From Casetext: Smarter Legal Research

Johnson v. Nice Pak Prods.

United States District Court, Southern District of Indiana
Jun 5, 2024
1:23-cv-01734-JMS-CSW (S.D. Ind. Jun. 5, 2024)

Opinion

1:23-cv-01734-JMS-CSW

06-05-2024

Darin Johnson and Robert Willey on behalf of; themselves and all others similarly situated, Plaintiffs, v. Nice Pak Products, Inc. and Professional Disposables International, Inc., Defendants


ORDER

Hon. Jane Magnus-Stinson, Judge United States District Court Southern District of Indiana

Plaintiff's Darin Johnson and Robert Willey, on behalf of a putative class of similarly situated individuals, are suing Defendants Nice Pak Products, Inc. ("Nice Pak") and Professional Disposables International, Inc. ("Professional Disposables") for losses they suffered from a data breach due to cybertheft. They allege that Defendants failed to use updated cybersecurity measures to prevent the breach and failed to promptly notify victims about their compromised personally identifiable information ("PII"). They assert claims for negligence, negligence per se in violation of the Federal Trade Commission Act ("FTC Act"), breach of implied contract, unjust enrichment, bailment, and violation of the New York Deceptive Trade Practices Act. Defendants have filed a Motion to Dismiss Amended Complaint, which is ripe for the Court's consideration. [Filing No. 26].

I.

Standard of Review

Under Rule 12(b)(6), a party may move to dismiss a claim that does not state a right to relief. The Federal Rules of Civil Procedure require that a complaint provide the defendant with "fair notice of what the . . . claim is and the grounds upon which it rests." Erickson v. Pardus, 551 U.S. 89, 93 (2007) (quoting Bell Atlantic v. Twombly, 550 U.S. 544, 555 (2007)). In reviewing the sufficiency of a complaint, the Court must accept all well-pled facts as true and draw all permissible inferences in favor of the plaintiff. SeeActive Disposal Inc. v. City of Darien, 635 F.3d 883, 886 (7th Cir. 2011). A Rule 12(b)(6) motion to dismiss asks whether the complaint "contain[s] sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). The Court will not accept legal conclusions or conclusory allegations as sufficient to state a claim for relief. SeeMcCauley v. City of Chicago, 671 F.3d 611, 617 (7th Cir. 2011). Factual allegations must plausibly state an entitlement to relief "to a degree that rises above the speculative level." Munson v. Gaetz, 673 F.3d 630, 633 (7th Cir. 2012). This plausibility determination is "a contextspecific task that requires the reviewing court to draw on its judicial experience and common sense." Id.

II.

Background

The following are the factual allegations set forth in the Amended Complaint, the operative Complaint in this case, which the Court must accept as true at this time:

A. Defendants Collect Employees' PII

Nice Pak "is a corporation that provides 'quality wet wipes,' and other healthcare products." [Filing No. 20 at 1.] Professional Disposables "is a health corporation and affiliate of [Nice Pak], that provides 'products and solutions, educational resources, in-service training, and clinical support' to . . . healthcare providers or similar companies." [Filing No. 20 at 2.] Mr. Johnson and Mr. Willey and the putative Class Members are or were employees for one or both Defendants. [Filing No. 20 at 2.]

Pursuant to their employment, Defendants collected Plaintiffs' PII, including "full names, addresses, Social Security numbers . . . and medical and health insurance information." [Filing No. 20 at 2.] Plaintiffs allege that "Defendants promised to provide confidentiality and adequate security for employee data though their applicable privacy policy and through other disclosures in compliance with data privacy requirements." [Filing No. 20 at 7.]

B. Cyberthieves Steal Employees' PII from Defendants

Sometime between May 28 and June 15, 2023, "an unauthorized actor viewed and obtained files" kept by Defendants (the "Data Breach"). [Filing No. 20 at 9.] Among those files were "names, addresses, Social Security Numbers, health plan member numbers, and health saving account numbers." [Filing No. 20 at 9-10.] On June 15, 2023, the final day of the Data Breach, Defendants identified the "unusual activity." [Filing No. 20 at 9.] After nearly two months had passed, on August 14, 2023, Defendants finally sent letters to Plaintiffs informing them of the Data Breach. [Filing No. 20 at 8-9 (letter available at https://www.doj.nh.gov/consumer/security-breaches/documents/nice-pak-products-20230814.pdf)] According to Plaintiffs, missing from the letter were "details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures taken to ensure such a breach does not occur again." [Filing No. 20 at 9.]

C. This Litigation

Plaintiffs filed suit in the Marion Superior Court, and Defendants removed the case to this Court. [Filing No. 1-1; Filing No. 1.] Plaintiffs allege that "[a]rmed with the [PII] accessed in the Data Breach, data thieves have . . . engaged in identity theft and fraud . . . and can in the future commit a variety of crimes including . . . opening new financial accounts, . . . taking out loans, . . . obtain[ing] government benefits, filing fraudulent tax returns, . . . obtaining driver's licenses, . . . and giving false information to police during an arrest"-all while posing as Plaintiffs using their PII. [Filing No. 20 at 4.] As a result of these risks, Plaintiffs allege they must "now and in the future closely monitor their financial accounts," and "purchas[e] credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft." [Filing No. 20 at 4.]

Plaintiffs state that they have since "spent significant time remedying the [Data Breach] . . . valuable time [that] would have [been] spent on other activities." [Filing No. 20 at 13.] Plaintiffs state that they have suffered many injuries, including "invasion of privacy"; "theft of PII"; "lost or diminished value of PII"; "lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach"; "loss of benefit of the bargain"; "anxiety and increased concerns for the loss of . . . privacy, especially . . . Social Security number[s] being in the hands of criminals";" impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from . . . stolen [PII] being placed in the hands of unauthorized third parties and possibly criminals"; and other damages. [Filing No. 20 at 13-17.]

Plaintiffs allege that Defendants "failed to adhere to industry standards," such as "educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and antimalware software; encryption, making data unreadable without a key; multi-factor authentication; backup data and limiting which employees can access sensitive data." [Filing No. 20 at 21.] Plaintiffs also allege that "Defendants failed to adhere to FTC guidelines," which allegedly admonish businesses to maintain certain standards of data protection, including "protect[ing] personal customer information that they keep," "encrypt[ing] information stored on computer networks," and "implementing] policies to correct security problems." [Filing No. 20 at 20.] According to Plaintiffs, businesses falling beneath the standard of care for data security have historically been subject to legal actions by the FTC pursuant to Section 5 of the Federal Trade Commission Act. [Filing No. 20 at 20-21 (citing 15 U.S.C. § 45).]

Plaintiffs claim that Defendants' alleged actions and omissions amounted to negligence, negligence per se under Section 5 of the FTC Act, breach of implied contract, unjust enrichment, violation of bailment, and violation of the New York Deceptive Trade Practices Act, General Business Law § 349 ("GBL § 349"). [Filing No. 20 at 27-39.]

Pursuant to these claims, Plaintiffs seek remedies, "including, but not limited to, compensatory damages and injunctive relief including improvements to Defendants' data security systems, future annual audits, and adequate credit monitoring services funded by Defendants." [Filing No. 20 at 5.] Plaintiffs note that although Defendants "ma[d]e an offer of 12 months of identity monitoring services," such compensation is "wholly inadequate" due to the risk of identity theft extending for "multiple years." [Filing No. 20 at 10.]

Plaintiffs ultimately seek to have the case certified as a class action on behalf of the following classes:

• All persons residing in the United States whose PII was accessed and/or acquired by an unauthorized party as a result of the Data Breach reported by Defendants in August 2023, including all persons who received the Notice Letter.
• All New York citizens whose PII was accessed and/or acquired by an unauthorized party as a result of the Data Breach reported by Defendants in August 2023, including all persons who received the Notice Letter.
[Filing No. 20 at 22-23.]

III.

Discussion

A. Negligence Claim

Defendants argue that Plaintiffs have failed to state a claim for negligence because the "economic loss rule" prevents their claims, they have not alleged a "breach of any duty recognized by Indiana law," and "their claim fails for a lack of cognizable injuries." [Filing No. 27 at 4-5.] Defendants argue that under the economic loss rule, "a defendant is not liable under a tort theory for any purely economic loss caused by its negligence" without "personal injury or damage to property other than the product or service itself." [Filing No. 27 at 4.] Defendants argue that instead, "the sole remedy for the failure of a product or service" is the contract itself. [Filing No. 27 at 5.] Defendants state that the negligence claims must necessarily be "governed by contract" because the Plaintiffs have not pointed to an independent duty of care outside of the contract, since "no such common-law duty exists in Indiana." [Filing No. 27 at 6.] Defendants further argue that they did not owe a duty to Plaintiffs, stating that "the Seventh Circuit has specifically determined that the Indiana data breach statutes create no duty related to safeguarding of personal information." [Filing No. 27 at 7 (citing Pisciotta v Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007)).] Defendants state further that Plaintiffs have alleged no cognizable damages because neither "the harm caused by identity information exposure" nor the "attendant costs to guard against identity theft" "are compensable injuries under Indiana law." [Filing No. 27 at 8.]

Plaintiffs state in their response that they have "adequately pleaded Nice Pak's negligence." [Filing No. 30 at 5.] Plaintiffs explain that their negligence claims "are not barred by the economic loss rule" because their damages are not "solely economic" and because Nice Pak owed them an "independent duty" to protect its employee's PII. [Filing No. 30 at 5.] Plaintiffs further state that the economic loss doctrine applies only in the context of "products liability and construction." [Filing No. 30 at 6.] Plaintiffs state that their damages extend beyond the solely economic because they relate to "increased risk of identity theft and misuse of their" PII, and "time spent monitoring accounts, protecting against, and mitigating risk of misuse, lost time, annoyance, interference, and inconvenience." [Filing No. 30 at 6.] Plaintiffs note that a bailment claim "can be styled as one in contract or in tort," hence under tort law, they have demonstrated that the Defendants owed a "duty of outside of a contractual relationship." [Filing No. 30 at 7.] Plaintiffs state further that they allege "cognizable damages as [a] result of the data breach." [Filing No. 30 at 8.] Plaintiffs argue that since the decision of Pisciotta, the Seventh Circuit's later decisions have recognized that "time and effort spent protecting against and mitigating the risks created by data breaches" are cognizable injuries. [Filing No. 30 at 8 (citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015) and Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016))]. Plaintiffs argue that under several Indiana state court cases, "plaintiffs who are victims of a data breach are injured by the mere theft of their personal data, and thus have suffered a direct injury sufficient to confer standing." [Filing No. 30 at 9.]

In reply, Defendants argue that Plaintiffs allege only economic damages. [Filing No. 34 at 4.] Defendants maintain that Plaintiffs' allegations related to "the financial value of their time and personal information" are either "conclusory," are simply economic injuries, or are otherwise not specific in "what kind of damages they pled." [Filing No. 34 at 4.] Defendants state that in another Indiana case, "[t]he same types of damages that were alleged . . . are alleged by Plaintiffs." [Filing No. 34 at 5.] Defendants state that the economic loss doctrine does extend beyond the contexts of products liability and construction and prior caselaw was decided in prior plaintiffs' favor because they alleged non-economic losses and no contractual relationship. [Filing No. 34 at 5.] Defendants state that a Southern District of Indiana case that permitted a bailment-data-breach claim is "contrary to Indiana law, not binding, and is unpersuasive," so it "cannot provide the basis of the 'independent tort' or the requisite duty for their negligence claim." [Filing No. 34 at 5 (citing Krupav. TIC Int'l Corp., No. 1:22-CV-01951-JRS-MG, 2023 WL 143140 (S.D. Ind. Jan. 10, 2023).] Defendants further argue that "Plaintiffs have not alleged cognizable damages," arguing that Indiana state-court cases cited by Plaintiffs are factually distinguishable because they "contain allegations of actual financial loss or identity theft." [Filing No. 34 at 6.] Defendants argue that "[t]he mere notice of a data incident without additional facts of financial loss or identity theft does not amount to compensable damages recoverable in tort." [Filing No. 34 at 7.] Defendants continue to state that "the standard for alleging actual damages is generally higher than that for plausibly alleging injury in fact." [Filing No. 34 at 7.] Defendants contrast the authorities cited by Plaintiffs as focusing on Article III standing, while Defendants maintain that this case is controlled by Seventh Circuit caselaw on compensable injuries. [Filing No. 34 at 7 (comparing Remijas, 794 F.3d at 697 and Lewert, 819 F.3d at 969-70 with Pisciotta, 499 F.3d at 633).]

The parties dispute whether a common-law negligence duty applies, whether there are compensable damages, and if there are damages, whether they are precluded by the economic loss rule. The Court addresses each issue in turn.

Regarding a claim for common-law negligence, such an action "has three elements: (1) a duty owed to the plaintiff by the defendant, (2) a breach of the duty, and (3) an injury proximately caused by the breach of duty." Stachowski v. Est. of Radman, 95 N.E.3d 542, 543 (Ind.Ct.App. 2018). "[B]usinesses have the common-law 'duty to exercise ordinary and reasonable care in the conduct of their operations . . . for the safety of others whose injuries should reasonably have been foreseen or anticipated." WEOC, Inc. v. Niebauer, No. 23S-CT-184 at 10,N.E.3d(Ind. Feb. 12, 2024) (slip op). "[T]he existence of a duty in negligence is a question of law." Reedv. Cent.Soya Co., 621 N.E.2d 1069, 1076 (Ind. 1993). In this case, and generally, employees reasonably expect their employers to keep their personal information safe. Even in the era before digital recordkeeping, if an employer kept its employees' Social Security numbers in an unlocked box on the sidewalk for anyone to take, no one would question that the employer would be negligent. The Court notes that although Pisciotta interpreted the Indiana data-breach statute, it was decided before Indiana cases permitting common law data-breach negligence claims. See, e.g., Paul v. Ardagh Glass, Inc., No. 49D07-2209-CT-031302, 2023 WL 5153147, at *7 (Ind. Super. Ct. Jan. 23, 2023); In re Eskenazi Health Data Incident Litig., No. 49D01-2111-PL-038870, 2022 WL 20505180, at *11 (Ind. Super. Ct. Sep. 2, 2022). The Court holds that Defendants owed a duty to Plaintiffs to keep their PII safe and that Plaintiffs have adequately pled that element of their negligence claim.

Regarding damages, the Seventh Circuit has recognized the imminent and concrete injuries that victims of data breaches face. The Seventh Circuit has explained that such victims are "at risk for both fraudulent charges and identity theft," even if no such occurrences have yet happened. Lewert, 819 F.3d at 967. Such individuals must "spen[d] time and effort monitoring both [their] card statements and [their] other financial information as a guard against fraudulent charges and identity theft." Id. In offering and encouraging credit monitoring to Plaintiffs, Defendants "implicitly acknowledged this," id. since "[i]t is unlikely that [Defendants] did so because the risk is so ephemeral that it can safely be disregarded." Remijas, 794 F.3d at 694. After all, "[w]hy else would hackers break in . . . and steal . . . private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those . . . identities." Id. at 693. While Defendants argue that compensable damages must be higher than standing's injury-in-fact, they cite no Seventh Circuit authority for that proposition and the out-of-circuit case they do cite itself cites to no authority. To the extent other authority is used by Defendants to suggest the contrary, it indicates only that in some circumstances the inquiry for injury-in-fact and compensable damages yields different results. SeeDoe v. Chao, 540 U.S. 614, 627 (2004). Here, there is no difference. For example, Indiana law specifically allows for damages to include "the value of [lost time]." Ind. Model Civ. Jury Inst. 703(3) (brackets in original). As one Indiana court explained, further legal proceedings are necessary "to determine the extent to which those damages can be compensated as arising from the Data Breach at issue in this case." Paul, 2023 WL 5153147 at *6. The Court finds that Plaintiffs have plausibly alleged the damages element of their negligence claim.

Regarding the economic loss doctrine, both the Indiana Supreme Court and the Seventh Circuit agree that the term "economic loss" is a misnomer which "does not necessarily lead to a proper understanding of the scope and applicability of the doctrine." Indianapolis-Marion Cnty.Pub. Libr. v. Charlier Clark & Linard, PC., 929 N.E.2d 722, 729 n.8 (Ind. 2010). Rather, it is better understood as "'commercial loss,' not only because personal injuries and especially property losses are economic losses, . . . which . . . are monetized," but also because in commercial disputes, contract law is more suitable than tort law. Miller v. U.S. Steel Corp., 902 F.2d 573, 574 (7th Cir. 1990). In this case, the parties' relationship is not one of business-to-business or consumer-to-business, but employer-to-employee. In any event, at least some of the harms experienced by the Plaintiffs are not solely economic, such as lost time and worry. And for the harms Plaintiffs have mitigated, plaintiffs generally have a duty to mitigate their damages, and were the Plaintiffs to do otherwise, "the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not 'fairly traceable' to the defendant's data breach." Remijas, 794 F.3d at 693.

The economic loss doctrine does not apply, and Plaintiffs have plausibly alleged compensable damages. The Court DENIES Defendants' Motion to Dismiss as to Plaintiffs' negligence claim.

B. Negligence Per Se Claim

Defendants argue that "Plaintiffs fail to state a claim for negligence per se" under the FTC Act because the FTC Act "does not provide Plaintiff[s] with a private right of action." [Filing No. 27 at 9-10.] Defendants state that "Allowing third-parties like Plaintiffs to enforce the FTC Act 'would be inconsistent'" with its legislative scheme. [Filing No. 27 at 10.]

Plaintiffs respond that "in the context of data breach litigation, "courts routinely reject this argument" that the FTC Act does not provide a private right of action such that a negligence per se claim must fail. [Filing No. 30 at 9-10.] They argue that "negligence per se differs from bringing a private right of action under the statute, so the non-existence of such a right under either the FTC Act . . . does not preclude Plaintiffs' claims." [Filing No. 30 at 10.] From this, Plaintiffs argue that they are not "pursuing a private cause of action for violations of . . . the FTC Act; rather, they assert that Defendants' violations of those statutes evince Nice Pak's breach of its duty to protect sensitive" PII. [Filing No. 30 at 10.] According to Plaintiffs, "Indiana courts recognize that allegations of an 'unexcused violation of a statutory duty constitutes negligence per se 'if the statute or ordinance is intended to protect the class of persons in which the plaintiff is included and to protect against the risk of the type of harm which has occurred as a result of its violation." [Filing No. 30 at 10.]

Defendants reply that "[w]hen a plaintiff alleges that a statute supplies a defendant's duty, courts must first inquire whether the Legislature intended to make the defendant liable in tort under that statute." [Filing No. 34 at 8.] Defendants argue that controlling Indiana appellate-court authority supports that rule and is not bound by Indiana trial-court authority to the contrary. [Filing No. 34 at 8.]

As Defendants' brief has demonstrated, private-right-of-action claims and negligence-perse claims "are often confused." Gresser v. Reliable Exterminators, Inc., 160 N.E.3d 184, 191 (Ind.Ct.App. 2020) (referring to each claim alternatively as "Statutory-Duty Claim" and "CommonLaw-Duty Claim). A "private right of action" assumes that an allegation of a "violation of a statute or ordinance gives rise to civil liability even in the absence of a common-law duty.'" Stachowski, 95 N.E.3d at 545. In contrast, "negligence per se" "assumes the existence of a common-law duty of reasonable care, and the court is asked to adopt the standard of conduct set forth in a statute or ordinance . . . as the standard of conduct required under that preexisting duty, so that a violation of the statute or ordinance serves to satisfy the breach element of a negligence action." Id. at 544 Thus, "[t]hough similar, negligence-per-se claims differ in that a violation of certain statutes or ordinances 'serves to satisfy the breach element.'" Niebauer, No. 23S-CT-184 at 9.

"Generally speaking, 'the unexcused violation of a statute or ordinance constitutes negligence per se if the provision (1) 'protects the class of persons in which the plaintiff is included' and (2) 'protects against the type of harm that has occurred as a result of the violation.'" Gresser, 160 N.E.3d at 191. Section 5 of the FTC Act prohibits "unfair . . . acts or practices in or affecting commerce." 15 U.S.C. § 45. Applied to this case, "[t]he question for the jury is not whether the FTC Act was violated but whether [Defendants] breached [their] duty to protect [Plaintiffs'] PII by failing to meet the standard of care articulated in the FTC Act." Paul, 2023 WL 5153147 at *9. Data breaches affect commerce, and Plaintiffs benefit from protections against the kinds of harms that proper data security would avoid. As other courts have similarly decided, "the FTC Act can serve as the basis of a negligence per se claim." Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 76061 (C.D. Ill. 2020); In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1143 (C.D. Cal. 2021). Plaintiffs have plausibly alleged a claim for negligence per se, so the Court DENIES Defendants' Motion to Dismiss as to that claim.

C. Breach of Implied Contract Claim

Defendants argue that "Plaintiffs fail to state a claim for breach of implied contract." [Filing No. 27 at 10.] Defendants reject the argument that Nice Pak agreed to prevent disclosure of PII and provide prompt notice of such disclosure only "implicitly." [Filing No. 27 at 11.] They argue that to state a claim for breach of an implied contract, Plaintiffs must show the contract's terms to be "reasonably definite and certain." [Filing No. 27 at 11.] But according to Defendants, Plaintiffs do not allege "what Nice Pak implicitly promised to do in the event of, or to protect against, a third-party cyber security attack, nor do they allege what Nice Pak failed to do that constitutes a 'material breach.'" [Filing No. 27 at 12.] Defendants argue further that Plaintiffs have not alleged any damages, stating that "[t]here are no allegations that Plaintiffs suffered any quantifiable loss or incurred 'any completed direct financial loss' arising from the Data Breach. [Filing No. 27 at 13.] As an example, Defendants state that "both plaintiffs expressly admit that they 'sign[ed] up for the credit monitoring and identity theft insurance offered by Defendant,' and thus have no out-of-pocket damages." [Filing No. 27 at 13.]

Plaintiffs respond that their "implied contract claim is well pleaded." [Filing No. 30 at 11.] According to Plaintiffs, "[u]nder Indiana law, an implied contract is formed 'if it can be inferred that the parties mutually intended to be bound by the agreement," which includes implied contracts "formed by conduct." [Filing No. 30 at 11.] They state that "it is enough to allege that there was an explicit or implicit contract for data security, that plaintiffs placed value on that data security, and that Defendants failed to meet their representations about data security." [Filing No. 30 at 12.] Plaintiffs state that "[accordingly, even standing alone, the provision of PII by an employee to an employer is accompanied by the implicit understanding that it will be reasonably maintained as confidential." [Filing No. 30 at 12.] Plaintiffs explain that they have alleged cognizable damages as "the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages." [Filing No. 30 at 13-14.]

Defendants reply that Plaintiffs have made only "vague allegations of unilateral belief and assumptions[, which] do not come close to a plausible claim of breach of implied contract." [Filing No. 34 at 9.] Defendants argue that "[t]he essential terms of an agreement to safeguard and protect [PII] would naturally include terms governing the reasonable and adequate steps that Plaintiffs contend Nice Pak should have taken to protect their PII," but "Plaintiffs cannot point to any promise, agreement, or term that would support an implied contract." [Filing No. 34 at 9.] Defendants assert that Nice Pak's "online privacy policies" likewise do not prevent dismissal. [Filing No. 34 at 9.] According to Defendants, "[t]here are no allegations that Plaintiffs read those website privacy policies-let alone read them before they submitted any PII to Nice Pak." [Filing No. 34 at 9.] Regardless, Defendants point to the policy's express disclaimer of "any specific promise or expectation [of] data security." [Filing No. 34 at 10.] Defendants reiterate that "[a] court employs different standards of review in considering injury for standing purposes and damages for sufficiency of a claim." [Filing No. 34 at 10.] Defendants state that "there are no allegations that Plaintiffs suffered any quantifiable loss or incurred 'any completed direct financial loss' arising from the" Data Breach. [Filing No. 34 at 10.]

Under Indiana law, "[a]n implied in fact contract refers to the class of obligations which arises from mutual agreement and intent to promise, when the agreement and promise have simply not been expressed in words." McCart v. Chief Exec. Officer in Charge, Indep. Fed. Credit Union, 652 N.E.2d 80, 85 (Ind.Ct.App. 1995). "[A] contract implied in fact arises out of acts and conduct of the parties, coupled with a meeting of the minds and a clear intent of the parties in the agreement." Id. "No general rule can be set forth as to what facts are necessary to prove the existence of an implied contract." Wilhoite v. Beck, 230 N.E.2d 616, 623 (Ind.Ct.App. 1967). As such," [t]he question as to whether or not there was either an express contract or an implied contract to pay for the services is [a] matter of fact." Id. at 622.

In this case, employees and employers generally understand that PII-necessary for business operations like paying employee wages-should be kept private. Such an understanding is plausibly an implicit term of their employment agreement. "The terms of the implied contracts and the parties' intentions can be fleshed out in discovery." Trustees of Ind. Univ. v. Spiegel, 186 N.E.3d 1151, 1160 (Ind.Ct.App. 2022). The Court DENIES Defendants' Motion to Dismiss as to Plaintiffs' claim for breach of implied contract.

D. Unjust Enrichment Claim

Defendants argue that "Plaintiffs fail to state a claim for unjust enrichment." [Filing No. 27 at 13.] They assert that "[t]orecover for unjust enrichment under Indiana law, a plaintiff 'must show that . . . he rendered a measurable benefit to the defendant at the defendant's express or implied request.'" [Filing No. 27 at 13.] Defendants argue that "[e]ven assuming that Plaintiffs did confer a benefit on Nice Pak by applying for employment, there are no allegations that they did so 'at the defendant's express or implied request.'" [Filing No. 27 at 14.] Rather, Defendants state that Plaintiffs "sought out employment with Nice Pak and provided their information in hopes of gaining employment for themselves" and "[a]ny monies that later flowed from Nice Pak to [Plaintiffs] were for employment services exchanged, not in return for their personal information." [Filing No. 27 at 14.]

Plaintiffs respond that they have "stated a claim for unjust enrichment." [Filing No. 30 at 14.] They state that for purposes of the unjust enrichment doctrine, conferring a "benefit" to an employer includes providing PII and the provision of labor itself. [Filing No. 30 at 14-15.] Plaintiffs argue that the terms of such unjust enrichment include "the promise to protect sensitive information acquired as part of a transaction." [Filing No. 15 at 30.]

Defendants argue in their reply that "Plaintiffs do not cite to any Indiana case or Indiana legal authority in opposing dismissal of their unjust enrichment claim" or make arguments under Indiana law. [Filing No. 34 at 11.] Defendants further argue that "Plaintiffs do not plead, and cannot plead, that they expected a fee from Nice Pak in exchange for providing their PII for the purpose of applying [for] or maintaining employment." [Filing No. 34 at 11.] Defendants argue further that Plaintiffs "do not plead that Nice Pak withheld some portion of their salary to go toward data security or that Nice Pak ever requested money from Plaintiffs to pay for data security." [Filing No. 34 at 11.] Defendants contend that Plaintiffs' cited authority is otherwise distinguishable because those cases primarily concern plaintiffs who expressly made a purchase in exchange for some other benefit. [Filing No. 34 at 11-12.]

Under Indiana law, "[t]o prevail on a claim of unjust enrichment, a plaintiff must establish that a measurable benefit has been conferred on the defendant under such circumstances that the defendant's retention of the benefit without payment would be unjust." Kohl's Indiana, L.P. vOwens, 979 N.E.2d 159, 167 (Ind.Ct.App. 2012). Plaintiffs have not alleged that Defendants benefited from the PII information other than as incidental to benefitting from Plaintiffs' compensated labor. The PII is better understood as necessary to conduct business operations, not a good whose inherent value was extracted by Defendants. Defendants Motion to Dismiss as to the claim for unjust enrichment is GRANTED.

E. Bailment Claim

Defendants argue that "Plaintiffs fail to state a claim for bailment." [Filing No. 27 at 15.] Defendants argue that "[u]nder Indiana law, a bailment arises when personal property belonging to the bailor is delivered into the exclusive possession of the bailee, and the property is accepted by the bailee." [Filing No. 27 at 15.] Defendants argue that "[i]t is factually implausible for Nice Pak to have ever been in the 'exclusive possession or 'sole custody' of Plaintiffs' PII or to have prevented Plaintiffs from using it." [Filing No. 27 at 15.] According to Defendants, "Plaintiffs have been free at all relevant times to disseminate their" PII "in any way they wish to whomever they wish" and "there's no allegation that Nice Pak was to 'return' Plaintiffs' PII." [Filing No. 27 at 16.]

Plaintiffs state that "[astonishingly, Defendants argue this Court should reject one of its own recent decisions speaking directly to this point in concluding that Plaintiffs have not stated a claim for bailment." [Filing No. 30 at 16.] Plaintiffs state that "[i]n Indiana, bailment law is not reserved for physical goods. Indiana recognizes data as a form of property." [Filing No. 30 at 16.] Plaintiffs allege that they "entrusted their personal information to Defendants 'on the mutual understanding that Defendants would protect it against disclosure[,]' and that as a direct result of Defendants['] failure to implement adequate and reasonable cyber-security procedures, [P]laintiffs' [PII] was exposed to cybercriminals." [Filing No. 30 at 16.] Plaintiffs explain that they "need nothing more to state their claim for bailment." [Filing No. 30 at 17.]

Defendants argue in their reply that the Court is not bound by another decision of this Court and note that other Indiana state courts have rejected bailment claims for data breaches. [Filing No. 34 at 2-3.] Defendants state that a key distinction between traditional bailment and Plaintiffs' claims is that "Nice Pak was [not] in exclusive possession of Plaintiffs' [PII]." [Filing No. 34 at 3.] Without such exclusive possession," [s]ubmitting forms to an employer which contain personal information does not give rise to a bailment under Indiana law." [Filing No. 34 at 3.]

Under Indiana law, "[a] bailment arises when: (1) personal property belonging to a bailor is delivered into the exclusive possession of the bailee and (2) the property is accepted by the bailee." Albanese Confectionary Grp., Inc. v Cwik, 165 N.E.3d 139, 148 (Ind.Ct.App. 2021). Although the Court acknowledges the holding in Krupa, 2023 WL 143140, and its reasoning that PII was delivered and accepted by the Defendants, in this case Plaintiffs' PII was not in Defendants' exclusive possession. Plaintiffs were free to use or disseminate their PII as they pleased and deliver it to limitless others. Lacking this essential element of bailment, Plaintiffs' bailment claimdoes not support each essential element and Defendants' Motion to Dismiss as to that claim is GRANTED.

F. New York Deceptive Trade Practices Act

In support of their Motion to Dismiss, Defendants argue that "Plaintiffs fail to state a claim under the New York Deceptive Trade Practices Act, General Business Law § 349." [Filing No. 27 at 18.] Defendants argue that to bring such a claim, Plaintiffs "must charge conduct of the defendant that is consumer-oriented" or "demonstrate that the acts or practices have a broader impact on consumers at large." [Filing No. 27 at 18.] Defendants argue that Plaintiffs "are not consumers. They are former employees," and that "[e]ven if the statute could be applied to an employee-employer relationship," "Plaintiffs do not point to any statement or document made by Nice Pak that was deceptive and do not allege that they sustained . . . damages." [Filing No. 27 at 18-19.] Further, Defendants argue that "Plaintiffs fail to state what misrepresentation Nice Pak made regarding its data security practices" that amounts to deception. [Filing No. 27 at 19.] Further still, Defendants argue that "even if Plaintiff could allege specific misrepresentations from Nice Pak about keeping personal information secure, the claim would still be insufficient because there was not an unlimited guaranty that information could not be stolen or hacked." [Filing No. 27 at 19.] Defendants conclude that "as with Plaintiffs' other claims, they fail to plead the requisite damages caused by the deceptive act." [Filing No. 27 at 20.]

Plaintiffs argue that New York's Deceptive Trade Practices Act "does not require that a plaintiff be a consumer to have standing but only that the complained of 'acts or practices have a broader impact on consumers at large.'" [Filing No. 30 at 17.] Plaintiffs state that "at the time [they] looked for employment and agreed to provide their PII to Defendants, they were not yet employees of Defendants and were members of the broader consuming public." [Filing No. 30 at 17.] Plaintiffs state further that they have "squarely alleged Defendants' misleading conduct including that they misrepresented their commitment to data security and the adequacy of their data protection regimen," which amounts to "actionable misrepresentations," as it is under the FTC Act, which New York courts specifically use as a guide to interpret GBL § 349. [Filing No. 30 at 18.] Finally, Plaintiffs state that they have suffered cognizable damages, including "the lost benefit of their bargains with Defendants, that they have spent time and effort in response to the Data Breach, and that the value of their PII has diminished as a result of the Data Breach." [Filing No. 30 at 18.]

In reply, Defendants state that under New York law, for purposes of GBL § 349, consumers are defined as "those who purchase goods and services for personal, family, or household use." [Filing No. 34 at 13.] They assert that "Plaintiffs fail to meet the threshold question of being a 'consumer,'" so "New York's consumer protection statute does not apply to the allegations in this case." [Filing No. 34 at 13.] Defendants state that "[t]o establish the requisite causal connection [for a GBL § 349 claim] [a] plaintiff must plausibly allege that she actually viewed the misleading statement prior to making her decision to purchase, and must set forth where, when and how she came to view it." [Filing No. 34 at 14.] Defendants further argue that "[e]ven assuming Plaintiffs could point to Nice Pak's privacy policies as the source of the alleged misleading statements, the privacy policies were not an unlimited guaranty that information could not be stolen or hacked." [Filing No. 34 at 14.]

Under New York Law "to state a claim under section[] 349 . . ., 'a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct, that is (2) materially misleading, and that (3) the plaintiff suffered injury as a result of the allegedly deceptive act or practice.'" Plavinv. Grp. Health Inc., 35 N.Y.3d 1, 10 (N.Y. 2020). This case concerns an employer-employee relationship, which is not consumer-oriented. Nor have Plaintiffs identified in their allegations the specifically misleading conduct; the allegations concern negligence, not an intentionally misleading act. Defendants' Motion to Dismiss as to Plaintiffs' claim under the New York Deceptive Trade Practice Act is GRANTED.

IV. Conclusion

For the foregoing reasons, the Court makes the following rulings:

• As to Plaintiffs' claims for negligence, negligence per se, and breach of implied contract, Defendants' Motion to Dismiss, [26], is DENIED and those claims SHALL PROCEED;
• As to the Plaintiffs' claims for unjust enrichment, bailment, and violation of the New York Deceptive Trade Practices Act, Defendants' Motion to Dismiss, [26], is GRANTED and those claims are DISMISSED WITHOUT PREJUDICE.

No partial final judgment shall issue.


Summaries of

Johnson v. Nice Pak Prods.

United States District Court, Southern District of Indiana
Jun 5, 2024
1:23-cv-01734-JMS-CSW (S.D. Ind. Jun. 5, 2024)
Case details for

Johnson v. Nice Pak Prods.

Case Details

Full title:Darin Johnson and Robert Willey on behalf of; themselves and all others…

Court:United States District Court, Southern District of Indiana

Date published: Jun 5, 2024

Citations

1:23-cv-01734-JMS-CSW (S.D. Ind. Jun. 5, 2024)

Citing Cases

Attias v. CareFirst, Inc.

To be sure, some courts in other jurisdictions have moved toward permitting the recovery of mitigation…