Opinion
No. 14 C 3809
01-21-2015
ANNE DOLMAGE, Plaintiff, v. COMBINED INSURANCE COMPANY OF AMERICA, Defendant.
MEMORANDUM OPINION AND ORDER
Anne Dolmage ("Plaintiff"), individually and on behalf of all others similarly situated, brings this consumer class action against Combined Insurance Company of America ("Defendant") alleging violations of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq., as well as Illinois state law claims for violation of the Illinois Insurance Code, 215 Ill. Comp. Stat. 5/1001 et seq., negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, unjust enrichment, and invasion of privacy by public disclosure of private facts. Presently before the Court is Defendant's motion to dismiss the complaint pursuant to Federal Rule of Civil Procedure 12(b)(6). For the reasons stated below, Defendant's motion is granted.
RELEVANT FACTS
Defendant is an insurance provider headquartered in Glenview, Illinois, and it has offices located throughout the United States. (R.1, Compl. ¶ 10.) Defendant provides a number of insurance products, including disability, accident, health, and life insurance policies. (Id.) Plaintiff is a Missouri citizen, and she and others similarly situated purchased insurance coverage from Defendant. (Id. ¶ 9.) Defendant sold the insurance coverage through Dillard's, which is Plaintiff's and the putative class's employer. (Id.)
Plaintiff purchased insurance coverage from Defendant in June 2011. (Id.) The putative class consists of persons who purchased certain policies from Defendant between March 2010 and March 2012, as well as their dependents covered under such policies. (Id. ¶ 14.) Plaintiff and the class members entrusted to Defendant their personally identifiable information—including their names, addresses, dates of birth, social security numbers, and insurance enrollment and premium information (collectively, "personal information"). (Id. ¶ 1.) On or around July 8, 2013, Defendant learned that for approximately 16 months, from March 2012 to July 2013, Plaintiff's and other class members' personal information had been stored on an unsecure Internet server maintained by a third-party enrollment system vendor. (Id. ¶ 11.) Plaintiff alleges that during this 16-month period, anyone with an Internet connection was able to access Plaintiff's and the class members' personal information without their knowledge, authorization, or consent (the "Security Breach"). (Id.)
Plaintiff alleges that despite knowing about the Security Breach since at least July 8, 2013, Defendant did not inform Plaintiff and the class members of the Security Breach until July 26, 2013, via letter. (Id. ¶ 16.) During the intervening period between the Security Breach and July 26, 2013, Plaintiff alleges that she and the class members had no opportunity to take measures to protect their privacy while their personal information was accessible for sale and misuse on the cyber black market. (Id. ¶ 17.) In its July 26, 2013 letter, Defendant informed Plaintiff that it took remedial steps in the aftermath of the Security Breach, including removing the files from all publicly accessible online environments. (Id. ¶ 18; R. 1-1, Ex. 1, Letter at 2.) Defendant also offered Plaintiff one year of credit monitoring services. (R. 1, Compl. ¶ 19.)
Plaintiff alleges that the Security Breach was a direct and foreseeable result of Defendant's failure to adopt and maintain reasonable and industry-standard security measures to safeguard and protect Plaintiff's and the class members' personal information from unauthorized access, use, and disclosure. (Id. ¶¶ 2, 33.) Plaintiff alleges that as a result of Defendant's wrongful actions and inaction leading to the Security Breach, Plaintiff and the class members have suffered, and will continue to suffer, economic damages and other actual harm including: (i) economic losses as a result of identify theft, identity fraud, and medical fraud; (ii) improper disclosure of their personal information; (iii) loss of privacy; (iv) reasonable out-of-pocket expenses incurred to remedy identity theft, identity fraud, and medical fraud and to mitigate the increased risk of identity theft, identity fraud, and medical fraud resulting from the Security Breach; (v) anxiety and emotional distress; and/or (vi) the value of their time spent mitigating the effects of identity theft, identity fraud, and medical fraud and/or the increased risk of identity theft, identity fraud, and medical fraud. (Id. ¶ 34.)
Plaintiff also alleges that as a result of the Security Breach, a thief or thieves submitted to the Internal Revenue Service a fraudulent Income Tax Return for 2013 in Plaintiff's name. (Id. ¶ 35.) Plaintiff alleges that she has spent time and has incurred, and likely will in the future incur, out-of-pocket expenses for accountant/tax preparer services in order to challenge and remedy the fraudulent Income Tax Return. (Id.) Plaintiff alleges that she has also been damaged financially by the related delay in receiving her tax refund for 2013. (Id.) Additionally, Plaintiff alleges that she has been damaged by fraudulent T-Mobile charges and medical charges made in her name. (Id. ¶ 36.) Plaintiff alleges that she had to take the time to file a police report, obtain a copy of her social security card, and make calls in order to challenge the fraudulent charges. (Id.)
PROCEDURAL HISTORY
On May 22, 2014, Plaintiff filed a ten-count complaint against Defendant. (R. 1, Compl.) In Count I, Plaintiff alleges willful violation of the FCRA, 15 U.S.C. § 1681 et. seq., (id. ¶¶ 45-58); in Count II, she alleges negligent violation of the FCRA, (id. ¶¶ 59-64); in Count III, she alleges violation of the Illinois Insurance Code, 215 Ill. Comp. Stat. 5/1001 et seq., (id. ¶¶ 65-70); in Count IV, she alleges negligence per se, (id. ¶¶ 71-75); in Count V, she alleges negligence, (id. ¶¶ 76-82); in Count VI, she alleges breach of fiduciary duty, (id. ¶¶ 83-86); in Count VII, she alleges breach of contract, (id. ¶¶ 87-92); in Count VIII, she alleges breach of implied contract, (id. ¶¶ 93-99); in Count IX, she alleges unjust enrichment, (id. ¶¶ 100-106); and in Count X, she alleges invasion of privacy by public disclosure of private facts, (id. ¶¶ 107-111).
On July 11, 2014, Defendant moved to dismiss the complaint for failure to state a claim pursuant to Rule 12(b)(6). (R. 20, Def.'s Mot.) On September 5, 2014, Plaintiff responded to Defendant's motion to dismiss, (R. 31, Pl.'s Resp.), and on September 26, 2014, Defendant replied, (R. 32, Def.'s Reply).
LEGAL STANDARD
A motion under Rule 12(b)(6) "challenges the sufficiency of the complaint to state a claim upon which relief may be granted." Hallinan v. Fraternal Order of Police of Chi. Lodge No. 7, 570 F.3d 811, 820 (7th Cir. 2009). When reviewing a Rule 12(b)(6) motion to dismiss, the Court construes the complaint in the light most favorable to the nonmoving party, accepts all well-pleaded factual allegations as true, and draws all reasonable inferences in the plaintiff's favor. Tamayo v. Blagojevich, 526 F.3d 1074, 1081 (7th Cir. 2008). Pursuant to Rule 8(a)(2), a complaint must contain "a 'short and plain statement of the claim showing that the pleader is entitled to relief,' sufficient to provide the defendant with 'fair notice' of the claim and its basis." Id. (quoting Fed. R. Civ. P. 8(a)(2) and Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). "Detailed factual allegations" are not required, but the complaint "must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). Plausibility in this context does not imply that a court "should decide whose version to believe, or which version is more likely than not." Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010). Rather, to survive a motion to dismiss under Rule 12(b)(6), "the plaintiff must give enough details about the subject-matter of the case to present a story that holds together. In other words, the court will ask itself could these things have happened, not did they happen." Id.
ANALYSIS
I. Whether Defendant willfully or negligently violated the Fair Credit Reporting Act (Count I and Count II)
Plaintiff alleges that Defendant willfully (Count I) and negligently (Count II) violated the FCRA by failing to adopt and maintain reasonable procedures designed to limit the furnishing of Plaintiff's and the class members' personal information. (R. 1, Compl. ¶¶ 53, 60.) The purpose of the FCRA is to require "consumer reporting agencies [to] adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information[.]" 15 U.S.C. § 1681(b). The FCRA "imposes civil liability only [on]... consumer reporting agencies." Frederick v. Marquette Nat. Bank, 911 F.2d 1, 2 (7th Cir. 1990). Thus, to successfully state a claim for a willful or negligent violation of the FCRA, Plaintiff must first sufficiently plead that Defendant is a "consumer reporting agency." Under the FCRA, a "consumer reporting agency" is defined as "any person which, for monetary fees, dues, or on a cooperative nonprofit basis regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties[.]" 15 U.S.C. § 1681a(f). Although "furnish" is not defined in the FCRA, courts generally use the term to describe the active transmission of information to a third-party rather than a failure to safeguard the data. See Strautins v. Trustwave Holdings, Inc., No. 12 C 09115, 2014 WL 960816, at *8 (N.D. Ill. Mar. 12, 2014); Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00295-R, 2012 WL 2873892, at *16 (W.D. Ky. Jul. 12, 2012).
The FCRA defines consumer report as follows: "The term 'consumer report' means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for—(A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title." 15 U.S.C. § 1681a(d)(1)(A)-(C).
Defendant argues that Plaintiff has not, and cannot, plausibly allege that Defendant is a consumer reporting agency as defined by the FCRA. (R. 27, Def.'s Mem. at 9.) Plaintiff alleges that Defendant, on a cooperative nonprofit basis and/or for monetary fees, "regularly assembles consumer information including, among other things, insurance policy information, such as names, dates of birth, and Social Security numbers of those insured; claims information, such as the date of loss, type of loss, and amount paid for claims submitted by an insured; and a description of insured items." (R. 1, Comp. ¶ 50.) Plaintiff further alleges that Defendant "regularly utilizes interstate commerce to furnish such information[] on consumers (consumer reports) to third parties, including the Medical Information Bureau." (Id.) Plaintiff does not allege, however, that Defendant collects personal information on consumers for the purpose of furnishing consumer reports to third parties. Rather, Plaintiff's allegations support Defendant's contention that it is an "insurance provider" that collects personal information on consumers for the purpose of providing them with insurance coverage. (Id. ¶¶ 1, 10, 66-68; R. 27, Def.'s Mem. at 9.) Thus, the Court finds that Plaintiff has not sufficiently pleaded that Defendant is a consumer reporting agency under the FCRA. See Tierney v. Advocate Health & Hosps. Corp., No. 13 CV 6237, 2014 WL 5783333, at *3 (N.D. Ill. Sept. 4, 2014) (finding that the defendant, a health care provider, did not engage in the practice of assembling consumer information for the purpose of furnishing consumer reports to third parties); Menefee v. City of Country Club Hills, No. 08 C 2948, 2008 WL 4696146, at *2-*3 (N.D. Ill. Oct. 23, 2008) (finding that the City was not a consumer reporting agency and dismissing the FCRA claims against it because the City did not collect the information on potential employees for the purpose of furnishing consumer reports to third parties); see also In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 1011 (S.D. Cal. Jan. 21, 2014) (dismissing FCRA claims because the complaint did "not contain any allegations suggesting that [the defendant] regularly compiles and distributes consumer reports as defined under the FCRA"); Galligan v. Commonwealth Mortg. Assurance Co., No. CIV. A. 93-3129, 1994 WL 263351, at *3 (E.D. Pa. 1994) ("The Defendant, an insurance company, does not regularly disseminate consumer credit information to third parties and was only a user of consumer credit information, and therefore, there is no liability under [the FCRA].").
Additionally, even if Defendant were a consumer reporting agency, Plaintiff's FCRA claims must still be dismissed. Plaintiff alleges that Defendant violated Section 1681e of the FCRA, which requires that "[e]very consumer reporting agency shall maintain reasonable procedures designed to . . . limit the furnishing of consumer reports to the purposes listed under section 1681b of this title." (R. 1, Compl. ¶¶ 52-53, 60.) However, to establish a violation of Section 1681e, Plaintiff must plead that Defendant improperly furnished consumer reports to third parties. See Washington v. CSC Credit Servs. Inc., 199 F.3d 263, 267 (5th Cir. 2000) ("[A] plaintiff bringing a claim that a reporting agency violated the "reasonable procedures" requirement of § 1681e must first show that the reporting agency released the report in violation of § 1681b."). Plaintiff does not, and cannot, plausibly allege that Defendant furnished or actively transmitted her personal information to the identity thieves. Rather, Plaintiff alleges that the information was stolen from the third-party vendor as a result of Defendant's wrongful actions and inaction. (R. 1, Compl. ¶¶ 34, 56, 62.). Courts in this District and elsewhere have concluded that defendants cannot be held liable under the FCRA for improperly furnishing information where that information was stolen by third parties. See Tierney, 2014 WL 5783333, at *3 (plaintiffs failed to plausibly allege that defendant furnished any information to a third-party because plaintiffs only alleged that the personal information was stolen); Strautins, 2014 WL 960816, at *8 (finding plaintiff's allegations insufficient where plaintiff alleged that defendant furnished the data by "means of its negligent or willful failure to safeguard the data"); Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702, at *13 (N.D. Ga. Feb. 5, 2013) (holding that because "the data was stolen, not furnished . . . [and] Defendant did not transmit or furnish data to the hackers, [Defendant] . . . did not violate [the FCRA]"); Holmes, 2012 WL 2873892, at *16 (finding that plaintiff did not adequately allege that defendant furnished financial information to a third-party who had engineered "an elaborate and sophisticated theft").
Accordingly, the Court finds that Plaintiff fails to state a claim under the FCRA. The Court therefore dismisses Counts I and II with prejudice.
II. Whether Defendant has standing to assert a violation of the Illinois Insurance Code (Count III and Count IV)
In Count III, Plaintiff alleges that Defendant violated the Insurance Information and Privacy Protection portion, or Article XL, of the Illinois Insurance Code, by allowing Plaintiff's and the class members' personal information to become accessible and available via the Internet. (R. 1, Compl. ¶¶ 65-70.) Specifically, Plaintiff alleges that the disclosure of Plaintiff's and the class members' information was not pursuant to a valid, written request submitted by an authorized individual and/or agency in accordance with Section 1014 of Article XL. (Id. ¶ 68.) In Count IV, Plaintiff alleges a claim of negligence per se based on Count Ill's alleged statutory violation. (Id. ¶¶ 71-75.) Defendant argues that Plaintiff lacks standing to assert a claim under Article XL of the Illinois Insurance Code because she is not a resident of Illinois, and therefore Counts III and IV should be dismissed. (R. 27, Def.'s Mem. at 11.)
Section 1014 of Article XL provides that "[a]n insurance institution, agent or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure" complies with specific requirements. 215 Ill. Comp. Stat. 5/1014.
Section 1002 of Article XL, which defines the scope of the Article, provides:
(B) The rights granted by this Article shall extend to:215 Ill. Comp. Stat. 5/1002(B)(1)(a)-(b). "For the purposes of this Section, a person shall be considered a resident of this State if the person's last known mailing address, as shown in the records of the insurance institution, agent or insurance-support organization, is located in this State." 215 Ill. Comp. Stat. 5/1002(C).
(1) in the case of life, health or disability insurance, the following persons who are residents of this State:
(a) natural persons who are the subject of information collected, received or maintained in connection with insurance transactions, and
(b) applicants, individuals or policyholders who engage in or seek to engage in insurance transactions[.]
Plaintiff is a Missouri citizen, not a resident of Illinois. (R. 1, Compl. ¶ 9.) Plaintiff nonetheless argues that she has standing to assert her claims under Article XL because Section 1021, which is the specific statutory provision that provides a remedy for a violation of Article XL, refers to "individuals" and not "residents." (R. 31, Pl.'s Resp. at 13-14.) Section 1021 provides that "[a]n insurance institution, agent or insurance-support organization which discloses information in violation of Section 1014 of this Article shall be liable for damages sustained by the individual about whom the information relates[.]" 215 Ill. Comp. Stat. 5/1021(B). An "individual" under Article XL is defined as:
any natural person who:215 Ill. Comp. Stat. 5/1003(J)(2)-(6). Plaintiff argues that as an insured and policyowner of Defendant's insurance, she is an "individual," and thus has a right to recover for Defendant's alleged violation of Article XL pursuant to Section 1021. (R. 31, Pl.'s Resp. at 13.) Plaintiff contends that the specific substantive right provided in Section 1021 supersedes the general scope and standing provision of Section 1002. (Id. at 14.)
(2) in the case of life, health or disability insurance, is a past, present or proposed principal insured or certificateholder;
(3) is a past, present or proposed policyowner;
(4) is a past or present applicant;
(5) is a past or present claimant; or
(6) derived, derives or is proposed to derive insurance coverage under an insurance policy or certificate subject to this Article.
The Court does not agree with Plaintiff's statutory interpretation of Article XL. Section 1002, which is the second of Article XL's twenty-four sections, outlines the scope of the entire Article. 215 Ill. Comp. Stat. 5/1002. Section 1002 establishes that the "applicants, individuals, and policyholders" referred to in the twenty-four Article XL sections must be residents of Illinois. 215 Ill. Comp. Stat. 5/1002(B)(1)(b). Thus, only Illinois residents have standing to sue under any section of Article XL of the Illinois Insurance Code. Because Plaintiff is a Missouri citizen, she does not having standing to sue under the Illinois Insurance Code. Therefore, the Court dismisses Counts III and IV with prejudice.
III. Whether Defendant was negligent and violated a duty to protect Plaintiff's personal information (Count V)
In Count V, Plaintiff alleges a claim of negligence against Defendant. (R. 1, Compl. ¶¶ 76-82.) Under Illinois law, "[t]o recover damages based upon a defendant's alleged negligence, a plaintiff must allege and prove that the defendant owed a duty to the plaintiff, that defendant breached that duty, and that the breach was the proximate cause of the plaintiff's injuries." First Springfield Bank & Trust v. Galman, 720 N.E.2d 1068, 1071 (Ill. 1999). Plaintiff alleges that Defendant "had a duty to exercise reasonable care and caution in storing and maintaining Plaintiff's and Class members' [personal information]" and that Defendant "violated its duty by failing to adopt and maintain reasonable and appropriate safeguards and security protocols to ensure that [the personal information] was not disclosed to unauthorized third parties." (R. 1, Compl. ¶¶ 77-78.)
Defendant argues that Plaintiff's negligence claim is fatally flawed because there is no common law duty to exercise reasonable care in storing and maintaining personal information. (R. 27, Def.'s Mot. at 12 (citing Cooney v. Chi. Public Sch., 943 N.E.2d 23, 28-29 (Ill. App. Ct. 2010)). The Illinois Appellate Court in Cooney analyzed a similar factual scenario to the present case where a third-party vendor accidentally disclosed "the names of all 1,750 plaintiffs, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information." 943 N.E.2d 23 at 27. The court considered the plaintiff's assertion that a new common law duty to safeguard information "is justified by the sensitive nature of personal data such as dates of birth and social security numbers." Id. at 28-29. Nonetheless, the court expressly declined to "recognize a 'new common law duty' to safeguard information" because the court did not "believe that the creation of a new legal duty beyond legislative requirements already in place [was] part of [its] role on appellate review." Id. (affirming the trial court's dismissal of plaintiff's negligence claims).
Plaintiff attempts to circumvent the Illinois Appellate Court's holding in Cooney by arguing that unlike the plaintiff in Cooney, she is alleging that Defendant violated the "well-established ordinary standard of care standard." (R. 31, Pl.'s Resp. at 15 (quoting Jane Doe-3 v. McLean Cnty. Unit Dist. No. 5 Bd. of Dirs., 973 N.E.2d 880, 887 (Ill. 2012) ("every person owes a duty of ordinary care to all others to guard against injuries which naturally flow as a reasonably probable and foreseeable consequence of an act")).) In her complaint, however, Plaintiff bases her negligence claim on Defendant's "failure to exercise reasonable care and caution in safeguarding and protecting" Plaintiff's and the class member's personal information. (R. 1, Compl. ¶ 80.) Because there is no common law duty to protect personal information in Illinois, see Cooney, 943 N.E.2d at 29, Plaintiff has failed to state a claim for negligence, see Washington v. City of Chi., 720 N.E.2d 1030, 1032 (Ill. 1999) ("[U]nless a duty is owed, there is no negligence, and plaintiffs cannot recover as a matter of law." (internal citation and quotation marks omitted)). Accordingly, the Court dismisses Count V with prejudice.
IV. Whether Defendant breached its fiduciary duty toward Plaintiff (Count VI)
In Count VI, Plaintiff alleges that Defendant owed a fiduciary duty to Plaintiff and the class members to secure and protect their personal information. (R. 1, Compl. ¶ 84.) "To state a cause of action for breach of a fiduciary relationship, a plaintiff must allege that the defendant owed a fiduciary duty to the plaintiff, and that duty must exist as a matter of law." Cooney, 943 N.E.2d at 29 (citation omitted). In Illinois, "[i]t is well settled that no fiduciary relationship exists between an insurer and an insured as a matter of law." Fichtel v. Board of Dirs. of River Shore of Naperville Condo. Ass'n, 907 N.E.2d 903, 912 (Ill. App. Ct. 2009) (quoting Martin v. State Farm Mut. Auto. Ins. Co., 808 N.E.2d 47, 51 (Ill. App. Ct. 2004)). A fiduciary duty by "special relationship" may arise, however, where "one party places trust and confidence in another, thereby placing the latter party in a position of influence and superiority over the former." Ill. State Bar Ass'n Mut. Ins. Co. v. Cavenagh, 983 N.E.2d 468, 480 (Ill. App. Ct. 2012) (quoting Martin, 808 N.E.2d at 52); see also Khan v. Deutsche Bank AG, 978 N.E.2d 1020, 1040-41 (Ill. 2012). "This position of superiority may arise by reason of friendship, agency, or experience." Fichtel, 907 N.E.2d at 912 (quoting Connick v. Suzuki Motor Co., 675 N.E.2d 584, 593 (Ill. 1996)). "Nevertheless, if the relationship between the parties is not a fiduciary one as a matter of law, then the party alleging a fiduciary relationship bears the burden of pleading and proving it by clear and convincing evidence." Id.; see also Greenberger v. GEICO Gen. Ins. Co., 631 F.3d 392, 401 (7th Cir. 2011) (applying Illinois law).
Plaintiff alleges that she and the class members "placed their trust and confidence upon Defendant with regard to the handling, maintenance, and disposition of their confidential [personal information], and therefore, Defendant owed them a fiduciary duty to secure and protect their information. (R. 1, Compl. ¶ 84.) However, Plaintiff has pleaded no allegations "from which [the court] could infer that [she] placed trust and confidence in [Defendant] based on friendship, agency or experience," as is required under Illinois law. See Martin, 808 N.E.2d at 52. Plaintiff's conclusory allegations that she placed "trust and confidence" upon Defendant are insufficient to establish a fiduciary relationship. See, e.g., Ill. State Bar Ass'n Mut. Ins., 983 N.E.2d at 480-81 ("There are no specific factual allegations [] giving rise to a relationship of trust or confidence. Nor would a bare allegation of trust be sufficient to state a cause of action."); Cooney, 943 N.E.2d at 29 (affirming dismissal of fiduciary duty claim where "Plaintiffs' sole contention is that a fiduciary duty was created when they provided the [defendant] with information 'in confidence'"); Martin, 808 N.E.2d at 52 ("[P]laintiffs' conclusory allegations, even when viewed in the light most favorable to plaintiffs, do not give rise to an inference of the significant dominance and superiority necessary to establish a fiduciary relationship."). Because under Illinois law no fiduciary relationship exists between an insurer and an insured, and Plaintiff has not plausibly alleged the existence of a special relationship between the parties, the Court finds that Plaintiff has not sufficiently pleaded a claim for breach of fiduciary duty. Accordingly, Count VI is dismissed. Plaintiff may amend Count VI if she is able to provide the Court with additional allegations from which the Court can plausibly infer the existence of a special relationship between the parties.
V. Whether Defendant breached an express or implied contract between itself and Plaintiff (Count VII and Count VIII)
In Count VII, Plaintiff alleges a claim for breach of an express contract between the parties, (R. 1, Compl. ¶¶ 87-91), and in Count VIII, she alternatively alleges a claim for breach of an implied contract, (id. ¶¶ 93-99). Under Illinois law, a plaintiff must allege the same elements to state claims for breach of contract and breach of implied contract: offer, acceptance, and consideration. Nissan N. Am., Inc. v. Jim M'Lady Oldsmobile, Inc., 486 F.3d 989, 996 (7th Cir. 2007) (applying Illinois law).
A. Whether an express contract existed between the parties
Plaintiff alleges that she and the class members "entered into contracts" with Defendant whereby Defendant "received insurance premiums in exchange for providing insurance coverage and its promise to protect their [personal information]. (R. 1, Compl. ¶ 88.) Plaintiff alleges that Defendant promised to protect Plaintiff's and the class members' personal information in its written "Privacy Pledge" to its customers. (Id. ¶ 89.) In this Privacy Pledge, Defendant allegedly indicated that it "maintain[s] physical, electronic and procedural safeguards that comply with federal regulations to guard [its customers'] personal information," and that it "restricts] access to [its customers'] personal information to those employees who need to know such information." (Id.) Plaintiff alleges that Defendant's failure to meet these promises and obligations in its Privacy Pledge constitutes a breach of contract. (Id. 191.) Defendant argues that the Privacy Pledge was not part of Defendant's offer to provide insurance coverage in exchange for premiums. (R. 27, Def.'s Mem. at 17.) According to Defendant, the Privacy Pledge was a unilateral statement of corporate policy sent to Plaintiff after she contractually agreed to pay premiums in exchange for insurance coverage. (Id.)
Plaintiff has not attached the Privacy Pledge as an exhibit to her complaint, nor has she attached any insurance contract between the parties. However, the Court must accept Plaintiff's factual allegations as true and draw all reasonable inferences in Plaintiff's favor. See Tamayo, 526 F.3d at 1081. The Court thus finds that Plaintiff has sufficiently alleged that the Privacy Pledge was part of the insurance contract between Plaintiff and Defendant.
B. Whether Defendant breached its contract with Plaintiff
Defendant argues that even assuming that the Privacy Pledge was part of Defendant's offer to insure Plaintiff, there are no allegations in the complaint demonstrating that Defendant breached the Privacy Pledge. (R. 27, Def.'s Mem. at 18.) Defendant contends that the mere fact "that identity thieves may have obtained information from a third-party's server does not establish that the protocols referenced in [Defendant's] Privacy Pledge did not exist or that [Defendant] failed to properly exercise them." (Id.)
Plaintiff alleges that her personal information "was left unsecured and unprotected for approximately 16 months on a server accessible to anyone with an Internet connection." (R. 1, Compl. ¶ 90.) This factual allegation serves to support Plaintiff's conclusory statement that Defendant "did not maintain physical, electronic and procedural safeguards in compliance with federal regulations, including FCRA, and it did not restrict access to Plaintiff's and Class members' personal information to those employees who need to know such information." (Id.) However, Plaintiff fails to allege facts explaining how Defendant violated "physical, electronic and procedural safeguards" with respect to Defendant's use of a third-party vendor to store the personal information. Plaintiff also fails to allege how Defendant was responsible for the third-party vendor's failure to secure and protect the information on its Internet server. Plaintiff's conclusory assertion that Defendant failed to meet the promises in its Privacy Pledge, without more, is insufficient to support her breach of contract claim. See Adams v. City of Indianapolis, 742 F.3d 720, 728 (7th Cir. 2014) ("threadbare recitals of the elements of a cause of action, supported by conclusory statements," are insufficient to survive a motion to dismiss (quoting Iqbal, 556 U.S. at 678)). Because Plaintiff has failed to plausibly allege that Defendant breached the Privacy Pledge, the Court dismisses Count VII. Plaintiff may amend Count VII if she is able to provide the Court with additional allegations from which the Court can plausibly infer that Defendant breached the Privacy Pledge.
C. Whether Defendant breached an implied contract with Plaintiff
In Count VIII, Plaintiff pleads, in the alternative, a claim for breach of implied contract. (R. 1, Compl. ¶¶ 93-99.) Under Illinois law, "an implied contract cannot coexist with an express contract on the same subject." Maness v. Santa Fe Park Enters., Inc., 700 N.E.2d 194, 200 (Ill. App. Ct. 1998) (holding that the express contract negated the existence of any implied-in-fact contract and rejecting the contention that an alleged implied-in-fact contract supplemented express written contracts). Here, the Court found that there is an express contract (the Privacy Pledge); therefore, Plaintiff's claim for breach of an implied contract fails. Accordingly, the Court dismisses Count VIII with prejudice.
VI. Whether Defendant was unjustly enriched (Count IX)
In Count IX, Plaintiff alleges an unjust enrichment claim in the alternative to her breach of contract and breach of implied contract claims. (R. 1, Compl. ¶ 101.) "To state a cause of action based on a theory of unjust enrichment, a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience." HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989). Under Illinois law, "unjust enrichment may be predicated on either quasi-contract or tort." Peddinghaus v. Peddinghaus, 692 N.E.2d 1221, 1225 (Ill. App. Ct. 1998).
Plaintiff alleges that she conferred a monetary benefit on Defendant in the form of insurance premiums, a portion of which was used to fund reasonable and industry-standard security measures. (R. 1, Compl. ¶ 102.) Plaintiff alleges that it would be "unjust for Defendant to retain the portion of the insurance premiums paid for the costs of data security and management, because Defendant failed to secure and protect Plaintiff's and Class members' [personal information] in accordance with the law and industry standards." (Id. ¶ 105.) Defendant highlights the fact that Plaintiff paid these premiums pursuant to the parties' insurance agreement. (R. 27, Def.'s Mem. at 20.) Under Illinois law, where a contract governs the parties' relationship, the theory of unjust enrichment based upon a quasi-contract (or an implied contract) is unavailable. People ex rel Hartigan v. E & E Hauling, Inc., 607 N.E.2d 165, 177 (Ill. 1992); Howard v. Chi. Transit Auth., 931 N.E.2d 292, 298 (Ill. App. Ct. 2010). Because Plaintiff paid her insurance premiums pursuant to the parties' express contract, she cannot recover on a claim of unjust enrichment predicated upon a quasi-contract.
However, where a "plaintiff's unjust enrichment claim is based on tort, instead of quasi-contract, the existence of a specific contract does not defeat [her] cause of action." Peddinghaus, 692 N.E.2d at 1225. In order to recover for unjust enrichment based on a tort claim, "there must be an independent basis that establishes a duty on the part of the defendant to act and the defendant must have failed to abide by that duty." Mortis v. Grinnell Mut. Reinsurance Co., 905 N.E.2d 920, 928 (Ill. App. Ct. 2009) (finding that "[b]ecause there was no valid underlying fraud claim, the trial court properly dismissed plaintiff's unjust enrichment claim"); see also Lewis v. Lead Indus. Ass'n, Inc., 793 N.E.2d 869, 877 (Ill. App. Ct. 2003). Thus, when an underlying claim of unlawful conduct is deficient, a claim for unjust enrichment based upon that same conduct should also be dismissed. Martis, 905 N.E.2d at 928.
As explained above, Plaintiff's negligence claim against Defendant fails because there is no common law duty to protect personal information under Illinois law. See Cooney, 943 N.E.2d at 29. Plaintiff thus fails to state a cause of action for unjust enrichment based on her tort claim. See Mortis, 905 N.E.2d at 928. Accordingly, the Court dismisses Count IX with prejudice.
VII. Whether Defendant unjustly invaded Plaintiff's privacy by public disclosure of private facts (Count X)
In Count X, Plaintiff alleges that Defendant's failure to secure and protect Plaintiff's and the class members' personal information directly resulted in the public disclosure of such private information. (R. 1, Compl. ¶ 108.) Under Illinois law, to state a claim for public disclosure of private facts, a plaintiff must allege that "(1) publicity was given to the disclosure of private facts; (2) the facts were private, and not public, facts; and (3) the matter made public was such as to be highly offensive to a reasonable person." Cooney, 943 N.E.2d at 32 (quoting Miller v. Motorola, Inc., 560 N.E.2d 900, 902 (Ill. App. Ct. 1990)).
Defendant argues that Plaintiff's and the class members' personal information does not consist of "private facts" under Illinois law. (R. 27, Def.'s Mem. at 21.) "Private facts" are facts that "are facially embarrassing and highly offensive if disclosed." Cooney, 943 N.E.2d at 32. Illinois courts have held that while "[mjatters of public record such as names and dates of birth," as well as "social security numbers," are "personal information," they are not "private facts." Id. (rejecting plantiffs' attempt to equate "personal" with "private" information and finding that the plaintiffs' names, "addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information" did not constitute private facts); see also Busse v. Motorola, Inc., 813 N.E.2d 1013, 1018 (Ill. App. Ct. 2004) (holding that "social security numbers" and "individual pieces of information—names, address, particulars of cell phone use—[are not] facially revealing, compromising or embarrassing"). Facts regarding "family matters, health problems, and sex lives," however, do constitute "private facts," as they are "highly personal information." Johnson v. K mart Corp., 723 N.E.2d 1192, 1197 (Ill. App. Ct. 2000); see also Wynne v. Loyola Univ. of Chi., 741 N.E.2d 669, 677 (Ill. App. Ct. 2000) ("infertility problems" and "inpatient psychiatric care" constitute "private facts"). Here, Plaintiff alleges that the personal information she and the class members' entrusted to Defendant included their names, addresses, dates of birth, and social security numbers. (R. 1, Compl. ¶ 1.) The Court therefore finds that these individual pieces of information do not constitute private facts. See Cooney, 943 N.E.2d at 32.
Plaintiff also alleges that the personal information she and the class members' entrusted to Defendant included "insurance reenrollment and premium information." (R. 1, Compl. ¶ 1.) Plaintiff argues that Defendant "has been secretive about what types of information are contained in its enrollment and premium information," and that "[d]iscovery may reveal that [this information] bear[s] upon [Plaintiff's] and other Class members' 'family matters, health problems or sex life.'" (R. 31, Pl.'s Resp. at 20 (quoting Johnson, 723 N.E.2d at 1197).) However, Plaintiff's argument is contradicted by the facts she alleges in her complaint. Plaintiff alleges that in its July 2013 notification letter, Defendant informed Plaintiff and the class members that the files that were stored on the unprotected server "did not [] contain personal medical or claims information." (R. 1, Compl. ¶ 18; R. 1-1, Ex. 1, Letter at 2.) Plaintiff provides no additional allegations in her complaint to either refute the letter or support an inference that the files contained personal medical information. Therefore, because the "enrollment and premium information" did not contain personal medical information, the Court finds that this information also does not constitute private facts. See Cooney, 943 N.E.2d at 32 (finding that "medical and dental insurers and health insurance plan information" are not private facts).
Additionally, even if the personal information constituted "private facts," Defendant argues that it did not publicly disclose Plaintiff's and the class members' personal information because the information was stolen from a third-party. (R. 27, Def.'s Mem. at 22.) In this context, "'publicity' means 'communicating the matter to the public at large or to so many persons that the matter must be regarded as one of general knowledge.'" Wynne, 3741 N.E.2d at 677 (quoting Roehrborn v. Lambert, 660 N.E.2d 180,182-183 (Ill. App. Ct. 1995) (finding that where the information was properly disclosed to only one entity, there was no public disclosure of private facts)). Here, the Defendant disclosed the Plaintiff's and the class members' personal information to a third-party vendor to store the information. (R.1, Compl. ¶ 11.) Thus, Defendant did not communicate the information to the public at large because the information was stolen from a third-party vendor. The Court therefore finds that Plaintiff has not met the publicity requirement to support her claim.
Accordingly, because Plaintiff has failed to state a claim for public disclosure of private facts, the Court dismisses Count X with prejudice.
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss the complaint (R. 20) is GRANTED. Counts I, II, III, IV, V, VIII, IX, and X are DISMISSED with prejudice. Counts VI and VII are DISMISSED without prejudice, and the Court grants Plaintiff leave to amend these counts after conducting reasonable, limited discovery to determine if these counts can in fact be amended in good faith. The parties are also encouraged to exhaust any remaining settlement possibilities for this dispute in light of this opinion. Plaintiff's motion for class certification (R. 6) is DENIED without prejudice with the potential to be reinstated if the case proceeds.
ENTERED: /s/_________
Chief Judge Rubén Castillo
United States District Court