Lavender v. Driveline Retail Merchandising Inc
Filing
90
ORDER & OPINION entered by Judge Sue E. Myerscough on 9/21/2021. Defendant Driveline Retail Merchandising, Inc.'s Motion for Summary Judgment, d/e 84 is GRANTED. This case is TERMINATED. Judgment to enter. (SEE WRITTEN ORDER & OPINION) (MAS)
2:18-cv-02097-SEM-TSH # 90
Page 1 of 35
E-FILED
Tuesday, 21 September, 2021 12:51:32 PM
Clerk, U.S. District Court, ILCD
IN THE UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF ILLINOIS
SPRINGFIELD DIVISION
LYNN MCGLENN,
Plaintiff,
v.
DRIVELINE RETAIL MERCHANDISING, INC.,
Defendant.
Case No. 18-cv-2097
ORDER AND OPINION
SUE E. MYERSCOUGH, U.S. District Judge:
This cause is before the Court on Defendant Driveline Retail
Merchandising, Inc.’s (“Driveline”) Motion for Summary Judgment
(d/e 84). For the reasons stated below, the Court GRANTS
Defendant’s Motion for Summary Judgment (d/e 84).
I. FACTS
The Court draws the following facts from the parties’
statements of undisputed facts and from the evidence submitted by
the parties. Any facts not disputed, or disputed without evidentiary
documentation of the basis for the dispute, have been deemed
admitted. See CDIL-LR 7.1(D)(2)(b)(2).
On January 25, 2017, Driveline and thousands of its
employees became the victims of a criminal phishing attack. An
unknown individual (the “perpetrator”), disguised as the Chief
Financial Officer (“CFO”) of Driveline, sent an e-mail to a Driveline
employee who worked in the payroll department. The perpetrator
asked the employee to send all of Driveline’s employees’ 2016 W-2s.
The employee responded to the email and sent the 2016 W-2s of
15,878 employees to the perpetrator. These 15,878 W-2s contained
social security numbers, names, home addresses, and wage
information for employees who worked at and received wages from
Driveline during the time period of January 1, 2016 to December 31,
2016. Driveline admits that this information is irretrievably lost, to
be used against its employees forever.
When Driveline realized that the email had been a phishing
attack, it notified the Federal Bureau of Investigation (“FBI”).
Driveline also provided the IRS with the names and Social Security
numbers (“SSNs”) of the affected employees so the IRS could impose
appropriate controls to prevent the filing of fraudulent returns.[1]
Driveline notified the appropriate governmental authorities of all
fifty states, Guam, and Puerto Rico of the Disclosure.
[1] McGlenn states that she objects to the temporal characterization of the FBI
and IRS notifications being “immediately” or “within hours of the breach.” At
least with regards to the IRS notification, email documentation confirms that
this information was sent to the IRS roughly two days after the phishing email
was sent. See January 27, 2017 Email Communications from S. Hasenfratz to
A. Douglas, attached as Exhibit 3 to Defendant’s Motion, d/e 84-3. The Court
finds that the dispute on temporal terminology, however, is not material to this
motion.
Effective January 31, 2017, Driveline retained the services of
AllClear ID, a credit and identity theft prevention monitoring
service, to protect the employees whose personal identifying
information (“PII”) was involved in the Disclosure. All affected
employees were automatically enrolled in the base protection, called
“AllClear ID Identity Repair.” Any employee suspecting identity
theft could file a claim, and AllClear ID would provide identity and
credit remediation services. Additionally, employees were given the
opportunity to enroll for free for one year of enhanced services,
called “AllClear Credit Monitoring.” To obtain the enhanced
services, the employees had to contact AllClear ID and set up their
individual accounts.
Driveline waited to notify employees of the Disclosure until the
FBI gave Driveline the “green light.” On February 14, 2017, after
the FBI notified Driveline that issuing notice would not hinder the
FBI’s investigation, AllClear ID mailed a letter and supporting
materials on behalf of Driveline to all the employees involved in the
Disclosure.
McGlenn’s PII was part of the Disclosure. She received the
Disclosure notification letter, but McGlenn did not enroll in the free
enhanced credit monitoring offered by Driveline through AllClear
ID. Some Driveline employees involved in the Disclosure received
letters from the IRS requiring them to present to an IRS office in
person before filing their 2016 taxes, but McGlenn did not receive
such a letter. McGlenn does not claim that anyone attempted to file
a fraudulent tax return using her PII.
McGlenn, however, did experience some fraudulent activity on
her financial accounts after the Disclosure. Six months after the
Disclosure, someone tried to activate a Capital One credit card on
an account opened in her name. Capital One received a credit card
application that included McGlenn’s former married name (Lynn
Watts), her telephone number, her date of birth, address, and SSN
on or about July 20, 2017. A man attempted to activate the Capital
One account via telephone by providing McGlenn’s former name,
her telephone number, and her date of birth. McGlenn’s W-2 does
not contain her date of birth. Nor did the Disclosure reveal her
telephone number or former last names. Driveline never even knew
McGlenn’s former married name (Watts) because when she applied
for a job with Driveline, she was already married to Mr. McGlenn.
In December 2017, eleven months after the Disclosure,
someone used McGlenn’s Charlotte Metro Credit Union debit card
to incur a $252.79 charge. McGlenn confirmed that the
information at issue in the debit card charge, which included her
credit union account number, credit union name, credit card
numbers, and debit card numbers, were not part of the Driveline
Disclosure.
McGlenn also acknowledged that her data was stolen during
the Equifax data breach. As clarified in McGlenn’s response,
Equifax provided notice of the breach in September 2017, but the
breach itself occurred between May 2017 and July 2017. See d/e
86 at p. 3 (citing In re Equifax, Inc., Customer Data Sec. Breach
Litig., 362 F. Supp. 3d 1295, 1308 (N.D. Ga. 2019) (“On September
7, 2017, the Defendant Equifax Inc. announced that it was the
subject of one of the largest data breaches in history. From mid-May
through the end of July 2017, hackers stole the personal and
financial information of nearly 150 million Americans.”)). McGlenn
assumes that the Equifax data breach disclosed her SSN, her past
and present address, her date of birth, other names she has used in
the past, and the identities of her banks, lending institutions, and
past and present credit card issuers. Equifax, like Driveline, offered
free credit monitoring. McGlenn declined both offers because she
was already using Credit Karma.
McGlenn also highlights reports by the IRS and FBI warning
about certain frauds prior to the Disclosure. Driveline does not
dispute the facts surrounding these reports, but Driveline argues
that they are immaterial because there is no evidence that Driveline
had received, was aware of, or should have been aware of these
reports. First, on August 27, 2015, the FBI issued a report warning
of the increasingly common scam, known as Business Email
Compromise, in which companies had fallen victim to phishing
emails. The report called attention to the significant spike in
scams, also referred to as “spoofing,” in which emails that appear to
have been initiated from the CEO or other top-level executives
request employee W-2 or other personal information.
Second, on March 1, 2016, the IRS issued an alert to payroll
and human resources professionals warning of a scheme whereby
false emails, purportedly from one of the company’s chief officers,
were sent to individuals in the human resources or accounting
department asking for copies of W-2 data for all employees. The
alert stated:
The Internal Revenue Service today issued an alert to
payroll and human resources professionals to beware of
an emerging phishing email scheme that purports to be
from company executives and requests personal
information on employees.
The IRS has learned this scheme—part of the surge in
phishing emails seen this year—already has claimed
several victims as payroll and human resources offices
mistakenly email payroll data including Forms W-2 that
contain Social Security numbers and other personally
identifiable information to cybercriminals posing as
company executives.
Pl. Resp., Ex. 4, IRS March 1, 2016 Alert, d/e 86-4. The IRS
renewed this alert on January 25, 2017, specifically urging
“company payroll officials to double check any executive-level or
unusual requests for lists of Forms W-2 or Social Security
numbers.” Pl. Resp., Ex. 5, IRS January 25, 2017 Alert, d/e 86-5.
McGlenn also alleges these additional facts regarding the
training, or lack of training, that Driveline provided its employees:
• Before January 25, 2017, Susan Merciel, the Driveline
Payroll Department Manager who released Driveline
Employees’ W-2s, had no training from Driveline that
would have aided her in spotting a phishing email.
• Before January 25, 2017, Ms. Merciel had not been
trained or advised by Driveline that W-2 phishing
emails were being perpetrated on payroll departments.
• Before Driveline sent out its employees’ personal data,
its employees had not been trained to hover their
computer mouse over the sender’s name to see from
whom an email was sent.
• If Driveline’s employees had been so trained, Ms.
Merciel or any other employee receiving the spoofing
email would have seen that the request for employees’
W-2 was coming not from Driveline’s CFO Lori
Bennett, whose Driveline email address had always
been “lbennett@drivelineretail.com,” but instead came
from fidelitycharitylaw@gmail.com.
• Ms. Merciel told another Driveline employee, Kristine
Fountain, that she had previously received a request
for W-2s in 2016, and that was why she did not find
the 2017 phishing email unusual.
• Before Driveline sent out employees’ personal data,
Driveline employees had not been trained to question a
request to email employees’ PII or to call the person
who was requesting via email a file containing the
sensitive personal financial information of employees
to confirm it was a real request.
• Prior to the Driveline Disclosure, Driveline’s CFO Lori
Bennett routinely requested confidential personal
information of employees be sent to her via email
without requiring or suggesting that the requested file
be encrypted or password protected.
• Prior to the Driveline Disclosure, Driveline employees
had not been trained to transfer sensitive and private
employee data in an encrypted file.
• Driveline employees handling the most sensitive
personal and financial information for the company’s
workforce had never been trained how to encrypt a file
or how to transfer sensitive and private employee
information in a password protected file.
• Following the Driveline Disclosure, some employees
were required to take a one-time computer training
course on identity theft. They were not required to
take the course annually.
While Driveline does not dispute these facts, Driveline argues that
the facts are immaterial to Driveline’s Motion for Summary
Judgment because Driveline argues it does not owe a duty to its
employees to safeguard their PII.
II. PROCEDURAL BACKGROUND
The Complaint for this action was originally brought by Shirley
Lavender, individually and on behalf of all others similarly situated,
against Driveline. However, Plaintiff Lavender filed a Motion for
Leave to Substitute Class Representative and for Leave to File an
Amended Class Action Complaint in Accordance with the
Substitution. See d/e 34. On September 6, 2019, the Court
granted Plaintiff Lavender’s Motion for Leave to Substitute. See
Order, d/e 43. On September 10, 2019, Plaintiff Lynn McGlenn
was substituted as Plaintiff in this case when she filed an Amended
Complaint. See Amended Complaint, d/e 44. McGlenn has filed
claims for negligence (Count I), invasion of privacy (Count II),
breach of implied contract (Count III), breach of fiduciary duty
(Count IV), violation of Illinois Personal Information Protection Act
(“IPIPA”) (Count V), and violation of Illinois Consumer Fraud and
Deceptive Business Practices Act (“ICFA”) (Count VI) against
Driveline. McGlenn seeks a mandatory injunction directing
Driveline to adequately safeguard the PII of employees by
implementing improved security procedures and measures and to
provide adequate notice to each employee relating to the full nature
and extent of the Disclosure and ordering Driveline to pay an award
of monetary damages. See d/e 44. On January 19, 2021, the
Court denied McGlenn’s Renewed Motion for Class Certification.
See Opinion and Order, d/e 87.
Driveline filed this Motion for Summary Judgment (d/e 84) on
December 14, 2020, and moves for summary judgment on all of
McGlenn’s individual claims. McGlenn filed a response (d/e 86) on
January 15, 2021, in which she agreed summary judgment was
appropriate for her invasion of privacy claim, see d/e 86 at p. 2,
n.1, but otherwise opposed summary judgment. Driveline filed its
reply (d/e 88) on January 29, 2021.
III. JURISDICTION AND VENUE
McGlenn invokes jurisdiction under the Class Action Fairness
Act, 28 U.S.C. § 1332(d) (“CAFA”). The CAFA provides federal
courts with jurisdiction over certain class actions if the class has
more than 100 members, the parties are minimally diverse, and the
amount in controversy exceeds $5 million, exclusive of interest and
costs. 28 U.S.C. § 1332(d)(2), (5)(B); Standard Fire Ins. Co. v.
Knowles, 568 U.S. 588, 592 (2013). The claims of the individual
class members are aggregated to determine whether the amount in
controversy threshold is met. 28 U.S.C. § 1332(d)(6).
McGlenn’s Amended Complaint alleged that the aggregate
amount in controversy exceeds $5 million, exclusive of interest and
costs, that there are more than 100 class members, and that at
least one class member is a citizen of a state different from
Driveline. See Amended Complaint, d/e 44, ¶ 3. McGlenn is a
citizen of North Carolina. Id., ¶ 1. Driveline has indicated that
Driveline is a citizen of New Jersey and Texas because Driveline is
incorporated in New Jersey and has its principal place of business
in Texas. See Defendant’s Declaration of State of Incorporation and
Principal Place of Business, d/e 42.
Moreover, the Court retains jurisdiction over the case
pursuant to 28 U.S.C. § 1332(d) even though the Court has now
denied Plaintiff’s Motion for Class Certification. See Cunningham
Charter Corp. v. Learjet, Inc., 592 F.3d 805 (7th Cir. 2010) (“Federal
jurisdiction under the Class Action Fairness Act does not depend on
certification”). Therefore, the Court finds that the Court continues
to have subject-matter jurisdiction.
IV. LEGAL STANDARD
Summary judgment is proper if the movant shows that no
genuine dispute exists as to any material fact and that the movant
is entitled to judgment as a matter of law. Fed. R. Civ. P. 56(a).
The movant bears the initial responsibility of informing the Court of
the basis for the motion and identifying the evidence the movant
believes demonstrates the absence of any genuine dispute of
material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). A
genuine dispute of material fact exists if a reasonable trier of fact
could find in favor of the nonmoving party. Marnocha v. St. Vincent
Hosp. & Health Care Ctr., Inc., 986 F.3d 711, 718 (7th Cir. 2021).
When ruling on a motion for summary judgment, the Court
must construe all facts in the light most favorable to the nonmoving party and draw all reasonable inferences in that party’s
favor. King v. Hendricks Cty. Commissioners, 954 F.3d 981, 984
(7th Cir. 2020). A movant may demonstrate the absence of a
genuine dispute through specific cites to admissible evidence or by
showing that the nonmovant “cannot produce admissible evidence
to support the [material] fact.” Fed. R. Civ. P. 56(c)(1). If the
movant clears this hurdle, the nonmovant may not simply rest on
his or her allegations in the complaint, but instead must point to
admissible evidence in the record to show that a genuine dispute
exists. Id.; Harvey v. Town of Merrillville, 649 F.3d 526, 529 (7th
Cir. 2011).
V. ANALYSIS
Driveline argues that it is entitled to summary judgment on all
of the claims brought by McGlenn (negligence (Count I), invasion of
privacy (Count II), breach of implied contract (Count III), breach of
fiduciary duty (Count IV), violation of Illinois Personal Information
Protection Act (“IPIPA”) (Count V), and violation of Illinois Consumer
Fraud and Deceptive Business Practices Act (“ICFA”) (Count VI)).
McGlenn agrees that her invasion of privacy claim (Count II) is
subject to summary judgment. Accordingly, the Court grants
summary judgment for Driveline on this claim. Further, the Court
agrees with Driveline that summary judgment is appropriate on
McGlenn’s remaining claims.
A. Driveline is Entitled to Summary Judgment on
McGlenn’s Illinois Common Law Tort Claims.
As an initial matter, the Court finds that McGlenn has waived
any arguments that Illinois law does not apply. McGlenn has
previously argued that Illinois law applies to her common law
claims. See Plaintiff’s Memorandum of Law In Support of Renewed
Motion for Summary Judgment, d/e 52-1 at p.16. While Driveline
has previously questioned whether the law of Illinois or North
Carolina (the state of McGlenn’s residence and where she worked
while employed by Driveline) applies, see Defendant’s Objection to
Plaintiff’s Renewed Motion for Class Certification, d/e 54, p.36,
n.25, Driveline’s Motion for Summary Judgment assumes that
Illinois law does apply. It is not clear from the facts of this case
that Illinois law would necessarily apply given that neither McGlenn
nor Driveline are Illinois residents and any harm to McGlenn did
not occur in Illinois. Nonetheless, McGlenn did not raise the
choice-of-law issue in her response, and the Court finds that the
argument is now waived. See Ward v. Soo Line R.R. Co., 901 F.3d
868, 880 (7th Cir. 2018) (“The choice-of-law issue is waived if a
party fails to raise it.”).
Applying Illinois law, Driveline argues that McGlenn cannot
succeed on her negligence claim because Driveline does not have a
duty under Illinois law to safeguard McGlenn’s PII. Driveline argues
that McGlenn cannot succeed on her breach of fiduciary duty claim
because she has not established that Driveline owed her a fiduciary
duty. Driveline also argues that the economic loss doctrine bars
recovery of any tort damages.
1. McGlenn Cannot Prove Negligence Because Driveline
Does Not Have a Duty Under Illinois Law to
Safeguard McGlenn’s PII.
To show negligence under Illinois law, a plaintiff must prove
“that the defendant owed a duty to the plaintiff, that defendant
breached that duty, and that the breach was the proximate cause of
the plaintiff’s injuries.” Blood v. VH-1 Music First, 668 F.3d 543,
546 (7th Cir. 2012) (quoting First Springfield Bank & Trust v.
Galman, 188 Ill.2d 252, 242 Ill.Dec. 113, 720 N.E.2d 1068, 1071
(1999)). Driveline argues that under Illinois law, Driveline did not
owe any duty to McGlenn to safeguard her PII. While the Illinois
Supreme Court has not spoken on this issue, the Seventh Circuit in
Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803,
816 (7th Cir. 2018), found that the defendant retailer, Schnuck
Markets, did not owe a duty to the customer’s banks under Illinois
law when Schnucks suffered a major breach of its customers’ data.
See also Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 757-58 (C.D.
Ill. 2020). The Seventh Circuit relied on the Illinois appellate case
of Cooney v. Chicago Pub. Sch., 407 Ill. App. 3d 358, 363, 943
N.E.2d 23, 29 (2010) in reaching its holding. In Cooney, the city
board of education, through a third party, had mistakenly sent PII
of former school employees in a mailing. Cooney, 407 Ill. App. at
363. In declining to create a new common law duty, the Illinois
appellate court emphasized that “[w]hile we do not minimize the
importance of protecting this information, we do not believe that the
creation of a new legal duty beyond legislative requirements already
in place is part of our role on appellate review. As noted, the
legislature has specifically addressed the issue and only required
the Board to provide notice of the disclosure.” Id. The Seventh
Circuit in Cmty. Bank of Trenton interpreted Cooney as “a more
general statement that no duty to safeguard personal information
existed, regardless of the kind of loss” and predicted “that the state
court would not impose the common law data security duty the
plaintiff banks call for here.” Cmty. Bank of Trenton, 887 F.3d at
817.
McGlenn attempts to distinguish Cooney based on the way the
information was disclosed, arguing the disclosure in Cooney was a
“mistake,” whereas the disclosure here “was the foreseeable
consequence of the defendant’s actions and failure to act.” See d/e
86 at p. 11. McGlenn points to cases applying Georgia law and
argues that this Court should find Illinois law would recognize the
existence of a similar common law duty when the disclosure was
foreseeable. See d/e 86 at p. 11-12 (citing In re Equifax, Inc.,
Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295 (N.D. Ga.
2019); In re: The Home Depot, Inc. Customer Data Sec. Breach
Litig., 2016 WL 2897520, at *3 (N.D. Ga. May 18, 2016); In re
Arby’s Restaurant Grp. Inc. Litig., 2018 WL 2128441, at *5 (N.D.
Ga. Mar. 5, 2018)). However, while these cases highlight important
policy reasons why a company should be required to safeguard PII,
McGlenn does not explain how these cases would allow the Court to
ignore the Seventh Circuit’s holding in Cmty. Bank of Trenton.
Moreover, McGlenn’s distinction between a “mistake” and a
“foreseeable consequence” does not address Cooney’s rationale that
courts should not impose “a new legal duty beyond legislative
requirements.” Cooney, 407 Ill. App. at 363. Regardless of whether
the data breach was foreseeable or merely a “mistake,” the Court
finds that Illinois does not impose a common law duty to safeguard
PII.
McGlenn also argues that, even if no common law duty exists,
a statutory duty now exists. As the court noted in Cooney, “a
violation of a statute designed to protect human life and property
may be used as prima facie evidence of negligence.” 407 Ill.App.3d
at 361. In Cooney, the court rejected the plaintiffs’ argument that a
statutory duty existed under Illinois Personal Information Protection
Act (“PIPA”) because PIPA only requires a data collector to provide
notice of a breach. Id. at 363; see also Cmty. Bank of Trenton, 887
F.3d at 816 (noting Cooney’s conclusions).
However, McGlenn highlights that in 2017, after Cooney, the
Illinois legislature amended PIPA. Specifically, PIPA now includes a
section that provides:
A data collector that owns or licenses, or maintains or
stores but does not own or license, records that contain
personal information concerning an Illinois resident shall
implement and maintain reasonable security measures to
protect those records from unauthorized access,
acquisition, destruction, use, modification, or disclosure.
815 ILCS § 530/45(a) (emphasis added). Driveline argues that this
provision is irrelevant in light of the Seventh Circuit’s decision in
Cmty. Bank of Trenton, which is binding on this Court. However,
the data breach at issue in Cmty. Bank of Trenton occurred in
2012, so the 2017 amendments to PIPA were not relevant to the
Seventh Circuit’s analysis in Cmty. Bank of Trenton.
Nonetheless, the Court finds that the 2017 amendments to
PIPA do not change the result here. While Driveline qualifies as a
“data collector” under the broad definition of the act, see 815 ILCS
530/5, Driveline’s duty under this provision is expressly limited to
Illinois residents. McGlenn is not an Illinois resident—she is a
North Carolina resident. McGlenn has not responded to Driveline’s
argument that PIPA does not protect non-Illinois residents, nor has
she otherwise attempted to explain how this provision could be
interpreted to create a duty to safeguard a non-resident’s PII.
Accordingly, the Court finds that Driveline is entitled to summary
judgment on McGlenn’s negligence claim because Driveline did not
owe a duty under Illinois law to safeguard McGlenn’s PII.
2. McGlenn Cannot Show a Breach of Fiduciary Duty
Because Driveline did not have a Fiduciary Duty to
Protect McGlenn’s PII.
To establish a claim for breach of fiduciary duty under Illinois
law, McGlenn “must prove the existence of a fiduciary duty, breach
of that duty, and damages proximately resulting from that
breach.” Autotech Tech. Ltd. P’ship v. Automationdirect.com, 471
F.3d 745, 748 (7th Cir. 2006) (citing Neade v. Portes, 193 Ill.2d 433,
739 N.E.2d 496, 502, 250 Ill.Dec. 733 (Ill. 2000)). A fiduciary duty
exists under Illinois law either “as a matter of law from the
relationship of the parties (such as an attorney-client relationship),
or based on the facts of a particular situation, such as a
relationship where confidence and trust is reposed on one side,
resulting in dominance and influence on the other side.” Dahlin v.
Evangelical Child & Family Agency, 252 F. Supp. 2d 666, 669 (N.D.
Ill. 2002) (citations omitted).
McGlenn does not argue that a fiduciary duty exists as a
matter of law, but rather that a fiduciary duty exists because
McGlenn was required to entrust Driveline with her sensitive
personal information as a condition of gaining and maintaining her
employment. However, in Cooney, the Illinois appellate court found
that there is no fiduciary duty created when an employee provides
an employer with information “in confidence.” 407 Ill. App. 3d at
363; Landale Signs & Neon, Ltd. v. Runnion Equip. Co., No. 16-cv-7619,
2016 WL 7409916, at *4 (N.D. Ill. Dec. 22, 2016). McGlenn
has not attempted to distinguish Cooney and does not provide
caselaw to support her argument.
McGlenn does, however, acknowledge that under Illinois law
“trust and confidence are not enough to create a fiduciary
relationship; superiority and influence must result from the trust
and confidence.” Tummelson v. White, 47 N.E.3d 579, 584 (Ill.
App. Ct. 2015). In Tummelson, the Illinois appellate court further
explained that a fiduciary relationship exists where “trust and
confidence are reposed by one person in another who, as a result
thereof, gains influence and superiority over the other. . . significant
dominance and superiority [are] necessary to establish a fiduciary
relationship.” . . .“Dominance,” in this context, means “the ability to
exercise undue influence.” Id. (internal citations and quotations
omitted). In Tummelson, the court found no fiduciary relationship
existed between a homeowner and cohabitant merely because the
cohabitant contributed money toward the mortgage of the house
and he trusted that this would result in his ability to continue to
reside at the house. Id. Rather, the court found that the
dominance that the homeowner had over the cohabitant (to evict
the cohabitant if she chose) was “merely the dominance that a
licenser typically has over a licensee.” Id.
Here, McGlenn argues that she put trust in Driveline to
safeguard her PII and that, as her employer, Driveline had
superiority and influence. But it is not enough that superiority and
influence generally exist in the relationship. The superiority and
influence must result from the trust and confidence. McGlenn
trusted Driveline with her PII because it was required as a condition
of employment. Moreover, McGlenn has not explained how
Driveline gained dominance or “undue influence” over McGlenn
because of the information McGlenn provided. Like Tummelson,
the “dominance” that existed was typical for the type of relationship
(employer-employee) that McGlenn and Driveline had. Accordingly,
the Court finds that Driveline is entitled to summary judgment on
McGlenn’s breach of fiduciary duty claim.
3. The Court Declines to Determine Whether the
Economic Loss Doctrine Applies.
Driveline also argues that it is entitled to summary judgment
on McGlenn’s tort claims because her damages are barred under
the economic loss doctrine. In addressing tort claims in commercial
litigation, “state courts have generally refused to recognize tort
liabilities for purely economic losses inflicted by one business on
another where those businesses have already ordered their duties,
rights, and remedies by contract.” Cmty. Bank of Trenton, 887
F.3d at 812. “Courts invoking the economic loss rule trust the
commercial parties interested in a particular activity to work out an
efficient allocation of risks among themselves in their contracts.
Courts see no reason to intrude into the parties’ allocation of the
risk when bargaining should be sufficient to protect the parties’
interests, and where additional tort law remedies would act as
something of a wild card to upset their expectations.” Id. (internal
quotations omitted).
In Illinois, the economic loss rule is known as the Moorman
Doctrine. Id. (citing Moorman Mfg. Co. v. Nat’l Tank Co., 91 Ill. 2d
69, 435 N.E.2d 443 (1982)). “Illinois recognizes three exceptions,
but none applies here: for personal injuries or property damage
resulting from sudden or dangerous occurrences, for fraud, and for
negligent misrepresentations by professional business advisors.”
Id. at 813. In Cmty. Bank of Trenton, the Seventh Circuit held that
Illinois’ economic loss rule barred the tort claims alleged by the
customers’ banks as a result of a grocery chain’s data breach. Id.
(“The plaintiff banks are disappointed in the amounts the card
networks’ contractual reimbursement process provided. That type
of tort claim is not permitted under Moorman.”).
McGlenn argues that the Seventh Circuit and other federal
courts have reached the wrong answer when they “reflexively
applied the economic loss rule to negligence claims” because they
did not perform any analysis about whether the principles behind
the economic loss rule apply to data breaches. McGlenn draws
support from In re Marriott International, Inc., Customer Data
Security Breach Litigation, 440 F. Supp. 3d 447, 473 (D. Md. 2020),
which noted that the Illinois Supreme Court has not yet addressed
whether the economic loss rule would apply to data breaches. The
district court in In re Marriott Int’l, Inc., Customer Data Sec.
Breach Litig. found that “the rule’s development suggests that its
historical roots in products liability are not a close fit with the
injuries that arise in the context of data breaches like this one,
which casts doubt on how it would be applied by the Illinois
Supreme Court.” In re Marriott Int’l, Inc., Customer Data Sec.
Breach Litig., 440 F. Supp. 3d at 469.
While the analysis by the district court in In re Marriott Int’l,
Inc., Customer Data Sec. Breach Litig. is well-reasoned, the Court
must not disregard the Seventh Circuit’s binding precedent in
Cmty. Bank of Trenton which found that the economic loss rule did
apply to data breaches. However, the Court notes that Cmty. Bank
of Trenton was litigation between two commercial entities: a grocery
store chain that had a data breach of its customers’ data, and the
banks of the customers whose data was breached. Here, where
McGlenn is a former employee of Driveline and provided her PII as a
legal condition of employment, the economic loss rule would be
stretched significantly further from its product liability roots than
the application of the rule in Cmty. Bank of Trenton. Regardless, as
the Court finds that Driveline is entitled to summary judgment on
its tort claims due to an absence of duty, the Court declines to also
determine whether the economic loss doctrine would bar McGlenn’s
claims.
B. McGlenn Has Not Shown Sufficient Evidence That
Driveline Proximately Caused Her Present Injuries For
Her Tort or Contract Claims.
Driveline next argues that McGlenn cannot succeed on any of
her common law claims—including her breach of implied contract
claim—because she has not established proximate cause that the
Disclosure caused her present injuries, and an increased risk of
future harm alone is insufficient to show damages. McGlenn does
not dispute that, under Illinois law, an increased risk of future
harm alone is insufficient to show damages. See also, Rowe v.
UniCare Life & Health Ins. Co., No. 09 C 2286, 2010 WL 86391, at
*6 (N.D. Ill. Jan. 5, 2010) (applying Illinois law and concluding that
the plaintiff in a data breach action “may collect damages based on
the increased risk of future harm he incurred, but only if he can
show that he suffered from some present injury beyond the mere
exposure of his information to the public.”); Williams v. Manchester,
228 Ill. 2d 404, 425, 888 N.E.2d 1, 13 (2008) (“[A]n increased risk of
future harm is an element of damages that can be recovered for a
present injury—it is not the injury itself.” (emphasis in original)).
Accordingly, standing alone, McGlenn’s allegation that she is at an
increased risk of future identity theft is insufficient to show
damages.
Nonetheless, McGlenn argues that she has suffered two
incidents of identity theft that qualify as present injuries: First, six
months after receiving the notice of the data breach from Driveline,
Plaintiff was alerted that someone used her PII to open a new credit
card account with Capital One. Second, approximately eleven
months after the breach, a fraudulent charge of $252.79 was made
on her debit card. However, the Court agrees that McGlenn has not
shown that Driveline caused these present injuries.
In tort law, as well as with breaches of contracts, a defendant
is only liable for damages the breach caused. See In re: Emerald
Casino, Inc., 867 F.3d 743, 755 (7th Cir. 2017). In Illinois,
causation is referred to as proximate causation and has two
components: legal cause and cause in fact. Id. (citing Young v.
Bryco Arms, 213 Ill.2d 433, 290 Ill.Dec. 504, 821 N.E.2d 1078,
1085–1086 (2004)). Here, only cause in fact is at issue. To show
cause in fact, a plaintiff must show that “there is a reasonable
certainty that a defendant’s acts caused the injury or damage.” In
re: Emerald Casino, Inc., 867 F.3d at 755. In Illinois, two tests are
used to determine cause in fact. First, under the traditional “but-for” test, “a defendant’s breach is a cause in fact of damages if the
damages would not have occurred had the defendant not breached
the contract” or breached its duty. Id. Second, “a defendant’s
breach is a cause in fact of damages ‘if it was a material element
and a substantial factor in bringing the event about.’” Id. (internal
citations omitted). McGlenn argues that the substantial-factor test
applies here, which is used “when multiple defendants caused the
damages so that no one defendant could be considered a but-for
cause.” Id.
Driveline argues that McGlenn has not produced sufficient
evidence for a jury to find that Driveline’s Disclosure caused the two
incidents of identity theft. The only evidence McGlenn has
presented tying the Driveline Disclosure to the incidents of identity
theft is that the identity theft incidents occurred a few months after
the Driveline Disclosure. Driveline highlights that McGlenn was
also involved in the Equifax breach, which revealed more of
McGlenn’s PII than the Driveline Disclosure did and included the
identity of her financial institutions and credit card companies.
Moreover, Driveline highlights that the individual who attempted to
open a new credit card at Capital One used her former last name,
her current telephone number, and her date of birth—none of
which was included in the Driveline Disclosure. Further,
Driveline’s Disclosure did not reveal the identity of her credit union,
the debit-card number, or account information used in the
fraudulent charge on McGlenn’s debit card.
At the initial pleading stage, allegations that data was
disclosed and that McGlenn later suffered identity theft would be
sufficient to survive a motion to dismiss. See, e.g., Remijas v.
Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015)
(finding that to survive a motion to dismiss, it is sufficient that
defendant “admitted that 350,000 cards might have been exposed
and that it contacted members of the class to tell them they were at
risk. Those admissions and actions by the store adequately raise
the plaintiffs’ right to relief above the speculative level.”); Lewert v.
P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016).
See also In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir.
2018) (“That hackers might have stolen Plaintiffs’ PII in unrelated
breaches, and that Plaintiffs might suffer identity theft or fraud
caused by the data stolen in those other breaches (rather than the
data stolen from Zappos), is less about standing and more about
the merits of causation and damages.”).
However, at the summary judgment phase more than these
allegations is needed. Under Illinois law, at the summary judgment
phase, facts cannot “be established from circumstantial evidence
where more than one conclusion can be drawn. . . If plaintiff relies
upon circumstantial evidence to establish proximate cause to defeat
a motion for summary judgment, the circumstantial evidence must
be of such a nature and so related as to make the conclusion more
probable as opposed to merely possible.” Majetich v. P.T. Ferro
Const. Co., 389 Ill. App. 3d 220, 224–25, 906 N.E.2d 713, 718
(2009) (internal citations omitted); Garland v. Sybaris Clubs Int’l,
Inc., 141 N.E.3d 730, 764 (Ill. Ct. App. 2019) (“Cause in fact exists
where there is a reasonable certainty that a defendant's acts caused
the injury or damage.”).
As McGlenn notes, “[i]f there are multiple companies that
could have exposed the plaintiffs’ private information to the
hackers, then the common law of torts has long shifted the burden
of proof to defendants to prove that their negligent actions were not
the “but-for” cause of the plaintiff's injury.” Remijas v. Neiman
Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) (citation and
internal quotation marks omitted). But, McGlenn’s incidents of
identity theft necessarily relied on PII that was not disclosed in
Driveline’s Disclosure. The obvious implication is that the thieves
could not have relied on Driveline’s Disclosure alone to commit the
incidents of identity theft. And McGlenn does not dispute that at
least the Equifax data breach would have exposed all the
information that was needed to commit these incidents of identity
theft. Moreover, data breaches have become increasingly common.
McGlenn has not presented any evidence that Driveline’s Disclosure
was involved in her incidents of identity theft beyond the fact that
Driveline’s Disclosure happened prior to these incidents.
Understandably, neither McGlenn nor Driveline has been able
to determine who committed the identity thefts and determine
where they got the information used. But, especially in light of the
fact that Driveline’s Disclosure did not provide all the information
used to commit the incidents of identity theft, McGlenn needed to
present some evidence of causation other than temporal proximity
for a reasonable jury to find Driveline responsible for her injuries.
Any finding in McGlenn’s favor would be merely speculative. See
also Walker v. Macy’s Merchandising Group, Inc., 288 F. Supp. 3d
840, 856 (N.D. Ill. 2017) (under Illinois law, “[p]roximate cause is
not established, however, where the causal connection is
contingent, speculative or merely possible.” (internal citations
omitted)). See also, Nolan v. Weil-McLain, 233 Ill. 2d 416, 431, 910
N.E.2d 549, 557 (2009) (“Illinois courts have, as a matter of law,
refused to allow a plaintiff to take the causation question to the jury
when there is insufficient evidence for the jury to reasonably find
that the defendant’s conduct was a cause of the plaintiff’s harm or
injury.”).
Because McGlenn’s only remaining alleged harm is her alleged
increased risk of future identity theft, which she concedes is
insufficient on its own to entitle her to damages, Driveline is
entitled to summary judgment on McGlenn’s tort and contract
claims under Illinois law.
C. Driveline is Entitled to Summary Judgment on
McGlenn’s Statutory Claims.
McGlenn also claims that Driveline violated the Illinois
Personal Information Protection Act (“PIPA”) and the Illinois
Consumer Fraud and Deceptive Business Practices Act (“ICFA”).
Driveline argues that it met the Notice requirements of PIPA and,
therefore, McGlenn cannot prove a violation of PIPA. In her
response, McGlenn clarifies that the basis of her PIPA claim is not
the notice requirements but, rather, the 2017 amendments. As
stated above, these amendments require that a data collector that
“maintains or stores . . . records that contain personal information
concerning an Illinois resident shall implement and maintain
reasonable security measures to protect those records from
unauthorized access, acquisition, destruction, use, modification, or
disclosure.” 815 ILCS § 530/45(a) (emphasis added).
However, McGlenn fails to respond to Driveline’s other
argument regarding PIPA: McGlenn is a North Carolina resident.
Even if McGlenn can show that Driveline failed to “implement and
maintain reasonable security measures to protect” her PII from
disclosure, she will not have shown a PIPA violation because she is
not an Illinois resident.
Driveline is also entitled to summary judgment for McGlenn’s
final claim: a violation of ICFA. McGlenn argues that Driveline
violated ICFA because a violation of PIPA “constitutes an unlawful
practice under the Consumer Fraud and Deceptive Business
Practices Act.” 815 ILCS § 530/20. However, because the Court
finds that Driveline did not violate PIPA as to McGlenn, McGlenn
also cannot show a violation of ICFA. Accordingly, the Court finds
that Driveline is entitled to summary judgment on McGlenn’s
Illinois statutory claims as well.
VI. CONCLUSION
For the reasons set forth above, the Court GRANTS
Defendant’s Motion for Summary Judgment (d/e 84). The Court
DIRECTS the Clerk to enter judgment in favor of Defendant
Driveline. This order terminates the case.
ENTERED: September 21, 2021
FOR THE COURT:
/s/ Sue E. Myerscough
SUE E. MYERSCOUGH
UNITED STATES DISTRICT JUDGE