Irwin v. Jimmy John’s Franchise, LLC, --- F. Supp. 3d ---, No. 14–2275, 2016 WL 1355570 (C.D. Ill. Mar. 29, 2016)

Arizona citizen Barbara Irwin purchased prepared food products from the defendants (collectively, “Jimmy John’s”) at one or more Jimmy John’s locations in Arizona. Irwin swiped her debit and credit cards to complete the purchases.

In July 2014, Jimmy John’s learned that it was the victim of a data breach, potentially exposing its customers’ personal and financial information to unauthorized third parties. Irwin’s credit card was used fraudulently at least five times between August 25 and September 2, 2014. Jimmy John’s did not announce the data breach until September 24, 2014. Irwin has filed a nine-count complaint against Jimmy John’s on behalf of herself and as a class representative.1

The court has jurisdiction pursuant to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d).2 The amount in controversy is alleged to exceed $5,000,000.

The defendants have filed a motion to dismiss the complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6).

As an initial matter, Jimmy John’s correctly points out that Irwin has not responded to their arguments for dismissal of her claims under the Arizona data breach statute, or for bailment. Counts I and IV are therefore dismissed.

In ruling on a motion to dismiss, a court must accept the plaintiff’s well-pled allegations as true and draw reasonable inferences in the plaintiff’s favor. Perkins v. Silverstein, 939 F.2d 463, 466 (7th Cir. 1991). Dismissal is appropriate when there are not “enough facts to state a claim to relief that is plausible on its face.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). From the complaint, the court must separate facts from legal conclusions, and determine if the facts alleged plausibly give rise to an entitlement to relief. Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009). The determination of plausibility is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 556 U.S. at 678-79.

Count II - Illinois Personal Information Protection Act

Count VIII – Illinois Consumer Fraud and Deceptive Business Practices Act

Irwin alleges that Jimmy John’s was required, under the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1 et seq., to provide timely notice of a data breach. Section 10(b) of PIPA states, in pertinent part,

Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

815 ILCS 530/10(b). Jimmy John’s is a “data collector” as defined by the statute; it is a retail operator that “handles, collects, disseminates, or otherwise deals with nonpublic personal information.” 815 ILCS 530/5. Irwin’s claim is based on her status as an “owner” of her personal information.

Jimmy John’s argues that the language of PIPA excludes Irwin from coverage. The court agrees. Subsection 10(b), upon which Irwin relies, applies to owners of computerized data that includes personal information. Irwin did not own computerized data of her personal information. Also, PIPA subsection 10(b) requires owners of computerized data to be notified “immediately following discovery.” In contrast, subsection 10(a) applies to Illinois residents; it requires notice to be made expediently “and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”

The court is further persuaded by the remainder of subsection 10(b), which distinguishes between owners and Illinois residents:

In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. . . . The data collector's cooperation shall not, however, be deemed to require . . . the notification of an Illinois resident who may have been affected by the breach.

815 ILCS 530/10(b).

To construe the statute as Irwin suggests is illogical; it would confer less protection to Illinois residents than nonresidents.

The court is further persuaded by the language in subsection 10(c), which specifies the form of notice to “consumers.” It does not distinguish on the basis of residence or ownership. Irwin is a nonresident consumer; therefore, she has no cause of action under subsection 10(b).

Moreover, the court notes that a violation of PIPA constitutes an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act (“Consumer Fraud Act”). See 815 ILCS 530/20; 815 ILCS 505/2Z. Irwin alleges a separate claim under the Consumer Fraud Act. However, the Consumer Fraud Act does not apply to conduct that has little connection to the State of Illinois. Crichton v. Golden Rule Ins. Co., 576 F.3d 392, 396 (7th Cir. 2009) (citing Avery v. State Farm Mut. Auto Ins. Co., 835 N.E.2d 801 (Ill. 2005)).

A nonresident plaintiff may sue under the Consumer Fraud Act only if the circumstances giving rise to the cause of action occurred “primarily and substantially in Illinois.” Crichton, 576 F.3d at 396 (quoting Avery, 835 N.E.2d at 853-54). The location of a company’s headquarters is not dispositive, and when a nonresident’s transaction occurs primarily out of state, she has no claim under the Consumer Fraud Act. See Avery, 835 N.E.2d at 853-54 (noting nonresidents’ car repair estimates and repair work occurred out of state); Phillips v. Bally Total Fitness Holding Corp., 865 N.E.2d 310, 315-16 (Ill. App. Ct. 2007) (noting nonresidents’ memberships at out-of-state health clubs). In Crichton, a nonresident claimed he was deceived by an artificially low initial premium on group insurance, and was not informed that renewal premiums would be much higher. Crichton, 576 F.3d at 395-97. In all three cases, the courts ruled that the nonresident plaintiffs lack standing to sue under the Consumer Fraud Act. The same outcome is warranted in Irwin’s case.

Counts II and VIII are dismissed.

Count III – Breach of implied contract

Irwin alleges in Count III that she and other members of the class entered into implied contracts with Jimmy John’s by virtue of an agreement that Jimmy John’s would safeguard and protect their personal information and, in the event of a breach, to timely and accurately notify its customers. Jimmy John’s argues that Irwin cannot prevail on her claim under Arizona law because she has not shown the “critical terms” of the agreement, citing Pyeatte v. Pyeatte, 661 P.2d 196 (Ariz. Ct. App. 1982).

The court is not persuaded by Pyeatte, a divorce case decided thirty-four years ago. Pyeatte declined to find an implied contract because the terms were not sufficiently defined as to location, duration, and other specifics; it was nothing more than a “loosely worded agreement” that the couple would take turns working full time, first while the husband completed a law degree, after which the wife would complete a masters degree. Pyeatte, 661 P.2d at 200. Aztec Film Prods. v. Tucson Gas & Elec. Co., 463 P.2d 547, 549 (Ariz. Ct. App. 1969) is similarly unpersuasive; the dispute pertained to unspecified terms in a written purchase order.

More on point is Lovell v. P.F. Chang’s China Bistro, Inc., 2015 WL 4940371 (W.D. Wash. Mar. 27, 2015), also cited by Jimmy John’s. Lovell is a data breach case involving credit or debit card payment for prepared food. The district court rejected the claim for breach of implied contract under Washington law, noting that the plaintiff’s unilateral, specific expectations of a particular cybersecurity standard and daily auditing did not give rise to an enforceable contract. Lovell, 2015 WL 4940371, at *3. However,

[t]he Court does not doubt that the offer and acceptance of a credit card as payment of a consumer debt necessarily involves certain implied promises, such as that the card is not fraudulent and that the vendor will utilize the card only for payment of the debt owed. Such promises arise out of the acts of the parties when viewed in light of the surrounding circumstances and the common understanding of the transaction.

Lovell, 2015 WL 4940371, at *3 n.4.

Under the circumstances, and under Illinois law, Irwin has stated a claim for breach of implied contract. There was an offer, acceptance, consideration, and a meeting of the minds. See In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518, 531 (N.D. Ill. 2011); see also Anderson v. Hannaford Bros., 659 F.3d 161, 153-54 (1st Cir. 2011). When the customer uses a credit card for a commercial transaction, he intends to provide the data to the merchant, and not to an unauthorized third party. See In re Michaels, 830 F. Supp. 2d at 531; Hannaford Bros., 659 F.3d at 158. There is an implicit agreement to safeguard the customer’s information to effectuate the contract. In re Michaels, 830 F. Supp. 2d at 531; Hannaford Bros., 659 F.3d at 158. Irwin has alleged the existence of an implied contract obligating Jimmy John’s to take reasonable measures to protect Irwin’s information and to timely notify her of a security breach. In re Michaels, 830 F. Supp. 2d at 531.

Count V - Negligence

Irwin alleges in Count V that Jimmy John’s had a duty to safeguard her personal information, knew that a data breach would damage millions of its customers, and created a foreseeable risk of harm to her and other class members.

Jimmy John’s argues that Illinois law applies to this claim because Irwin’s allegations focus on data security policies established at Jimmy John’s headquarters in Illinois. Irwin argues that Arizona law applies.

The court need not determine which state’s law applies because the outcome would be the same. An essential element of a negligence claim is the existence of a duty owed to the plaintiff. Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 2007); Washington v. City of Chicago, 720 N.E.2d 1030, 1032 (Ill. 1999). Irwin contends that in two data breach cases, Cumis Ins. Soc., Inc. v. Merrick Bank Corp., 2008 WL 4277877 (D. Ariz. Sept. 18, 2008), and In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014), the courts recognized a duty under Arizona law. Irwin’s reading of Cumis and In re Target is a stretch. In Cumis, the court dismissed the negligence claims, disagreeing with the plaintiff that he had adequately pleaded general negligence by alleging “an ordinary duty of care to take reasonable measures to prevent foreseeable harm[.]” Cumis, 2008 WL 4277877, at *12. In In re Target, the defendant’s argument was limited to the element of damages, and whether the economic loss rule barred the negligence claims; the court had no cause to consider the existence of a duty. In re Target, 66 F. Supp. 3d at 1171.

Irwin fares no better under Illinois law. In In re Target, the court dismissed negligence claims asserted under the laws of certain states, including Illinois, as barred by the economic loss rule. In re Target, 66 F. Supp. 3d at 1174.

Count V is dismissed.

Count VI - Unjust enrichment

Irwin alleges a three-pronged approach to unjust enrichment: (1) her payment for purchases at Jimmy John’s was supposed to be used, in part, to pay the costs of providing reasonable data security and protection; (2) she did not receive that protection and therefore overpaid for purchases using her debit and credit cards; and (3) Jimmy John’s was unjustly enriched by the overpayment.

The elements of unjust enrichment under Arizona law are: “(1) an enrichment; (2) an impoverishment; (3) a connection between the enrichment and the impoverishment; (4) absence of justification for the enrichment and the impoverishment; and (5) an absence of a remedy provided by law.” City of Sierra Vista v. Cochise Enter., Inc., 697 P.2d 1125, 1131 (Ariz. Ct. App. 1984). Under Illinois law, “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Services, Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989).

Irwin argues that Jimmy John’s was enriched, and she was impoverished, by her debit and credit card payments, without providing data security and protection, and has retained the amount without justification. The defendants argue that Irwin did not pay any more with her debit or credit card than customers paid for the same items using cash. Bearing in mind that “the court must draw on its judicial experience and common sense,” Iqbal, 556 U.S. at 678-79, the court agrees with the defendants. Irwin paid for food products. She did not pay for a side order of data security and protection; it was merely incident to her food purchase, as is the ability to sit at a table to eat her food, or to use Jimmy John’s restroom. Jimmy John’s would not be enriched by customers who paid full price for their purchases but found all tables occupied, or a restroom temporarily out of order. The court is further persuaded by the fact that merchants are assessed a fee for each debit and credit card transaction, and merchants sometimes offer a discount for cash payment. See, e.g., Consumer Reports, Don’t be Tricked by Gas Station Cash Discounts, available at . Irwin does not allege that she paid more than cash customers did for the same food items, so it cannot be said that Jimmy John’s was unjustly enriched by her purchases.

Count VI is dismissed.

Count VII - Arizona Consumer Fraud Act

Irwin alleges a claim under the Arizona Consumer Fraud Act, Ariz. Rev. Stat. § 44-1521 et seq. (“ACFA”). She alleges that Jimmy John’s induced her and other Arizona consumers to rely on Jimmy John’s deception that their financial information was secure and protected when using debit and credit cards. Jimmy John’s argues that Arizona has a data breach statute requiring notification to individuals affected by the breach “in the most expedient manner possible and without unreasonable delay[.]” Ariz. Rev. Stat. § 44-7501(A). Only the attorney general may enforce the provisions of this statute. Ariz. Rev. Stat. § 44-7501(H).

Jimmy John’s argues that, had the Arizona legislature intended to create a private right of action for data breaches, it would have stated so in this statute, as other states – including Illinois – have done. However, Illinois’ data breach statute, PIPA, allows a private right of action by way of the Consumer Fraud Act. The Arizona data breach statute does not so state, but neither does it limit, a private right of action through another statute, including the ACFA. In the absence of a private right of action in a data breach statute, “consumers must look to other theories of recovery such as . . . state consumer protection laws [.]” Rachael M. Peters, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. 1171, 1185 (2014).

The ACFA states,

The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice.

Ariz. Rev. Stat. Ann. § 44-1522(A).

It is the intent of the legislature, in construing subsection A, that the courts may use as a guide interpretations given by the federal trade commission[.]

Ariz. Rev. Stat. Ann. § 44-1522(C).

The Federal Trade Commission website contains numerous references to its actions relating to all kinds of data security breaches. “Since 2002, the FTC has brought almost 60 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk.” Federal Trade Comm., Privacy & Data Security Update (2015), Data Security, available at (emphasis in original). Jimmy John’s argues that the courts may, but are not required to, look to the FTC for guidance, and that this court should not do so in this case. It is important to remember the standard that applies on a motion to dismiss. At this juncture the court need only decide whether Irwin has stated a plausible claim under the ACFA. Irwin may proceed on her claim under the Arizona statute.

Rule 12(b)(1)

Count IX – Declaratory judgment

The defendants contend that Irwin lacks standing to pursue her claim for declaratory judgment. Irwin has invoked federal jurisdiction, so she bears the burden of establishing the required elements of standing. Remijas v. Neiman Marcus Group, L.L.C., 794 F.3d 688, 691 (7th Cir. 2015).

A plaintiff has Article III standing when she has “(1) an ‘injury in fact,’ (2) a sufficient ‘causal connection between the injury and the conduct complained of,’ and (3) a ‘likelihood’ that the injury ‘will be redressed by a favorable decision.’” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (internal citation omitted).

Irwin seeks a declaration that (1) the existing security measures at Jimmy John’s do not comply with contractual obligations and duties of care to supply adequate security, and (2) to comply with its contractual obligations and duties of care, Jimmy John’s must implement and maintain certain reasonable security measures, which she has detailed with some specificity in eight subparts.

Jimmy John’s contends that Irwin lacks standing because her claimed injury arises from a data breach that has already occurred. Yet, in her declaratory judgment claim she seeks remedies for future injury due to unspecified weaknesses in Jimmy John’s current security measures.

An injury sufficient to satisfy Article III must be “concrete and particularized” and “actual or imminent, not ‘conjectural’ or ‘hypothetical.’” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (some internal question marks omitted). An allegation of future injury may suffice if the threatened injury is “certainly impending,” or there is a “ ‘substantial risk’ that the harm will occur.” Clapper v. Amnesty Intern., U.S.A., 568 U.S., at ––––, ––––, n. 5, 133 S. Ct. 1138, 1147, 1150, n. 5 (emphasis deleted and internal quotation marks omitted).

Susan B. Anthony, 134 S. Ct. at 2341. “[A]llegations of possible future injury are not sufficient.” Clapper, 133 S. Ct. at 1147 (emphasis in original).

The court agrees that Irwin lacks standing to assert this claim. The injury and the causal connection to the breach occurred in the past, but she seeks a remedy for a possible future injury. She claims that five fraudulent charges were made to the credit card that she used at Jimmy John’s before the announcement of the data breach. As a result, she cancelled her credit card account and received a new card; there is no risk to her if a thief were to attempt to use that information now. She alleges that Jimmy John’s still possesses the personal information and financial data revealed in the data breach, and that Jimmy John’s new data security is still not secure and is even more vulnerable now because its lax approach to security is widely known. She claims that she is at future risk of identity theft because other breaches may occur; however, that future risk is conjectural or hypothetical. She does not allege that the data breach exposed information that continues to pose a risk that is certainly impending, or presents a substantial risk of future harm.

Count IX is dismissed.

CONCLUSION

For the following reasons, the motion to dismiss [22] is granted in part and denied in part. Counts I, II, IV, V, VI, VIII, and IX are dismissed. Jimmy John’s shall file its answer to Counts III and VII within twenty-one (21) days of the date of this order.

1 To simplify this order the court refers to Irwin, without specifically referring to the class. Where appropriate, reference to the class members should be inferred. If Irwin, acting on her own behalf, cannot prevail on a particular claim, she cannot represent a class as to that claim.

2 Noting that the defendants are LLCs, the court would normally require the citizenship of the LLCs to be properly alleged. See Belleville Catering Co. v. Champaign Market Place, LLC, 350 F.3d 691, 692 (7th Cir. 2003). The inquiry would require a determination of the citizenship of each member of the defendant LLCs. However, under CAFA, “an unincorporated association shall be deemed to be a citizen of the State where it has its principal place of business and the State under whose laws it is organized.” 28 U.S.C. § 1332(d)(10). The complaint alleges that Jimmy John’s is a Delaware limited liability company with its principal place of business in Illinois. The allegation is sufficient.