Flores v. Bryan Cave Leighton Paisner LLP, et al
Filing
45
MEMORANDUM Opinion and Order: Defendants' motions to dismiss [Case No. 23 C 3999, ECF No. 35; Case No. 23 C 4249, ECF No. 41 ] are granted in part and denied in part. The motions are denied as to standing and as to failure to state a claim of n egligence or for declaratory or injunctive relief. Plaintiffs' negligence claims survive in both consolidated actions. The motions to dismiss are otherwise granted. Plaintiffs shall file an amended complaint, if desired, by July 3, 2024. The par ties shall file a joint status report by July 10, 2024. The Court sets a telephonic status hearing in both consolidated actions for July 17, 2024 at 9:30 a.m. Members of the public and media will be able to call in to listen to this hearing. The cal l-in number is 888-808-6929 and the access code is 4911854. Counsel of record will receive an email 30 minutes prior to the start of the telephonic hearing with instructions to join the call. Persons granted remote access to proceedings are reminded of the general prohibition against photographing, recording, and rebroadcasting of court proceedings. Violation of these prohibitions may result in sanctions, including removal of court issued media credentials, restricted entry to future hearings, denial of entry to future hearings, or any other sanctions deemed necessary by the Court. Signed by the Honorable Jorge L. Alonso on 6/3/2024. Notice mailed by Judge's staff (lf, )
<![CDATA[
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
IN RE: MONDELEZ DATA BREACH
LITIGATION,
)
)
)
)
)
)
)
)
Case No. 23 C 3999
Hon. Jorge L. Alonso
____________________________________________________________________________
IN RE: BRYAN CAVE LEIGHTON
PAISNER, LLP DATA BREACH
LITIGATION,
)
)
)
)
)
)
)
)
Case No. 23 C 4249
Hon. Jorge L. Alonso
MEMORANDUM OPINION AND ORDER
These consolidated class-action cases arise out of a data breach incident involving the law
firm Bryan Cave Leighton Paisner, LLP (“Bryan Cave”), which detected unauthorized access to
its information systems in February 2023. Plaintiffs are all employees of Mondelez Global LLC
(“Mondelez”), one of Bryan Cave’s clients, and they assert claims of negligence and other statelaw causes of action against defendants Mondelez and Bryan Cave, based on the exposure of their
personal information in the data breach. Defendants have moved to dismiss for lack of standing
and failure to state a claim under Federal Rule of Civil Procedure 12(b)(1) and (6). For the
following reasons, the motions are granted in part and denied in part. They are denied as to
standing, as to the negligence claims, and as to any accompanying right to declaratory or injunctive
relief, but otherwise granted.
I.
Background
The following facts are taken from the complaints in these consolidated actions. Mondelez
makes snack food products for retail sale. It operates in countries all over the world, with its
principal place of business in Chicago, Illinois. It retained Bryan Cave to provide legal services,
and, in the course of the representation, Mondelez provided certain of its employees’ personally
identifiable information to Bryan Cave, including names, dates of birth, Social Security numbers,
and addresses. In February 2023, Bryan Cave detected unauthorized access to its information
systems, and a forensic investigation revealed that the hackers obtained the personal information
of 51,100 current and former Mondelez employees. Each of the seven named plaintiffs received a
letter from Mondelez to notify employees of the data breach and that their personal information
had been exposed. Plaintiffs allege that they are at an increased risk of identity theft, and they have
taken prudent actions to mitigate the risk of identity theft, such as “signing up for credit monitoring
and identity theft insurance, closing and opening new credit cards, and securing their financial
accounts.” (In Re: Mondelez Data Breach Litigation, Case No. 23 C 3999, Consol. Compl. ¶ 106,
ECF No. 24; see id. at ¶ 108; see also In Re: Bryan Cave Data Breach Litigation, Case No. 23 C
4249, Am. Compl. ¶¶ 84.d. & e., 111, ECF No. 34.) They filed a number of lawsuits in which they
assert various state-law claims under the diversity jurisdiction, see 28 U.S.C. § 1332(d). The Court
has consolidated these actions so that two consolidated class actions remain, one against Mondelez
and another against Bryan Cave.
2
II.
Legal Standards
Defendants move to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(1) and (6).
“Rule 12(b)(1) is the means by which a defendant raises a defense that the court lacks subjectmatter jurisdiction,” such as a challenge to the plaintiff’s standing. Bazile v. Fin. Sys. of Green
Bay, Inc., 983 F.3d 274, 279 (7th Cir. 2020). “Standing” refers to the “‘personal stake in the
outcome’” of the case that all plaintiffs must have in order to invoke the “judicial power” wielded
by the federal courts. Warth v. Seldin, 422 U.S. 490, 499 (1975) (quoting Baker v. Carr, 390 U.S.
186, 204 (1962)). Where a defendant seeks dismissal under Rule 12(b)(1) for failure to set forth
allegations sufficient to establish standing on the face of the complaint, courts must “accept all
well-pleaded factual allegations as true and draw all reasonable inferences in favor of the plaintiff.”
Prairie Rivers Network v. Dynegy Midwest Generation, LLC, 2 F.4th 1002, 1007 (7th Cir. 2021)
(citing Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015)).
A motion under Federal Rule of Civil Procedure 12(b)(6) tests whether the complaint states
a claim on which relief may be granted. Richards v. Mitcheff, 696 F.3d 635, 637 (7th Cir. 2012).
Under Rule 8(a)(2), a complaint must include “a short and plain statement of the claim showing
that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). The short and plain statement under
Rule 8(a)(2) must “give the defendant fair notice of what . . . the claim is and the grounds upon
which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (internal quotation marks
omitted). The complaint’s “[f]actual allegations must be enough to raise a right to relief above the
speculative level,” Twombly, 550 U.S. at 555; that is, the “complaint must contain sufficient factual
matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal,
556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). “A claim has facial plausibility
when the plaintiff pleads factual content that allows the court to draw the reasonable inference that
3
the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. The Court must
“construe the complaint in the light most favorable to plaintiff, accept all well-pleaded facts as
true, and draw reasonable inferences in plaintiff’s favor.” Taha v. Int’l Bhd. of Teamsters, Loc.
781, 947 F.3d 464, 469 (7th Cir. 2020); see also Silha, 807 F.3d at 174 (noting that courts apply
the same standard to facial challenges to standing). However, it need not “accept as true legal
conclusions, or threadbare recitals of the elements of a cause of action, supported by mere
conclusory statements.” Brooks v. Ross, 578 F.3d 574, 581 (7th Cir. 2009).
III.
Standing
The Court begins with standing—as it must, because standing is jurisdictional, and “it [is]
improper for courts to skip over jurisdictional issues in order to reach the merits.” Yassan v. J.P.
Morgan Chase & Co., 708 F.3d 963, 967 n.1 (7th Cir. 2013) (citing Steel Co. v. Citizens for a
Better Env’t, 523 U.S. 83, 93-94 (1998)). “To establish standing, a plaintiff must show that he has
suffered or is at imminent risk of suffering an injury caused by the defendant and that the injury
could likely be redressed by favorable judicial relief.” Patterson v. Howe, 96 F.4th 992, 996 (7th
Cir. 2024) (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021)). An injury only confers
standing to sue if it is an “injury in fact,” which means it must be “concrete, particularized, and
actual or imminent.” Id.
Defendants argue that plaintiffs lack standing because they have not suffered an injury in
fact. According to defendants, although plaintiffs’ personal information was exposed in a data
breach, plaintiffs allege nothing to indicate that their information has been misused in any way.
That is, despite the fact that the data breach occurred over a year ago, plaintiffs do not allege that
they have been sent fraudulent bills, that unauthorized accounts have been opened in their names,
4
that their information has been posted on the dark web, or that there are any other indicia of identity
theft or fraud.
Years ago, the Seventh Circuit held that plaintiffs “whose data has been compromised, but
not yet misused,” have suffered an injury-in-fact sufficient to confer standing, explaining that a
plaintiff may have standing if the defendant’s actions leave her under a “threat of future harm” or
“increase[e] the risk of future harm that the plaintiff would have otherwise faced, absent the
defendant’s actions.” Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). Since then,
the Supreme Court has explained that, to confer standing, a threatened injury must be “certainly
impending,” not merely feared based on “speculation” that a “highly attenuated chain of
possibilities” might occur. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409-10 (2013). But the
Seventh Circuit has warned courts “not to overread Clapper,” which was “addressing speculative
harm based on something that may not even have happened to some or all of the plaintiffs.”
Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015). When the plaintiffs are
victims of an “alleged data theft” that has “already occurred,” there is—unlike in Clapper— “‘no
need to speculate as to whether . . . information has been stolen.’” Lewert v. P.F. Chang’s China
Bistro, Inc., 819 F.3d 963, 966 (7th Cir. 2016) (quoting Remijas, 794 F.3d at 693). Similarly, it is
common sense that hackers steal personal information to profit from it, so there is no need “‘to
wait until hackers commit identity theft or credit-card fraud in order to give the class standing,
because there is an objectively reasonable likelihood that such injury will occur.’” Id. at 966-67
(quoting Remijas, 794 F.3d at 693). Further, if the plaintiffs incur “mitigation expenses” to
minimize the risk of harm from their stolen data being used for fraudulent purposes, these expenses
qualify as “actual injuries” for standing purposes, because and to the extent that the data breach
has “already occurred.” Lewert, 819 F.3d at 967.
5
Since Remijas and Lewert, the Supreme Court has addressed standing again, explaining
that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a
concrete harm—at least unless the exposure to the risk of future harm itself causes a separate
concrete harm.” TransUnion, 594 U.S. at 436. Some district courts have since concluded that the
mere exposure of personal information in a data breach, absent some reason apart from the breach
itself to believe that identity theft or fraud is imminent, does not suffice to confer standing to sue
for damages based on a risk of future harm. See, e.g., Kim v. McDonald’s USA, LLC, No. 21-CV05287, 2022 WL 4482826, at *5 (N.D. Ill. Sept. 27, 2022). It follows, these courts reason, that
mitigation-related injuries cannot confer standing because otherwise plaintiffs could
“‘manufacture standing merely by inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly impending.’” Id. at * 6 (quoting Clapper, 568 U.S.
at 416).
Other courts reason, however, that a plaintiff who “has already lost time mitigating the risk
of identity theft” following a data breach has suffered an injury-in-fact—namely, the lost time
itself— and TransUnion is not to the contrary, as it merely “emphasized that whether a harm is
concrete turns on whether it . . . already occurred.” Linman v. Marten Transp., Ltd., No. 22-CV204-JDP, 2023 WL 2562712, at *3 (W.D. Wis. Mar. 17, 2023). These courts do not consider an
injury to be speculative merely because it is “related to a risk of harm,” Linman, 2023 WL
2562712, at *3, where TransUnion held only that “the mere risk of future harm, standing alone,
cannot qualify as a concrete harm,” 594 U.S. at 436 (emphasis added), while holding open the
possibility that “the exposure to a risk of harm” might confer standing if it also “causes a separate
harm,” id. These decisions conclude that “[t]he time spent mitigating the risk of identity theft is a
separate harm from the risk of identity theft itself.” Linman, 2023 WL 2562712, at *3; see also
6
Roper v. Rise Interactive Media & Analytics, LLC, No. 23 CV 1836, 2023 WL 7410641, at *4
(N.D. Ill. Nov. 9, 2023), Florence v. Ord. Express, Inc., 674 F. Supp. 3d 472, 481 (N.D. Ill. 2023),
Doe v. Fertility Centers of Illinois, S.C., No. 21 C 579, 2022 WL 972295, at *2 (N.D. Ill. Mar. 31,
2022).
The Court finds the reasoning of Linman and like cases to be persuasive. While TransUnion
may have “marked a shift in the Court’s standing jurisprudence,” this Court is not convinced that
it cut the ground out from underneath Remijas and Lewert as they apply to this case, and the
Seventh Circuit has stopped short of retreating from them, as yet. See Dinerstein v. Google, LLC,
73 F.4th 502, 516 (7th Cir. 2023). Further, the Court does not read Remijas and Lewert to depend
on whether there are other facts, separate from and in addition to the data breach itself, to show
that plaintiffs whose personal information has been acquired without authorization suffer a
particular risk of future identity theft or fraud. Rather, those cases provide that a plaintiff who is
the victim of a data breach has suffered a harm that has “already occurred,” and that harm satisfies
the injury-in-fact requirement by putting him at a “substantial risk” of further “future harm,”
because hackers steal personal information for the “primary purpose” of committing fraud or
“assuming consumers’ identities.” Dinerstein, 73 F.4th at 516 (cleaned up). Even if, under
TransUnion, some “separate harm” is required, the time plaintiffs spent mitigating the risk of
identify theft is that “separate harm,” as explained in Linman, Florence, Doe, and other such cases.
Plaintiffs have sufficiently alleged an injury-in-fact, and their claims therefore survive defendants’
motion to dismiss for lack of standing under Rule 12(b)(1).
IV.
Failure to State a Claim
In the consolidated action against Mondelez, the complaint contains six counts, for claims
of negligence, negligence per se, unjust enrichment, breach of implied contract, invasion of
7
privacy, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act
(“ICFA”), 815 ILCS 505/1 et seq. In the consolidated action against Bryan Cave, the complaint
contains nine counts, for claims of negligence, negligence per se, unjust enrichment, violation of
the ICFA, violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200,
violation of the California Computer Protection Act, Cal. Civ. Code § 1798.100, injunctive and
declaratory relief, breach of contract as third-party beneficiaries, and bailment. In response to the
motions to dismiss, plaintiffs have withdrawn their ICFA claims and the California statutory
claims.
Although defendants are separately represented and have filed separate motions to dismiss,
they make similar arguments in support of dismissal of the negligence, negligence per se, and
unjust enrichment claims, and the Court will begin by addressing defendants’ common arguments
on those issues. The Court will then address the issues raised by Mondelez and Bryan Cave
individually.
A. Common Issues
1. Negligence
To state a claim for negligence under Illinois law, “a plaintiff must allege facts showing
that (1) the defendant owed a duty of care to the plaintiff, (2) that the defendant breached that duty,
and (3) that the breach was the proximate cause of plaintiff’s injuries.” Flores v. Aon Corp., 2023
IL App (1st) 230140, ¶ 23. In both of these consolidated actions, defendants argue that they had
no duty to protect plaintiffs’ personal information and that plaintiffs’ claims are barred by the
economic loss doctrine.
8
a. Duty
In arguing that they had no duty to protect plaintiffs’ personal information, defendants rely
on Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 816 (7th Cir. 2018), which,
in turn, relied on Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28-29 (Ill. App. Ct. 2010). In
Cooney, the defendant sent out a mailing that mistakenly exposed the plaintiffs’ personal
identifying information, and the plaintiffs argued that defendant had a duty to protect this
information under the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1 et
seq. Id. at 27-28; see id. at 28 (citing Kalata v. Anheuser-Busch Cos., Inc., 581 N.E.2d 656, 661
(Ill. 1991) (“A violation of a statute or ordinance designed to protect human life or property is
prima facie evidence of negligence.”)). The Illinois Appellate Court ruled that the PIPA imposed
no such duty; it only required data collectors who leak data or suffer a data breach to notify anyone
whose personal information has been exposed. Id. at 28. Further, the court declined to recognize
any common-law duty to safeguard personal information. Id. at 28-29. Defendants argue that
Cooney forecloses plaintiffs’ negligence claims.
The trouble with this argument is that the PIPA was amended in 2017 to require data
collectors to “implement and maintain reasonable security measures to protect” records from
“unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 ILCS
530/45(a); see In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 590 (N.D. Ill.
2022). The Illinois Appellate Court has recently recognized that, based on this amendment, “the
reasoning of the Cooney court no longer applies.” Flores, 2023 IL App (1st) 230140, ¶ 23; see
Wittmeyer v. Heartland All. for Hum. Needs & Rts., No. 23 CV 1108, 2024 WL 182211, at *2
(N.D. Ill. Jan. 17, 2024), Gallagher, 631 F. Supp. 3d at 590. With the ground thus cut out from
9
under defendants’ argument, the Court is in no position to conclude that, as a matter of law,
defendants had no duty to safeguard plaintiffs’ personal information.
b. Economic Loss Doctrine
The economic loss doctrine, known in Illinois as the Moorman doctrine, after Moorman
Manufacturing Co. v. National Tank Co., 435 N.E.2d 443 (Ill. 1982), generally bars tort liability
“for purely economic losses . . . where [the parties] have already ordered their duties, rights, and
remedies by contract.” Schnuck Markets, 887 F.3d at 812-13. The traditional rationale for the
doctrine is that courts can “trust the commercial parties interested in a particular activity to work
out an efficient allocation of risks among themselves in their contracts,” id., without having to
resort to tort law, which is better reserved for “a sudden, calamitous accident as distinct from a
mere failure to perform up to commercial expectations,” Rardin v. T&D Mach. Handling, Inc.,
890 F.2d 24, 29 (7th Cir. 1989). The Moorman doctrine arose in the context of products liability,
but “Illinois applies Moorman to services as well as the sale of goods because both business
contexts provide ‘the ability to comprehensively define a relationship’ by contract.” Schnuck
Markets, 887 F.3d at 813 (quoting Fireman’s Fund Ins. Co. v. SEC Donohue, Inc., 679 N.E.2d
1197, 1200 (Ill. 1997)).
“In the context of the service industry, however, the Illinois Supreme Court has held that
the economic loss doctrine applies only where the duty of the party performing the service is
defined by contract executed with the client.” Wittmeyer, 2024 WL 182211, at *3 (citing
Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514
(Ill. 1994)). “If the duty arises outside of a contract between the parties, then recovery in tort for
the negligent breach of that duty is not barred by the Moorman doctrine.” Flores, 2023 IL App
(1st) 230140, ¶ 56. The Illinois Appellate Court recently opined that, although the Congregation
10
of the Passion decision is not factually analogous to data breach cases, “its reasoning applies
equally to them,” and that applying the economic loss doctrine to data breach cases “would stretch
. . . the doctrine far beyond its products liability roots,” an extension the court was not prepared to
make. Flores, 2023 IL App (1st) 230140, ¶ 56. It follows that this federal Court, sitting in diversity
and applying Illinois law, is in no position to make it, either. The economic loss doctrine does not
apply. The motions to dismiss are denied as to defendants’ arguments based on the economic loss
doctrine.
2. Negligence Per Se
In each consolidated action, plaintiffs assert a second negligence count, captioned as
“negligence per se,” alleging that the exposure of their personal information resulted from
defendants’ violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C.
§ 45(a)(1), which makes unlawful “[u]nfair methods of competition” and “unfair or deceptive acts
or practices.”
As stated above, a violation of a statute may serve as prima facie evidence of negligence.
Kalata, 581 N.E. 2d at 661. A person injured by a violation of a statute that protects life or property
may assert a negligence claim against the violator if the violation “proximately caused his injury
and the statute or ordinance was intended to protect a class of persons to which he belongs from
the kind of injury he suffered.” Id.
But such a statutory violation “only constitutes negligence per se (which would mean strict
liability) if the legislature clearly intends for the act to impose strict liability.” Flores, 2023 IL App
(1st) 230140, ¶ 28. The Illinois Appellate Court recently explained in a data breach case that there
was “no support for the notion that the legislature clearly intended to impose strict liability for
FTC Act violations.” Id. Thus, while a violation of the FTC Act might, conceivably, establish a
11
prima facie case of negligence, which defendants could then rebut with evidence that they acted
reasonably under the circumstances, see Bier v. Leanna Lakeside Property Ass’n, 711 N.E.2d 773,
785 (Ill. App. Ct. 1999), it cannot support a claim of negligence per se. See Flores, 2023 IL App
(1st) 230140, ¶¶ 27-28; see also Wittmeyer, 2024 WL 182211, at *3-4. Plaintiffs’ negligence per
se claims are dismissed.
3. Unjust Enrichment
Both consolidated complaints include counts of “unjust enrichment,” which is not an
independent cause of action, but which may provide a theory of recovery where “the defendant
has unjustly retained a benefit to the plaintiff’s detriment,” in violation of “fundamental principles
of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc.,
545 N.E.2d 672, 679 (Ill. 1989); see Gagnon v. Schickel, 983 N.E.2d 1044, 1052 (Ill. App. Ct.
2012). Defendants argue that any claims based on an unjust enrichment theory should be dismissed
because they never unjustly retained any benefit conferred by plaintiffs to their detriment.
The Court agrees with defendants. Plaintiffs provided personal information to Mondelez
not as part of some transaction that enriched Mondelez but merely as an “administrative necessity”
incidental to their employment. See Flores, 2023 IL App (1st) 230140, ¶ 38. And Bryan Cave
similarly obtained the data incidentally to its representation of Mondelez. Given that the exposed
personal information here was entrusted to defendants only in the ordinary course of plaintiffs’
employment by Mondelez, the allegations do not support any conclusion that defendants have
“unjustly retained any benefit provided by plaintiffs.” Id. The motions to dismiss are granted as to
any claim of unjust enrichment.
12
B. Mondelez’s Motion to Dismiss
In addition to the above, Mondelez argues that the negligence claim should be dismissed
for failure to plausibly allege any breach by Mondelez or that the breach was the proximate cause
of any injury, and that the implied breach of contract and invasion of privacy claims should
similarly be dismissed for failure to plausibly allege certain elements of the causes of action.
1. Negligence—Breach and Proximate Cause
Mondelez argues that, even if it had any duty to safeguard plaintiffs’ personal information,
plaintiffs have not plausibly alleged that it proximately caused the exposure of plaintiffs’ personal
information by way of any breach of that duty, when all Mondelez is alleged to have done is turn
plaintiffs’ personal information over to its counsel, Bryan Cave. Bryan Cave’s information
systems, not Mondelez’s, were hacked, and Mondelez argues that there are no plausible allegations
to support the claim that Mondelez should be held responsible for a breach not of its own systems,
but Bryan Cave’s. In response, plaintiffs point out that they have alleged that Mondelez should
have ensured that its counsel followed proper data security practices, and it should have deleted
certain personal information that it no longer needed to maintain, rather than share it unnecessarily
with counsel.
Neither side cites cases in which courts have directly addressed the viability of such a
theory in a similar context, much less approved or rejected it. Plaintiffs argue that Mondelez’s
arguments about breach and proximate cause turn on questions of fact that make a ruling
inappropriate at the pleading stage, and the Court tends to agree. To the extent that there is little
precedent to guide the parties and the Court as to plaintiffs’ precise legal theory, there is all the
more reason to develop the facts first, rather than to hastily proceed to a dispositive ruling:
To the extent Plaintiffs’ claims do “not fall within the four corners of our prior case
law,” this “does not justify dismissal under Rule 12(b)(6). On the contrary, Rule
13
12(b)(6) dismissals ‘are especially disfavored in cases where the complaint sets
forth a novel legal theory that can best be assessed after factual development.’”
McGary v. City of Portland, 386 F.3d 1259, 1270 (9th Cir. 2004) (quoting Baker v.
Cuomo, 58 F.3d 814, 818-19 (2d Cir. 1995), vacated in part on other grounds, 85
F.3d 919 (2d Cir. 1996) (en banc)). See also 5B Charles Alan Wright & Arthur R.
Miller et al., Federal Practice & Procedure § 1357 (3d ed. 2015) (noting that courts
should “be especially reluctant to dismiss on the basis of the pleadings when the
asserted theory of liability” is “novel” and thus should be “explored”). Indeed, as
the law “firm[s] up” in unsettled areas, “it may be more feasible to dismiss weaker
cases on the pleadings;” otherwise, plaintiffs should be given “an opportunity to
develop evidence before the merits are resolved.” Metts v. Murphy, 363 F.3d 8, 11
(1st Cir. 2004).
Wright v. North Carolina, 787 F.3d 256, 263 (4th Cir. 2015); see also Cohesive Techs. v. Waters
Corp., 130 F. Supp. 2d 157, 160 (D. Mass. 2001) (similar reasoning at summary judgment stage).
Therefore, the motion to dismiss is denied as to the negligence claim.
2. Breach of Implied Contract
“An implied-in-fact contract must contain all the elements of an express contract, but
unlike an express contract or other contracts, its terms are inferred from the conduct of the parties.”
Gociman v. Loyola Univ. of Chicago, 41 F.4th 873, 883 (7th Cir. 2022). Mondelez argues that
plaintiffs have not plausibly alleged the existence of any valid enforceable contract, implied or
otherwise, between it and plaintiffs concerning their personal information. Plaintiffs respond that
a reasonable factfinder could infer from the circumstances the existence of a contract that required
Mondelez to protect the data its employees had entrusted it with. In particular, they point to
Mondelez’s “Privacy Policy,” which affirmed that “protecting . . . personal information is
important” to Mondelez, and, to that end, it “maintain[ed] administrative, technical, and physical
safeguards designed to help protect against unauthorized use, disclosure, alteration, or destruction
of the personal information” collected on its “Sites.” (Mondelez Consol. Compl. ¶ 31.) See
Gallagher, 631 F. Supp. 3d at 591.
14
Mondelez replies that the Privacy Policy addresses the collection of data from users of
Mondelez’s “Sites” (i.e. websites), not its employees, so it provides little support for any inference
of an implied contract between Mondelez and its employees. Mondelez is correct that the Privacy
Policy does not precisely address the collection of data in the context of the employee/employer
relationship. This is clear from the plain language of the Policy; for example, as both sides point
out, the Policy states, “if you apply for employment with us,” Mondelez “may provide you with
additional disclosures or notices.” Nevertheless, Mondelez’s argument strikes the Court as
misplaced. The Court does not understand plaintiffs’ claim to be that the Privacy Policy itself
represents the contract. It understands the claim, as in Gallagher and like cases, to be that the
existence of a Privacy Policy, even one addressed primarily to customers, demonstrates
Mondelez’s commitment to protecting personal information generally, and it is one of the
circumstances that might support an inference of “an implicit promise to protect employees’
personal information in exchange for their employment.” Gallagher, 631 F. Supp. 3d at 591; see
Tjahjono v. Westinghouse Air Brake Techs. Corp., No. 2:23-CV-531, 2024 WL 1287085, at *7
(W.D. Pa. Mar. 26, 2024); Enslin v. The Coca-Cola Co., 136 F. Supp. 3d 654, 675 (E.D. Pa. 2015);
see also Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 751 (S.D.N.Y. 2017) (“While
[the defendant] may not have explicitly promised to protect [personal information] from hackers
in Plaintiffs’ employment contracts, it is difficult to imagine how, in our day and age of data and
identity theft, the mandatory receipt of Social Security numbers or other sensitive personal
information would not imply the recipient’s assent to protect the information sufficiently.”)
(internal quotation marks omitted). Thus, the Court is not persuaded to dismiss the claim at this
early stage. Plaintiffs will have to flesh this claim out as the case proceeds, but the allegations,
15
considered in context, amount to more than “naked assertions,” Tjahjono, 2024 WL 1287085, at
*7, and they suffice to state a plausible claim to relief.
3. Invasion of Privacy
“Traditionally, the tort of invasion of privacy encompassed four theories of wrongdoing:
intrusion upon seclusion, appropriation of a person’s name or likeness, publicity given to private
life, and publicity placing a person in a false light.” Persinger v. Sw. Credit Sys., L.P., 20 F.4th
1184, 1192 (7th Cir. 2021). Mondelez argues that plaintiffs’ invasion of privacy claim should be
dismissed because plaintiffs do not plausibly allege sufficient facts to support any such claim under
any recognized legal theory. Plaintiffs respond that they state a claim under either of two theories—
intrusion upon seclusion and public disclosure of private facts—because they allege that Mondelez
recklessly disregarded their privacy rights by exposing their personal information to unauthorized
persons, who thereby “acquired” it. (Consol. Compl. ¶ 35.)
The Court agrees with Mondelez that plaintiffs do not state a claim of invasion of privacy
under either asserted theory. First, plaintiffs have not alleged that Mondelez itself intruded upon
their “seclusion” by unearthing private facts about plaintiffs without their authorization; to the
contrary, the allegation is that plaintiffs voluntarily disclosed the personal information at issue to
Mondelez. See Gallagher, 631 F. Supp. 3d at 598 (citing Bonilla v. Ancestry.com Operations Inc.,
574 F. Supp. 3d 582, 597 (N.D. Ill. 2021)). And they have not explained, nor does the Court see,
how the mere acquisition of their personal information by hackers amounts to “public disclosure”
of private facts. See Doe, 2022 WL 972295, at *6; see also Roper v. Rise Interactive Media &
Analytics, LLC, No. 23 CV 1836, 2024 WL 1556298, at *3 (N.D. Ill. Apr. 10, 2024) (citing and
following cases, including Doe, in which courts found similar allegations “insufficient to qualify
as a ‘public disclosure’”). The invasion of privacy claim is dismissed.
16
C. Bryan Cave’s Motion to Dismiss
Bryan Cave argues that the Court should dismiss all of plaintiffs’ common-law claims
because they have not alleged that Bryan Cave’s actions caused plaintiffs to suffer any actionable
damages, and the breach of contract and bailment claims should be dismissed for failure to
plausibly allege all elements of the causes of action.
1. No Common Law Damages
Bryan Cave argues that plaintiffs have not pleaded sufficient facts to support any valid
theory of damages on any of their common-law claims. The Court disagrees as to the negligence
claims, which are viable for the reasons stated above and in Gallagher, in which the court
explained that allegations supporting a finding of “emotional harms such as anxiety and increased
concerns for the loss of privacy” suffice for a recovery of “non-economic damages.” 631 F. Supp.
3d at 587; see Roper, 2024 WL 1556298, at *2.
The contract claim may be more complicated, to the extent that plaintiffs rely on a “losttime damages theory” in this case. Flores, 2023 IL App (1st) 230140, ¶ 34. In Flores, the Illinois
Appellate Court explained that, although the district court recognized the same theory as viable in
Gallagher, 631 F. Supp. at 587, its reasoning was “a product of federal law, not state law.” 2023
IL App (1st) 230140, ¶ 34. Flores held that the plaintiffs’ breach of contract claim was properly
dismissed to the extent it was premised only on a “lost-time damages theory” instead of allegations
of “actual monetary damages.” Id. At least one federal district court has applied Flores in a data
breach case and dismissed a contract claim on this basis. See Wittmeyer, 2024 WL 182211, at *56. The same reasoning would seem to apply to this case.
What gives the Court pause before following Flores and rejecting Gallagher’s reasoning
is that the Gallagher court relied on the Seventh Circuit’s decision in Dieffenbach v. Barnes &
17
Noble, Inc., 887 F.3d 826, 828, 830 (7th Cir. 2018), which is, of course, binding on this Court.
Flores cited only pre-Dieffenbach decisions of the Illinois Supreme Court, and the Court hesitates
to diverge from Dieffenbach without a clearer indication that the Illinois Supreme Court would
decide the issue differently. See Reiser v. Residential Funding Corp., 380 F.3d 1027, 1029 (7th
Cir. 2004) (explaining that “decisions of intermediate state courts,” which are themselves “just
prognostications,” do not “liberate district judges from the force of” an interpretation of state law
in a binding decision of the United States Court of Appeals). Ultimately, the Court need not decide
the issue, however, because plaintiffs’ contract claim, as well as their only other remaining
common-law claim, the bailment claim, must be dismissed on other grounds, as the Court will
explain below.
2. Breach of Contract—Intended Beneficiaries
Plaintiffs assert a claim for breach of contract against Bryan Cave as third-party
beneficiaries of its contract with Mondelez. Bryan Cave argues that plaintiffs do not state a claim
because they have not plausibly alleged that they are intended beneficiaries of any contract
between Bryan Cave and Mondelez.
“Under Illinois law, not every third party who benefits from a contract can sue for its
breach”; the third-party must be “someone whom the parties intended to directly benefit by the
performance of the contract,” as evidenced by “the language of the contract and the circumstances
surrounding its execution.” Crawford v. Belhaven Realty LLC, 109 N.E.3d 763, 776 (Ill. App. Ct.
2018). “Because parties typically enter into contracts to benefit themselves rather than third parties,
there is a presumption against intended beneficiary status that can only be overcome by an
implication so strong as to be practically an express declaration.” Id. (internal quotation marks
omitted).
18
Plaintiffs have not alleged circumstances sufficient to overcome the presumption here.
They have not alleged the terms of the contract or that it was made with reference to any impact it
might have on the rights, privileges, or welfare of any particular third parties. A vague awareness
that the transaction might have consequences for non-contracting parties is not enough. See
Altevogt v. Brinkoetter, 421 N.E.2d 182, 188 (Ill. 1981); Barney v. Unity Paving, Inc., 639 N.E.2d
592, 596 (Ill. App. Ct. 1994). This is not a case, like Crawford, 109 N.E.3d at 776, in which the
parties contemplated rendering “a performance directly to a third party,” which typically shows an
intent to benefit that party. See Advanced Concepts Chicago, Inc. v. CDW Corp., 938 N.E.2d 577,
582-83 (Ill. App. Ct. 2010). Without more, plaintiffs allege no more than the mere possibility that
Mondelez and Bryan Cave intended to benefit Mondelez’s employees by their agreement for legal
services, and that possibility does not suffice to elevate the right to relief above the speculative
level and over the plausibility threshold. Therefore, this breach of contract claim is dismissed.
3. Bailment
“A bailment is ‘the delivery of goods for some purpose, upon a contract, express or implied,
that after the purpose has been fulfilled they shall be redelivered to the bailor, or otherwise dealt
with according to his directions, or kept till he reclaims them.’” Kirby v. Chicago City Bank & Tr.
Co., 403 N.E.2d 720, 723 (Ill. App. Ct. 1980) (quoting Knapp, Stout & Co. v. McCaffrey, 52 N.E.
898, 898 (Ill. 1899)). “Among the necessary elements of a bailment are an agreement by the bailor
to transfer or deliver and the bailee to accept exclusive possession of goods for a specified purpose,
the actual delivery or transfer of exclusive possession of the property of the bailor to the bailee,
and acceptance of exclusive possession by the bailee.” Kirby, 403 N.E. 2d at 723.
Bryan Cave argues that plaintiffs’ bailment claim must be dismissed because plaintiffs
have not alleged that it was in “exclusive possession” of plaintiffs’ personal information. The Court
19
agrees. The law of bailment in Illinois does not map onto the circumstances of this case, as no one
can have “exclusive possession” of another person’s personal information.
True, the Court has recognized above that, in borderline cases, it may be preferable to deny
a motion to dismiss and permit the parties to develop the record before ruling on the availability
of an untried legal theory. But plaintiffs’ bailment claim does not present a question of
foreseeability that might benefit from further factual development. Rather, the bailment claim
would be a stretch under any conceivable version of the facts, and “‘federal court is not the place
to press innovative theories of state law.’” Cima v. WellPoint Health Networks, Inc., 556 F. Supp.
2d 901, 907 (S.D. Ill. 2008) (quoting Anderson v. Marathon Petroleum Co., 801 F.2d 936, 942
(7th Cir. 1986)); see Great N. Ins. Co. v. Amazon.com, Inc., 524 F. Supp. 3d 852, 856 (N.D. Ill.
2021) (“[T]his court must bear in mind the Seventh Circuit’s admonition that, “[w]hen given a
choice between an interpretation of Illinois law which reasonably restricts liability, and one which
greatly expands liability, [a federal court] should choose the narrower and more reasonable path
(at least until the Illinois Supreme Court [says] differently).’”) (quoting Todd v. Societe Bic, S.A.,
21 F.3d 1402, 1412 (7th Cir. 1994)).
Bryan Cave also moves for dismissal of any claim for injunctive or declaratory relief,
arguing that any such claim must fail to the extent that each substantive claim fails. Despite the
fact that plaintiffs assert their right to injunctive or declaratory relief in its own count, the Court
does not consider this a separate claim; it is merely a separate form of relief. Regardless, the Court
does not conclude that each substantive claim fails; the negligence claim survives Bryan Cave’s
motion to dismiss, so whatever right to injunctive or declaratory relief plaintiffs may have on that
claim, if any, likewise survives.
20
CONCLUSION
Defendants’ motions to dismiss [Case No. 23 C 3999, ECF No. 35; Case No. 23 C 4249,
ECF No. 41] are granted in part and denied in part. The motions are denied as to standing and as
to failure to state a claim of negligence or for declaratory or injunctive relief. Plaintiffs’ negligence
claims survive in both consolidated actions. The motions to dismiss are otherwise granted.
Plaintiffs shall file an amended complaint, if desired, by July 3, 2024. The parties shall file a joint
status report by July 10, 2024. The Court sets a status hearing in both consolidated actions for July
17, 2024.
SO ORDERED.
ENTERED: June 3, 2024
_________________________________
JORGE L. ALONSO
United States District Judge
21
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
