Summary
applying Illinois law to breach of contract claim because "Plaintiffs have not claimed the existence of an outcome determinative conflict"
Summary of this case from In re Arthur J. Gallagher Data Breach Litig.Opinion
Case No. 19-1330
2020-04-20
Noreen PERDUE, Elizabeth Davis-Berg, Dustin Murray, Melanie Savoie, Cheryl Ellingson, Angela Trang, Harley Wiliams, Mary Williams, Gordon Grewing, Melissa Ward and Patricia Davis, individually and on behalf of all other similarly situated, Plaintiffs, v. HY-VEE, INC., Defendant.
Ben Barnow, Erich P. Schork, Anthony Lee Parkhill, Barnow and Associates PC, Kyle Alan Shamberg, Carlson Lynch LLP, Chicago, IL, Cornelius Pellman Dukelow, Abington Cole & Ellery, Tulsa, OK, William B. Federman, Federman & Sherwood, Oklahoma City, OK, Alex M. Kashurba, Andrew W. Ferich, Benjamin F. Johns, Chimicles Schwartz Kriner & Donaldson-Smith LLP, Haverford, PA, Shpetim Ademi, Ademi & O'Reilly LLP, Cudahy, WI, for Plaintiffs. George J. Tzanetopoulos, Maria Ann Boelen, Baker & Hostetler LLP, Chicago, IL, Emily Jane Perkins, John P. Heil, Jr., Heyl Royster Voelker & Allen, Peoria, IL, Paul G. Karlsgodt, Baker & Hostetler LLP, Denver, CO, for Defendant.
Ben Barnow, Erich P. Schork, Anthony Lee Parkhill, Barnow and Associates PC, Kyle Alan Shamberg, Carlson Lynch LLP, Chicago, IL, Cornelius Pellman Dukelow, Abington Cole & Ellery, Tulsa, OK, William B. Federman, Federman & Sherwood, Oklahoma City, OK, Alex M. Kashurba, Andrew W. Ferich, Benjamin F. Johns, Chimicles Schwartz Kriner & Donaldson-Smith LLP, Haverford, PA, Shpetim Ademi, Ademi & O'Reilly LLP, Cudahy, WI, for Plaintiffs.
George J. Tzanetopoulos, Maria Ann Boelen, Baker & Hostetler LLP, Chicago, IL, Emily Jane Perkins, John P. Heil, Jr., Heyl Royster Voelker & Allen, Peoria, IL, Paul G. Karlsgodt, Baker & Hostetler LLP, Denver, CO, for Defendant.
ORDER AND OPINION
Michael M. Mihm, United States District Judge
This matter is now before the Court on Defendant Hy-Vee, Inc.'s ("Defendant") Motion to Dismiss Plaintiffs' Consolidated Second Amended Class Action Complaint (ECF No. 30). For the reasons stated below, Defendant's Motion is GRANTED IN PART AND DENIED IN PART.
JURISDICTION
The Court exercises subject matter jurisdiction under 28 U.S.C. § 1332(d)(2)(A), because the matter in controversy exceeds $5 million, exclusive of interest and costs, and is a class action in which some members of the class are citizens of states different than Defendant. The Court also exercises supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367(a).
BACKGROUND
Defendant is a large supermarket chain that also operates gas pumps, restaurants, and coffee shops. Between November 2018 and August 2019, Defendant was exposed to a data breach. On July 29, 2019, Defendant detected the breach and alerted its customers on August 14, 2019. On October 3, 2019, Defendant notified its customers that the breach was carried out by the use of "malware designed to access payment card data from cards used on point-of-sale (‘POS’) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants." (ECF Nos. 21 at 18; 31-2 at 2). Payment card information of customers who made purchases at the affected POS devices were compromised in the data breach. Defendant posted an online tool for customers to determine which locations were affected and during what timeframe.
The facts in the Background section are derived from Plaintiffs' Consolidated Second Amended Class Action Complaint. (ECF No. 21).
Plaintiffs claim they each used one or more payment cards at a compromised POS, and as a result, dealt with suffered side effects of the breach. Plaintiff Perdue accessed a gas pump in Galesburg, Illinois, that was impacted by the data breach. She went three weeks without her bank card, which was the only way she could allegedly access her money and pay her bills. Plaintiff Savoie accessed gas pumps in Iowa that were affected by the data breach. She experienced two fraudulent charges for $100.00 and $74.28. She also spent approximately five hours dealing with fraudulent charges on her credit card. Plaintiff Ellingson accessed a restaurant operated by Defendant in Iowa that was affected by the data breach. She was unable to access her bank funds between August 27, 2019, and September 4, 2019, due to her bank cancelling and replacing her debit card. Plaintiff Trang accessed several food retailers and gas pumps operated by Defendant in Minnesota that were affected by the data breach. She experienced $1000.00 in fraudulent charges and spent approximately three hours dealing with those charges, an overdraft fee, and a cancelled card. Plaintiffs Harley and Mary Williams accessed gas pumps in Kansas that were affected by the data breach. They spent approximately three-to-four hours dealing with $700.00 in fraudulent charges on their debit account. They also were unable to access their monies for three weeks. Plaintiff Grewing accessed gas pumps in Missouri that were affected by the data breach. Two fraudulent charges for $7.81 and $25.94 appeared on his debit cards. He also spent time driving to the bank, disputing charges, and cancelling his debit card. Additionally, he purchased a TransUnion Credit Monitoring Plan as a result of the breach. Plaintiff Murray visited restaurants operated by Defendant in Missouri that were affected by the data breach. He spent approximately three hours dealing with the breach after his debit card had been cancelled and replaced. Plaintiff Davis visited a restaurant operated by Defendant in Wisconsin that was affected by the data breach. She had a card cancelled and replaced. Plaintiffs Ward, in Kansas, and Davis-Berg, in Illinois, spent time monitoring their accounts subsequent to the breach.
On October 15, 2019, Plaintiffs filed a Class Action Complaint against Defendant. (ECF No. 1). On November 25, 2019, Plaintiffs filed their First Amended Class Action Complaint against Defendant. (ECF No. 8). On December 30, 2019, Plaintiffs filed a Second Amended Class Action Complaint asserting fifteen claims: negligence (Count I); negligence per se (Count II); breach of implied contract (Count III); breach of contracts to which Plaintiffs and class members were intended third-party beneficiaries (Count IV); ten statutory claims under the laws of Illinois, Iowa, Kansas, Minnesota, Missouri, and Wisconsin (Counts V-XIV); and unjust enrichment (Count XV). (ECF No. 21). On January 31, 2020, Defendant filed a Motion to Dismiss Plaintiffs' Second Amended Class Action Complaint under Federal Rule of Civil Procedure 12(b)(6). On February 28, 2020, Plaintiffs filed their response. (ECF No. 36). On March 17, 2020, Defendant filed its reply. (ECF No. 40). This Opinion follows.
STANDARD OF REVIEW
Dismissal under Federal Rule of Civil Procedure 12(b)(6) is proper if a complaint fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). To survive a motion to dismiss, a complaint must contain sufficient factual matter, which when accepted as true, states a claim for relief that is plausible on its face. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). Plausibility means alleging factual content that allows a court to reasonably infer that the defendant is liable for the alleged misconduct. Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 547, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A plaintiff's claim must "give enough details about the subject matter of the case to present a story that holds together" to be plausible. Swanson v. Citibank, N.A. , 614 F.3d 400, 404 (7th Cir. 2010). A court must draw all inferences in favor of the non-moving party. Bontkowski v. First Nat'l Bank of Cicero , 998 F.2d 459, 461 (7th Cir. 1993).
When evaluating a motion to dismiss, courts must accept as true all factual allegations in the complaint. Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937. However, the court need not accept as true the complaint's legal conclusions; "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. (citing Bell Atlantic Corp. , 550 U.S. at 555, 127 S.Ct. 1955 ). Conclusory allegations are "not entitled to be assumed true." Id.
Federal Rule of Civil Procedure 8(a)(2) requires only "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). The complaint must give fair notice of what the claim is and the grounds upon which it rests. E.E.O.C. v. Concentra Health Servs., Inc. , 496 F.3d 773, 776–77 (7th Cir. 2007). Fair notice is not enough by itself; in addition, the allegations must show that it is plausible, rather than merely speculative, that the plaintiff is entitled to relief. Tamayo v. Blagojevich , 526 F.3d 1074, 1083 (7th Cir. 2008).
ANALYSIS
I. Plaintiffs' Negligence and Negligence Per Se Claims
In Count I, Plaintiffs, under each state class, allege negligence against Defendant claiming that Defendant owed a duty to Plaintiffs to maintain confidentiality and exercise reasonable care in safeguarding their personal information, and it breached that duty. Plaintiffs claim Defendant's conduct created a foreseeable risk of harm, and as a direct and proximate result, they have been injured. In Count II, Plaintiffs, under each state class, allege negligence per se against Defendant claiming that it had a duty to provide adequate computer systems and data security practices to safeguard their personal information. As a result of breaching that duty, Plaintiffs allege they have suffered damages.
Defendant argues that Plaintiffs fail to state a claim for negligence because there is no duty to safeguard personal information under Illinois law. Alternatively, Defendant states that if the Court determines that a duty exists under any of the relevant states' laws, Plaintiffs' negligence and negligence per se claims should be barred by the economic-loss doctrine recognized in Illinois, Iowa, Missouri, and Kansas. Defendant also argues that Plaintiffs fail to plead any damages that are compensable under Minnesota or Wisconsin law. Regarding Plaintiffs' negligence per se claims, Defendant also states that Plaintiffs do not identify any statute or regulation that sets out a standard of conduct specific enough to establish that it is in violation of that statute or regulation. According to Defendant, the one statute that Plaintiffs do reference, Section 5 of the Federal Trade Commission Act ("FTC Act"), does not impose any data security standard. Plaintiffs contend that Defendant is incorrect about Illinois law and that it has ignored the laws of Minnesota, Kansas, Wisconsin, and Missouri, as they relate to a duty to safeguard personal information. Lastly, Plaintiffs argue that Section 5 of the FTC Act was designed to protect consumers from unfair and deceptive trade practices such as failing to protect private consumer information.
A. Choice-of-Law
Before the Court turns to the specific claims, it must consider a preliminary issue: choice-of-law. The Parties do not agree which state law applies to Plaintiffs' claims. Plaintiffs state that the negligence and negligence per se claims should be governed by the law of the state where the alleged injury occurred, because differences exist among the laws of each state. Defendant argues that there is no conflict of law between the relevant states; therefore, Illinois law should apply.
A federal court sitting in diversity applies the forum state's choice-of-law rules to determine which state's substantive law applies. See Klaxon Co. v. Stentor Elec. Mfg. Co. , 313 U.S. 487, 496–97, 61 S.Ct. 1020, 85 L.Ed. 1477 (1941) ("The conflict of laws rules to be applied by the federal court in Delaware must conform to those prevailing in Delaware's state courts."); Auto–Owners Ins. Co. v. Websolv Computing, Inc. , 580 F.3d 543, 547 (7th Cir. 2009). "Courts do not worry about conflict of laws unless the parties disagree on which state's law applies." Auto–Owners Ins. Co. , 580 F.3d at 547.
Since the Parties disagree whether Illinois or each respective state's law applies, the Court looks to Illinois choice-of-law rules to determine which law applies. Under Illinois choice-of-law rules, a conflict of law exists only where the application of one state's law over that of another state will make a difference in the outcome of a case, and where there is no conflict in the relevant state law, a court will apply Illinois law. See Malatesta v. Mitsubishi Aircraft Int'l, Inc. , 275 Ill.App.3d 370, 211 Ill.Dec. 710, 655 N.E.2d 1093, 1096 (1995) ; Barron v. Ford Motor Co. of Canada , 965 F.2d 195, 197 (7th Cir. 1992) ("[B]efore entangling itself in messy issues of conflict of laws a court ought to satisfy itself that there actually is a difference between the relevant laws of the different states."); Int'l Adm'rs, Inc. v. Life Ins. Co. of N. Am. , 753 F.2d 1373, 1376 n.4 (7th Cir. 1985) ("Conflicts [of law] rules are appealed to only when a difference in law will make a difference to the outcome."). Illinois uses the "most significant relationship" approach of the Restatement (Second) of Conflicts of Law. Esser v. McIntyre , 169 Ill.2d 292, 214 Ill.Dec. 693, 661 N.E.2d 1138, 1141 (1996). In applying this test, courts weigh four factors: "(1) where the injury occurred; (2) where the injury-causing conduct occurred; (3) the domicile of the parties; and (4) where the relationship of the parties is centered." Id. Generally, the law of the place of injury controls unless some other jurisdiction has a more significant relationship with the occurrence and with the parties. Id. Moreover, choice-of-law issues in nationwide class actions are rarely so uncomplicated that one can delineate clear winning and losing arguments at an early stage in the litigation. Mirfasihi v. Fleet Mortg. Corp. , 450 F.3d 745, 750 (7th Cir. 2006).
At this stage, the factors weigh in favor of applying the laws of the non-forum states to the non-forum Plaintiffs. The injuries Plaintiffs allege each occurred in the state in which Plaintiffs used a payment card to make a purchase from Defendant. Defendant could not have predicted that Illinois law would apply to its business with customers in other states. Likewise, it would interfere with interstate order to supplant the laws of the non-forum states with Illinois law. See generally Heath v. Zellmer , 35 Wis.2d 578, 151 N.W.2d 664, 672 (1967) ("[F]or a state that is only minimally concerned with a transaction or tort to thrust its law upon the parties would be disruptive of the comity between states."). Additionally, as Plaintiffs point out, the respective states recognize different standards of the common law claims, even if they are small variations. As seen below, these variations can be outcome determinative. Therefore, the Court will apply the laws of the non-forum states to the non-forum Plaintiffs.
B. Illinois, Missouri, and Kansas
In Cooney v. Chicago Public Schools , 407 Ill.App.3d 358, 347 Ill.Dec. 733, 943 N.E.2d 23 (2010), the Board of Education of the City of Chicago retained a graphics company to print, package, and mail a letter to 1750 former employees to inform them that they were eligible to change their insurance benefit plans. Id. , 347 Ill.Dec. 733, 943 N.E.2d at 27. However, an inadvertent mailing contained the names of all 1750 former employees, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. Id. The former employees sued, alleging, among other things, negligence under Illinois law. Id. The appellate court affirmed the circuit court's dismissal of the negligence claims, finding that the plaintiffs had not established that the Board of Education owed them a duty to safeguard their personal information. Id. 347 Ill.Dec. 733, 943 N.E.2d at 28.
The appellate court opined that the Illinois Personal Information Protection Act ("PIPA"), 815 Ill. Comp. Stat. 530/1 et seq. , did not create a legal duty to safeguard the plaintiffs' information. Id. The court held that the plain language of PIPA only requires data collectors that maintain personal information to "notify the owner or licensee of the information of any breach of the security of the data immediately following discovery." Id. (citing 815 Ill. Comp. Stat. 530/10(b) ). The court rejected the plaintiffs' argument that PIPA must also encompass a duty to protect the information from inadvertent disclosure in the first place. Id. The court explained, "[b]ecause the provisions in the Act are clear, we must assume it reflects legislative intent to limit defendants' duty to providing notice." Id.
In Cmty. Bank of Trenton v. Schnuck Markets, Inc. , 887 F.3d 803, 816 (7th Cir. 2018), the Seventh Circuit affirmed the dismissal of negligence claims under Illinois law in a data breach case, relying on Cooney . That case involved a data breach at a large Midwestern grocery chain that resulted in the theft of data for 2.4 million credit and debit cards. Id. at 807. The plaintiffs alleged common law and statutory claims against defendant, including negligence under Illinois law. Id. The plaintiffs argued that the defendant had a common law duty to safeguard customers' personal information. Id. at 816. Noting that the Illinois Supreme Court had not addressed this issue, the Seventh Circuit followed Cooney and held that no common law data security duty applied. Id.
Plaintiffs argue that in 2017, subsequent to the ruling in Cooney , the Illinois legislature amended PIPA to expressly add a duty to safeguard personal information; however, Plaintiffs admit that no court has analyzed that amendment's effect on the duty analysis in an Illinois negligence claim. In 2018, the Seventh Circuit addressed a similar question and predicted that Illinois would not impose such a duty on retailers like Defendant. Id. Plaintiffs have failed to highlight any Illinois authority contrary to Cooney . PIPA clearly imposes a duty to notify an Illinois resident of any data breach, but it does not explicitly include a duty to safeguard personal information. See 815 Ill. Comp. Stat. 530/10. This Court agrees with the Seventh Circuit's reading of Cooney and accordingly adopts its conclusion.
Defendant also argues that Plaintiffs fail to identify statutory language that imposes a duty to safeguard personal information upon it. Plaintiffs allege that Defendant violated Section 5 of the FTC Act, and Defendant argues that Section 5 cannot form the basis of a negligence per se claim. Plaintiffs argue that Defendant had a duty to protect their personal financial information under the FTC Act and similar state statutes. The FTC Act prohibits "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a)(1) (2006). "Unfair or deceptive acts" are defined as those that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States. Id. § 45(4)(A)(i-ii). Defendant contends that the Seventh Circuit has already affirmed the dismissal of similar claims under Illinois and Missouri law by citing Cmty. Bank of Trenton , 887 F.3d at 818-19 ; however, the court in that case found that Section 5 of the FTC Act does not extend its coverage to financial institutions in merchant data breach cases. That is not the case here as Plaintiffs are not financial institutions. As this district has previously stated, "the FTC has brought [several] cases against companies that have engaged in unfair or deceptive practices that put consumers' personal data at unreasonable risk." See Irwin v. Jimmy John's Franchise, LLC , 175 F. Supp. 3d 1064, 1073 (C.D. Ill. 2016) (internal quotation and citations omitted); see generally F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236 (3d Cir. 2015) (case involving customer injuries in a data security case where FTC provisions were applicable). Other courts have held that "the failure to maintain reasonable and appropriate data security for consumers' sensitive personal information can constitute an unfair method of competition in commerce in violation of the [FTC]." In re Equifax, Inc., Customer Data Sec. Breach Litig. , 362 F. Supp. 3d 1295, 1327 (N.D. Ga. 2019) (internal citations omitted). Therefore, the FTC Act can serve as the basis of a negligence per se claim.
Notwithstanding the above, the Court agrees with Defendant that even if there is an existence of some duty, the Illinois economic loss doctrine bars Plaintiffs' negligence per se claim. The economic loss doctrine bars a plaintiff from recovering for purely economic losses under a tort theory of negligence. Moorman Mfg. Co. v. Nat'l Tank Co. , 91 Ill.2d 69, 61 Ill.Dec. 746, 435 N.E.2d 443, 453 (1982). The rationale underlying this doctrine is that tort law affords the proper remedy for loss arising from personal injury or damages to one's property, whereas contract law and the Uniform Commercial Code provide the appropriate remedy for economic loss stemming from diminished commercial expectations without related injury to person or property. In re Ill. Bell Switching Station Litig. , 161 Ill.2d 233, 204 Ill.Dec. 216, 641 N.E.2d 440, 444 (1994). Illinois law recognizes three exceptions to the economic loss doctrine: (1) where a plaintiff sustains personal injury or property damage resulting from a sudden or dangerous occurrence; (2) where plaintiff's damages were proximately caused by defendant's intentional, false representation; and (3) where plaintiff's damages were proximately caused by the negligent misrepresentation of a defendant in the business of supplying information for the guidance of others in business transactions. Moorman , 61 Ill.Dec. 746, 435 N.E.2d at 450–52.
Here, Plaintiffs' damages are economic losses. Specifically, Illinois Plaintiff Perdue alleges she went weeks without access to her account while awaiting a replacement card, and Illinois Plaintiff Davis-Berg spent time monitoring his account to deal with the side-effects of the data breach. The Seventh Circuit has noted that lost time and an inability to use or access funds due to a data breach are economic losses. Dieffenbach v. Barnes & Noble, Inc. , 887 F.3d 826, 828-29 (7th Cir. 2018). Moreover, none of the exceptions to the economic loss doctrine apply here. There was no sudden or dangerous occurrence. Data breaches are a foreseeable risk of participating in card networks, not an unexpected physical hazard. Cmty. Bank of Trenton , 887 F.3d at 817 (citations omitted). Plaintiffs suggest that Defendant engaged in wrongful conduct by "fail[ing] to inform Plaintiffs and members of the class that it did not maintain computer software and other security procedures and precautions ... [or by] fail[ing] to inform Plaintiffs and the class of the Data Breach in a timely and accurate manner." (ECF No. 21 at 33). These allegations, however, fail to identify a specific actionable fraudulent statement under Illinois law. See Moorman , 61 Ill.Dec. 746, 435 N.E.2d at 452. Moreover, Defendant did not have a professional advisory relationship with Plaintiffs, so that exception also does not apply. Id. ; see In re Michaels Stores Pin Pad Litig. , 830 F.Supp.2d 518, 530 (N.D. Ill. 2011). Therefore, Count I's negligence claim and Count II's negligence per se claim are dismissed as they relate to the Illinois Plaintiffs.
Similarly, the elements presented in Cooney are also present in Missouri law. Missouri courts use the same four-factor common law duty test for negligence. See Hoffman v. Union Elec. Co. , 176 S.W.3d 706, 708 (Mo. 2005). Missouri also has a data privacy statute whose only consumer-facing mandate is notice. Compare Mo. Ann. Stat. § 407.1500 with 815 Ill. Comp. Stat. 530/10. In addition, the Missouri Attorney General has "exclusive authority" for enforcing Missouri's data breach notice statute by a civil action. Id. at § 407.1500(4) ; see Amburgy v. Express Scripts, Inc. , 671 F.Supp.2d 1046, 1055 (E.D. Mo. 2009) (concluding that no such negligence cause of action exists under Missouri law). Additionally, Missouri does not permit "recovery in tort for pure economic damages" without personal injuries or property damage. Autry Morlan Chevrolet Cadillac, Inc. v. RJF Agencies, Inc. , 332 S.W.3d 184, 192 (Mo. Ct. App. 2010). Missouri's economic loss doctrine applies to "losses that are contractual in nature," Captiva Lake Inv., LLC v. Ameristructure, Inc. , 436 S.W.3d 619, 628 (Mo. Ct. App. 2014). There is an exception to the economic loss rule for special relationships that give rise to a fiduciary duty, but "the existence of a business relationship does not give rise to a fiduciary relationship, nor a presumption of such a relationship," short of, for example, a "financial partnership" or principal-agent relationship. See Autry Morlan Chevrolet , 332 S.W.3d at 194-95 (citations omitted). Plaintiffs' alleged damages do not include personal injury or property damage and there is no financial partnership here. Therefore, like Illinois, Missouri is not likely to recognize the negligence claims Plaintiffs assert here.
Missouri Plaintiffs' negligence per se claim also fails because of the same statutory inferences. Neither Illinois nor Missouri have legislatively imposed liability for personal data breaches, opting instead to limit their statutory intervention to notice requirements. Cooney , 347 Ill.Dec. 733, 943 N.E.2d at 28–29 ; Amburgy , 671 F.Supp.2d at 1055. For both states, a plaintiff must show that a statute or ordinance has been violated. Cmty. Bank of Trenton , 887 F.3d at 819. Under Missouri law, negligence per se is a type of negligent conduct that results from the violation of a statute imposing a duty. Lowdermilk v. Vescovo Building & Realty Co., Inc. , 91 S.W.3d 617, 628 (Mo. Ct. App. 2002). In Lowdermilk , the appellate court noted that any "conduct which constitutes untrustworthy or improper fraudulent or dishonest dealings or demonstrates bad faith or gross incompetence has been held not to be a basis for negligence per se ." Id. Further, the court noted that "the doctrine of negligence per se has traditionally arisen in cases involving personal injury and physical injury to property[,]" and the doctrine had not yet been extended to any case that involved damage to economic interests. Id. As stated above, the Court does not find that personal or property injury occurred here. Therefore, Count I's negligence claim and Count II's negligence per se claim are dismissed as they relate to the Missouri Plaintiffs.
Kansas courts also recognize the economic loss doctrine. Rand Const. Co. v. Dearborn Mid-W. Conveyor Co. , 944 F. Supp. 2d 1042, 1062 (D. Kan. 2013). Under the economic loss doctrine, a plaintiff seeking recovery for economic losses cannot proceed under theories sounding in tort. Prof'l Lens Plan, Inc. v. Polaris Leasing Corp. , 234 Kan. 742, 675 P.2d 887, 899 (1984). "In other words, where plaintiff has suffered no personal injuries or damage to other property, a cause of action based upon tort does not exist." City of Winfield, Kan. v. Key Equip. & Supply Co. , 2012 WL 1207256, at *1 (D. Kan. 2012) (internal citation omitted). This is similar to the economic loss doctrine established in Illinois and Missouri. For the same reasons stated above, the economic loss doctrine bars the Kansas Plaintiffs' claims for negligence and negligence per se . Therefore, Count I's negligence claim and Count II's negligence per se claim are dismissed as they relate to the Kansas Plaintiffs.
C. Minnesota and Wisconsin
Defendant claims that Plaintiffs' negligence and negligence per se claims under Minnesota and Wisconsin law fail because Plaintiffs do not allege any compensable damages. Whether Plaintiffs have stated a claim for negligence depends on whether they sufficiently pled facts, which if proven true, would establish all four required elements of an actionable negligence claim. Hoida, Inc. v. M & I Midstate Bank , 291 Wis.2d 283, 717 N.W.2d 17, 26 (2006). Under both Minnesota and Wisconsin law, a plaintiff must establish: (1) the existence of a duty of care on the part of the defendant; (2) that the defendant breached that duty of care; (3) a causal connection between the defendant's breach of the duty of care and the plaintiff's injury; (4) and that he or she suffered an actual loss or damage that resulted from the breach. Id. ; Glorvigen v. Cirrus Design Corp. , 796 N.W.2d 541, 549 (Minn. Ct. App. 2011), aff'd, 816 N.W.2d 572 (Minn. 2012). In Wisconsin, the elements of duty and breach are usually presented to the trier of fact in a question asking whether the defendant was negligent, and then the elements of causation and damages are addressed. Nichols v. Progressive Northern Ins. Co. , 308 Wis.2d 17, 746 N.W.2d 220, 225 (2008) (internal citation omitted). At the motion to dismiss stage, Wisconsin courts have "reserved the right to deny the existence of a negligence claim based on public policy reasons." Hoida , 717 N.W.2d at 24.
Foreseeability of harm is an element of the duty of care. Nichols , 746 N.W.2d at 226 (internal citation omitted). As noted above, data breaches are a foreseeable risk of participating in card networks. See Cmty. Bank of Trenton , 887 F.3d at 817. Plaintiffs alleges that Defendant breached its duty of care when it failed to maintain the security of its payment system, and that they were injured as a result. Therefore, Plaintiffs satisfy the first, second, and third elements of a negligence claim.
Rule 8 does not create a pleading standard for damages beyond what is necessary to establish standing. Dieffenbach , 887 F.3d at 828. "To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available." Id. Plaintiff Davis alleges her payment card was cancelled as a result of the data breach. Plaintiff Trang alleges she suffered approximately $1000.00 in fraudulent charges and the cancellation of her bank card due to the breach. Defendant argues that because Davis fails to allege that she experienced fraudulent charges, suffered any out-of-pocket loss, or experienced identity theft, that her negligence and negligence per se claims should be dismissed. Defendant further argues that because Trang fails to allege that the fraudulent charges were not reimbursed, or that her bank required her to pay any fees, that her claims should also be dismissed. The Court finds that the specific allegations Defendant contends are necessary to establish a claim are not required at the pleading stage. See Fox v. Iowa Health Sys. , 399 F.Supp.3d 780, 795 (W.D. Wis. 2019) (stating that at the pleading stage plaintiffs only have to allege they suffered injury in fact as a result of a data breach); see also In re Target Corp. Data Sec. Breach Litig. , 66 F.Supp.3d 1154, 1171 (D. Minn. 2014) (holding that negligence claims would not be dismissed because defendant was seeking a more detailed explanation of what damages were caused by delayed data breach notification). Therefore, the Court declines to dismiss Count I's negligence claim and Count II's negligence per se claim as they relate to Plaintiff Trang and Davis, as well as the state classes from Minnesota and Wisconsin.
D. Iowa
Plaintiffs conceded their Iowa negligence and negligence per se claims; therefore, the Court dismisses the claims as they relate to Plaintiffs Savoie and Ellingson, as well as state classes from Iowa. (ECF No. 36 at 29).
II. Plaintiffs' Contract and Quasi-Contract Claims
Defendant claims that Plaintiffs' contract and quasi contract claims are deficient because: (1) Plaintiffs fail to sufficiently plead facts that infer an implied contract existed; (2) Plaintiffs fail to sufficiently plead the existence of any contract to which they were intended third-party beneficiaries; (3) Plaintiffs insufficiently allege that Defendant was unjustly enriched; and (4) Plaintiffs unjust enrichment claim cannot stand on its own. The Court addresses each argument in turn.
A. Implied Contract
The Parties agree that that there is no conflict of laws related to Plaintiffs' implied contract claim, accordingly, the Court will apply Illinois law. (ECF No 31 at 24; ECF No. 26 at 28). In Count I, Plaintiffs allege that implied contracts were created when they provided Defendant with their card information, and in exchange, Defendant agreed to provide them with certain services, to take measures to protect their security and confidentiality, and protect their personal information. Plaintiffs claim that the protection of their personal information was a material term of these implied contracts.
An implied contract is created by the parties' conduct and contains all of the elements of an express contract—offer, acceptance, and consideration—as well as a meeting of the minds. Brody v. Finch Univ. of Health Scis. 298 Ill.App.3d 146, 232 Ill.Dec. 419, 698 N.E.2d 257, 265 (1998). Under a similar set of facts, this district held that plaintiffs plausibly alleged a claim for breach of implied contract under Illinois law. See Irwin , 175 F. Supp. 3d at 1070-71 (holding that plaintiffs in a data breach case alleged the existence of an implied contract obligating defendant to take reasonable measures to protect customers' information); see also In re Michaels , 830 F.Supp.2d at 531-32 (holding that an implicit contractual relationship existed between plaintiffs and defendant which obligated defendant to protect plaintiffs' financial information in data breach case). "[W]hen the customer uses a credit card for a commercial transaction, he [or she] intends to provide the data to the merchant, and not to an unauthorized third party." Irwin , 175 F. Supp. 3d at 1070 (internal citation omitted). Additionally,
a jury could reasonably find an implied contract between the defendant and its customers that defendant would take reasonable measures to protect the customers' financial information ... [W]hen a customer uses a credit card in a commercial transaction, [he or] she intends to provide the data to the merchant only ... and does not expect—and certainly does not intend—the merchant to allow unauthorized third parties to access that data.
In re Michaels , 830 F.Supp.2d at at 531 (internal quotation and citation omitted).
The Court finds that the reasoning outlined in Michaels also applies here. Plaintiffs have plausibly alleged the existence of an implied contract obligating Defendant to take reasonable measures to protect their private information and to timely notify them of the data breach. Plaintiffs have also plausibly alleged they would not have entered into transactions with Defendant if they had known it would not protect their information. Therefore, the Court declines to dismiss Count III's breach of implied contract claim.
B. Breach of Contract/Third Party Beneficiary
The Court will apply Illinois law to Plaintiffs' breach of contract claim as Plaintiffs have not claimed the existence of an outcome determinative conflict. Int'l Adm'rs, Inc. , 753 F.2d at 1376. In Count IV, Plaintiffs allege breach of contracts to which Plaintiffs were intended third-party beneficiaries. These contracts include "various entities ... (i) contracts between Hy-Vee and its merchant customers ... (ii) contracts between Hy-Vee and Visa and/or Mastercard ... [and] (iii) contracts between Hy-Vee and its acquiring banks." (ECF No 21 at 40). Defendant argues that Plaintiffs have not alleged the necessary facts to put it on notice of what contracts it allegedly breached; rather, the Plaintiffs only vaguely allude to unspecified contracts. Defendant contends that the vague allegations are insufficient to give notice of any breach of contract claim. Furthermore, Defendant claims that Plaintiffs have failed to establish that they were the intended third-party beneficiaries of these unidentified contracts. Plaintiffs argue that they are not required to attach the breached contracts at this stage and that Defendant "knows what agreements Plaintiffs are referring to." (ECF No. 36 at 31).
To state a claim for breach of contract, a plaintiff must allege: "(1) the existence of a valid and enforceable contract; (2) substantial performance by the plaintiff; (3) a breach by the defendant; and (4) resultant damages." Reger Dev., LLC v. Nat'l City Bank , 592 F.3d 759, 764 (7th Cir. 2010). Here, it is uncertain that a valid or enforceable contract exists. The Court agrees with Defendant that broadly referring to unspecific contracts with "various entities" such as "merchant customers," "Visa and/or Mastercard," and "acquiring banks" is not sufficient to put Defendant on notice which contracts it breached. (ECF No 21 at 40). While Plaintiffs are not required to attach the exact contracts they claim Defendant breached to their complaint, they must allege enough facts that identify a certain contract or provision. See Babbitt Municipalities, Inc. v. Health Care Serv. Corp. , 408 Ill.Dec. 93, 64 N.E.3d 1178, 1186 (2016) (holding that if contract terms are too uncertain or indefinite to enforce, allegations of a breach of those terms will not provide a basis for a breach of contract claim). As pled, the contracts Plaintiffs allude to could encompass a wide variety of different terms that are not applicable, or perhaps no such contracts exist. The allegations are extremely broad. Since the contracts are unidentified, it is also not possible to determine if Plaintiffs were third-party beneficiaries. Therefore, the Court dismisses Count IV's breach of contract claim without prejudice and grants Plaintiffs leave to file an amended complaint to re-plead this count within twenty-one (21) days, if they can do so in good faith.
C. Unjust Enrichment
The Court will also apply Illinois law to Plaintiffs' unjust enrichment claim, as Plaintiffs have not claimed the existence of an outcome determinative conflict. Int'l Adm'rs, Inc. , 753 F.2d at 1376. In Count XV, Plaintiffs plead unjust enrichment in the alternative of their implied contract claim. Plaintiffs allege that they conferred a monetary benefit upon Defendant in the form of monies paid for the purchase of goods and that Defendant was supposed to use Plaintiffs' monies, in part, to pay for the costs of reasonable data privacy and security measures. Defendant claims that these allegations lack merit because Plaintiffs admit they obtained goods in exchange for the financial benefit they conferred on Defendant. Additionally, Defendant contends that no allegations support the idea that there was an understanding between Defendant and Plaintiffs that some portion of their purchase was intended for data security. Under Illinois law, "a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience." HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc. , 131 Ill.2d 145, 137 Ill.Dec. 19, 545 N.E.2d 672, 679 (1989). In Irwin , this Court addressed similar allegations and dismissed the plaintiff's unjust enrichment claim. 175 F. Supp. 3d at 1072 ("[T]he court agrees with the defendants. [Plaintiff] paid for food products. She did not pay for a side order of data security and protection; it was merely incident to her food purchase.").
Plaintiffs have not alleged that any specific portion of their payments went toward data protection; rather, they state that their payments were for food and gas. Additionally, Plaintiffs have not alleged a benefit conferred in exchange for protection of their personal information. The Seventh Circuit has stated that similar arguments are not applicable unless the product plaintiff received was defective or dangerous. See Lewert v. P.F. Chang's China Bistro, Inc. , 819 F.3d 963, 968 (7th Cir. 2016) (stating that plaintiffs' argument that the cost of their meals was an injury since they would not have dined at the restaurant had they known of its poor data security was insufficient because the product was not defective); see also Remijas v. Neiman Marcus Grp., LLC , 794 F.3d 688, 695 (7th Cir. 2015) (plaintiffs alleged unjust enrichment claiming department store sold its products at premium prices, instead of taking a portion of the proceeds for cybersecurity. The court held "this is a step that we need not, and do not, take in this case. Plaintiffs do not allege any defect in any product they purchased; they assert instead that patronizing [defendant] inflicted injury on them."). Plaintiffs here do not allege that the food or gas they received was defective. Therefore, the Court dismisses Count XV's unjust enrichment claim.
III. Plaintiffs' Statutory Claims
A. Iowa and Kansas Data Breach Notification Statutes
In Count VI, Plaintiffs allege Defendant violated the Iowa Personal Information Security Breach Protection Act, Iowa Code Ann. § 715C.2 ("PISBPA"), by delaying sending notice of the data breach to consumers in a timely fashion. In Count IX, Plaintiffs allege Defendant violated the Kansas Protection of Consumer Information Act, Kan. Stat. Ann. § 50-7a02 ("PCI"), by failing to immediately provide notice of the data breach to consumers.
Defendant claims that neither the Iowa PIBPA nor the Kansas PCI allow for a private right of action and that both statutes are only enforceable by the respective state's attorney general. Plaintiffs contend that the statutes are ambiguous as to whether they create a private right of action.
In Iowa, a violation of PIBPA entails:
[a]ny person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification ... to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... and consistent with any measures necessary to sufficiently
determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
Iowa Code Ann. § 715C.2(1). Additionally, it
is an unlawful practice [under the consumer-protection statute] and, in addition to the remedies provided to the attorney general [in the consumer-protection statute], the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by this violation.
§ 715C.2(9)(a). However, the statute further provides that the "rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law." § 715C.2(9)(b). In recent decisions in data breach cases interpreting this statute, other courts have found that the statute is ambiguous with regard to whether it creates a private right of action, and therefore, these courts have not been inclined to dismiss such claims at the motion to dismiss stage. See In re Target Corp. , 66 F.Supp.3d at 1169 (holding § 715C.2(9)(b) to be "ambiguous as to whether private enforcement is permissible, and Plaintiffs' Iowa claim will not be dismissed."); see also In re Equifax, Inc. , 362 F.Supp.3d at 1339 (agreeing with the court's decision from In re Target Corp. and declining to dismiss Iowa PISBPA claim). This Court likewise concludes that Plaintiffs' claims under Count VI's Iowa data breach statute should not be dismissed.
In Kansas, a violation of the PCI entails:
[a] person that conducts business in this state, or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Kan. Stat. Ann. § 50-7a02 (a). Additionally,
[f]or violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.
§ 50-7a02 (g). Similarly, courts in recent data breach cases have also found the Kansas PCI to be ambiguous as to whether a private right of action exists. See In re Target Corp. , 66 F.Supp.3d at 1169 (pointing out that the Kansas statute states "the enforcement provisions are not exclusive). The Defendant here has not identified any authority construing the language from this particular data breach statute as precluding a private right of action. "[A]bsent any authority construing this ambiguity to exclude private rights of action, the [Kansas PCI] claims should not be dismissed." In re Equifax, Inc. , 362 F. Supp. 3d at 1341. Therefore, the Court declines to dismiss Plaintiffs' claims under Count IX's Kansas PCI in this matter.
B. Consumer Fraud and Deceptive Trade Practices
In Count V, Plaintiffs allege a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 Ill. Comp. Stat. Ann. 505/1 et seq. ("Illinois CFA"). In Count VI, Plaintiffs allege a violation of the Illinois Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. 510/1 et seq. ("Illinois DTPA"). In Count VIII, Plaintiffs allege a violation of the Iowa Consumer Fraud Act, Iowa Code Ann. §§ 714H.3, 714H.5 ("Iowa CFA"). In Count X, Plaintiffs allege a violation of the Kansas Consumer Protection Act, Kan. Stat. Ann. § 50-623 et seq. ("Kansas CPA"). In Count XI, Plaintiffs allege a violation of the Minnesota Prevention of Consumer Fraud Act, Minn. Stat. Ann. §§ 325F.68 et seq. ; 8.31 ("Minnesota CFA"). In Count XII, Plaintiffs allege a violation of the Minnesota Uniform Deceptive Trade Practices Act, Minn. Stat. Ann. § 325D.43 et seq. ("Minnesota DTPA"). In Count XIII, Plaintiffs allege a violation of the Missouri Merchandising Practices Act, Mo. Ann. Stat. § 407.020(a) et seq. ("Missouri MPA"). In Count XIV, Plaintiffs allege a violation of the Wisconsin Deceptive Trade Practices Act, Wis. Stat. Ann. § 100.18 et seq. ("Wisconsin DTPA").
Defendant argues that the respective consumer fraud and deceptive trade practices claims should be dismissed for failure to plead fraud under Federal Rule of Civil Procedure 9(b)'s heightened pleading standard. Alternatively, Defendant argues that if the claims are s not dismissed under Rule 9(b), then the claims should be dismissed for the following reasons: (1) the Illinois CFA claim fails for lack of damages, causation, and failure to plead a nexus to Illinois; (2) the Illinois DTPA claim fails for failure to allege a likelihood of future harm; (3) the Iowa CFA claim fails for lack of damages and causation; (4) the Minnesota CFA claim fails to allege a misstatement made in connection with the sale of merchandise; (4) the Minnesota DTPA claim fails to allege a misstatement made in connection with the sale of merchandise or a likelihood of future harm; (6) the Missouri MPA claim fails to allege a misstatement made in connection with the sale of merchandise or damages; and (7) the Wisconsin DTPA claim fails for lack of damages and causation. Plaintiffs contend that their claims are not subjected to the heightened pleading standard under Rule 9(b), rather, they are subject to the liberal notice pleading requirements under Rule 8(a). Plaintiffs also state that they have properly alleged actual damages and ascertainable losses as a result of Defendant's unfair and deceptive conduct; that the Illinois and Iowa CFAs require only that Plaintiffs' damages occur as a result of an unfair or deceptive practice; that they have plausibly alleged multiple acts and forbearances that constitute omission under Minnesota and Missouri law in connection with sales made at Defendant's locations; and Plaintiffs have made numerous allegations of risk of future harm resulting from the breach.
i. Rule 9(b)
Rule 9(b) requires a complaint to "state with particularity the circumstances constituting fraud." Fed. R. Civ. P. 9(b). This ordinarily requires describing the "who, what, when, where, and how" of the fraud. Pirelli Armstrong Tire Corp. Retiree Med. Benefits Tr. v. Walgreen Co. , 631 F.3d 436, 441–42 (7th Cir. 2011). Claims are only subject to these heightened pleading standards if they "sound in fraud," i.e., they are "premised on a fraudulent course of conduct." Id. at 446–47 (citation omitted). According to Defendant, Plaintiffs allege claims under many state laws that are subject to these heightened pleading standards, including their claims for deceptive trade practices; however, the Court concludes that Plaintiffs' unfair and deceptive trade practices claims are not subject to Rule 9(b)'s heightened pleading standards.
As a procedural matter, courts have held that similar complaints alleging fraud and deceptive practices in federal court should be judged under Rule 8(a) and not the particularity requirement for fraud under Rule 9(b). Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs, Inc. , 536 F.3d 663, 670 (7th Cir. 2008) ; see In re Target Corp. , 66 F. Supp. 3d at 1163 ; see also Fed. Trade Comm'n v. Hornbeam Special Situations, LLC , 308 F.Supp.3d 1280, 1286-87 (N.D. Ga. 2018) (stating that to sound in fraud, the elements of the claim must be similar to that of common law fraud, requiring, among other things, proof of scienter, reliance, and injury).
Here, Defendant has failed to show that the state unfair and deceptive trade practice statutes sound in fraud. It has also failed to demonstrate that the elements of these statutes are similar to the elements of common law fraud, and they have not shown that Plaintiffs' theory of recovery rests upon a unified course of fraudulent conduct. Defendant's sole argument is that Plaintiffs have failed to allege the "who, what, when, where, and how" of its conduct. (ECF No. 31 at 35). Even assuming arguendo that the Rule 9(b) standard applies, Plaintiffs have alleged enough facts to establish who (the Defendant), what and how (security was inadequate to protect against a data breach and the information was withheld), when (the data breach occurred between November 2018 and August 2019), and where (respective Plaintiffs' states). Therefore, the Court concludes that the heightened pleading standards of Rule 9(b) do not apply to the particular state statutes.
ii. Actual Damages
Plaintiffs do not oppose Defendant's motion to dismiss their claims under the Wisconsin DTPA; therefore, Count XIV is dismissed. (ECF No. 36 at 13).
In Illinois, only a person who suffers actual damage may bring an action under the CFA. 815 Ill. Comp. Stat. 505/10a(a). The plaintiff must allege a purely economic injury, measurable by the plaintiff's loss. Morris v. Harvey Cycle & Camper, Inc. , 392 Ill.App.3d 399, 331 Ill.Dec. 819, 911 N.E.2d 1049, 1053 (2009) ; see Mulligan v. QVC, Inc. , 382 Ill.App.3d 620, 321 Ill.Dec. 257, 888 N.E.2d 1190, 1197–98 (2008) ("If the plaintiff is not materially harmed by the defendant's conduct, however flagrant it may have been, there may be no recovery.").
The Court has already determined that Plaintiffs have alleged economic injury under Illinois law and suffered economic losses. Additionally, Defendant itself concedes that the alleged damages are considered economic. (ECF No. 31 at 22); see Dieffenbach , 887 F.3d at 830 (holding that economic losses were alleged when plaintiff did not have access to funds for three days, and plaintiff spent time working with the police and her bank to restore the funds). Therefore, the Court declines to dismiss Count V's Illinois CFA claim on Defendant's basis that the Illinois Plaintiffs did not allege actual damages.
Private actions brought under the Iowa CFA, "require[ ] plaintiffs to prove an ascertainable loss of money or property caused by the misrepresentation." Fox , 399 F.Supp.3d at 798 (internal quotation omitted). Here, Iowa Plaintiff Savoie experienced two fraudulent charges, one for $100.00 and another for $74.28. Iowa Plaintiff Ellingson's debit card was cancelled leaving her without access to funds between August 27, 2019, and September 4, 2019. Defendant contends that because Savoie does not allege that the charges went unreimbursed, the Iowa CFA should not apply. The Court reiterates that Plaintiffs are not required to state whether they were reimbursed at the pleading stage. See Fox , 399 F.Supp.3d at 795 (finding that plaintiffs only have to allege they suffered injury in fact as a result of a data breach at the pleading phase). At this juncture, the Court finds that the two fraudulent charges suffice as ascertainable losses of money and that not having access to funds or a debit card suffices as loss of property. Therefore, the Court declines to dismiss Count VIII's Iowa CFA claim on Defendant's basis that the Iowa Plaintiffs did not allege actual damages.
To state a claim under the Missouri MPA, a plaintiff must allege: (1) the purchase of merchandise; (2) for personal, family, or household purposes; and (3) an ascertainable loss of money or property as a result of an act or practice declared unlawful under the MPA. See Hess v. Chase Manhattan Bank, USA, N.A. , 220 S.W.3d 758, 773 (Mo. 2007). The MPA defines merchandise as "objects, wares, goods, commodities, intangibles, real estate or services." Mo. Ann. Stat. § 407.010(4) ; Edmonds v. Hough , 344 S.W.3d 219, 223 (Mo. Ct. App. 2011) ;
Here, Plaintiffs purchased merchandise in the form of food or gas. They also experienced an ascertainable loss of money or property. Specifically, Missouri Plaintiff Grewing purchased merchandise by accessing gas pumps that were affected by the data breach, and as a result, experienced an ascertainable loss of money when two fraudulent charges for $7.81 and $25.94 occurred. He also spent time driving to the bank, disputing charges, and cancelling his debit card. Missouri Plaintiff Murray purchased food at restaurants operated by Defendant that were affected by the data breach, and as a result, lost his property for a time period when his debit card was cancelled and replaced. Therefore, the Court declines to dismiss Count XIII's Missouri MPA claim on Defendant's basis that the Missouri Plaintiffs did not allege actual damages.
iii. Causation
The Illinois CFA declares unlawful the "unfair or deceptive acts or practices, including ... misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon [it] ... in the conduct of trade or commerce ... whether any person has in fact been misled, deceived or damaged thereby." 815 Ill. Comp. Stat. 505/2. Defendant argues that Plaintiffs must allege that he or she actually saw a communication or advertisement and was deceived by Defendant's statements. In Cozzi Iron & Metal, Inc. v. U.S. Office Equipment, Inc. , 250 F.3d 570, 576 (7th Cir. 2001), the Seventh Circuit held that the misrepresentation must relate to information that is material to a buyer or essential to the transaction, while acknowledging Illinois state courts (at the time) did not require the plaintiff to show reliance for the claim to be valid. Id. However, in a case post-dating Cozzi , the Illinois state court held that for CFA claims, "a plaintiff must prove that he or she was actually deceived by the misrepresentation in order to establish the element of proximate causation." Avery v. State Farm Mut. Auto. Ins. Co. , 216 Ill.2d 100, 296 Ill.Dec. 448, 835 N.E.2d 801, 861 (2005).
Here, Plaintiffs allege a deceptive omission of material fact. Courts have held that an omission or concealment of material fact in the conduct of trade can constitute a violation of the Illinois CFA. See Lateef v. Pharmavite LLC , No. 12 C 5611, 2013 WL 1499029, at *3 (N.D. Ill. Apr. 10, 2013) (citing Wigod v. Wells Fargo Bank, N.A. , 673 F.3d 547, 575 n.13 (7th Cir. 2012) (collecting cases)) ("Omissions are also actionable under the [Illinois CFA] if they are intended to induce the plaintiff's reliance."); see also Haymer v. Countrywide Bank, FSB , 2011 WL 2790172, at *4 (N.D. Ill. July 15, 2011) (finding the plaintiffs allegations were sufficient to show reliance under the Illinois CFA when the defendants omitted or concealed a material fact in the loan application process); Capiccioni v. Brennan Naperville, Inc. , 339 Ill.App.3d 927, 274 Ill.Dec. 461, 791 N.E.2d 553, 558 (2003) ("A defendant need not have intended to deceive the plaintiff; innocent misrepresentations or omissions intended to induce the plaintiff's reliance are actionable under [the Illinois CFA]"). Accordingly, the Court finds that Plaintiffs have plausibly alleged causation and a claim under the Illinois CFA, because the allegation that Defendant's failure to disclose that its system for payment cards was not reasonably secure is a material omission, and if Plaintiffs had known that information, they would not have made the purchases. The Court declines to dismiss Count V's Illinois CFA claim as they relate to the Illinois Plaintiffs.
Under the Iowa CFA, a plaintiff must have "suffer[ed] an ascertainable loss of money or property as the result of a prohibited practice." Iowa Code Ann. § 714H.5(1). "[T]he phrase ‘as a result of’ can be ‘naturally read simply to impose the requirement of a causal connection.’ " Sanders v. Kohler Co. , 641 F.3d 290, 294 (8th Cir. 2011) (quoting Brown v. Gardner , 513 U.S. 115, 119, 115 S.Ct. 552, 130 L.Ed.2d 462 (1994) ). "Until recently, [the Iowa Supreme Court] described causation as consisting of two components: cause in fact and proximate, or legal, cause." Garr v. City of Ottumwa , 846 N.W.2d 865, 869 (Iowa 2014) (citations omitted). But the Iowa Supreme Court "no longer refer[s] to proximate or legal cause; instead, [it] use[s] a different formulation, scope of liability." Id. (citation omitted). Moreover, Iowa courts apply a but-for test in determining whether a "defendant in fact caused the plaintiff's harm." Id. The Iowa Supreme Court described that test as follows:
[T]he defendant's conduct is a cause in fact of the plaintiff's harm if, but-for the defendant's conduct, that harm would not have occurred. The but-for test also implies a negative. If the plaintiff would have suffered the same harm had the defendant not acted negligently, the defendant's conduct is not a cause in fact of the harm.
Id. (quotations and citations omitted). Moreover, "[c]ausation is ordinarily a jury question." Id. at 870.
The Court finds that Plaintiffs have alleged enough facts that plausibly establish Defendant's failure to implement reasonable security measures caused Plaintiffs' harm, and but for Defendant's conduct, that harm would not have occurred. Plaintiffs allege they would not have been victims of a data breach had Defendant not acted negligently. At this stage, the Court cannot go into a further inquiry regarding causation as that is ordinarily a question for the jury. Therefore, the Court declines to dismiss Count VII's Iowa CFA claim as it relates to the Iowa Plaintiffs.
iv. Misstatements
Defendant argues that to state a claim under the Minnesota DTPA, Minnesota CFA, and Missouri MPA, Plaintiffs must allege that Defendant made misstatements in connection with the sale or advertisement of merchandise. Defendant also argues that Plaintiffs' allegations are defective because it does not sell data security services. Plaintiffs state that Defendant misapprehends the case and that their claims instead arise from Defendant's omission of its data security failures in its POS systems.
The Minnesota DTPA describes conduct that constitutes deceptive trade practices, including "pass[ing] off goods or services as those of another," "caus[ing] likelihood of confusion or of misunderstanding as to ... certification of goods or services" and "any other conduct which similarly creates a likelihood of confusion or misunderstanding." Minn. Stat. Ann.§ 325D.44, subdiv. 1(1),(2),(13). The Minnesota CFA prohibits "[t]he act, use, or employment by any person of any fraud, false pretense, false promise, misrepresentation, misleading statement or deceptive practice, with the intent that others rely thereon in connection with the sale of any merchandise...." Minn. Stat. Ann. § 325F.69, subdiv. 1. Furthermore, the Missouri MPA was enacted "to preserve fundamental honesty, fair play, and right dealings in public transactions." In re Sony Gaming Networks & Customer Data Sec. Breach Litig. , 996 F. Supp. 2d 942, 999 (S.D. Cal. 2014) (internal quotation and citation omitted). The Act prohibits "deception, fraud, false pretense, false promise, misrepresentation, unfair practice or concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce." Mo. Ann. Stat. § 407.020(1)
At this stage, the Court finds that Plaintiffs have sufficiently pled claims under the Minnesota and Missouri statutes. Specifically, Plaintiffs allege that Defendant was on notice of its data security shortcomings and failed to disclose the data breach in a timely manner. These misstatements were all made in connection with sales at Defendant's various locations. Courts have refused to dismiss these types of claims when similar allegations were made. See In re Target Corp. , 66 F.Supp.3d at 1162-63 (denying motion to dismiss claims brought under Minnesota consumer protection statutes in data breach case); see In re Sony , 996 F.Supp.2d at 999 (denying motion to dismiss Missouri MPA claim because defendant "omitted material information regarding the security of its network at the point of sale."); see also Gordon v. Chipotle Mexican Grill, Inc. , 344 F. Supp. 3d 1231, 1254 (D. Colo. 2018) (affirming magistrate recommendation denying motion to dismiss Missouri MPA claim in data breach case); but see E-Shops Corp. v. U.S. Bank Nat. Ass'n , 678 F.3d 659, 666 (8th Cir. 2012) (granting motion to dismiss Minnesota DPA and CFA claims because factual allegations did not explain "the who, what, when, where and how [defendant's] conduct amounted to false, deceptive, or misleading conduct."). Defendant urges the Court to follow the opinion in Kuhns v. Scottrade, Inc. , 868 F.3d 711, 719 (8th Cir. 2017), where the court granted defendant's motion to dismiss plaintiffs' Missouri MPA claim; however, in that case, a securities brokerage firm told its customers that data security measures were in place to induce customers to voluntarily transfer their personal identifying information to defendant in order to obtain its brokerage services. Id. Here, Defendant did not induce consumers to provide personal identifying information by telling them they had data security measures in place in order for them to purchase merchandise, such as food or gas. Plaintiffs state that according to Defendant's argument, the only viable data breach class action lawsuits would be those asserting claims against companies that sell data security services, and such an argument would be nonsensical. The Court agrees. As stated above, there are numerous data breach cases that proceed against businesses that do not sell data security. Therefore, the Court declines to dismiss Counts XI and XII Minnesota CFA and DTPA claims as they relate to the Minnesota Plaintiffs. The Court also declines to dismiss Count XIII's Missouri MPA claim as it relates to the Missouri Plaintiffs.
v. Future Deception or Harm
Defendant argues that Plaintiffs have failed to allege a likelihood of future harm as required under the Illinois DTPA and Minnesota DTPA, because those statutes only permit injunctive relief. Plaintiffs contend that they made allegations of risk of future harm resulting from the breach because their stolen information could be used in the future to perpetrate identity theft, to drain bank accounts, or make clone cards.
The Illinois DTPA "was enacted to prohibit unfair competition and was not intended to be a consumer protection statute." Chabraja v. Avis Rent A Car Sys. , Inc., 192 Ill.App.3d 1074, 140 Ill.Dec. 221, 549 N.E.2d 872, 876 (1989). Nonetheless, a consumer may seek injunctive relief under the DTPA if she can show that she is likely to be damaged in the future by the defendant's misleading trade practices. Popp v. Cash Station, Inc. , 244 Ill.App.3d 87, 184 Ill.Dec. 558, 613 N.E.2d 1150, 1157 (1992). In most consumer actions, the plaintiff is unable to allege facts showing a likelihood of future harm because the harm has already occurred, and because the plaintiff is unlikely to be deceived by a defendant's misstatements again in the future. Reid v. Unilever U.S., Inc. , 964 F. Supp. 2d 893, 918 (N.D. Ill. 2013). While Plaintiffs argue that Defendant's misrepresentations leave them open to a future risk of additional fraudulent activity, this is not the type of harm that the Court is able to issue an injunction against. In other words, the Court cannot stop hackers from using their information in the future. Additionally, Plaintiffs acknowledge that Defendant has "removed the malware and implemented enhanced security measures." (ECF No. 21 at 19). Courts have ruled that these types of allegations do not suffice as threat of future harm. See Fox , 399 F. Supp. 3d at 799–800 (plaintiff's' "arguments go to the risk of harm that [plaintiff] faces from the data breaches themselves, not the risk of harm that [plaintiff] faces if [defendant] continues to misrepresent its protective measures ... because [plaintiff] does not explain how this risk of harm will be abated if the court enters an injunction ... the court will dismiss [plaintiff's] claim under the [Illinois DTPA].") Therefore, the Court dismisses Count VI's Illinois DTPA claim as they relate to the Illinois Plaintiffs.
Similarly, the Minnesota DTPA also requires that Plaintiffs allege a likelihood of future harm. See Johnson v. Bobcat Co. , 175 F. Supp. 3d 1130, 1140-1141 (D. Minn. 2016) (recognizing that a plaintiff must allege a threat of future injury in order to receive injunctive relief under the Minnesota DTPA). For the same reasons cited above, the Court will also dismiss Count XII's Minnesota DTPA claim as it relates to the Minnesota Plaintiffs.
vi. Nexus to Illinois
Lastly, Defendant argues that Plaintiff Davis-Berg's Illinois CFA and DTPA claims should be dismissed because while Plaintiff alleges to be a resident of Illinois, she used her credit card to make a gas purchase in Kansas.
To bring a claim under the Illinois CFA or DTPA, a plaintiff must allege "circumstances that relate to the disputed transaction occur primarily and substantially in Illinois." Int'l Equip. Trading, Ltd. v. Illumina, Inc. , 312 F. Supp. 3d 725, 733 (N.D. Ill. 2018) (quoting Avery , 296 Ill.Dec. 448, 835 N.E.2d at 853 (2005) ). Here, Davis-Berg's disputed transaction occurred in Kansas, not Illinois. Therefore, Plaintiffs have not sufficiently pled an Illinois CFA or DTPA claim for Davis-Berg. The Court will allow Plaintiffs to replead only the Illinois CFA claim on behalf of Davis-Berg, but not the Illinois DTPA since the Court has already dismissed the claim.
CONCLUSION
For the reasons stated above, Defendant's Motion to Dismiss [31] is GRANTED IN PART and DENIED IN PART.
- Count I's negligence claim and Count II's negligence per se claim are dismissed as they relate to the Illinois Plaintiffs, the Missouri Plaintiffs, the Kansas Plaintiffs, and the Iowa Plaintiffs;
- Count IV's breach of contract claim is dismissed without prejudice and the Court grants Plaintiffs leave to file an amended complaint to re-plead this count within twenty-one (21) days, if they can do so in good faith;
- Count XV's unjust enrichment claim is dismissed;
- Count XIV's claim under the Wisconsin DTPA is dismissed as it relates to the Wisconsin Plaintiffs;
- Count VI's claim under the Illinois DTPA is dismissed as it relates to the Illinois Plaintiffs;
- Count XII's claim under the Minnesota DTPA claim is dismissed as they relate to the Minnesota Plaintiffs; and
- The Court will allow Plaintiffs to replead the Illinois CFA claim on behalf of Davis-Berg.
The Court declines to dismiss all remaining causes of action. The Court will also reach out the Parties to schedule a status conference in order to address class certification under Fed. R. Civ. P. 23(c)(1).