Opinion
1:22-cv-01951-JRS-MG
01-10-2023
RODNEY KRUPA individually, and on behalf of all others similarly situated, Plaintiff, v. TIC INTERNATIONAL CORPORATION, Defendant.
ORDER ON MOTION TO DISMISS
JAMES R. SWEENEY II, JUDGE
I. Introduction
This is a data breach case and a putative class action. TIC International Corporation, a benefits administration company, allegedly exposed Rodney Krupa's name and social security number to hackers in a March 30, 2022, data breach. Some 187,340 other customers were allegedly subject to the same breach.
TIC has filed a motion to dismiss, (ECF No. 13), under Rules 12(b)(1) and 12(b)(6), arguing that Krupa has neither standing nor a cause of action. Fed.R.Civ.P. 12(b)(1), 12(b)(6).
II. Legal Standard
"A motion to dismiss under Rule 12(b)(1) tests the jurisdictional sufficiency of the complaint, accepting as true all well-pleaded factual allegations and drawing reasonable inferences in favor of the plaintiffs." Bultasa Buddhist Temple of Chicago v. Nielsen, 878 F.3d 570, 573 (7th Cir. 2017) (citing Ezekiel v. Michel, 66 F.3d 894, 897 (7th Cir. 1995)).
"A Rule 12(b)(6) motion tests 'the legal sufficiency of a complaint,' as measured against the standards of Rule 8(a)." Gunn v. Cont'l Cas. Co., 968 F.3d 802, 806 (7th Cir. 2020) (quoting Runnion v. Girl Scouts of Greater Chi. & Nw. Ind., 786 F.3d 510, 526 (7th Cir. 2015)). Rule 8(a) requires that the complaint contain a short and plain statement showing that the pleader is entitled to relief. Fed.R.Civ.P. 8(a)(2). "To meet this standard, a plaintiff is not required to include 'detailed factual allegations,'" but the factual allegations must "state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible if it "pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556).
Because the defendant must ultimately be liable, "Rule 12(b)(6) authorizes a court to dismiss a claim on the basis of a dispositive issue of law." Neitzke v. Williams, 490 U.S. 319, 326-27 (1989). That applies "without regard to whether [the claim] is based on an outlandish legal theory or on a close but ultimately unavailing one." Id. But "[a] complaint need not identify legal theories, and specifying an incorrect legal theory is not a fatal error." Rabe v. United Air Lines, Inc., 636 F.3d 866, 872 (7th Cir. 2011).
When considering a motion to dismiss for failure to state a claim, courts "take all the factual allegations in the complaint as true," Iqbal, 556 U.S. at 678, and draw all reasonable inferences in the plaintiff's favor, Roberts v. City of Chicago, 817 F.3d 561, 564 (7th Cir. 2016). Courts need not, however, accept the truth of legal conclusions, and "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Iqbal, 556 U.S. at 678.
III. Discussion
TIC's two arguments are basically one argument. Cf. Bond v. United States, 564 U.S. 211, 218-19 (2011) ("'[C]ause of action' and 'standing' [as] distinct concepts can be difficult to keep separate[.]") A plaintiff to have standing must have an injury, TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203 (2021), and a plaintiff to have an Indiana cause of action for negligence or breach of contract must have an injury, Robertson v. B.O., 977 N.E.2d 341, 344 (Ind. 2012) ("injury" as an element of negligence), Berg v. Berg, 170 N.E.3d 224, 231 (Ind. 2021) ("damages" as an element of breach of contract). TIC argues that Krupa has not been injured by the theft of his personal data. (Def.'s Br. Supp. M. Dismiss 11-12, 17-20, ECF No. 14.) Therefore, TIC reasons, the only injuries he can show are future injuries (or present risks of future injuries), and those are insufficiently definite for recovery here. (Id. at 12-14.)
At first glance, this seems an odd case to be arguing about standing and damages. Krupa is not a random plaintiff speculating about future risks of harm or seeking to assert the rights of others-he personally is a victim of a data breach that actually happened. His social security number was stolen, and he alleges that TIC had it been more careful could have prevented the theft. If this were a bank robbery no one would blink. It is a classic adversarial case. The only way TIC can prevail on its motion to dismiss, then, is if it can show that the exposure of Krupa's social security number to hackers was not an injury at all.
It would then have to go on to show that Krupa's mitigation damages and the potential "imminent harm" of identity theft are likewise insufficient harms, which it cannot do. Even if the theft of a social security number is held not to be a harm under either Indiana law or the federal Constitution, see, e.g., Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 640 (7th Cir. 2007) (predicting based on then-available law that Indiana would not recognize a cause of action for data breach injuries), Krupa has standing. The Seventh Circuit holds that "'mitigation expenses qualify as "actual injuries" . . . when the harm is imminent,' and a data breach that has already occurred is 'sufficiently immediate to justify mitigation efforts.'" Doe v. Fertility Centers of Illinois, S.C., No. 21 C 579, 2022 WL 972295, at *2 (N.D. Ill. Mar. 31, 2022) (quoting Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016)); see also Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015) (holding that both risk of future harm and mitigation damages suffice for standing when a data breach has already occurred). Those holdings apply squarely to the facts as alleged.
And, again at first glance, that seems an odd position to take. Having one's social security number stolen seems an obvious harm. If it were not a harm, why should TIC (or anyone else) take any data security measures? TIC might as well leave its customer lists in a spreadsheet on its website. Then there would be no data breach to report; potential plaintiffs would likely never learn their social security numbers were exposed by TIC; and anyone who did identify and sue TIC over the resulting identity theft could be stymied by proof-of-fact issues as to where the thief got the victim's number. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (quoting In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1215 n. 5 (N.D.Cal.2014)) ("[T]he more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not 'fairly traceable' to the defendant's data breach."). That offends all reason. There is a common-sense expectation-which TIC implicitly recognizes through its attempts at data security-that social security numbers are best kept private and that their exposure to hackers is a harm (whether or not identity theft has yet occurred). Consumers are willing to give out their social security numbers in exchange for the benefits and services TIC and others provide, but that willingness is conditioned on the understanding that the business will take at least reasonable steps to ensure that their personal data is not misused. The picture, then, is one of entrustment: consumers entrust their data to firms with the expectation that those firms take reasonable care against data breaches. Sounds like common sense, and sounds like common law: fortunately, the two align.
The economic analysis, which reinforces that conclusion, goes something like this: the risk of identity theft is a cost that burdens consumer-firm interactions. Consumers and firms must allocate the risk between them. They could do so by contract or by statute, but in the absence of either, the default risk allocation is revealed by behavior. Consumers willingly give their data to firms in exchange for the benefits those firms provide; firms willingly undertake some data security measures. A firm that refused to protect customer data at all would lose business, but the right trade-off between marginal cost of increased data security and marginal benefit of increased consumer willingness-to-deal is imperfectly known. A reasonableness standard, though, roughly approximates that "right trade-off." The approximation might at first be very rough-firms, consumers, courts, and jurors know little about data security costs and how much security is "enough" relative to the risks involved- but its errors are fair in that they will be randomly distributed in favor of firms and in favor of consumers. Contrast TIC's proposed "no-harm" rule: if a data breach is regarded as no harm, then the cost of a firm's underinvestment in data security (as revealed by a breach "reasonable" measures could have prevented) would be pushed onto consumers after the fact. The firm would have captured consumer value (their willingness to do business) without incurring the true cost (the level of data security otherwise demanded by consumers). Thus, the no-harm rule would systematically subsidize businesses at consumers' expense, and it should be rejected.
The relevant law here is that of bailment.
Entrusting your stuff to others is a bailment. A bailment is the "delivery of personal property by one person (the bailor) to another (the bailee) who holds the property for a certain purpose." Black's Law Dictionary 169 (10th ed. 2014); J. Story, Commentaries on the Law of Bailments § 2, p. 2 (1832) ("a bailment is a delivery of a thing in trust for some special object or purpose, and upon a contract, expressed or implied, to conform to the object or purpose of the trust"). A bailee normally owes a legal duty to keep the item safe, according to the terms of the parties' contract
if they have one, and according to the "implication[s] from their conduct" if they don't. 8 C.J.S. Bailments § 36, pp. 468-469 (2017).Carpenter v. United States, 138 S.Ct. 2206, 2268-69 (2018) (Gorsuch, J., dissenting) (discussing, in a Fourth Amendment context, whether cell companies' cell phone location data is subject to an involuntary (or "implied") bailment on the customer's behalf). See also William LaRosa, New Legal Problems, Old Legal Solutions: Bailment Theory As the Baseline Data Security Standard of Care Owed to an Opponent's Data in E-Discovery, 167 U. PA. L. REV. 775 (2019) (arguing law of bailment is correct theory for data breaches); Miles Christian Skedvold, A Duty to Safeguard: Data Breach Litigation Through a Quasi-Bailment Lens, 25 J. INTELL. PROP. L. 201 (2018) (likewise).
Indiana law has long recognized bailment. Winters v. Pike, 171 N.E.3d 690, 697 (Ind.Ct.App. 2021) (noting "200 years" of history and collecting cases). In Indiana, "[a] bailment arises when: (1) personal property belonging to a bailor is delivered into the exclusive possession of the bailee and (2) the property is accepted by the bailee." Id. at 699 (quoting Cox v. Stoughton Trailers, Inc., 837 N.E.2d 1075, 1082 (Ind.Ct.App. 2005)). "[A] bailment may be implied, delivery may be constructive, and acceptance may be made other than by express contract." Kroger Co. v. Hammond, 877 N.E.2d 228 (Ind.Ct.App. 2007). One example of an implied bailment is a "constructive or involuntary bailment, [which] arises . . . (3) if a person lawfully acquired the possession of personal property of another and holds it under circumstances whereby she should, on principles of justice, keep it safely and restore it or deliver it to the owner." 8 C.J.S. Bailments § 14. As the constructive bailment cases illustrate, "[t]he bailee relationship will not be affected by the fact that a third person, and not the owner of the property, was the one who delivered the property to the bailee." 8 C.J.S. Bailments § 20. The requirement that the bailee have "exclusive possession" distinguishes bailments from leases or cases of shared control. 8 C.J.S. Bailments § 7; LaRosa, supra, at 793 ("The exclusivity requirement is designed to prevent the creation of bailments where the bailee maintains control over the property, particularly in cases of shared possession."). Cf. Stubbs v. Hook, 467 N.E.2d 29, 32 (Ind.Ct.App. 1984) (the classic Indiana case finding no bailment because a plane damaged by a storm while parked at an airfield was not in the "exclusive possession" of the airfield-the plane's owner kept a set of keys and could have moved or otherwise protected it). At the end of the term of bailment, the bailed property "is to be returned to the owner, or to a third person, or otherwise dealt with according to the bailor's direction." 4 Ind. Law Encyc. Bailment § 1. Or a bailment may last indefinitely, in which case the bailee has a continued duty of safekeeping. 8 C.J.S. Bailments § 118; 8A Am. Jur. 2d Bailments § 216.
If a bailment is found to exist, the bailee in possession of the bailed property must exercise the degree of care commensurate with the benefit that he derives from the arrangement. United Farm Fam. Ins. Co. v. Riverside Auto Sales, 753 N.E.2d 681, 684-85 (Ind.Ct.App. 2001).
Unless otherwise agreed, when the bailment is solely for the bailee's benefit, the bailee owes a high degree of care; when the bailment is solely for the bailor's benefit, the bailee owes only slight care, such as avoiding wanton or reckless acts; and when the bailment mutually benefits both parties, the bailee owes a duty of ordinary care. Id. at 685.Winters, 171 N.E.3d at 699. Generally, "[w]hen bailed property is damaged, lost or stolen, the bailor may bring an action for recovery of damages from the bailee based on breach of bailment, negligence, or both." 46 Am. Jur. Proof of Facts 3d 361. Whether the action is conceptualized legally as a contract of tort, "[t]he measure of a bailor's damages is the amount that will compensate him or her for the actual loss proximately resulting from the bailee's negligence or willfulness." 4 Ind. Law Encyc. Bailment § 21. But even where actual damages are unproven, nominal damages are available for breach of contract, 9 Ind. Law Encyc. Damages § 5, for replevin, Bank v. Huizar, 178 N.E.3d 326, 339 (Ind.Ct.App. 2021), and for conversion, Protect-All Ins. Agency, Inc. v. Surface, 957 N.E.2d 215 (Ind.Ct.App. 2011) (citing 18 Am. Jur. 2d Conversion § 126). See also 8A Am. Jur. 2d Bailments § 250 ("A bailee is liable at least for nominal damages for violation of contractual obligations of the bailment."). And "[n]ominal damages can be, and sometimes are, awarded for the loss of personal property where the plaintiff proves defendant's liability but cannot prove any basis for assessing value to the chattel in question." 3 Am. Jur. Proof of Facts 3d 171.
It seems to be an open question in Indiana (and elsewhere) whether a bailment action sounds in contract, in tort, or in some other domain. Dan B. Dobbs, Paul T. Hayden and Ellen M. Bublick, The Law of Torts § 68 (2d ed.) ("The underlying concerns of tort law, contract law and property law . . . converge in bailment cases."); 46 Am. Jur. Proof of Facts 3d 361 n.78 ("Some courts seem to confuse contract and tort theories[.]"); Daugherty v. Reveal, 54 Ind.App. 71, 102 N.E. 381, 385 (1913) ("[A] bailor may sue in tort for damages to the property bailed, resulting from a violation of the contract of bailment or from a negligent or willful injury to the same.") (emphasis added); Monarch Buick Co. v. Kennedy, 138 Ind.App. 1, 4, 209 N.E.2d 922, 924 (1965) (citing Cleveland, etc., R. Co. v. Wright, 58 N.E. 559 (1900)) ("It has been held in Indiana that a bailee may be guilty of conversion."); Winters, 171 N.E.3d at 697 ("[T]he law of bailments and the law of replevin are not mutually exclusive."). It largely does not matter in practice. Dobbs et al., supra, § 71 ("[B]oth a suit in conversion and a suit on the contract depend upon the contract's terms as to the condition of goods and their return."). TIC argues that the "economic loss doctrine" applies here to bar cases in tort, but "as generally understood, the economic loss doctrine has no application" to bailment. Id.; Residences at Ivy Quad Unit Owners Ass'n, Inc. v. Ivy Quad Dev., LLC, 179 N.E.3d 977, 983 (Ind. 2022) (economic loss doctrine applies to "disappointed . . . commercial expectations," not damages to property.).
In Indiana, bailment law is not reserved for physical goods. Indiana recognizes data as a form of property. 27 Ind. Law Encyc. Theft and Related Offenses § 3 (citing Ind. Code § 35-31.5-2-253(a) (amended 2014)) ("'[P]roperty' means anything of value. The term includes: . . . data."); Conwell v. Gray Loon Outdoor Mktg. Grp., Inc., 906 N.E.2d 805, 817 (Ind. 2009) (Boehm, J., concurring) (noting that even before codification of data as a form of property, "several decisions from this state suggest that electronic data is 'property' for the purposes of tortious or criminal conversion."). And at least one Indiana court has analyzed electronic data under a bailment theory. In Albanese Confectionery Grp., Inc. v. Cwik, 165 N.E.3d 139 (Ind.Ct.App.), transfer denied, 169 N.E.3d 1117 (Ind. 2021), the court held that the data an employee had on her phone was not subject to a bailment with her employer, because the employer did not have "exclusive possession" of that data. Id. at 148. The employee "was able to freely manipulate the data herself, notwithstanding the fact that she had granted [her employer] permission to do the same in a limited capacity." Id. at 148 n.8.
Here, Krupa alleges that TIC held his personal data subject to a shared understanding that it would remain confidential, but that TIC negligently exposed that data to hackers. (Compl. ¶ 6, ECF No. 1.) Krupa needs nothing more to establish a breach of bailment claim. He plausibly alleges that his data is "personal property" that is in TIC's "exclusive possession" once on TIC's servers, and that TIC had "accepted" the data in the course of business. Winters, 171 N.E.3d at 699. Krupa avoids the "exclusive possession" problem posed by Albanese Confectionary because, unlike the plaintiff in that case, he was unable to manipulate his personal data on TIC's servers; TIC was in full control. As described above, a breach of bailment claim can be styled as one in contract or in tort; Krupa brings both. (Id. ¶¶ 75-98, 107 115.) The Court finds that Krupa has alleged viable claims under Indiana law. See Smith v. RecordQuest, LLC, 989 F.3d 513, 518 (7th Cir. 2021), reh'g denied (Mar. 17, 2021) (federal court sitting in diversity must "interpret the law as [it] thinks [the state's] courts would"). Krupa's complaint thus survives a Rule 12(b)(6) motion to dismiss.
Armed with a common law cause of action Krupa also has standing sufficient to survive a Rule 12(b)(1) motion to dismiss. An invasion of a common law right (i.e., the existence of a common law cause of action) satisfies the "injury" prong of the Supreme Court's current three-prong standing inquiry. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992); TransUnion LLC v. Ramirez, 210 L.Ed.2d 568, 141 S.Ct. 2190, 2204 (2021) (intangible harms "concrete" enough for standing include those "injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts"). The availability of nominal damages for breach of bailment, 8A Am. Jur. 2d Bailments § 250, satisfies the "redressability" prong, Uzuegbunam v. Preczewski, 141 S.Ct. 792, 802 (2021). "Causation" is not reasonably in dispute.
The Court reads TransUnion to affect standing analysis only for statutory causes of action. An injury is cognizable as "concrete" (though "intangible") when it bears a "close relationship" to those injuries that are "traditionally recognized as providing a basis for lawsuits." TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2204 (2021). Any common law cause of action is not only closely related to a traditional basis for lawsuits-it is the traditional basis for lawsuits! Indeed, what else could "traditional basis for lawsuits" mean? Thus, although TransUnion seems to reject the old foundational understanding that "violation of an individual right gives rise to an actionable harm," id. at 2218 (Thomas, J., dissenting) (citing Havens Realty Corp. v. Coleman, 455 U.S. 363, 373 (1982)), that rejection is effective only against newly created statutory rights-the old common law rights sneak back in under the "traditional basis" test. (One could go further and argue that any private right of action Congress has created or might reasonably create is going to have the necessary "close relationship" with common law rights, simply because we take our entire concept of individual rights and causes of action from common law. But sufficient unto the day-the Court will address those questions when and if they arise.)
IV. Conclusion
Krupa sufficiently alleges breach of bailment. His claim, whether characterized as "negligence" or "breach of implied contract," survives both a Rule 12(b)(1) and a Rule 12(b)(6) motion to dismiss.
TIC's motion to dismiss, (ECF No. 13), is therefore denied.
Next, Krupa has made class allegations in his complaint, (ECF No. 1), to which TIC has not yet responded. The Court, cognizant of its Rule 23(c)(1)(A) duty to determine "at an early practicable time" whether to certify a class, orders the parties to brief the class certification question on the following schedule:
Krupa shall file a separate motion to certify a class no later than Monday, January 16, 2023. (He may, of course, reuse some or all of the class certification briefing from his initial complaint.) Briefing shall then proceed according to Local Rule 7-1(c)(3), under which TIC will have 14 days from the service of Krupa's motion to file its response, and Krupa will have 7 days from the service of TIC's response to fill his reply.
SO ORDERED.