McLaughlin et al v. Taylor University
Filing
32
OPINION AND ORDER DENYING 12 Motion to Dismiss for Failure to State a Claim as to Plaintiffs' claims for negligence, negligence per se, and breach of contract; GRANTING the motion as to all other claims. Plaintiffs' claims for unjust enrichment, invasion of privacy, and bailment are DISMISSED. Signed by Chief Judge Holly A Brady on 9/23/2024. (mrm)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF INDIANA
FORT WAYNE DIVISION
JUSTIN MCLAUGHLIN and ATURINA
ESHW, on behalf of themselves, and all
others similarly situated,
)
)
)
)
)
)
) CASE NO.: 1:23-cv-00527-HAB-SLC
)
)
)
)
)
Plaintiffs,
v.
TAYLOR UNIVERSITY
Defendant,
OPINION AND ORDER
Plaintiffs Justin McLaughlin and Aturina Eshw, on behalf of themselves and all other
similarly situated (collectively hereafter “Plaintiffs”), sued Defendant, Taylor University
(“Taylor”), because hackers infiltrated Taylor’s network and stole Plaintiffs’ personal information.
(ECF No. 1). Plaintiffs allege that Taylor failed to implement reasonable measures to safeguard
their information and failed to promptly notify Plaintiffs of the data breach. Plaintiffs’ suit asserts
claims for negligence, negligence per se, breach of contract, unjust enrichment, invasion of
privacy, and breach of bailment. Before the Court is Taylor’s Motion to Dismiss Plaintiffs’
Complaint (ECF No. 12) in its entirety. Taylor’s Motion is now fully briefed (ECF Nos. 13, 19,
22) and ripe for ruling.
I.
Standard or Review
Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of a complaint, or any
portion of a complaint, for failure to state a claim upon which relief can be granted. Fed. R. Civ.
P. 12(b)(6). “To survive a motion to dismiss, a complaint must contain sufficient factual matter,
1
accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S.
662, 678 (2009) (citations and internal quotation marks omitted); see also Ray v. City of Chi., 629
F.3d 660, 662-63 (7th Cir. 2011). “A claim has facial plausibility when the plaintiff pleads factual
content that allows the court to draw the reasonable inference that the defendant is liable for the
misconduct alleged.” Id. When analyzing a motion to dismiss a claim under Rule 12(b)(6), the
factual allegations in the complaint must be accepted as true and viewed in the light most favorable
to the plaintiff. Brokaw v. Mercer Cnty., 235 F.3d 1000, 1006 (7th Cir. 2000).
That said, the Court is not “obliged to accept as true legal conclusions or unsupported
conclusions of fact.” Bielanski v. Cty. Of Kane, 550 F.3d 632 Cir. 2008). And “[t]hreadbare recitals
of the elements of a cause of action, supported by merely conclusory statements do not suffice.”
Iqbal, 556 U.S. at 678.
II.
Factual Background
Taylor is a private university located in Upland, Indiana. (ECF No. 1, ¶ 20). In the ordinary
course of providing educational services, Taylor requires students, employees, and others to
provide their personal information to conduct their business. (Id. ¶ 25). Taylor stores that
information on its servers. (Id. ¶ 26). Plaintiff Mclaughlin is a graduate of Taylor and Plaintiff
Eshw is a former prospective student that applied to Taylor in 2020. (Id. ¶¶ 13, 17). Both provided
and entrusted Taylor with their personal information. (Id. ¶ 31).
On or around May 18, 2023, Taylor was subject to a sophisticated cybersecurity incident
in which hackers got their hands on Plaintiffs’ personal information (“the “Incident”). (ECF No.
1-1). Once Taylor identified the Incident, it secured the systems involved, alerted law enforcement,
and launched an investigation. (Id.). Through the investigation, Taylor learned that hackers
accessed the affected systems between February 26 and May 18, 2023. (Id.) Taylor’s Notice Letter
2
indicates that those systems may have contained the personal information of current and former
students, prospective students, employees, donors, and other individuals, including their names,
Social Security numbers, driver’s license/state ID numbers, and/or financial account information
(collectively “PII”). (ECF No. 1, ¶ 39; ECF No. 1-1). And in the Notice Letter Taylor offers a year
of free credit monitoring services and encouraged the victims to remain vigilant in monitoring their
affairs. (ECF No. 1-1). Taylor sent the Notice Letter to the victims on December 4, 2023. (Id.).
Plaintiffs McLaughlin and Eshw received the Notice Letter and filed suit in this forum
seeking to certify a class of “[a]ll individuals whose Personal Information was compromised as a
result of the [Incident] with [Taylor] which was announced on or about December 4, 2023.” (Id. ¶
79.). Plaintiffs allege that the Incident “was preventable and a direct result of [Taylor’s] failure to
implement adequate and reasonable cyber-security procedures and protocol necessary to protect
individual’s [PII].” (Id. ¶ 43). Plaintiffs state that they “have been required to take the time and
effort…to mitigate the actual and potential impact of the [Incident] including…placing ‘freezes’
and ‘alerts’ with credit reporting agencies, contacting their financial institutions, closing or
modifying financial accounts, and closely reviewing and monitoring” various sources for
unauthorized activity. (Id. ¶ 7). Other injuries Plaintiffs contend that they have suffered include:
misuse or theft of their PII; diminution in value of their PII; and loss of the benefit of the bargain
with Taylor to adequately protect their PII. (Id. ¶¶ 72, 102). Plaintiffs also claim that they incurred
out-of-pocket expenses, suffered emotional distress and anxiety, and now forever face an amplified
risk of further misuse, fraud, and identity theft because the hackers’ receipt of their PII. (Id. ¶¶ 4,
101).
Plaintiffs thus sued Taylor under theories of negligence (Count I), negligence per se under
Section 5 of the Federal Trade Commission Act (Count II), breach of contract (Count III), unjust
3
enrichment (Count IV), invasion of privacy (Count V), and breach of bailment (Count VI). (Id. at
23-35).
III.
Discussion
Taylor seeks dismissal of all claims asserted in Plaintiffs’ Complaint. (ECF No. 13). It
starts by broadly alleging that Plaintiffs’ damages do not amount to a cognizable loss sufficient for
any cause of action under Indiana law. (Id. at 5-10). Taylor then hones in on Plaintiffs’ causes of
action individually and contends that they have failed to state a claim for each. The Court will first
address Taylor’s argument that Plaintiffs’ alleged injuries are insufficient and will then address
each of Plaintiffs’ substantive causes of action specifically below.
a. Cognizable Loss
Indiana law requires Plaintiffs to plead a cognizable loss or actual injury as an
indispensable element of their common law claims.1 Taylor asserts three arguments to support
their assertion that Plaintiffs fail to plead a cognizable loss: (1) increased risk of future harm and
identity theft as well as anticipated mitigation and remediation costs are insufficient; (2) injuries
based on the diminished value of PII are routinely rejected; and (3) future anxiety related theories
are not cognizable injuries.2
While Taylor encourages this Court not to “conflate Article III’s requirement of injury in
E.g., Bader v. Johnson, 732 N.E.2d 1212, 1217 (Ind. 2000) (negligence claim requires a “compensable injury
proximately caused by defendant’s breach of duty.”); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 635 (7th Cir. 2007)
(“Compensable damages are an element of a breach of contract cause of action”); Reed v. Reid, 980 N.E.2d 277, 296
(Ind. 2012) (unjust enrichment requires a benefit rendered and unjustly retained); Henry v. Cmty. Healthcare Sys.
Cmty. Hosp., 184 N.E.3d 645, 651 (Ind. Ct. App.), transfer denied, 188 N.E.3d 845 (Ind. 2022), and abrogated by
Cmty. Health Network, Inc. v. McKenzie, 185 N.E.3d 368 (Ind. 2022) (requiring injury in the form of publication of
private facts to the public at large); Norris Auto. Serv. v. Melton, 526 N.E.2d 1023, 1027 (Ind. Ct. App. 1988) (finding
bailment only when plaintiff could show “(1) bailment was created, (2) [defendant] negligently stored the vehicle, and
(3) as a result the [property] was damaged.”).
2
Taylor also contends that Plaintiffs’ “Benefit of the Bargain Theory does not amount to a cognizable loss.” (ECF
No. 13 at 9-10). Such damages are specific to Plaintiffs’ claim for breach of contract and the Court will address that
issue when addressing that cause of action below.
1
4
fact with [the Plaintiffs’] potential causes of action,” Debernardis v. IQ Formulations, LLC, 942
F.3d 1076, 1084 (11th Cir. 2019), “‘cause of action’ and ‘standing’ [as] distinct concepts can be
difficult to keep separate[.]” Bond v. United States, 564 U.S. 211, 218-19 (2011). “A plaintiff to
have standing must have an injury, and a plaintiff to have an Indiana cause of action for negligence
or breach of contract must have an injury.” Krupa v. TIC International Corp., 2023 WL 143140,
at *3 (S.D. Ind. Jan. 10, 2023).3 Taylor cites no in-circuit authority to support that the standard for
injury-in-fact under Article III is higher than that of a compensable injury under Indiana law. And
like other courts in this Circuit have said, the Court sees no difference as applied here. See Johnson
v. Nice Pak Prod., Inc., 2024 WL 2845928, at *14 (S.D. Ind. June 5, 2024). Taylor argues that
Plaintiffs were not injured by the theft of their PII and reasons that the only injuries Plaintiffs can
show are future injuries or the risk of future harm. Taylor therefore contends that Plaintiffs’ alleged
injuries are insufficiently definite to pursue a claim under Indiana law.
The Court begins with Taylor’s argument that the increased risk of future harm and
anticipated mitigation costs are not injuries. Taylor relies heavily on Pisciotta v. Old Nat’l
Bancorp, 499 F.3d 629 (7th Cir. 2007). In Pisciotta, the issue was “whether Indiana would consider
that the harm caused by identity information exposure . . . constitutes an existing compensable
injury and consequent damages required to state a claim for negligence or for breach of contract.”
Id. at 635 (emphasis in original). At that time, the answer was no. Id. But the Seventh Circuit and
Indiana courts alike have done well with chipping away at Pisciotta’s commands. See, e.g., Paul
v. Ardagh Glass, Inc., No. 49D07-2209-CT-031302, 2023 WL 5153147, at *7 (Ind. Super. Ct. Jan.
3
See TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2203, 210 L. Ed. 2d 568 (2021); Robertson v. B.O., 977 N.E.2d
341, 344 (Ind. 2012) (“injury” as an element of negligence); Berg v. Berg, 170 N.E.3d 224, 231 (Ind.
2021) (“damages” as an element of breach of contract)
5
23, 2023); In re Eskenazi Health Data Incident Litig., No. 49D01-2111-PL-038870, 2022 WL
20505180, at *11 (Ind. Super. Ct. Sep. 2, 2022); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d
688, 694 (7th Cir. 2015); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir.
2016).
Since Pisciotta, the Seventh Circuit has recognized the imminent and concrete injuries data
breach victims suffer. Those victims, for example, are “at risk for both fraudulent charges and
identity theft,” even if those events have not yet manifested. Lewert, 819 F.3d at 967. In the same
vein, they must “spen[d] time and effort monitoring both [their] card statements and [their] other
financial information as a guard against fraudulent charges and identity theft.” Id. And it seems
that Taylor “implicitly acknowledge[s] this” by offering and encouraging credit monitoring
services because “[i]t is unlikely that [Taylor] did so because the risk is so ephemeral that it can
safely be disregarded.” Remijas, 794 F.3d at 694. When posed as a question, it almost seems
commonsensical: “[w]hy else would hackers break in . . . and steal . . . private information?
Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those
. . . identities.” Id. at 693.
Although those cases concerned Article III’s standing requirement, Indiana law on
compensable injuries is consistent. For example, Indiana law explicitly allows as damages “the
value of [lost time].” Ind. Model Civ. Jury Inst. 703(3) (brackets in original); See also Johnson,
2024 WL 2845928, at *14. The time and effort that data breach victims must expend is a real
injury. And recently, one Indiana Court found that further proceedings are necessary “to determine
the extent to which those damages can be compensated as arising from the Data Breach at issue in
[that] case.” Paul, 2023 WL 5153147, at *6. That said, the Court finds that the increased risk of
identity theft that Plaintiffs now face and the costs to mitigate those risks are cognizable injuries.
6
The extent to which those injuries can be compensated remains to be seen.
Moreover, Taylor glosses over a significant aspect of Plaintiffs’ Complaint—the actual
misuse of Plaintiffs’ PII that Plaintiffs allege resulted in fraudulent charges. (ECF No. 1, ¶¶ 7274). Following the Incident, Plaintiff Eshw had a fraudulent charge on her Chase debit card. (Id. ¶
74). While true that “[v]ictims affected by those retailer breaches [impacting card information]
could avoid much of the potential future harm by simply cancelling credit or debit cards and
obtaining replacements,” (ECF No. 1, ¶ 46) that too takes time and effort to resolve. Plaintiffs’
time, effort, and money to combat identity theft and fraud in the wake of the Incident is a
cognizable injury. At least at this early stage in litigation, the Court will not dismiss Plaintiffs’
causes of action on that basis.
Taylor also argues that the diminished value of Plaintiffs’ PII is not a cognizable injury. In
support, it points the Court to Silha v. ACT, Inc., where the Seventh Circuit affirmed the Illinois
District Court’s “reject[ion of] the claimed injury of diminished value of PII because Plaintiffs
failed to ‘allege that they have the ability to sell their personal information or that Defendants’
conduct foreclosed them from entering into a ‘value for value transaction’ relating to their PII.”
807 F.3d 169, 172 (7th Cir. 2015). Plaintiffs counter that, under Indiana law, at least one court
found that diminished value allegations can confer harm. (ECF No. 19 at 7 (citing In re Eskenazi
Health Data Incident Litig., 2022 WL 20505180, at *10 (“the diminution of value in the PII has
been deemed a credible harm by at least some federal courts”))).
While PII may have some value, the Court agrees with Defendant insofar as it is hard to
see how the value of Plaintiffs’ PII has been diminished. Plaintiffs fail to “explain how the hackers’
possession of . . . information has diminished its value, nor d[o] [they] assert that [they] would
ever actually sell [their] own personal information.” Khan v. Children’s Nat’l Health Sys., 188 F.
7
Supp. 3d 524, 531 (D. Md. 2016) (rejecting diminished value of PII theory in the standing context).
Instead, Plaintiffs rely on a litany of general allegations highlighting PII’s value on the black
market. (ECF No. 1, ¶¶ 46-49). None of those allegations suggest that Plaintiffs’ PII lost value in
legitimate markets. Nor do they suggest that they cannot continue to enter value-for-value
transactions using their PII on such markets. See Griffey v. Magellan Health Inc., 562 F. Supp. 3d
34, 46 (D. Ariz. Sept. 27, 2021) (“[W]ithout identifying a market in which they can or could and
intend or intended to sell their information, Plaintiffs here fail to demonstrate a loss in value of
their PII or PHI.”).
Although In re Eskinazi established that the risk of immediate harm alleged by those
plaintiffs conferred standing, it made little mention of the plaintiffs’ claims that their PII’s
diminished value is an adequate injury under Indiana law. Indeed, the Court said only that “the
diminution of value in the PII has been deemed a credible harm by at least some federal courts.”
In re Eskinazi, 2022 WL 20505180, at *4 (citing In re Marriott Int'l, Inc., Customer Data Sec.
Breach Litig., 440 F. Supp. 3d 447, 460-62 (D. Md. 2020); Bass v. Facebook, Inc., 394 F. Supp.
3d 1024, 1034 (N.D. Cal. 2019)). The out-of-circuit cases relied upon on In re Eskanazi do not
speak to Indiana law, and the Seventh Circuit presents contrary authority which the Court follows.
See Silha, 807 F.3d at 172. The diminished value of Plaintiffs’ PII is simply “too speculative” to
establish a cognizable injury, let alone standing in this Circuit. See Kylie S. v. Pearson PLC, 475
F. Supp. 3d 841, 849 (N.D. Ill. 2020).
As for Plaintiffs’ emotional distress and anxiety related damages, such damages are
plausible and adequately plead. Taylor posits that “if these emotional injuries alone were sufficient
to invoke the jurisdiction of federal courts, ‘then everyone would have standing to litigate about
everything’” Kim v. McDonald's USA, LLC, 2022 WL 4482826, at *7 (N.D. Ill. Sept. 27, 2022)
8
(quoting Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668 (7th Cir. 2021))
(emphasis added). But the emotional toll of having their PII stolen is not the only harm that
Plaintiffs allege. Having found that Plaintiffs’ mitigation efforts and the accompanying time spent
is a cognizable injury under Indiana law, the emotional toll stemming from the Incident too is
cognizable.4
b. Negligence (Count I)
Under Indiana law, common law negligence claims consist of three elements: “(1) duty
owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below the applicable
standard of care, and (3) compensable injury proximately caused by defendant’s breach of duty.”
Bader v. Johnson, 732 N.E.2d 1212, 1217 (Ind. 2000). Taylor moves to dismiss Plaintiffs’ common
law negligence claim on virtually all fronts: (1) “Taylor does not owe a duty to protect Plaintiffs’
personal information from cyberattacks”; (2) even if Taylor does owe such a duty, Plaintiffs fail
to allege that “Taylor’s alleged breach…proximately caused” their injuries; and (3) Plaintiffs’
negligence claim is barred by the economic loss doctrine.
Starting with the first element, the issue is whether Taylor owed a duty to protect Plaintiffs’
PII. “[B]usinesses have the common-law duty to exercise ordinary and reasonable care in the
conduct of their operations . . . for the safety of others whose injuries should reasonably have been
foreseen or anticipated.” WEOC, Inc. v. Niebauer, 226 N.E.3d 771, 778 (Ind. Feb. 12, 2024). But
“[a] defendant cannot be found negligent where there is no duty to the plaintiff.” Jaffri v.
JPMorgan Chase Bank, N.A., 26 N.E.3d 635, 638 (Ind. Ct. App. 2015). “Whether a duty exists is
Taylor cannot rely on Wadsworth. 12 F.4th 665. There, the Court held that general allegations that plaintiff “has
suffered, and continues to suffer, personal humiliation, embarrassment, mental anguish and emotional distress” did
not establish standing for an FDCPA claim, nothing more. See id. at 668-69. That case has little bearing on this case
especially in light of Plaintiffs’ other injuries.
4
9
generally a question of law for the court.” Id.
Taylor cites Trenton v. Schnuck Markets, 887 F.3d 803, 817 (7th Cir. 2018), for the notion
that there is no “independent common law duty to safeguard personal information.” The Court
finds that case unpersuasive as Trenton interpreted Illinois and Missouri law, not Indiana law. Id.
Taylor also argues that Plaintiffs must “actually explain where this independent duty comes from,
but fails to do so[,]” relying on Aspen Am. Ins. v. Blackbaud, Inc., 624 F. Supp. 3d 982, 998 (N.D.
Ind. 2022). (ECF No. 13 at 11).
But Plaintiffs do not come empty handed. The Southern District of Indiana, addressing a
similar issue in the employee-to-employer context, reasoned that “generally, employees
reasonably expect their employers to keep their personal information safe. Even in the era before
digital recordkeeping, if an employer kept its employees’ Social Security numbers in an unlocked
box on the sidewalk for anyone to take, no one would question that the employer would be
negligent.” Johnson, 2024 WL 2845928, at *13. And Indiana common law has adapted to the
digital age. See, e.g., Paul, 2023 WL 5153147, at *7 (holding that Defendant owed a duty to protect
Plaintiff’s PII in a reasonably secure manner); In re Eskenazi Health Data Incident Litig., 2022
WL 20505180, at *11 (same).
As in Paul, Taylor took the affirmative act of collecting and maintaining students’ and
employees’ information. “[B]y taking the affirmative act of collecting the PII, [Taylor] assumes a
duty to maintain that information in a reasonable manner. Restatement (Second) of Torts section
302.” Paul, 2023 WL 5153147, at *7. That duty “includes protecting against unauthorized
misappropriation of the PII because the general harm of unauthorized disclosure of the sensitive
PII could reasonably be expected to occur against the class of persons such as [Plaintiffs] who
provided their PII to [Taylor].” Id. (citing Rogers v. Martin, 63 N.E.3d 316, 325 (Ind. 2016)). The
10
Court holds that Taylor owed a duty to Plaintiffs to keep their PII safe and that Plaintiffs adequately
pled that element in their Complaint.
Taylor next contends that Plaintiffs “fail to plausibly allege that Taylor’s alleged breach of
such duty proximately caused them to suffer a cognizable loss.” (ECF No. 13 at 11). The Court
discussed Plaintiffs’ injuries at length above and determined that they were sufficient to support
an Indiana cause of action. Taylor thus argues that “Plaintiffs assume a causal connection between
[those injuries] and Taylor’s alleged failure to implement measures to protect their PII.” (Id.). That
kind of speculation, Taylor cries, “is insufficient to plausibly plead that Taylor is the proximate
cause of Plaintiffs’ alleged injuries.” (Id. (citing Scott Cty. Fam. YMCA, Inc. v. Hobbs, 817 N.E.2d
603, 604 (Ind. Ct. App. 2004) (“Negligence cannot be inferred from the mere fact of an accident,
absent special circumstances.”)).
This argument is a nonstarter. “Breach and proximate cause are almost always questions
of fact to be resolved by a factfinder.” Smith v. Walsh Constr. Co. II, LLC, 95 N.E.3d 78 (Ind. Ct.
App. 2018) (citing Megenity v. Dunn, 68 N.E.3d 1080, 1083 (Ind. 2017)). And Plaintiffs alleged
in great detail that Taylor breached its duty by failing to: (1) exercise reasonable care in supervising
its employees and agents; (2) maintain an adequate data security system to reduce the risk of data
breaches and cyber-attacks; (3) implement its promised Privacy Policy; (4) adhere to industry
standards (5) properly monitor its own data security systems for existing intrusions; (6) exercise
reasonable care in supervising its employees and agents; and (7) provide reasonably timely notice
of the Incident. (ECF No. 1, ¶¶ 71, 83, 100, 110). And Plaintiffs allege viable harms caused by
such breaches. The Court needs to go outside the Complaint to determine whether these alleged
breaches did, in-fact, cause Plaintiffs’ injuries. Summary Judgment is the appropriate vehicle to
make such a determination.
11
Lastly, Taylor alleges that Plaintiffs’ negligence claim is barred by the economic loss
doctrine. Under Indiana law, “a defendant is not liable under a tort theory for any purely economic
loss caused by its negligence.” U.S. Bank, N.A. v. Integrity Land Title Corp., 929 N.E.2d 742, 745
(Ind. 2010). “[C]ontract is the only available remedy where the loss is solely economic in nature.
. . in the absence of damage to other property or person.” Aspen, 624 F. Supp. 3d at 1002 (quoting
Gunkel v. Renovations, Inc., 822 N.E.2d 150, 152 (Ind. 2005)). But “the economic loss doctrine’s
preclusive effect must yield if the plaintiff has set forth any set of circumstances under which it
would be entitled to relief—a relatively low bar.” Residences of Ivy Quad Unit Owners Ass’n, Inc.
v. Ivy Quad Dev., LLC, 179 N.E.3d 977, 983 (Ind. 2022) (emphasis added).
Plaintiffs allege more than purely economic losses here. Their alleged damages include—
among other things—lost time, embarrassment, humiliation, frustration, and emotional distress.
(ECF No. 1, ¶¶ 101, 102). In Residences, the Indiana Supreme Court held that, though the
economic loss doctrine may preclude the plaintiffs’ negligence claim as the facts developed,
dismissal was inappropriate because the plaintiffs’ alleged damages were not purely economic. 79
N.E.3d at 982; See also Johnson, 2024 WL 2845928, *16 (“In any event, at least some of the harms
experienced by the Plaintiffs are not solely economic, such as lost time and worry”). Plaintiffs
plead similarly here and have set forth a set of circumstances under which tort law would be the
appropriate remedy. Because Plaintiffs have plausibly alleged non-economic harms, dismissal is
inappropriate at this juncture.
In short, Plaintiffs’ Complaint checks all the boxes for a negligence claim under Indiana
law, and the economic loss doctrine does not warrant dismissal. The Court thus DENIES Taylor’s
Motion to Dismiss as to Plaintiffs’ negligence claim.
c. Negligence Per Se (Count II)
12
Along with their common law negligence claim, Plaintiffs allege negligence per se under
Section 5 of the Federal Trade Commission Act (“FTCA”). (ECF No. 1, ¶¶ 103-115). The FTCA
prohibits “unfair…practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). Plaintiffs allege that
this provision imposes a duty on Taylor “to provide fair and adequate computer systems and data
security practices to safeguard Plaintiffs’…PII.” (ECF No. 1, ¶ 104). Plaintiffs believe that the
Incident indicates a breach of that duty. (Id. ¶ 110). Taylor’s only argument for dismissing
Plaintiffs’ negligence per se claim is that the FTCA does not provide a private right of action. (ECF
No. 13 at 12 (citing Merriam v. GC Servs., 2018 WL 3068857, at *1 (N.D. Ind. June 21, 2018)
(“The FTC Act does not create a private right of action.”)).
Taylor appears to conflate a negligence per se claim with a private right of action under the
FTCA. And the confusion is common. See Gresser v. Reliable Exterminators, Inc., 160 N.E.3d
184, 191 (Ind. Ct. App. 2020) (“[T]hese two forms of tort claim are often confused[.]”). But
negligence per se claims and private right of action claims, though similar, are distinct. Stachowski
v. Est. of Radman, 95 N.E. 3d 542, 545 (Ind. Ct. App. 2018) (“whether a statute or ordinance
confers a ‘private right of action’” is “a concept that is related to but distinct from the doctrine of
negligence per se.”).
A private right of action assumes that an alleged “violation of a statute or ordinance gives
rise to civil liability even in the absence of a common-law duty.” Stachowski, 95 N.E.3d at 545.
Negligence per se, on the other hand, “assumes the existence of a common-law duty of reasonable
care, and the court is asked to adopt the standard of conduct set forth in a statute or ordinance . . .
as the standard of conduct required under that preexisting duty, so that a violation of the statute or
ordinance serves to satisfy the breach element of a negligence action.” Id. at 544. Negligence per
se claims “differ in that a violation of certain statutes or ordinances serves to satisfy the breach
13
element.” Johnson, 2024 WL 2845928, at *18 (quoting WEOC, Inc. v. Niebauer, 226 N.E.3d 771,
778 (Ind. 2024)).
With these differences in mind, an “unexcused violation of a statutory duty constitutes
negligence per se if the statute or ordinance is intended to protect the class of persons in which the
plaintiff is included and to protect against the risk of the type of harm which has occurred as a
result of its violation.” Erwin v. Roe, 928 N.E.2d 609, 619 (Ind. Ct. App. 2010) (internal quotations
omitted). Thus, “[t]he question for the jury is not whether the [FTCA] was violated but whether
[Defendants] breached [their] duty to protect [Plaintiffs’] PII by failing to meet the standard of
care articulated in the [FTCA].” Paul, 2023 WL 5153147, at *9.
Plaintiffs are not pursuing a private cause of action for violations of the FTCA; they assert
that Taylor’s violations of those statutes evince a breach of its duty to protect Plaintiffs’ PII. (ECF
No. 1, ¶¶ 104-115). The FTCA prohibits unfair acts that affect commerce. 15 U.S.C. § 45. “Data
breaches affect commerce, and Plaintiffs benefit from protections against the kinds of harms that
proper data security would avoid.” Johnson, 2024 WL 2845928, at *18. “[T]he non-existence of
[a private right of action] under…the [FTCA]…does not preclude Plaintiffs’ claims.” In re
Eskanazi, 2022 WL 20505180, at *24.
That said, “the [FTCA] can serve as the basis of a negligence per se claim[,]” Perdue v.
Hy-Vee, Inc., 455 F. Supp. 3d 749, 760-61 (C.D. Ill. 2020), and Plaintiffs have plausibly alleged
such a claim. The Court thus DENIES Taylor’s Motion to Dismiss as to Plaintiffs’ negligence per
se claim.
d. Breach of Contract (Count III)
Plaintiffs’ next cause of action is for “breach of express/implied contractual duty.” (ECF
No. 1 at 28-30). Plaintiffs allege that Taylor offered educational services in exchange for payment
14
and labor in exchange for employment. (Id. ¶¶ 117-18). In both scenarios, Taylor required
Plaintiffs to provide their PII. (Id.). In turn, Plaintiffs allege that Taylor promised to “not disclose
[Plaintiffs’ PII] to unauthorized persons” and “to maintain safeguards to protect their [PII].” (Id. ¶
119). Plaintiffs therefore believe that these promises support the existence of a contract, and that
Taylor breached that contract through the Incident. In turn, Taylor argues that Plaintiffs’
allegations fall short for several reasons: (1) “Plaintiffs fail to plausibly allege…mutual assent to
terms of a contract for certain data protections[;]” (2) there is no “consideration for such an
agreement[;]” and (3) there was no breach. (ECF No. 13 at 13).
“The elements of an implied-in-fact contract are the same as an express contract: offer,
acceptance, and consideration.” Wakley v. Sustainable Loc. Foods LLC, 2017 WL 1880814, at *3
(S.D. Ind. May 9, 2017) (internal citations omitted). Unlike express contracts, “[a]n implied in fact
contract refers to the class of obligations which arises from mutual agreement and intent to
promise, when the agreement and promise have simply not been expressed in words.” McCart v.
Chief Exec. Officer in Charge, Indep. Fed. Credit Union, 652 N.E.2d 80, 85 (Ind. Ct. App. 1995).
Accordingly, “a contract implied in fact arises out of acts and conduct of the parties, coupled with
a meeting of the minds and a clear intent of the parties in the agreement.” Id.
While Taylor urges the Court that there is no mutual assent or consideration, “[n]o general
rule can be set forth as to what facts are necessary to prove the existence of an implied contract.”
Johnson, 2024 WL 2845928, at *23 (citing Wilhoite v. Beck, 141 Ind. App. 543, 230 N.E.2d 616,
623 (Ind. Ct. App. 1967)). And Plaintiffs’ Complaint sufficiently alleges mutual assent through
offer and acceptance. Plaintiffs assert that Taylor offered educational services and employment
with the condition that Plaintiffs would provide their PII. Plaintiffs accepted those services and
provided their PII. Plaintiffs’ provision of their PII is sufficient consideration. See Perry v. Bay &
15
Bay Transp. Servs., Inc., 650 F. Supp. 3d 743, 757 (D. Minn. 2023) (“Bay & Bay provided
consideration by promising to consider Perry for employment, while Perry provided consideration
by providing valuable property, his PI.”). In exchange for that PII, Plaintiffs allege that Taylor
agreed to not disclose their PII, to maintain proper safeguards for the PII’s protection, and to
provide prompt notice of unauthorized access to Plaintiffs’ PII. (ECF No. 1 ¶¶ 119-20). As
evidence of Taylor’s promise to protect their PII, Plaintiffs point to Taylor’s privacy policy where
it states that Taylor “takes the issue of data security seriously” and has “employed various
technologies and policies to keep your data safe.” See In re Arthur J. Gallagher Data Breach Litig.,
631 F. Supp. 3d 573, 591 (N.D. Ill. 2022) (finding statement in privacy policy “that Defendant
would ‘restrict access to your personal information to those who require access to such information
for legitimate, relevant business purposes’” sufficient to support an implied contract).
Plaintiffs have further alleged that they value the confidentiality of their PII, that they
would not have provided it to Defendant absent an agreement to protect it, and that Defendant did
not implement the anticipated data security protections. See In re Marriott, 440 F. Supp. 3d at 466
(“it is enough to allege that there was an explicit or implicit contract for data security, that plaintiffs
placed value on that data security, and that Defendant failed to meet their representations about
data security”). And although the terms of the implied contract alleged here are not perfectly
defined at the pleading stage, “[t]he question as to whether or not there was either an express
contract or an implied contract to pay for the services is [a] matter of fact.” Johnson, 2024 WL
2845928, at *23 (quoting Wilhoite, 230 N.E.2d at 623). Whether Taylor breached the alleged
agreement is also a question of fact. Trustees of Indiana Univ. v. Spiegel, 186 N.E.3d 1151, 1158
(Ind. Ct. App. 2022) (“Whether the defendant breached the contract is a question of fact.”).
Whether the relationship is employer-to-employee or university-to-student, there is a
16
general understanding that PII should be kept private. Such an understanding is plausibly implicit
in the terms of Plaintiffs’ employment or educational contracts. The precise terms of the alleged
agreement “can be fleshed out in discovery.” Speigel, 186 N.E.3d at 1160 (“The terms of the
implied contracts and the parties’ intentions can be fleshed out in discovery.”). The Court thus
finds that it would be premature to dismiss Plaintiffs’ breach of contract claim at the pleading
stage.
The Court must also address Taylor’s argument that Plaintiffs’ benefit of the bargain theory
is not a cognizable loss under Indiana law. (ECF No. 13 at 9). In response, Plaintiffs point out that
Taylor only supports this theory with out-of-circuit precedent, none of which addresses Indiana
law. At least one Indiana Court declined dismissal on that basis at the pleading stage. See In re
Eskinazi, 2022 WL 20505180, at *4 (standing context). Similar to In re Eskanazi, “Plaintiffs’ have
adequately pleaded a basis to bring contract claims to receive the full benefit of the bargain from
[Taylor]…due to [Taylor’s] alleged failure to provide the data security services as part of
Plaintiffs’” provision of labor and purchase of educational services. Id. at *26. Plaintiffs may
therefore proceed on this theory of recovery at least at this point.
Having found that Plaintiffs sufficiently plead a breach of contract claim, Taylor makes
one last argument on damages. It argues that Plaintiffs’ contract claims should be dismissed
because Plaintiffs would otherwise be placed in a more advantageous position than before the
alleged breach. (ECF No. 13 at 15-16). Under Indiana law, “a party injured by a breach of contract
may not be placed in a better position than it would have enjoyed if the breach had not occurred”
and “the law disfavors a windfall or a double recovery.” Sheek v. Mark A. Morin Logging, Inc.,
993 N.E.2d 280, 289 (Ind. Ct. App. 2013). Taylor notes that Plaintiffs do not allege that they did
not receive the services or compensation that they bargained for.
17
Plaintiffs respond that they have alleged cognizable damages resulting from Taylor’s
alleged breach. Indeed, Plaintiffs contend that they are entitled to compensation for data security
that they paid for but did not receive. But that is not the only damages sought which Plaintiffs
attribute to Taylor’s alleged breach. They also claim as damages their mitigation efforts and the
heightened risk of identity theft which the Court has already determined are cognizable losses. The
extent that those damages are attributable to Taylor’s alleged breach remains to be seen, but
Plaintiffs need not plead damages “with mathematical certainty” at this stage. In re Eskinazi, 2022
WL 20505180, at *26 (quoting Newland N. Am. Foods, Inc. v. Zentis N. Am. Operating, LLC, 2013
WL 1870652, at *4 (N.D. Ind. May 3, 2013)). Accordingly, it would also “be premature for the
Court to find that Plaintiffs would receive a windfall as a result of this claim.” Id.
The Court thus DENIES Taylor’s Motion to Dismiss as to Plaintiffs’ breach of contract
claim.
e. Unjust Enrichment (Count IV)
Taylor argues that Plaintiffs fail to state a claim for unjust enrichment. (ECF No. 13 at 1618). It posits that the facts do not suggest “a measurable benefit on Taylor…related in any way to
data security.” (Id. at 18). Nor, Taylor argues, does Plaintiffs’ Complaint plausibly suggest “that
payments for applications and tuition include[] a portion reserved for data privacy and security
practices[.]” (Id.). Taylor also contends that, “in the Seventh Circuit, ‘such arguments have been
adopted by courts only where the product itself was defective or dangerous and consumers claim
they would not have bought it (or paid a premium for it) had they known of the defect.’” (Id. at 17
(quoting Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016)). To that
end, Taylor argues that Plaintiffs do not allege that their services were defective or dangerous.
Plaintiffs respond that they “clearly conferred a benefit…first in the form of the PII itself” and
18
through payments for tuition or labor. (ECF No 19 at 22).
Under Indiana law, unjust enrichment claims have three elements: “(1) [Plaintiff] rendered
a measurable benefit to the defendant at the defendant’s express or implied request; (2) [Plaintiff]
expected payment from the defendant; and (3) allowing the defendant to retain the benefit without
restitution would be unjust.” Neibert v. Perdomo, 54 N.E.3d 1046, 1051 (Ind. Ct. App. 2016). The
parties disagree as to the first element—whether Plaintiffs conferred a measurable benefit to
Taylor.
Taylor first points out that “Plaintiffs do not cite any Indiana law to support their argument
that they conferred a benefit upon Taylor, that Taylor recognized, in the context of providing
tuition or employment.” (ECF No. 22 at 9). While Indiana recognizes data as property which this
Court concedes has value, it is difficult to see how Taylor benefited from Plaintiffs’ PII other than
benefits incidental to running its business operations. In the employment context, “Plaintiffs have
not alleged that [Taylor] benefited from the PII information other than as incidental to benefitting
from Plaintiffs' compensated labor.” Johnson, 2024 WL 2845928, at *25-26 (dismissing unjust
enrichment claim). And as for the Plaintiffs who were students or prospective students, the only
benefits Taylor received were incidental to running a university and maintaining a student body.
Plaintiffs do not allege that Taylor sold their PII or retained any other benefit outside the PII itself.
As applied here, “[t]he PII is better understood as necessary to conduct business operations, not a
good whose inherent value was extracted by [Taylor].” Id. at *26.
Having found that the PII did not cast a measurable benefit, that leaves Plaintiffs’ tuition
and application fees or labor as the only potential sources. But using these sources as a measurable
benefit give Plaintiffs fits too. As for labor, this Court follows the guidance of Judge MagnusStinson who determined that “the provision of labor” was an insufficient benefit in the employer19
to-employee context. Id. As for the tuition and application fees, the Court finds Plaintiffs’
Complaint wanting.
Plaintiffs do not allege that any portion of their payments would go to data security. See
Perdue v. Hy-Vee, Inc. 455 F. Supp. 3d 749, 766 (C.D. Ill. 2020) (dismissing unjust enrichment
claim where “Plaintiffs have not alleged that any specific portion of their payments went toward
data protection; rather, they state that their payments were for food and gas.”). Faced with similar
allegations against a restaurant, a Central District of Illinois Court dismissed the plaintiff’s unjust
enrichment claim because the plaintiff “paid for food products. She did not pay for a side order of
data security and protection; it was merely incident to her food purchase.” Irwin v. Jimmy John’s
Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016). Bearing in mind that “the court must
draw on its judicial experience and common sense,” Iqbal, 556 U.S. at 678-79, Plaintiffs paid for
and received educational services. Plaintiffs received those services and data security is properly
couched as incidental to Plaintiffs’ purchase. And without knowing what portion of those fees
were allocated to data security (if at all), Plaintiffs’ unjust enrichment claim is too speculative to
survive dismissal.
The Court thus GRANTS Taylor’s Motion to Dismiss as to Plaintiffs’ unjust enrichment
claim.
f. Invasion of Privacy (Count V)
Taylor contends that Plaintiffs’ invasion of privacy claim must be dismissed because
“Plaintiffs fail to allege essential elements of [their] claim.” (ECF No. 13 at 18). Invasion of
privacy claims encompasses four theories of wrongdoing: (1) intrusion upon seclusion; (2)
appropriation of a person's name or likeness; (3) public disclosure of private facts; and (4) publicity
placing a person in a false light. See Pucillo v. Nat’l Credit Sys., Inc., 66 F.4th 634, 639 (7th Cir.
20
2023). Plaintiffs’ claim is for public disclosure of private facts which, under Indiana law, consists
of four elements: “(1) the information disclosed must be private in nature; (2) the disclosure must
be made to the public; (3) the disclosure must be one that would be highly offensive to a reasonable
person; and (4) the information disclosed is not of legitimate public concern.” Cmty. Health
Network, Inc. v. McKenzie, 185 N.E.3d 368, 382 (Ind. 2022). Taylor asserts that Plaintiffs’
Complaint fails to allege the second and third elements.
As to the second element, also known as the publicity element, Taylor contends that it
“made no disclosure, nor did a disclosure occur, to the public at large.” (ECF No. 13 at 19). Relying
on McKenzie, it is Taylor’s position that “[t]he publicity element means that the information must
be communicated [by the defendant] in a way that either reaches or is sure to reach the public in
general or a large enough number of persons such that the matter is sure to become public
knowledge.” 185 N.E.3d at 382. While that is the rule, Taylor added the bracketed language. To
that end, Taylor’s argument is that the public disclosure must be made by the defendant, not some
unauthorized third party. Taylor also suggests that there has been no public disclosure at all.
Plaintiffs respond that, “[w]ithout saying so, [Taylor] seems to be arguing that a disclosure
must be intentional to be tortious.” (ECF No 19 at 23). Plaintiffs believe that Taylor did make a
disclosure by maintaining data security practices which allowed hackers to access Plaintiffs’ PII.
And Plaintiffs contend that their allegation that Taylor disclosed Plaintiffs’ PII “to enough people
that it is reasonably likely those facts have and/or will become known to the public at large,
including, without limitation, on the dark web and elsewhere” satisfies the publicity requirement.
(ECF No. 1, ¶ 141).
Indeed, “Indiana’s public-disclosure tort is not an intentional tort.” Z.D. v. Cmty. Health
Network, Inc., 217 N.E.3d at 531 (Ind. 2023). But the Court does not construe Taylor’s argument
21
to mean that some mental state was required under the tort. Public-disclosure cases “uniformly
hold that the publicity requirement is met only if said publicization is attributable to the
defendant—i.e., defendant must have caused, precipitated or permitted the publicity.” Id. at 536
(quoting David A. Elder, Privacy Torts § 3.3 (2022)). To that end, Taylor seems to be arguing that
there is no public disclosure attributable to them. In analyzing the facts of Z.D., the Court agrees
that Indiana’s public-disclosure tort should not be wrapped around data breach cases such as this.
In Z.D., the plaintiff received medical care from one of the defendant’s facilities. Id. at 530.
After her visit, the defendant’s employee tried to call the plaintiff to discuss her health matters. Id.
Unable to reach the plaintiff, the employee prepared a letter documenting Z.D.’s private health
information. Id. Although the letter was properly addressed, the envelope in which it was placed
was addressed to the wrong person and mailed to that person. Id. That person ended up being a
teenager who attended the same school as the plaintiff’s daughter. Id. When the improper person
received the letter, she posted the letter to Facebook. Id.
From this, the Indiana Supreme Court determined that “[t]he public-disclosure tort
embodies dual imperatives, neither of which are served by imposing an intent requirement.” Id. at
534. “First, from individuals and entities alike, the tort demands protection for private
information” and “serves to deter the unauthorized disclosure of private information.” Id. Such
deterrence may be achieved by implementing security measures. Id. Recognizing that “such
measures may fall short[,]” the second imperative is “when failures occur, injured individuals
deserve a remedy.” Id.
Although these dual imperatives may be served by allowing the cause of action here, the
Court doubts that the Indiana Supreme Court would stretch its bounds so far. See Republic Servs.
of Indiana Ltd. P'ship v. Coe Heating & Air Conditioning, Inc., 700 F. Supp. 3d 676 (N.D. Ind.
22
2023) (“[F]ederal district courts must act as a prognosticator of what a state court would decide
when a state’s Supreme Court is silent.”). An alteration in the facts of Z.D. demonstrates why. Say,
for example, the defendant’s employee properly addressed the envelope and placed it in a safe at
the defendant’s facility. Overnight, a third-party burglar broke into the facility, cracked the safe,
and stole the letter. The burglar then posted that letter to Facebook. That does not sound like the
defendant publicly disclosed the plaintiff’s private health information. If anything, that sounds like
negligence. Such is the case here. And this Court has already stated that Plaintiffs can proceed on
their negligence claim at this stage.
Plaintiffs’ Complaint also does not provide a basis for the Court to believe that Plaintiffs’
PII was communicated in a manner that is sure to reach the public. “The information must be
communicated in a way that either reaches or is sure to reach the public in general or a large enough
number of persons such that the matter is sure to become public knowledge.” McKenzie, 185
N.E.3d at 382. Plaintiffs state that Taylor disclosed Plaintiffs’ PII “to enough people that it is
reasonably likely those facts have and/or will become known to the public at large, including,
without limitation, on the dark web and elsewhere.” (ECF No. 1, ¶ 141). Although the Court must
take that statement as true under Rule 12(b)(6), “a formulaic recitation of a cause of action’s
elements will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545 (2007). The Complaint does
not establish that Plaintiffs’ PII has reached the public at large. Nor is there anything to suggest
that Plaintiffs’ PII will surely become public knowledge. In that vein, the Court finds Plaintiffs’
Complaint wanting. Having found Plaintiffs’ Complaint insufficient on the second element, the
Court need not address offensiveness.
The Court thus GRANTS Taylor’s Motion to Dismiss Plaintiffs’ claim for invasion of
privacy.
23
g. Bailment (Count VI)
Lastly, Plaintiffs assert a claim for breach of bailment that Taylor contends must fail
because “there are no facts showing the existence of a bailment under Indiana law.” (ECF No. 13
at 19). Taylor states that a bailment requires full transfer of the property to the sole custody of the
bailee such as to exclude the owner—or bailor—and all others. (Id.). It’s Taylor’s position that
“Plaintiffs’ bailment theory…cannot stand because Taylor did not have sole custody and control
of [Plaintiffs’ PII].” (Id. at 20). Relying on Krupa, 2023 WL 143140, Plaintiffs respond that it is a
“reasonable inference” that Taylor did exclusively possess Plaintiffs’ PII because, once it was on
Taylor’s servers, Plaintiffs could not manipulate the information. (ECF No. 19 at 25). From
Plaintiffs’ perspective, Taylor was in full control of their PII. (Id.).
In Indiana, “[a] bailment arises when: (1) personal property belonging to a bailor is
delivered into the exclusive possession of the bailee and (2) the property is accepted by the
bailee.” Winters v. Pike, 171 N.E.3d 690, 697 (Ind. Ct. App. 2021). “For delivery to occur, there
must be a full transfer of the property, either actually or constructively, to the sole custody of the
bailee such as to exclude the owner/bailor and others.” Id. at 699. The Court agrees with Taylor
that it is difficult to see how there was a full transfer of Plaintiffs’ PII.
Two cases from the Southern District of Indiana are at odds. Krupa is the only case to allow
a bailment claim in the data breach context under Indiana law. And in Krupa, Judge Sweeney II
held that the plaintiff “avoid[ed] the ‘exclusive possession’ problem” because “[Krupa] was unable
to manipulate his personal data on [the defendant’s] servers; [the defendant] was in full control.”
2023 WL 143140, at *10. No doubt Krupa supports the application of a bailment claim to this
case. But more recently and under similar facts, Judge Magnus-Stinson held the opposite of Judge
Sweeney II: “[I]n this case, Plaintiffs’ PII was not in Defendants’ exclusive possession. Plaintiffs
24
were free to use or disseminate their PII as they pleased and deliver it to limitless others.” Johnson,
2024 WL 2845928, at *8. Although Judge Magnus-Stinson acknowledged Krupa’s holding, the
departure is telling.
As the Court has said, Plaintiffs’ PII is property. But due to the nature of the property, the
Court sees no avenue for Plaintiffs to argue that Taylor exclusively possessed it. Under Indiana
law, delivery of the property to the bailee is essential to a bailment’s creation and “sufficient
delivery” requires “such a full transfer…as to exclude the owner and all other persons.” Stubbs v.
Hook, 467 N.E.2d 29, 31 (Ind. Ct. App. 1984). Plaintiffs here were not excluded from their PII.
Even if Plaintiffs could not manipulate their PII once on Taylor’s servers, Plaintiffs still had
uninhibited access to their PII insofar as they could “deliver it to limitless others.” Johnson, 2024
WL 2845928, at *8. Holding otherwise here would render the exclusive possession requirement
essentially meaningless in data breach cases; a bailor/bailee relationship would exist anytime
somebody provides their personal information to a party in order to receive services or
employment. In line with Judge Magnus-Stinson, the Court declines to stretch the laws of bailment
so far.
Further, in examining Krupa’s holding, it is an outlier case. The predominant view across
the country is that bailment is not a viable theory in data breach cases. See e.g., Galaria v.
Nationwide Mut. Ins., 2017 WL 4918634, at *1 (S.D. Ohio Oct. 31, 2017) (collecting cases) (“A
number of courts across the country have considered bailment claims in the context of data security
breaches and concluded that the scenario in which a person provides personally identifiable
information to a business and the information is stolen does not give rise to bailment liability.”).
And, as stated above, for good reason. Under no set of facts can Plaintiffs show that they were
somehow excluded from possession of their own data. Indeed, Plaintiffs were and are free to do
25
whatever they want with their PII. The Court cannot say Taylor exclusively possessed it. Lacking
that essential element, Plaintiffs’ bailment claim should be dismissed.
The Court thus GRANTS Taylor’s Motion to Dismiss as to Plaintiffs’ bailment claim.
IV.
Conclusion
For these reasons, Taylor’s Motion to Dismiss (ECF No. 12) is DENIED as to Plaintiffs’
claims for negligence, negligence per se, and breach of contract; the motion is GRANTED as to
all other claims. Plaintiffs’ claims for unjust enrichment, invasion of privacy, and bailment are
DISMISSED.
SO ORDERED on September 23, 2024.
s/ Holly A. Brady
CHIEF JUDGE HOLLY A. BRADY
UNITED STATES DISTRICT COURT
26
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?