Opinion
Case No. 18 CV 2086
10-16-2018
MEMORANDUM OPINION AND ORDER
A hacker breached the electronic data storage system of defendant Citywide Title Corporation ("Citywide"), accessed plaintiff Robert White's personal information, and tricked plaintiff into sending $177,000 to an unknown bank account. Plaintiff filed a four-count complaint against Citywide, alleging that Citywide: (I) was negligent; (II) breached its fiduciary duty; (III) violated the Illinois Consumer Fraud Act; and (IV) invaded his privacy. Citywide moves to dismiss all four counts, arguing that none of them states a claim. For the following reasons, Citywide's motion is granted on Counts I, III, and IV, and denied on Count II.
The facts from plaintiff's complaint are presumed true for resolving Citywide's motion to dismiss. Firestone Financial Corp. v. Meyer, 796 F.3d 822, 826 (7th Cir. 2015).
The other defendant in this case, Wells Fargo Home Mortgage, also moved to dismiss. That motion was addressed in a separate order (Doc. 42).
BACKGROUND
Plaintiff wanted to buy an Illinois residential property, and hired defendant Citywide to serve as title company and escrow agent. Consistent with its normal practice, Citywide required plaintiff to provide his email address, home address, social security number, telephone number, birthdate, and other personal information.
During his attempted acquisition of the property, plaintiff received an email from Citywide telling him that he would soon get transfer instructions telling him how and where to transfer his money, and that to complete the purchase, he would have to follow the instructions within a certain a number of days. Later that day, plaintiff received those instructions from what he believed to be Citywide, and instructed his bank, Wells Fargo (the other defendant in this case), to transfer his money accordingly. The transfer instructions email contained his private information and information about the purchase, so plaintiff thought that the email had come from Citywide. He was wrong—the email had actually come from a hacker who, posing as Citywide's agent, had obtained plaintiff's private information by breaching Citywide's electronic data storage system. Plaintiff had been duped into sending a stranger $177,000.
After plaintiff discovered the fraud, he called Citywide and spoke to one of its employees. That employee told him that this situation—fraudulent wire transfer instructions being sent to consumers—had been happening to Citywide "a lot." Plaintiff also contacted the account administrators of his email account, who told him that his email account had no suspicious activity or unauthorized access.
DISCUSSION
Plaintiff's complaint alleges that Citywide: (I) was negligent; (II) breached its fiduciary duty; (III) violated the Illinois Consumer Fraud Act; and (IV) invaded his privacy. Citywide moves to dismiss all four counts under Federal Rule of Civil Procedure 12(b)(6). To survive the motion to dismiss, plaintiff's complaint must give fair notice of his claims and the grounds on which they rest. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007). To give fair notice, his complaint must contain enough facts to state claims that are "plausible on [their] face." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotation marks omitted), citing id. at 570. Plaintiff's claims are plausible if the court can "draw the reasonable inference" that Citywide is liable for what he alleges. Id. In reviewing his complaint, the court takes his facts as true and draws all inferences in his favor, but the court need not accept his legal conclusions. Id. He need not "delineate every detail of [his] legal theory," Robertson v. Allied Solutions, LLC, No. 17-3196, 2018 WL 4113815, at *3 (7th Cir. 2018), or plead "facts corresponding to the elements of a legal theory." Chapman v. Yellow Cab Cooperative, 875 F.3d 846, 848 (7th Cir. 2017).
The parties disagree on whether the court can reasonably infer that there was a cybersecurity breach at all. It was enough for plaintiff to allege, however, that: (1) he gave his private information to Citywide; (2) he received an email from someone pretending to be a Citywide agent; (3) that person had the same personal information he gave Citywide; (4) a Citywide representative told him that many of its customers had received fraudulent wire transfer instructions; and (5) his email administrator said that his account had not been compromised. Taking all inferences in plaintiff's favor, the fake Citywide agent could have obtained plaintiff's private information only because Citywide had suffered a cybersecurity breach. Whether plaintiff can survive summary judgment or convince a jury of that is a question for another day.
Citywide argues that an email from one of plaintiff's attorneys undermines his allegation that Citywide suffered a cybersecurity breach. That email can be considered only if it was referred to in plaintiff's complaint and is central to his claim. Wright v. Associated Ins. Companies Inc., 29 F.3d 1244, 1248 (7th Cir. 1994). It was neither, so the court will not consider it. --------
1. Negligence and violation of the Illinois Consumer Fraud Act
Plaintiff argues that Citywide, as his escrow agent, had a duty to take reasonable steps to protect his private information. According to plaintiff, Citywide breached this duty by failing to inform him of the cybersecurity breach, and by failing to prevent unauthorized access to its electronically stored data. The Illinois Appellate Court, however, has rejected "a new common law duty to safeguard . . . personal information." Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28-29 (Ill. App. 2010) (quotation marks omitted) (affirming the dismissal of negligence claims brought by over 1700 former school employees when the school had accidentally disclosed their names, addresses, social security numbers, and medical information). If Citywide owed a duty to plaintiff, therefore, that duty arose from serving as plaintiff's escrow agent.
When a plaintiff suffers financial losses arising from a services contract, however, he cannot recover under a tort theory of negligence. See Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994). This is known as the economic loss rule, and unless an exception applies, it ends plaintiff's negligence claim. The economic loss rule has three exceptions: (1) when the plaintiff suffers personal injury or property damage from a sudden or dangerous event; (2) when the plaintiff's damages were proximately caused by a defendant's intentionally false representation; and (3) when the plaintiff's damages were proximately caused by the negligent misrepresentation of a defendant in the business of supplying information to guide others in business transactions. In re Chicago Flood Litigation, 680 N.E.2d 265, 275 (Ill. 1997).
None of the three exceptions applies. First, plaintiff does not allege that he has suffered personal or property damage. Second, even though plaintiff alleges that Citywide told him that it could adequately protect his data and adequately perform as his escrow agent, and that these statements were unfair or deceptive, plaintiff does not allege that Citywide's representations were intentionally false. Nor could he so allege to prove a negligence claim, "because by definition fraud is intentional and negligence is not." Ibarolla v. Nutrex Research, Inc., No. 12 C 4848, 2012 WL 5381236, at *6 (N.D. Ill. Oct. 31, 2012) (applying Illinois's economic loss rule and dismissing a negligence claim), citing Olson v. Hunter's Point Homes, LLC, 964 N.E.2d 60, 64 (Ill. App. Ct. 2012) ("[E]conomic loss is recoverable where one intentionally makes false representations," but "a plaintiff cannot recover for economic losses under a theory of negligence.").
Third, plaintiff has not alleged negligent misrepresentation. Negligent misrepresentation requires him to prove that: (1) Citywide made a false statement of material fact; (2) Citywide was careless or negligent in ascertaining the truth of that statement; (3) Citywide intended to induce him to act; (4) he reasonably relied on the truth of Citywide's false statement; (5) his reliance damaged him; and (6) Citywide owed him a duty to communicate accurate information. See Rosenstein v. Standard & Poor's Corp., 636 N.E.2d 665, 667 (Ill. App. 1993); id. at 669 (noting that the plaintiff's reliance must be reasonable).
None of Citywide's statements identified by plaintiff allows the court to draw a reasonable inference of negligent misrepresentation. Citewide's representations that its "service is unprecedented," and that its "quality is unparalleled," are not statements of material fact—they are the kinds of "exaggerations reasonably to be expected of a seller as to the degree of quality of his or her product, the truth or falsity of which cannot be precisely determined." Abazari v. Rosalind Franklin University of Medicine and Science, 40 N.E.3d 264, 273 (Ill. App. 2015) (affirming a dismissal of negligent misrepresentation claim brought against a university whose catalog stated that there was "unprecedented opportunity for new doctors of podiatric medicine"). The only other Citywide representations identified by plaintiff are that Citywide could adequately protect his data and adequately perform as his escrow agent, but all businesses claim that they are adequate to perform the services that they advertise. These, too, are general statements about the quality of Citywide's service, not statements of material fact on which plaintiff could have reasonably relied.
The same reasoning applies to plaintiff's claim that Citywide violated the Illinois Consumer Fraud Act: the court cannot reasonably infer that Citywide's general representations about the quality of its service were unfair or deceptive. Nor has plaintiff "state[d] with particularity the circumstances constituting fraud," which he must do under Federal Rule of Civil Procedure 9(b). Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 737 (7th Cir. 2014) (quoting Rule 9(b) and holding that Illinois Consumer Fraud Act claims are subject to Rule 9(b)'s heightened pleading requirements). "[A]lthough the exact level of particularity" depends on the case, plaintiff ordinarily must state the "who, what, when, where, and how of the fraud . . . ." AnchorBank, FSB v. Hofer, 649 F.3d 610, 615 (7th Cir. 2011). He has neither done so nor explained why he cannot.
2. Invasion of privacy
Plaintiff argues that Citywide invaded its privacy when it solicited his private information, including his home address, email address, birthdate, and social security number, and then allowed his information to fall into the hands of third parties. Plaintiff does not dispute that he can sustain his invasion of privacy claim only if he can show that Citywide either, (1) intruded upon his seclusion, or (2) publicly disclosed his private facts. Even if his information was "private" for the purposes of an invasion of privacy claim, however, he has not adequately stated a claim. The tort of intrusion upon seclusion requires that Citywide have "intentionally intrude[d], physically or otherwise, upon the solitude or seclusion" of plaintiff. Lawlor v. North American Corp. of Illinois, 983 N.E.2d 414, 424 (Ill. 2012) (emphasis added) (recognizing the tort of intrusion upon seclusion). Nothing in plaintiff's complaint allows the court to reasonably infer that Citywide intentionally shared his information with third parties. Similarly, the tort of disclosure of private facts requires Citywide to have disclosed plaintiff's personal information to the public. Miller v. Motorola, Inc., 560 N.E.2d 900, 902 (Ill. App. 1990) ("One who gives publicity to a matter concerning the private life of another is subject to liability . . . .") (emphasis added), quoting Restatement (Second) of Torts § 652D (1977). Again, nothing in plaintiff's complaint allows the court to reasonably infer that Citywide gave publicity to plaintiff's private information.
3. Breach of fiduciary duty
Plaintiff argues that Citywide, as his escrow agent, had a fiduciary duty to him and breached it by acting outside the scope of their escrow agreement, encouraging him to use email to communicate without warning him about the risk to his private information, and failing to warn him of the risk to his private information when Citywide's systems were breached. The parties agree that Citywide had a fiduciary duty under the escrow agreement, but dispute whether Citywide had duties that went beyond the agreement. The court need not decide that dispute, however, because plaintiff's allegations are enough to give Citywide fair notice of his claim: Citywide, according to plaintiff, breached the escrow agreement by failing to safeguard plaintiff's private information and failing to warn him that his information might have been compromised. Drawing all inferences in plaintiff's favor, this is enough for the court to reasonably infer that Citywide breached the escrow agreement.
Citywide protests that plaintiff does not attach a copy of the escrow agreement or point to how it was breached, but Citywide itself could have done so. Documents attached to a motion to dismiss may be considered if they are referred to in the plaintiff's complaint and are central to his claim. Wright v. Associated Insurance Companies Inc., 29 F.3d 1244, 1248 (7th Cir. 1994). The escrow agreement is such a document, and if Citywide thought that plaintiff was trying to "evade dismissal under Rule 12(b)(6) simply by failing to attach to his complaint a document that proved that his claim had no merit," Citywide itself could have supplied the agreement. Tierney v. Vahle, 304 F.3d 734, 738 (7th Cir. 2002).
CONCLUSION
Counts I (negligence), III (Illinois Consumer Fraud Act), and IV (invasion of privacy) are dismissed. Citywide is directed to answer Count II (breach of fiduciary duty) on or before November 7, 2018. Citywide and plaintiff are directed to submit a joint status report using this court's form on or before November 9, 2018. This matter is set for a report on status on November 15, 2018, at 9:00 a.m. ENTER: October 16, 2018
/s/ _________
Robert W. Gettleman
United States District Judge