
McGlenn v. Driveline Retail Merch.

United States District Court, Central District of Illinois
Sep 21, 2021
18-cv-2097 (C.D. Ill. Sep. 21, 2021)

Summary

declining to determine whether Illinois’ economic loss rule barred the plaintiff's claims in a data breach case

Summary of this case from Toretto v. Donnelley Fin. Sols.

Opinion

18-cv-2097

09-21-2021

LYNN MCGLENN, Plaintiff, v. DRIVELINE RETAIL MERCHANDISING, INC., Defendant.


ORDER AND OPINION

SUE E. MYERSCOUGH, UNITED STATES DISTRICT JUDGE

This cause is before the Court on Defendant Driveline Retail Merchandising, Inc.'s (“Driveline”) Motion for Summary Judgment (d/e 84). For the reasons stated below, the Court GRANTS Defendant's Motion for Summary Judgment (d/e 84).

I. FACTS

The Court draws the following facts from the parties' statements of undisputed facts and from the evidence submitted by the parties. Any facts not disputed, or disputed without evidentiary documentation of the basis for the dispute, have been deemed admitted. See CDIL-LR 7.1(D)(2)(b)(2).

On January 25, 2017, Driveline and thousands of its employees became the victims of a criminal phishing attack. An unknown individual (the “perpetrator”), disguised as the Chief Financial Officer (“CFO”) of Driveline, sent an e-mail to a Driveline employee who worked in the payroll department. The perpetrator asked the employee to send all of Driveline's employees' 2016 W-2s. The employee responded to the email and sent the 2016 W-2s of 15,878 employees to the perpetrator. These 15,878 W-2s contained social security numbers, names, home addresses, and wage information for employees who worked at and received wages from Driveline during the time period of January 1, 2016 to December 31, 2016. Driveline admits that this information is irretrievably lost, to be used against its employees forever.

When Driveline realized that the email had been a phishing attack, it notified the Federal Bureau of Investigation (“FBI”). Driveline also provided the IRS with the names and Social Security numbers (“SSNs”) of the affected employees so the IRS could impose appropriate controls to prevent the filing of fraudulent returns. Driveline notified the appropriate governmental authorities of all fifty states, Guam, and Puerto Rico of the Disclosure.

McGlenn states that she objects to the temporal characterization of the FBI and IRS notifications being “immediately” or “within hours of the breach.” At least with regards to the IRS notification, email documentation confirms that this information was sent to the IRS roughly two days after the phishing email was sent. See January 27, 2017 Email Communications from S. Hasenfratz to A. Douglas, attached as Exhibit 3 to Defendant's Motion, d/e 84-3. The Court finds that the dispute on temporal terminology, however, is not material to this motion.

Effective January 31, 2017, Driveline retained the services of AllClear ID, a credit and identity theft prevention monitoring service, to protect the employees whose personal identifying information (“PII”) was involved in the Disclosure. All affected employees were automatically enrolled in the base protection, called “AllClear ID Identity Repair.” Any employee suspecting identity theft could file a claim, and AllClear ID would provide identity and credit remediation services. Additionally, employees were given the opportunity to enroll for free for one year of enhanced services, called “AllClear Credit Monitoring.” To obtain the enhanced services, the employees had to contact AllClear ID and set up their individual accounts.

Driveline waited to notify employees of the Disclosure until the FBI gave Driveline the “green light.” On February 14, 2017, after the FBI notified Driveline that issuing notice would not hinder the FBI's investigation, AllClear ID mailed a letter and supporting materials on behalf of Driveline to all the employees involved in the Disclosure.

McGlenn's PII was part of the Disclosure. She received the Disclosure notification letter, but McGlenn did not enroll in the free enhanced credit monitoring offered by Driveline through AllClear ID. Some Driveline employees involved in the Disclosure received letters from the IRS requiring them to present to an IRS office in person before filing their 2016 taxes, but McGlenn did not receive such a letter. McGlenn does not claim that anyone attempted to file a fraudulent tax return using her PII.

McGlenn, however, did experience some fraudulent activity on her financial accounts after the Disclosure. Six months after the Disclosure, someone tried to activate a Capital One credit card on an account opened in her name. Capital One received a credit card application that included McGlenn's former married name (Lynn Watts), her telephone number, her date of birth, address, and SSN on or about July 20, 2017. A man attempted to activate the Capital One account via telephone by providing McGlenn's former name, her telephone number, and her date of birth. McGlenn's W-2 does not contain her date of birth. Nor did the Disclosure reveal her telephone number or former last names. Driveline never even knew McGlenn's former married name (Watts) because when she applied for a job with Driveline, she was already married to Mr. McGlenn.

In December 2017, eleven months after the Disclosure, someone used McGlenn's Charlotte Metro Credit Union debit card to incur a $252.79 charge. McGlenn confirmed that the information at issue in the debit card charge, which included her credit union account number, credit union name, credit card numbers, and debit card numbers, were not part of the Driveline Disclosure.

McGlenn also acknowledged that her data was stolen during the Equifax data breach. As clarified in McGlenn's response, Equifax provided notice of the breach in September 2017, but the breach itself occurred between May 2017 and July 2017. See d/e 86 at p. 3 (citing In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1308 (N.D.Ga. 2019) (“On September 7, 2017, the Defendant Equifax Inc. announced that it was the subject of one of the largest data breaches in history. From mid-May through the end of July 2017, hackers stole the personal and financial information of nearly 150 million Americans.”)). McGlenn assumes that the Equifax data breach disclosed her SSN, her past and present address, her date of birth, other names she has used in the past, and the identities of her banks, lending institutions, and past and present credit card issuers. Equifax, like Driveline, offered free credit monitoring. McGlenn declined both offers because she was already using Credit Karma.

McGlenn also highlights reports by the IRS and FBI warning about certain frauds prior to the Disclosure. Driveline does not dispute the facts surrounding these reports, but Driveline argues that they are immaterial because there is no evidence that Driveline had received, was aware of, or should have been aware of these reports. First, on August 27, 2015, the FBI issued a report warning of the increasingly common scam, known as Business Email Compromise, in which companies had fallen victim to phishing emails. The report called attention to the significant spike in scams, also referred to as “spoofing,” in which emails that appear to have been initiated from the CEO or other top-level executives request employee W-2 or other personal information.

Second, on March 1, 2016, the IRS issued an alert to payroll and human resources professionals warning of a scheme whereby false emails, purportedly from one of the company's chief officers, were sent to individuals in the human resources or accounting department asking for copies of W-2 data for all employees. The alert stated:

The Internal Revenue Service today issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.
The IRS has learned this scheme - part of the surge in phishing emails seen this year - already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.
Pl. Resp., Ex. 4, IRS March 1, 2016 Alert, d/e 86-4. The IRS renewed this alert on January 25, 2017, specifically urging “company payroll officials to double check any executive-level or unusual requests for lists of Forms W-2 or Social Security numbers.” Pl. Resp., Ex. 5, IRS January 25, 2017 Alert, d/e 86-5.

McGlenn also alleges these additional facts regarding the training, or lack of training, that Driveline provided its employees:

• Before January 25, 2017, Susan Merciel, the Driveline Payroll Department Manager who released Driveline Employees' W-2s, had no training from Driveline that would have aided her in spotting a phishing email.
• Before January 25, 2017, Ms. Merciel had not been trained or advised by Driveline that W-2 phishing emails were being perpetrated on payroll departments.
• Before Driveline sent out its employees' personal data, its employees had not been trained to hover their computer mouse over the sender's name to see from whom an email was sent.
• If Driveline's employees had been so trained, Ms. Merciel or any other employee receiving the spoofing email would have seen that the request for employees' W-2s was coming not from Driveline's CFO Lori Bennett, whose Driveline email address had always been “lbennett@drivelineretail.com,” but instead came from fidelitycharitylaw@gmail.com.
• Ms. Merciel told another Driveline employee, Kristine Fountain, that she had previously received a request for W-2s in 2016, and that was why she did not find the 2017 phishing email unusual.
• Before Driveline sent out employees' personal data, Driveline employees had not been trained to question a request to email employees' PII or to call the person who was requesting via email a file containing the sensitive personal financial information of employees to confirm it was a real request.
• Prior to the Driveline Disclosure, Driveline's CFO Lori Bennett routinely requested confidential personal information of employees be sent to her via email without requiring or suggesting that the requested file be encrypted or password protected.
• Prior to the Driveline Disclosure, Driveline employees had not been trained to transfer sensitive and private employee data in an encrypted file.
• Driveline employees handling the most sensitive personal and financial information for the company's workforce had never been trained how to encrypt a file or how to transfer sensitive and private employee information in a password protected file.
• Following the Driveline Disclosure, some employees were required to take a one-time computer training course on identity theft. They were not required to take the course annually.

While Driveline does not dispute these facts, Driveline argues that the facts are immaterial to Driveline's Motion for Summary Judgment because Driveline argues it does not owe a duty to its employees to safeguard their PII.

II. PROCEDURAL BACKGROUND

The Complaint for this action was originally brought by Shirley Lavender, individually and on behalf of all others similarly situated, against Driveline. However, Plaintiff Lavender filed a Motion for Leave to Substitute Class Representative and for Leave to File an Amended Class Action Complaint in Accordance with the Substitution. See d/e 34. On September 6, 2019, the Court granted Plaintiff Lavender's Motion for Leave to Substitute. See Order, d/e 43. On September 10, 2019, Plaintiff Lynn McGlenn was substituted as Plaintiff in this case when she filed an Amended Complaint. See Amended Complaint, d/e 44. McGlenn has filed claims for negligence (Count I), invasion of privacy (Count II), breach of implied contract (Count III), breach of fiduciary duty (Count IV), violation of Illinois Personal Information Protection Act (“IPIPA”) (Count V), and violation of Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”) (Count VI) against Driveline. McGlenn seeks a mandatory injunction directing Driveline to adequately safeguard the PII of employees by implementing improved security procedures and measures and to provide adequate notice to each employee relating to the full nature and extent of the Disclosure and ordering Driveline to pay an award of monetary damages. See d/e 44. On January 19, 2021, the Court denied McGlenn's Renewed Motion for Class Certification. See Opinion and Order, d/e 87.

Driveline filed this Motion for Summary Judgment (d/e 84) on December 14, 2020, and moves for summary judgment on all of McGlenn's individual claims. McGlenn filed a response (d/e 86) on January 15, 2021, in which she agreed summary judgment was appropriate for her invasion of privacy claim, see d/e 86 at p. 2, n.1, but otherwise opposed summary judgment. Driveline filed its reply (d/e 88) on January 29, 2021.

III. JURISDICTION AND VENUE

McGlenn invokes jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d) (“CAFA”). The CAFA provides federal courts with jurisdiction over certain class actions if the class has more than 100 members, the parties are minimally diverse, and the amount in controversy exceeds $5 million, exclusive of interest and costs. 28 U.S.C. § 1332(d)(2), (5)(B); Standard Fire Ins. Co. v. Knowles, 568 U.S. 588, 592 (2013). The claims of the individual class members are aggregated to determine whether the amount in controversy threshold is met. 28 U.S.C. § 1332(d)(6).

McGlenn's Amended Complaint alleged that the aggregate amount in controversy exceeds $5 million, exclusive of interest and costs, that there are more than 100 class members, and that at least one class member is a citizen of a state different from Driveline. See Amended Complaint, d/e 44, ¶ 3. McGlenn is a citizen of North Carolina. Id., ¶ 1. Driveline has indicated that Driveline is a citizen of New Jersey and Texas because Driveline is incorporated in New Jersey and has its principal place of business in Texas. See Defendant's Declaration of State of Incorporation and Principal Place of Business, d/e 42.

Moreover, the Court retains jurisdiction over the case pursuant to 28 U.S.C. § 1332(d) even though the Court has now denied Plaintiff's Motion for Class Certification. See Cunningham Charter Corp. v. Learjet, Inc., 592 F.3d 805 (7th Cir. 2010) (“Federal jurisdiction under the Class Action Fairness Act does not depend on certification”). Therefore, the Court finds that the Court continues to have subject-matter jurisdiction.

IV. LEGAL STANDARD

Summary judgment is proper if the movant shows that no genuine dispute exists as to any material fact and that the movant is entitled to judgment as a matter of law. Fed.R.Civ.P. 56(a). The movant bears the initial responsibility of informing the Court of the basis for the motion and identifying the evidence the movant believes demonstrates the absence of any genuine dispute of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). A genuine dispute of material fact exists if a reasonable trier of fact could find in favor of the nonmoving party. Marnocha v. St. Vincent Hosp. & Health Care Ctr., Inc., 986 F.3d 711, 718 (7th Cir. 2021).

When ruling on a motion for summary judgment, the Court must construe all facts in the light most favorable to the non-moving party and draw all reasonable inferences in that party's favor. King v. Hendricks Cty. Commissioners, 954 F.3d 981, 984 (7th Cir. 2020). A movant may demonstrate the absence of a genuine dispute through specific cites to admissible evidence or by showing that the nonmovant “cannot produce admissible evidence to support the [material] fact.” Fed.R.Civ.P. 56(c)(1). If the movant clears this hurdle, the nonmovant may not simply rest on his or her allegations in the complaint, but instead must point to admissible evidence in the record to show that a genuine dispute exists. Id.; Harvey v. Town of Merrillville, 649 F.3d 526, 529 (7th Cir. 2011).

V. ANALYSIS

Driveline argues that it is entitled to summary judgment on all of the claims brought by McGlenn (negligence (Count I), invasion of privacy (Count II), breach of implied contract (Count III), breach of fiduciary duty (Count IV), violation of Illinois Personal Information Protection Act (“IPIPA”) (Count V), and violation of Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”) (Count VI)).

McGlenn agrees that her invasion of privacy claim (Count II) is subject to summary judgment. Accordingly the Court grants summary judgment for Driveline on this claim. Further, the Court agrees with Driveline that summary judgment is appropriate on McGlenn's remaining claims.

A. Driveline is Entitled to Summary Judgment on McGlenn's Illinois Common Law Tort Claims.

As an initial matter, the Court finds that McGlenn has waived any arguments that Illinois law does not apply. McGlenn has previously argued that Illinois law applies to her common law claims. See Plaintiff's Memorandum of Law In Support of Renewed Motion for Summary Judgment, d/e 52-1 at p.16. While Driveline has previously questioned whether the law of Illinois or North Carolina (the state of McGlenn's residence and where she worked while employed by Driveline) applies, see Defendant's Objection to Plaintiff's Renewed Motion for Class Certification, d/e 54, p.36, n.25, Driveline's Motion for Summary Judgment assumes that Illinois law does apply. It is not clear from the facts of this case that Illinois law would necessarily apply given that neither McGlenn nor Driveline are Illinois residents and any harm to McGlenn did not occur in Illinois. Nonetheless, McGlenn did not raise the choice-of-law issue in her response, and the Court finds that the argument is now waived. See Ward v. Soo Line R.R. Co., 901 F.3d 868, 880 (7th Cir. 2018) (“The choice-of-law issue is waived if a party fails to raise it.”).

Applying Illinois law, Driveline argues that McGlenn cannot succeed on her negligence claim because Driveline does not have a duty under Illinois law to safeguard McGlenn's PII. Driveline argues that McGlenn cannot succeed on her breach of fiduciary duty claim because she has not established that Driveline owed her a fiduciary duty. Driveline also argues that the economic loss doctrine bars recovery of any tort damages.

1. McGlenn Cannot Prove Negligence Because Driveline Does Not Have a Duty Under Illinois Law to Safeguard McGlenn's PII.

To show negligence under Illinois law, a plaintiff must prove “that the defendant owed a duty to the plaintiff, that defendant breached that duty, and that the breach was the proximate cause of the plaintiff's injuries.” Blood v. VH-1 Music First, 668 F.3d 543, 546 (7th Cir. 2012) (quoting First Springfield Bank & Trust v. Galman, 188 Ill.2d 252, 242 Ill.Dec. 113, 720 N.E.2d 1068, 1071 (1999)). Driveline argues that under Illinois law, Driveline did not owe any duty to McGlenn to safeguard her PII. While the Illinois Supreme Court has not spoken on this issue, the Seventh Circuit in Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 816 (7th Cir. 2018), found that the defendant retailer, Schnuck Markets, did not owe a duty to the customer's banks under Illinois law when Schnucks suffered a major breach of its customers' data. See also Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 757-58 (C.D. Ill. 2020). The Seventh Circuit relied on the Illinois appellate case of Cooney v. Chicago Pub. Sch., 407 Ill.App.3d 358, 363, 943 N.E.2d 23, 29 (2010) in reaching its holding. In Cooney, the city board of education, through a third party, had mistakenly sent PII of former school employees in a mailing. Cooney, 407 Ill.App. at 363. In declining to create a new common law duty, the Illinois appellate court emphasized that “[w]hile we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review. As noted, the legislature has specifically addressed the issue and only required the Board to provide notice of the disclosure.” Id. The Seventh Circuit in Cmty. Bank of Trenton interpreted Cooney as “a more general statement that no duty to safeguard personal information existed, regardless of the kind of loss” and predicted “that the state court would not impose the common law data security duty the plaintiff banks call for here.” Cmty. Bank of Trenton, 887 F.3d at 817.

McGlenn attempts to distinguish Cooney based on the way the information was disclosed, arguing the disclosure in Cooney was a “mistake,” whereas the disclosure here “was the foreseeable consequence of the defendant's actions and failure to act.” See d/e 86 at p. 11. McGlenn points to cases applying Georgia law and argues that this Court should find Illinois law would recognize the existence of a similar common law duty when the disclosure was foreseeable. See d/e 86 at p. 11-12 (citing In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295 (N.D.Ga. 2019); In re: The Home Depot, Inc. Customer Data Sec. Breach Litig., 2016 WL 2897520, at *3 (N.D.Ga. May 18, 2016); In re Arby's Restaurant Grp. Inc. Litig., 2018 WL 2128441, at *5 (N.D.Ga. Mar. 5, 2018)). However, while these cases highlight important policy reasons why a company should be required to safeguard PII, McGlenn does not explain how these cases would allow the Court to ignore the Seventh Circuit's holding in Cmty. Bank of Trenton. Moreover, McGlenn's distinction between a “mistake” and a “foreseeable consequence” does not address Cooney's rationale that courts should not impose “a new legal duty beyond legislative requirements.” Cooney, 407 Ill.App. at 363. Regardless of whether the data breach was foreseeable or merely a “mistake,” the Court finds that Illinois does not impose a common law duty to safeguard PII.

McGlenn also argues that, even if no common law duty exists, a statutory duty now exists. As the court noted in Cooney, “a violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence.” 407 Ill.App.3d at 361. In Cooney, the court rejected the plaintiffs' argument that a statutory duty existed under Illinois Personal Information Protection Act (“PIPA”) because PIPA only requires a data collector to provide notice of a breach. Id. at 363; see also Cmty. Bank of Trenton, 887 F.3d at 816 (noting Cooney's conclusions).

However, McGlenn highlights that in 2017, after Cooney, the Illinois legislature amended PIPA. Specifically, PIPA now includes a section that provides:

A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
815 ILCS § 530/45(a) (emphasis added). Driveline argues that this provision is irrelevant in light of the Seventh Circuit's decision in Cmty. Bank of Trenton, which is binding on this Court. However, the data breach at issue in Cmty. Bank of Trenton occurred in 2012, so the 2017 amendments to PIPA were not relevant to the Seventh Circuit's analysis in Cmty. Bank of Trenton.

Nonetheless, the Court finds that the 2017 amendments to PIPA do not change the result here. While Driveline qualifies as a “data collector” under the broad definition of the act, see 815 ILCS 530/5, Driveline's duty under this provision is expressly limited to Illinois residents. McGlenn is not an Illinois resident - she is a North Carolina resident. McGlenn has not responded to Driveline's argument that PIPA does not protect non-Illinois residents, nor has she otherwise attempted to explain how this provision could be interpreted to create a duty to safeguard a non-resident's PII. Accordingly, the Court finds that Driveline is entitled to summary judgment on McGlenn's negligence claim because Driveline did not owe a duty under Illinois law to safeguard McGlenn's PII.

2. McGlenn Cannot Show a Breach of Fiduciary Duty Because Driveline did not have a Fiduciary Duty to Protect McGlenn's PII.

To establish a claim for breach of fiduciary duty under Illinois law, McGlenn “must prove the existence of a fiduciary duty, breach of that duty, and damages proximately resulting from that breach.” Autotech Tech. Ltd. P'ship v. Automationdirect.com, 471 F.3d 745, 748 (7th Cir. 2006) (citing Neade v. Portes, 193 Ill.2d 433, 739 N.E.2d 496, 502, 250 Ill.Dec. 733 (Ill. 2000)). A fiduciary duty exists under Illinois law either “as a matter of law from the relationship of the parties (such as an attorney-client relationship), or based on the facts of a particular situation, such as a relationship where confidence and trust is reposed on one side, resulting in dominance and influence on the other side.” Dahlin v. Evangelical Child & Family Agency, 252 F.Supp.2d 666, 669 (N.D. Ill. 2002) (citations omitted).

McGlenn does not argue that a fiduciary duty exists as a matter of law, but rather that a fiduciary duty exists because McGlenn was required to entrust Driveline with her sensitive personal information as a condition of gaining and maintaining her employment. However, in Cooney, the Illinois appellate court found that there is no fiduciary duty created when an employee provides an employer with information “in confidence.” 407 Ill.App.3d at 363; Landale Signs & Neon, Ltd. v. Runnion Equip. Co., No. 16-cv-7619, 2016 WL 7409916, at *4 (N.D. Ill.Dec. 22, 2016). McGlenn has not attempted to distinguish Cooney and does not provide caselaw to support her argument.

McGlenn does, however, acknowledge that under Illinois law “trust and confidence are not enough to create a fiduciary relationship; superiority and influence must result from the trust and confidence.” Tummelson v. White, 47 N.E.3d 579, 584 (Ill.App.Ct. 2015). In Tummelson, the Illinois appellate court further explained that a fiduciary relationship exists where “trust and confidence are reposed by one person in another who, as a result thereof, gains influence and superiority over the other . . . significant dominance and superiority [are] necessary to establish a fiduciary relationship.” . . . “Dominance,” in this context, means “the ability to exercise undue influence.” Id. (internal citations and quotations omitted). In Tummelson, the court found no fiduciary relationship existed between a homeowner and cohabitant merely because the cohabitant contributed money toward the mortgage of the house and he trusted that this would result in his ability to continue to reside at the house. Id. Rather, the court found that the dominance that the homeowner had over the cohabitant (to evict the cohabitant if she chose) was “merely the dominance that a licenser typically has over a licensee.” Id.

Here, McGlenn argues that she put trust in Driveline to safeguard her PII and that, as her employer, Driveline had superiority and influence. But it is not enough that superiority and influence generally exist in the relationship. The superiority and influence must result from the trust and confidence. McGlenn trusted Driveline with her PII because it was required as a condition of employment. Moreover, McGlenn has not explained how Driveline gained dominance or “undue influence” over McGlenn because of the information McGlenn provided. Like Tummelson, the “dominance” that existed was typical for the type of relationship (employer-employee) that McGlenn and Driveline had. Accordingly, the Court finds that Driveline is entitled to summary judgment on McGlenn's breach of fiduciary duty claim.

3. The Court Declines to Determine Whether the Economic Loss Doctrine Applies.

Driveline also argues that it is entitled to summary judgment on McGlenn's tort claims because her damages are barred under the economic loss doctrine. In addressing tort claims in commercial litigation, “state courts have generally refused to recognize tort liabilities for purely economic losses inflicted by one business on another where those businesses have already ordered their duties, rights, and remedies by contract.” Cmty. Bank of Trenton, 887 F.3d at 812. “Courts invoking the economic loss rule trust the commercial parties interested in a particular activity to work out an efficient allocation of risks among themselves in their contracts. Courts see no reason to intrude into the parties' allocation of the risk when bargaining should be sufficient to protect the parties' interests, and where additional tort law remedies would act as something of a wild card to upset their expectations.” Id. (internal quotations omitted).

In Illinois, the economic loss rule is known as the Moorman Doctrine. Id. (citing Moorman Mfg. Co. v. Nat'l Tank Co., 91 Ill.2d 69, 435 N.E.2d 443 (1982)). “Illinois recognizes three exceptions, but none applies here: for personal injuries or property damage resulting from sudden or dangerous occurrences, for fraud, and for negligent misrepresentations by professional business advisors.” Id. at 813. In Cmty. Bank of Trenton, the Seventh Circuit held that Illinois' economic loss rule barred the tort claims alleged by the customers' banks as a result of a grocery chain's data breach. Id. (“The plaintiff banks are disappointed in the amounts the card networks' contractual reimbursement process provided. That type of tort claim is not permitted under Moorman.”).

McGlenn argues that the Seventh Circuit and other federal courts have reached the wrong answer when they “reflexively applied the economic loss rule to negligence claims” because they did not perform any analysis about whether the principles behind the economic loss rule apply to data breaches. McGlenn draws support from In re Marriott International, Inc., Customer Data Security Breach Litigation, 440 F.Supp.3d 447, 473 (D. Md. 2020), which noted that the Illinois Supreme Court has not yet addressed whether the economic loss rule would apply to data breaches. The district court in In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig. found that “the rule's development suggests that its historical roots in products liability are not a close fit with the injuries that arise in the context of data breaches like this one, which casts doubt on how it would be applied by the Illinois Supreme Court.” In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d at 469.

While the analysis by the district court in In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig. is well-reasoned, the Court must not disregard the Seventh Circuit's binding precedent in Cmty. Bank of Trenton which found that the economic loss rule did apply to data breaches. However, the Court notes that Cmty. Bank of Trenton was litigation between two commercial entities: a grocery store chain that had a data breach of its customers' data, and the banks of the customers whose data was breached. Here, where McGlenn is a former employee of Driveline and provided her PII as a legal condition of employment, the economic loss rule would be stretched significantly further from its product liability roots than the application of the rule in Cmty. Bank of Trenton. Regardless, as the Court finds that Driveline is entitled to summary judgment on its tort claims due to an absence of duty, the Court declines to also determine whether the economic loss doctrine would bar McGlenn's claims.

B. McGlenn Has Not Shown Sufficient Evidence That Driveline Proximately Caused Her Present Injuries For Her Tort or Contract Claims.

Driveline next argues that McGlenn cannot succeed on any of her common law claims - including her breach of implied contract claim - because she has not established proximate cause that the Disclosure caused her present injuries, and an increased risk of future harm alone is insufficient to show damages. McGlenn does not dispute that, under Illinois law, an increased risk of future harm alone is insufficient to show damages. See also, Rowe v. UniCare Life & Health Ins. Co., No. 09 C 2286, 2010 WL 86391, at *6 (N.D. Ill. Jan. 5, 2010) (applying Illinois law and concluding that the plaintiff in a data breach action “may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.”); Williams v. Manchester, 228 Ill.2d 404, 425, 888 N.E.2d 1, 13 (2008) (“[A]n increased risk of future harm is an element of damages that can be recovered for a present injury - it is not the injury itself.” (emphasis in original)). Accordingly, standing alone, McGlenn's allegation that she is at an increased risk of future identity theft is insufficient to show damages.

Nonetheless, McGlenn argues that she has suffered two incidents of identity theft that qualify as present injuries: First, six months after receiving the notice of the data breach from Driveline, Plaintiff was alerted that someone used her PII to open a new credit card account with Capital One. Second, approximately eleven months after the breach, a fraudulent charge of $252.79 was made on her debit card. However, the Court agrees that McGlenn has not shown that Driveline caused these present injuries.

In tort law, as well as with breaches of contracts, a defendant is only liable for damages the breach caused. See In re: Emerald Casino, Inc., 867 F.3d 743, 755 (7th Cir. 2017). In Illinois, causation is referred to as proximate causation and has two components: legal cause and cause in fact. Id. (citing Young v. Bryco Arms, 213 Ill.2d 433, 290 Ill.Dec. 504, 821 N.E.2d 1078, 1085-1086 (2004)). Here, only cause in fact is at issue. To show cause in fact, a plaintiff must show that “there is a reasonable certainty that a defendant's acts caused the injury or damage.” In re: Emerald Casino, Inc., 867 F.3d at 755. In Illinois, two tests are used to determine cause in fact. First, under the traditional “but-for” test, “a defendant's breach is a cause in fact of damages if the damages would not have occurred had the defendant not breached the contract” or breached its duty. Id. Second, “a defendant's breach is a cause in fact of damages ‘if it was a material element and a substantial factor in bringing the event about.'” Id. (internal citations omitted). McGlenn argues that the substantial-factor test applies here, which is used “when multiple defendants caused the damages so that no one defendant could be considered a but-for cause.” Id.

Driveline argues that McGlenn has not produced sufficient evidence for a jury to find that Driveline's Disclosure caused the two incidents of identity theft. The only evidence McGlenn has presented tying the Driveline Disclosure to the incidents of identity theft is that the identity theft incidents occurred a few months after the Driveline Disclosure. Driveline highlights that McGlenn was also involved in the Equifax breach, which revealed more of McGlenn's PII than the Driveline Disclosure did and included the identity of her financial institutions and credit card companies. Moreover, Driveline highlights that the individual who attempted to open a new credit card at Capital One used her former last name, her current telephone number, and her date of birth-none of which was included in the Driveline Disclosure. Further, Driveline's Disclosure did not reveal the identity of her credit union, the debit-card number, or account information used in the fraudulent charge on McGlenn's debit card.

At the initial pleading stage, allegations that data was disclosed and that McGlenn later suffered identity theft would be sufficient to survive a motion to dismiss. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) (finding that to survive a motion to dismiss, it is sufficient that defendant “admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs' right to relief above the speculative level.”); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016). See also In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018) (“That hackers might have stolen Plaintiffs' PII in unrelated breaches, and that Plaintiffs might suffer identity theft or fraud caused by the data stolen in those other breaches (rather than the data stolen from Zappos), is less about standing and more about the merits of causation and damages.”).

However, at the summary judgment phase more than these allegations is needed. Under Illinois law, at the summary judgment phase, facts cannot “be established from circumstantial evidence where more than one conclusion can be drawn. . . If plaintiff relies upon circumstantial evidence to establish proximate cause to defeat a motion for summary judgment, the circumstantial evidence must be of such a nature and so related as to make the conclusion more probable as opposed to merely possible.” Majetich v. P.T. Ferro Const. Co., 389 Ill.App.3d 220, 224-25, 906 N.E.2d 713, 718 (2009) (internal citations omitted); Garland v. Sybaris Clubs Int'l, Inc., 141 N.E.3d 730, 764 (Ill. Ct. App. 2019) (“Cause in fact exists where there is a reasonable certainty that a defendant's acts caused the injury or damage.”).

As McGlenn notes, “[i]f there are multiple companies that could have exposed the plaintiffs' private information to the hackers, then the common law of torts has long shifted the burden of proof to defendants to prove that their negligent actions were not the “but-for” cause of the plaintiff's injury.” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) (citation and internal quotation marks omitted). But, McGlenn's incidents of identity theft necessarily relied on PII that was not disclosed in Driveline's Disclosure. The obvious implication is that the thieves could not have relied on Driveline's Disclosure alone to commit the incidents of identity theft. And McGlenn does not dispute that at least the Equifax data breach would have exposed all the information that was needed to commit these incidents of identity theft. Moreover, data breaches have become increasingly common. McGlenn has not presented any evidence that Driveline's Disclosure was involved in her incidents of identity theft beyond the fact that Driveline's Disclosure happened prior to these incidents.

Understandably, neither McGlenn nor Driveline has been able to determine who committed the identity thefts and determine where they got the information used. But, especially in light of the fact that Driveline's Disclosure did not provide all the information used to commit the incidents of identity theft, McGlenn needed to present some evidence of causation other than temporal proximity for a reasonable jury to find Driveline responsible for her injuries. Any finding in McGlenn's favor would be merely speculative. See also Walker v. Macy's Merchandising Group, Inc., 288 F.Supp.3d 840, 856 (N.D. Ill. 2017) (under Illinois law, “[p]roximate cause is not established, however, where the causal connection is contingent, speculative or merely possible.” (internal citations omitted)). See also, Nolan v. Weil-McLain, 233 Ill.2d 416, 431, 910 N.E.2d 549, 557 (2009) (“Illinois courts have, as a matter of law, refused to allow a plaintiff to take the causation question to the jury when there is insufficient evidence for the jury to reasonably find that the defendant's conduct was a cause of the plaintiff's harm or injury.”).

Because McGlenn's only remaining alleged harm is her alleged increased risk of future identity theft, which she concedes is insufficient on its own to entitle her to damages, Driveline is entitled to summary judgment on McGlenn's tort and contract claims under Illinois law.

C. Driveline is Entitled to Summary Judgment on McGlenn's Statutory Claims.

McGlenn also claims that Driveline violated the Illinois Personal Information Protection Act (“PIPA”) and the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”). Driveline argues that it met the Notice requirements of PIPA and, therefore, McGlenn cannot prove a violation of PIPA. In her response, McGlenn clarifies that the basis of her PIPA claim is not the notice requirements but, rather, the 2017 amendments. As stated above, these amendments require that a data collector that “maintains or stores . . . records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 ILCS § 530/45(a) (emphasis added).

However, McGlenn fails to respond to Driveline's other argument regarding PIPA: McGlenn is a North Carolina resident. Even if McGlenn can show that Driveline failed to “implement and maintain reasonable security measures to protect” her PII from disclosure, she will not have shown a PIPA violation because she is not an Illinois resident.

Driveline is also entitled to summary judgment for McGlenn's final claim: a violation of ICFA. McGlenn argues that Driveline violated ICFA because a violation of PIPA “constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.” 815 ILCS § 530/20. However, because the Court finds that Driveline did not violate PIPA as to McGlenn, McGlenn also cannot show a violation of ICFA. Accordingly, the Court finds that Driveline is entitled to summary judgment on McGlenn's Illinois statutory claims as well.

VI. CONCLUSION

For the reasons set forth above, the Court GRANTS Defendant's Motion for Summary Judgment (d/e 84). The Court DIRECTS the Clerk to enter judgment in favor of Defendant Driveline. This order terminates the case.
