employees had entrusted it with. In particular, they point to Mondelez's “Privacy Policy,” which affirmed that “protecting . . . personal information is important” to Mondelez, and, to that end, it “maintain[ed] administrative, technical, and physical safeguards designed to help protect against unauthorized use, disclosure, alteration, or destruction of the personal information” collected on its “Sites.” (Mondelez Consol. Compl. ¶ 31.) See Gallagher, 631 F.Supp.3d at 591.
Mondelez replies that the Privacy Policy addresses the collection of data from users of Mondelez's “Sites” (i.e. websites), not its employees, so it provides little support for any inference of an implied contract between Mondelez and its employees. Mondelez is correct that the Privacy Policy does not precisely address the collection of data in the context of the employee/employer relationship. This is clear from the plain language of the Policy; for example, as both sides point out, the Policy states, “if you apply for employment with us,” Mondelez “may provide you with additional disclosures or notices.” Nevertheless, Mondelez's argument strikes the Court as misplaced. The Court does not understand plaintiffs' claim to be that the Privacy Policy itself represents the contract. It understands the claim, as in Gallagher and like cases, to be that the existence of a Privacy Policy, even one addressed primarily to customers, demonstrates Mondelez's commitment to protecting personal information generally, and it is one of the circumstances that might support an inference of “an implicit promise to protect employees' personal information in exchange for their employment.” Gallagher, 631 F.Supp.3d at 591; see Tjahjono v. Westinghouse Air Brake Techs. Corp., No. 2:23-CV-531, 2024 WL 1287085, at *7 (W.D. Pa. Mar. 26, 2024); Enslin v. The Coca-Cola Co., 136 F.Supp.3d 654, 675 (E.D. Pa. 2015); see also Sackin v. TransPerfect Glob., Inc., 278 F.Supp.3d 739, 751 (S.D.N.Y. 2017) (“While [the defendant] may not have explicitly promised to protect [personal information] from hackers in Plaintiffs' employment contracts, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient's assent to protect the information sufficiently.”) (internal quotation marks omitted). Thus, the Court is not persuaded to dismiss the claim at this early stage. Plaintiffs will have to flesh this claim out as the case proceeds, but the allegations, considered in context, amount to more than “naked assertions,” Tjahjono, 2024 WL 1287085, at *7, and they suffice to state a plausible claim to relief.
3. Invasion of Privacy
“Traditionally, the tort of invasion of privacy encompassed four theories of wrongdoing: intrusion upon seclusion, appropriation of a person's name or likeness, publicity given to private life, and publicity placing a person in a false light.” Persinger v. Sw. Credit Sys., L.P., 20 F.4th 1184, 1192 (7th Cir. 2021). Mondelez argues that plaintiffs' invasion of privacy claim should be dismissed because plaintiffs do not plausibly allege sufficient facts to support any such claim under any recognized legal theory. Plaintiffs respond that they state a claim under either of two theories- intrusion upon seclusion and public disclosure of private facts-because they allege that Mondelez recklessly disregarded their privacy rights by exposing their personal information to unauthorized persons, who thereby “acquired” it. (Consol. Compl. ¶ 35.)
The Court agrees with Mondelez that plaintiffs do not state a claim of invasion of privacy under either asserted theory. First, plaintiffs have not alleged that Mondelez itself intruded upon their “seclusion” by unearthing private facts about plaintiffs without their authorization; to the contrary, the allegation is that plaintiffs voluntarily disclosed the personal information at issue to Mondelez. See Gallagher, 631 F.Supp.3d at 598 (citing Bonilla v. Ancestry.com Operations Inc., 574 F.Supp.3d 582, 597 (N.D. Ill. 2021)). And they have not explained, nor does the Court see, how the mere acquisition of their personal information by hackers amounts to “public disclosure” of private facts. See Doe, 2022 WL 972295, at *6; see also Roper v. Rise Interactive Media & Analytics, LLC, No. 23 CV 1836, 2024 WL 1556298, at *3 (N.D. Ill. Apr. 10, 2024) (citing and following cases, including Doe, in which courts found similar allegations “insufficient to qualify as a ‘public disclosure'”). The invasion of privacy claim is dismissed.
C. Bryan Cave's Motion to Dismiss
Bryan Cave argues that the Court should dismiss all of plaintiffs' common-law claims because they have not alleged that Bryan Cave's actions caused plaintiffs to suffer any actionable damages, and the breach of contract and bailment claims should be dismissed for failure to plausibly allege all elements of the causes of action.
1. No Common Law Damages
Bryan Cave argues that plaintiffs have not pleaded sufficient facts to support any valid theory of damages on any of their common-law claims. The Court disagrees as to the negligence claims, which are viable for the reasons stated above and in Gallagher, in which the court explained that allegations supporting a finding of “emotional harms such as anxiety and increased concerns for the loss of privacy” suffice for a recovery of “non-economic damages.” 631 F.Supp.3d at 587; see Roper, 2024 WL 1556298, at *2.
The contract claim may be more complicated, to the extent that plaintiffs rely on a “losttime damages theory” in this case. Flores, 2023 IL App (1st) 230140, ¶ 34. In Flores, the Illinois Appellate Court explained that, although the district court recognized the same theory as viable in Gallagher, 631 F.Supp. at 587, its reasoning was “a product of federal law, not state law.” 2023 IL App (1st) 230140, ¶ 34. Flores held that the plaintiffs' breach of contract claim was properly dismissed to the extent it was premised only on a “lost-time damages theory” instead of allegations of “actual monetary damages.” Id. At least one federal district court has applied Flores in a data breach case and dismissed a contract claim on this basis. See Wittmeyer, 2024 WL 182211, at *5-6. The same reasoning would seem to apply to this case.
What gives the Court pause before following Flores and rejecting Gallagher's reasoning is that the Gallagher court relied on the Seventh Circuit's decision in Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828, 830 (7th Cir. 2018), which is, of course, binding on this Court. Flores cited only pre-Dieffenbach decisions of the Illinois Supreme Court, and the Court hesitates to diverge from Dieffenbach without a clearer indication that the Illinois Supreme Court would decide the issue differently. See Reiser v. Residential Funding Corp., 380 F.3d 1027, 1029 (7th Cir. 2004) (explaining that “decisions of intermediate state courts,” which are themselves “just prognostications,” do not “liberate district judges from the force of” an interpretation of state law in a binding decision of the United States Court of Appeals). Ultimately, the Court need not decide the issue, however, because plaintiffs' contract claim, as well as their only other remaining common-law claim, the bailment claim, must be dismissed on other grounds, as the Court will explain below.
2. Breach of Contract-Intended Beneficiaries
Plaintiffs assert a claim for breach of contract against Bryan Cave as third-party beneficiaries of its contract with Mondelez. Bryan Cave argues that plaintiffs do not state a claim because they have not plausibly alleged that they are intended beneficiaries of any contract between Bryan Cave and Mondelez.
“Under Illinois law, not every third party who benefits from a contract can sue for its breach”; the third-party must be “someone whom the parties intended to directly benefit by the performance of the contract,” as evidenced by “the language of the contract and the circumstances surrounding its execution.” Crawford v. Belhaven Realty LLC, 109 N.E.3d 763, 776 (Ill.App.Ct. 2018). “Because parties typically enter into contracts to benefit themselves rather than third parties, there is a presumption against intended beneficiary status that can only be overcome by an implication so strong as to be practically an express declaration.” Id. (internal quotation marks omitted).
Plaintiffs have not alleged circumstances sufficient to overcome the presumption here. They have not alleged the terms of the contract or that it was made with reference to any impact it might have on the rights, privileges, or welfare of any particular third parties. A vague awareness that the transaction might have consequences for non-contracting parties is not enough. See Altevogt v. Brinkoetter, 421 N.E.2d 182, 188 (Ill. 1981); Barney v. Unity Paving, Inc., 639 N.E.2d 592, 596 (Ill.App.Ct. 1994). This is not a case, like Crawford, 109 N.E.3d at 776, in which the parties contemplated rendering “a performance directly to a third party,” which typically shows an intent to benefit that party. See Advanced Concepts Chicago, Inc. v. CDW Corp., 938 N.E.2d 577, 582-83 (Ill.App.Ct. 2010). Without more, plaintiffs allege no more than the mere possibility that Mondelez and Bryan Cave intended to benefit Mondelez's employees by their agreement for legal services, and that possibility does not suffice to elevate the right to relief above the speculative level and over the plausibility threshold. Therefore, this breach of contract claim is dismissed.
3. Bailment
“A bailment is ‘the delivery of goods for some purpose, upon a contract, express or implied, that after the purpose has been fulfilled they shall be redelivered to the bailor, or otherwise dealt with according to his directions, or kept till he reclaims them.'” Kirby v. Chicago City Bank & Tr. Co., 403 N.E.2d 720, 723 (Ill.App.Ct. 1980) (quoting Knapp, Stout & Co. v. McCaffrey, 52 N.E. 898, 898 (Ill. 1899)). “Among the necessary elements of a bailment are an agreement by the bailor to transfer or deliver and the bailee to accept exclusive possession of goods for a specified purpose, the actual delivery or transfer of exclusive possession of the property of the bailor to the bailee, and acceptance of exclusive possession by the bailee.” Kirby, 403 N.E.2d at 723.
Bryan Cave argues that plaintiffs' bailment claim must be dismissed because plaintiffs have not alleged that it was in “exclusive possession” of plaintiffs' personal information. The Court agrees. The law of bailment in Illinois does not map onto the circumstances of this case, as no one can have “exclusive possession” of another person's personal information.
True, the Court has recognized above that, in borderline cases, it may be preferable to deny a motion to dismiss and permit the parties to develop the record before ruling on the availability of an untried legal theory. But plaintiffs' bailment claim does not present a question of foreseeability that might benefit from further factual development. Rather, the bailment claim would be a stretch under any conceivable version of the facts, and “‘federal court is not the place to press innovative theories of state law.'” Cima v. WellPoint Health Networks, Inc., 556 F.Supp.2d 901, 907 (S.D. Ill. 2008) (quoting Anderson v. Marathon Petroleum Co., 801 F.2d 936, 942 (7th Cir. 1986)); see Great N. Ins. Co. v. Amazon.com, Inc., 524 F.Supp.3d 852, 856 (N.D. Ill. 2021) (“[T]his court must bear in mind the Seventh Circuit's admonition that, “[w]hen given a choice between an interpretation of Illinois law which reasonably restricts liability, and one which greatly expands liability, [a federal court] should choose the narrower and more reasonable path (at least until the Illinois Supreme Court [says] differently).'”) (quoting Todd v. Societe Bic, S.A., 21 F.3d 1402, 1412 (7th Cir. 1994)).
Bryan Cave also moves for dismissal of any claim for injunctive or declaratory relief, arguing that any such claim must fail to the extent that each substantive claim fails. Despite the fact that plaintiffs assert their right to injunctive or declaratory relief in its own count, the Court does not consider this a separate claim; it is merely a separate form of relief. Regardless, the Court does not conclude that each substantive claim fails; the negligence claim survives Bryan Cave's motion to dismiss, so whatever right to injunctive or declaratory relief plaintiffs may have on that claim, if any, likewise survives.
CONCLUSION
Defendants' motions to dismiss [Case No. 23 C 3999, ECF No. 35; Case No. 23 C 4249, ECF No. 41] are granted in part and denied in part. The motions are denied as to standing and as to failure to state a claim of negligence or for declaratory or injunctive relief. Plaintiffs' negligence claims survive in both consolidated actions. The motions to dismiss are otherwise granted. Plaintiffs shall file an amended complaint, if desired, by July 3, 2024. The parties shall file a joint status report by July 10, 2024. The Court sets a status hearing in both consolidated actions for July 17, 2024.
SO ORDERED.