JOHNSON v. NICE PAK PRODUCTS, INC.
Filing
45
ORDER - Plaintiffs Darin Johnson and Robert Willey, on behalf of a putative class of similarly situated individuals, are suing Defendants Nice Pak Products, Inc. ("Nice Pak") and Professional Disposables International, Inc. ("Pr ofessional Disposables") for losses they suffered from a data breach due to cybertheft. Defendants have filed a Motion to Dismiss Amended Complaint, which is ripe for the Court's consideration. [Filing No. 26]. As to Plaintiffs' cla ims for negligence, negligence per se, and breach of implied contract, Defendants' Motion to Dismiss, 26 , is DENIED and those claims SHALL PROCEED; As to the Plaintiffs' claims for unjust enrichment, bailment, and violation of the New York Deceptive Trade Practices Act, Defendants' Motion to Dismiss, 26 ,is GRANTED and those claims are DISMISSED WITHOUT PREJUDICE. No partial final judgment shall issue. Signed by Judge Jane Magnus-Stinson on 6/5/2024. *** SEE ORDER *** (CKM)
<![CDATA[
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF INDIANA
INDIANAPOLIS DIVISION
DARIN JOHNSON and ROBERT WILLEY on behalf of )
themselves and all others similarly situated,
)
)
Plaintiffs,
)
)
v.
)
)
NICE PAK PRODUCTS, INC. and PROFESSIONAL
)
DISPOSABLES INTERNATIONAL, INC.,
)
)
Defendants.
)
No. 1:23-cv-01734-JMS-CSW
ORDER
Plaintiffs Darin Johnson and Robert Willey, on behalf of a putative class of similarly
situated individuals, are suing Defendants Nice Pak Products, Inc. ("Nice Pak") and Professional
Disposables International, Inc. ("Professional Disposables") for losses they suffered from a data
breach due to cybertheft. They allege that Defendants failed to use updated cybersecurity measures
to prevent the breach and failed to promptly notify victims about their compromised personally
identifiable information ("PII"). They assert claims for negligence, negligence per se in violation
of the Federal Trade Commission Act ("FTC Act"), breach of implied contract, unjust enrichment,
bailment, and violation of the New York Deceptive Trade Practices Act. Defendants have filed a
Motion to Dismiss Amended Complaint, which is ripe for the Court's consideration. [Filing No.
26].
I.
S TANDARD OF REVIEW
Under Rule 12(b)(6), a party may move to dismiss a claim that does not state a right to
relief. The Federal Rules of Civil Procedure require that a complaint provide the defendant with
"fair notice of what the . . . claim is and the grounds upon which it rests." Erickson v. Pardus, 551
1
U.S. 89, 93 (2007) (quoting Bell Atlantic v. Twombly, 550 U.S. 544, 555 (2007)). In reviewing
the sufficiency of a complaint, the Court must accept all well-pled facts as true and draw all
permissible inferences in favor of the plaintiff. See Active Disposal Inc. v. City of Darien, 635
F.3d 883, 886 (7th Cir. 2011). A Rule 12(b)(6) motion to dismiss asks whether the complaint
"contain[s] sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on
its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). The
Court will not accept legal conclusions or conclusory allegations as sufficient to state a claim for
relief. See McCauley v. City of Chicago, 671 F.3d 611, 617 (7th Cir. 2011). Factual allegations
must plausibly state an entitlement to relief "to a degree that rises above the speculative level."
Munson v. Gaetz, 673 F.3d 630, 633 (7th Cir. 2012). This plausibility determination is "a contextspecific task that requires the reviewing court to draw on its judicial experience and common
sense." Id.
II.
B ACKGROUND
The following are the factual allegations set forth in the Amended Complaint, the operative
Complaint in this case, which the Court must accept as true at this time:
A.
Defendants Collect Employees' PII
Nice Pak "is a corporation that provides 'quality wet wipes,' and other healthcare products."
[Filing No. 20 at 1.] Professional Disposables "is a health corporation and affiliate of [Nice Pak],
that provides 'products and solutions, educational resources, in-service training, and clinical
support' to . . . healthcare providers or similar companies." [Filing No. 20 at 2.] Mr. Johnson and
Mr. Willey and the putative Class Members are or were employees for one or both Defendants.
[Filing No. 20 at 2.]
2
Pursuant to their employment, Defendants collected Plaintiffs' PII, including "full names,
addresses, Social Security numbers . . . and medical and health insurance information." [Filing
No. 20 at 2.] Plaintiffs allege that "Defendants promised to provide confidentiality and adequate
security for employee data though their applicable privacy policy and through other disclosures in
compliance with data privacy requirements." [Filing No. 20 at 7.]
B.
Cyberthieves Steal Employees' PII from Defendants
Sometime between May 28 and June 15, 2023, "an unauthorized actor viewed and obtained
files" kept by Defendants (the "Data Breach"). [Filing No. 20 at 9.] Among those files were
"names, addresses, Social Security Numbers, health plan member numbers, and health saving
account numbers." [Filing No. 20 at 9-10.] On June 15, 2023, the final day of the Data Breach,
Defendants identified the "unusual activity." [Filing No. 20 at 9.] After nearly two months had
passed, on August 14, 2023, Defendants finally sent letters to Plaintiffs informing them of the Data
Breach. [Filing No. 20 at 8-9 (letter available at https://www.doj.nh.gov/consumer/securitybreaches/documents/nice-pak-products-20230814.pdf)] According to Plaintiffs, missing from the
letter were "details of the root cause of the Data Breach, the vulnerabilities exploited, and the
remedial measures taken to ensure such a breach does not occur again." [Filing No. 20 at 9.]
C.
This Litigation
Plaintiffs filed suit in the Marion Superior Court, and Defendants removed the case to this
Court. [Filing No. 1-1; Filing No. 1.] Plaintiffs allege that "[a]rmed with the [PII] accessed in the
Data Breach, data thieves have . . . engaged in identity theft and fraud . . . and can in the future
commit a variety of crimes including . . . opening new financial accounts, . . . taking out loans, . .
. obtain[ing] government benefits, filing fraudulent tax returns, . . . obtaining driver's licenses, . . .
and giving false information to police during an arrest"—all while posing as Plaintiffs using their
PII. [Filing No. 20 at 4.] As a result of these risks, Plaintiffs allege they must "now and in the
3
future closely monitor their financial accounts," and "purchas[e] credit monitoring services, credit
freezes, credit reports, or other protective measures to deter and detect identity theft." [Filing No.
20 at 4.]
Plaintiffs state that they have since "spent significant time remedying the [Data Breach] . .
. valuable time [that] would have [been] spent on other activities." [Filing No. 20 at 13.] Plaintiffs
state that they have suffered many injuries, including "invasion of privacy"; "theft of PII"; "lost or
diminished value of PII"; "lost time and opportunity costs associated with attempting to mitigate
the actual consequences of the Data Breach"; "loss of benefit of the bargain"; "anxiety and
increased concerns for the loss of . . . privacy, especially . . . Social Security number[s] being in
the hands of criminals"; " impending injury arising from the substantially increased risk of fraud,
identity theft, and misuse resulting from . . . stolen [PII] being placed in the hands of unauthorized
third parties and possibly criminals"; and other damages. [Filing No. 20 at 13-17.]
Plaintiffs allege that Defendants "failed to adhere to industry standards," such as "educating
all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and antimalware software; encryption, making data unreadable without a key; multi-factor authentication;
backup data and limiting which employees can access sensitive data." [Filing No. 20 at 21.]
Plaintiffs also allege that "Defendants failed to adhere to FTC guidelines," which allegedly
admonish businesses to maintain certain standards of data protection, including "protect[ing]
personal customer information that they keep," "encrypt[ing] information stored on computer
networks," and "implement[ing] policies to correct security problems." [Filing No. 20 at 20.]
According to Plaintiffs, businesses falling beneath the standard of care for data security have
historically been subject to legal actions by the FTC pursuant to Section 5 of the Federal Trade
Commission Act. [Filing No. 20 at 20-21 (citing 15 U.S.C. § 45).]
4
Plaintiffs claim that Defendants' alleged actions and omissions amounted to negligence,
negligence per se under Section 5 of the FTC Act, breach of implied contract, unjust enrichment,
violation of bailment, and violation of the New York Deceptive Trade Practices Act, General
Business Law § 349 ("GBL § 349"). [Filing No. 20 at 27-39.]
Pursuant to these claims, Plaintiffs seek remedies, "including, but not limited to,
compensatory damages and injunctive relief including improvements to Defendants' data security
systems, future annual audits, and adequate credit monitoring services funded by Defendants."
[Filing No. 20 at 5.] Plaintiffs note that although Defendants "ma[d]e an offer of 12 months of
identity monitoring services," such compensation is "wholly inadequate" due to the risk of identity
theft extending for "multiple years." [Filing No. 20 at 10.]
Plaintiffs ultimately seek to have the case certified as a class action on behalf of the
following classes:
•
All persons residing in the United States whose PII was accessed and/or
acquired by an unauthorized party as a result of the Data Breach reported by
Defendants in August 2023, including all persons who received the Notice
Letter.
•
All New York citizens whose PII was accessed and/or acquired by an
unauthorized party as a result of the Data Breach reported by Defendants in
August 2023, including all persons who received the Notice Letter.
[Filing No. 20 at 22-23.]
A.
III.
DISCUSSION
Negligence Claim
Defendants argue that Plaintiffs have failed to state a claim for negligence because the
"economic loss rule" prevents their claims, they have not alleged a "breach of any duty recognized
by Indiana law," and "their claim fails for a lack of cognizable injuries." [Filing No. 27 at 4-5.]
Defendants argue that under the economic loss rule, "a defendant is not liable under a tort theory
5
for any purely economic loss caused by its negligence" without "personal injury or damage to
property other than the product or service itself." [Filing No. 27 at 4.] Defendants argue that
instead, "the sole remedy for the failure of a product or service" is the contract itself. [Filing No.
27 at 5.] Defendants state that the negligence claims must necessarily be "governed by contract"
because the Plaintiffs have not pointed to an independent duty of care outside of the contract, since
"no such common-law duty exists in Indiana." [Filing No. 27 at 6.] Defendants further argue that
they did not owe a duty to Plaintiffs, stating that "the Seventh Circuit has specifically determined
that the Indiana data breach statutes create no duty related to safeguarding of personal
information." [Filing No. 27 at 7 (citing Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir.
2007)).] Defendants state further that Plaintiffs have alleged no cognizable damages because
neither "the harm caused by identity information exposure" nor the "attendant costs to guard
against identity theft" "are compensable injuries under Indiana law." [Filing No. 27 at 8.]
Plaintiffs state in their response that they have "adequately pleaded Nice Pak's negligence."
[Filing No. 30 at 5.] Plaintiffs explain that their negligence claims "are not barred by the economic
loss rule" because their damages are not "solely economic" and because Nice Pak owed them an
"independent duty" to protect its employee's PII. [Filing No. 30 at 5.] Plaintiffs further state that
the economic loss doctrine applies only in the context of "products liability and construction."
[Filing No. 30 at 6.] Plaintiffs state that their damages extend beyond the solely economic because
they relate to "increased risk of identity theft and misuse of their" PII, and "time spent monitoring
accounts, protecting against, and mitigating risk of misuse, lost time, annoyance, interference, and
inconvenience." [Filing No. 30 at 6.] Plaintiffs note that a bailment claim "can be styled as one
in contract or in tort," hence under tort law, they have demonstrated that the Defendants owed a
"duty of outside of a contractual relationship." [Filing No. 30 at 7.] Plaintiffs state further that
6
they allege "cognizable damages as [a] result of the data breach." [Filing No. 30 at 8.] Plaintiffs
argue that since the decision of Pisciotta, the Seventh Circuit's later decisions have recognized that
"time and effort spent protecting against and mitigating the risks created by data breaches" are
cognizable injuries. [Filing No. 30 at 8 (citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d
688, 694 (7th Cir. 2015) and Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir.
2016))]. Plaintiffs argue that under several Indiana state court cases, "plaintiffs who are victims
of a data breach are injured by the mere theft of their personal data, and thus have suffered a direct
injury sufficient to confer standing." [Filing No. 30 at 9.]
In reply, Defendants argue that Plaintiffs allege only economic damages. [Filing No. 34 at
4.] Defendants maintain that Plaintiffs' allegations related to "the financial value of their time and
personal information" are either "conclusory," are simply economic injuries, or are otherwise not
specific in "what kind of damages they pled." [Filing No. 34 at 4.] Defendants state that in another
Indiana case, "[t]he same types of damages that were alleged . . . are alleged by Plaintiffs." [Filing
No. 34 at 5.] Defendants state that the economic loss doctrine does extend beyond the contexts of
products liability and construction and prior caselaw was decided in prior plaintiffs' favor because
they alleged non-economic losses and no contractual relationship. [Filing No. 34 at 5.] Defendants
state that a Southern District of Indiana case that permitted a bailment-data-breach claim is
"contrary to Indiana law, not binding, and is unpersuasive," so it "cannot provide the basis of the
'independent tort' or the requisite duty for their negligence claim." [Filing No. 34 at 5 (citing Krupa
v. TIC Int'l Corp., No. 1:22-CV-01951-JRS-MG, 2023 WL 143140 (S.D. Ind. Jan. 10, 2023).]
Defendants further argue that "Plaintiffs have not alleged cognizable damages," arguing that
Indiana state-court cases cited by Plaintiffs are factually distinguishable because they "contain
allegations of actual financial loss or identity theft." [Filing No. 34 at 6.] Defendants argue that
7
"[t]he mere notice of a data incident without additional facts of financial loss or identity theft does
not amount to compensable damages recoverable in tort." [Filing No. 34 at 7.] Defendants
continue to state that "the standard for alleging actual damages is generally higher than that for
plausibly alleging injury in fact." [Filing No. 34 at 7.] Defendants contrast the authorities cited
by Plaintiffs as focusing on Article III standing, while Defendants maintain that this case is
controlled by Seventh Circuit caselaw on compensable injuries. [Filing No. 34 at 7 (comparing
Remijas, 794 F.3d at 697 and Lewert, 819 F.3d at 969-70 with Pisciotta, 499 F.3d at 633).]
The parties dispute whether a common-law negligence duty applies, whether there are
compensable damages, and if there are damages, whether they are precluded by the economic loss
rule. The Court addresses each issue in turn.
Regarding a claim for common-law negligence, such an action "has three elements: (1) a
duty owed to the plaintiff by the defendant, (2) a breach of the duty, and (3) an injury proximately
caused by the breach of duty." Stachowski v. Est. of Radman, 95 N.E.3d 542, 543 (Ind. Ct. App.
2018). "[B]usinesses have the common-law 'duty to exercise ordinary and reasonable care in the
conduct of their operations . . . for the safety of others whose injuries should reasonably have been
foreseen or anticipated." WEOC, Inc. v. Niebauer, No. 23S-CT-184 at 10, __ N.E.3d __ (Ind. Feb.
12, 2024) (slip op). "[T]he existence of a duty in negligence is a question of law." Reed v. Cent.
Soya Co., 621 N.E.2d 1069, 1076 (Ind. 1993). In this case, and generally, employees reasonably
expect their employers to keep their personal information safe. Even in the era before digital
recordkeeping, if an employer kept its employees' Social Security numbers in an unlocked box on
the sidewalk for anyone to take, no one would question that the employer would be negligent. The
Court notes that although Pisciotta interpreted the Indiana data-breach statute, it was decided
before Indiana cases permitting common law data-breach negligence claims. See, e.g., Paul v.
8
Ardagh Glass, Inc., No. 49D07-2209-CT-031302, 2023 WL 5153147, at *7 (Ind. Super. Ct. Jan.
23, 2023); In re Eskenazi Health Data Incident Litig., No. 49D01-2111-PL-038870, 2022 WL
20505180, at *11 (Ind. Super. Ct. Sep. 2, 2022). The Court holds that Defendants owed a duty to
Plaintiffs to keep their PII safe and that Plaintiffs have adequately pled that element of their
negligence claim.
Regarding damages, the Seventh Circuit has recognized the imminent and concrete injuries
that victims of data breaches face. The Seventh Circuit has explained that such victims are "at risk
for both fraudulent charges and identity theft," even if no such occurrences have yet happened.
Lewert, 819 F.3d at 967. Such individuals must "spen[d] time and effort monitoring both [their]
card statements and [their] other financial information as a guard against fraudulent charges and
identity theft." Id. In offering and encouraging credit monitoring to Plaintiffs, Defendants
"implicitly acknowledged this," id. since "[i]t is unlikely that [Defendants] did so because the risk
is so ephemeral that it can safely be disregarded." Remijas, 794 F.3d at 694. After all, "[w]hy else
would hackers break in . . . and steal . . . private information? Presumably, the purpose of the
hack is, sooner or later, to make fraudulent charges or assume those . . . identities." Id. at 693.
While Defendants argue that compensable damages must be higher than standing's injury-in-fact,
they cite no Seventh Circuit authority for that proposition and the out-of-circuit case they do cite
itself cites to no authority. To the extent other authority is used by Defendants to suggest the
contrary, it indicates only that in some circumstances the inquiry for injury-in-fact and
compensable damages yields different results. See Doe v. Chao, 540 U.S. 614, 627 (2004). Here,
there is no difference. For example, Indiana law specifically allows for damages to include "the
value of [lost time]." Ind. Model Civ. Jury Inst. 703(3) (brackets in original). As one Indiana court
explained, further legal proceedings are necessary "to determine the extent to which those damages
9
can be compensated as arising from the Data Breach at issue in this case." Paul, 2023 WL 5153147
at *6. The Court finds that Plaintiffs have plausibly alleged the damages element of their
negligence claim.
Regarding the economic loss doctrine, both the Indiana Supreme Court and the Seventh
Circuit agree that the term "economic loss" is a misnomer which "does not necessarily lead to a
proper understanding of the scope and applicability of the doctrine." Indianapolis-Marion Cnty.
Pub. Libr. v. Charlier Clark & Linard, P.C., 929 N.E.2d 722, 729 n.8 (Ind. 2010). Rather, it is
better understood as "'commercial loss,' not only because personal injuries and especially property
losses are economic losses, . . . which . . . are monetized," but also because in commercial disputes,
contract law is more suitable than tort law. Miller v. U.S. Steel Corp., 902 F.2d 573, 574 (7th Cir.
1990). In this case, the parties' relationship is not one of business-to-business or consumer-tobusiness, but employer-to-employee. In any event, at least some of the harms experienced by the
Plaintiffs are not solely economic, such as lost time and worry. And for the harms Plaintiffs have
mitigated, plaintiffs generally have a duty to mitigate their damages, and were the Plaintiffs to do
otherwise, "the more time that passes between a data breach and an instance of identity theft, the
more latitude a defendant has to argue that the identity theft is not 'fairly traceable' to the
defendant’s data breach." Remijas, 794 F.3d at 693.
The economic loss doctrine does not apply, and Plaintiffs have plausibly alleged
compensable damages. The Court DENIES Defendants' Motion to Dismiss as to Plaintiffs'
negligence claim.
B.
Negligence Per Se Claim
Defendants argue that "Plaintiffs fail to state a claim for negligence per se" under the FTC
Act because the FTC Act "does not provide Plaintiff[s] with a private right of action." [Filing No.
10
27 at 9-10.] Defendants state that "Allowing third-parties like Plaintiffs to enforce the FTC Act
'would be inconsistent'" with its legislative scheme. [Filing No. 27 at 10.]
Plaintiffs respond that "in the context of data breach litigation, "courts routinely reject this
argument" that the FTC Act does not provide a private right of action such that a negligence per
se claim must fail. [Filing No. 30 at 9-10.] They argue that "negligence per se differs from bringing
a private right of action under the statute, so the non-existence of such a right under either the FTC
Act . . . does not preclude Plaintiffs' claims." [Filing No. 30 at 10.] From this, Plaintiffs argue that
they are not "pursuing a private cause of action for violations of . . . the FTC Act; rather, they assert
that Defendants' violations of those statutes evince Nice Pak's breach of its duty to protect
sensitive" PII. [Filing No. 30 at 10.]
According to Plaintiffs, "Indiana courts recognize that
allegations of an 'unexcused violation of a statutory duty constitutes negligence per se 'if the statute
or ordinance is intended to protect the class of persons in which the plaintiff is included and to
protect against the risk of the type of harm which has occurred as a result of its violation." [Filing
No. 30 at 10.]
Defendants reply that "[w]hen a plaintiff alleges that a statute supplies a defendant's duty,
courts must first inquire whether the Legislature intended to make the defendant liable in tort under
that statute." [Filing No. 34 at 8.] Defendants argue that controlling Indiana appellate-court
authority supports that rule and is not bound by Indiana trial-court authority to the contrary. [Filing
No. 34 at 8.]
As Defendants' brief has demonstrated, private-right-of-action claims and negligence-perse claims "are often confused." Gresser v. Reliable Exterminators, Inc., 160 N.E.3d 184, 191 (Ind.
Ct. App. 2020) (referring to each claim alternatively as "Statutory-Duty Claim" and "CommonLaw-Duty Claim). A "private right of action" assumes that an allegation of a "violation of a statute
11
or ordinance gives rise to civil liability even in the absence of a common-law duty.'" Stachowski,
95 N.E.3d at 545. In contrast, "negligence per se" "assumes the existence of a common-law duty
of reasonable care, and the court is asked to adopt the standard of conduct set forth in a statute or
ordinance . . . as the standard of conduct required under that preexisting duty, so that a violation
of the statute or ordinance serves to satisfy the breach element of a negligence action." Id. at 544
Thus, "[t]hough similar, negligence-per-se claims differ in that a violation of certain statutes or
ordinances 'serves to satisfy the breach element.'" Niebauer, No. 23S-CT-184 at 9.
"Generally speaking, 'the unexcused violation of a statute or ordinance constitutes
negligence per se if the provision (1) 'protects the class of persons in which the plaintiff is included'
and (2) 'protects against the type of harm that has occurred as a result of the violation.'" Gresser,
160 N.E.3d at 191. Section 5 of the FTC Act prohibits "unfair . . . acts or practices in or affecting
commerce." 15 U.S.C. § 45. Applied to this case, "[t]he question for the jury is not whether the
FTC Act was violated but whether [Defendants] breached [their] duty to protect [Plaintiffs'] PII
by failing to meet the standard of care articulated in the FTC Act." Paul, 2023 WL 5153147 at *9.
Data breaches affect commerce, and Plaintiffs benefit from protections against the kinds of harms
that proper data security would avoid. As other courts have similarly decided, "the FTC Act can
serve as the basis of a negligence per se claim." Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 760–
61 (C.D. Ill. 2020); In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1143 (C.D.
Cal. 2021). Plaintiffs have plausibly alleged a claim for negligence per se, so the Court DENIES
Defendants' Motion to Dismiss as to that claim.
C.
Breach of Implied Contract Claim
Defendants argue that "Plaintiffs fail to state a claim for breach of implied contract."
[Filing No. 27 at 10.] Defendants reject the argument that Nice Pak agreed to prevent disclosure
of PII and provide prompt notice of such disclosure only "implicitly." [Filing No. 27 at 11.] They
12
argue that to state a claim for breach of an implied contract, Plaintiffs must show the contract's
terms to be "reasonably definite and certain." [Filing No. 27 at 11.] But according to Defendants,
Plaintiffs do not allege "what Nice Pak implicitly promised to do in the event of, or to protect
against, a third-party cyber security attack, nor do they allege what Nice Pak failed to do that
constitutes a 'material breach.'" [Filing No. 27 at 12.] Defendants argue further that Plaintiffs have
not alleged any damages, stating that "[t]here are no allegations that Plaintiffs suffered any
quantifiable loss or incurred 'any completed direct financial loss' arising from the Data Breach.
[Filing No. 27 at 13.] As an example, Defendants state that "both plaintiffs expressly admit that
they 'sign[ed] up for the credit monitoring and identity theft insurance offered by Defendant,' and
thus have no out-of-pocket damages." [Filing No. 27 at 13.]
Plaintiffs respond that their "implied contract claim is well pleaded." [Filing No. 30 at 11.]
According to Plaintiffs, "[u]nder Indiana law, an implied contract is formed 'if it can be inferred
that the parties mutually intended to be bound by the agreement," which includes implied contracts
"formed by conduct." [Filing No. 30 at 11.] They state that "it is enough to allege that there was
an explicit or implicit contract for data security, that plaintiffs placed value on that data security,
and that Defendants failed to meet their representations about data security." [Filing No. 30 at 12.]
Plaintiffs state that "[a]ccordingly, even standing alone, the provision of PII by an employee to an
employer is accompanied by the implicit understanding that it will be reasonably maintained as
confidential." [Filing No. 30 at 12.] Plaintiffs explain that they have alleged cognizable damages
as "the value of one's own time needed to set things straight is a loss from an opportunity-cost
perspective. These injuries can justify money damages." [Filing No. 30 at 13-14.]
Defendants reply that Plaintiffs have made only "vague allegations of unilateral belief and
assumptions[, which] do not come close to a plausible claim of breach of implied contract." [Filing
13
No. 34 at 9.] Defendants argue that "[t]he essential terms of an agreement to safeguard and protect
[PII] would naturally include terms governing the reasonable and adequate steps that Plaintiffs
contend Nice Pak should have taken to protect their PII," but "Plaintiffs cannot point to any
promise, agreement, or term that would support an implied contract." [Filing No. 34 at 9.]
Defendants assert that Nice Pak's "online privacy policies" likewise do not prevent dismissal.
[Filing No. 34 at 9.] According to Defendants, "[t]here are no allegations that Plaintiffs read those
website privacy policies—let alone read them before they submitted any PII to Nice Pak." [Filing
No. 34 at 9.] Regardless, Defendants point to the policy's express disclaimer of "any specific
promise or expectation [of] data security." [Filing No. 34 at 10.] Defendants reiterate that "[a]
court employs different standards of review in considering injury for standing purposes and
damages for sufficiency of a claim." [Filing No. 34 at 10.] Defendants state that "there are no
allegations that Plaintiffs suffered any quantifiable loss or incurred 'any completed direct financial
loss' arising from the" Data Breach. [Filing No. 34 at 10.]
Under Indiana law, "[a]n implied in fact contract refers to the class of obligations which
arises from mutual agreement and intent to promise, when the agreement and promise have simply
not been expressed in words." McCart v. Chief Exec. Officer in Charge, Indep. Fed. Credit Union,
652 N.E.2d 80, 85 (Ind. Ct. App. 1995). "[A] contract implied in fact arises out of acts and conduct
of the parties, coupled with a meeting of the minds and a clear intent of the parties in the
agreement." Id. "No general rule can be set forth as to what facts are necessary to prove the
existence of an implied contract." Wilhoite v. Beck, 230 N.E.2d 616, 623 (Ind. Ct. App. 1967). As
such, "[t]he question as to whether or not there was either an express contract or an implied contract
to pay for the services is [a] matter of fact." Id. at 622.
14
In this case, employees and employers generally understand that PII—necessary for
business operations like paying employee wages—should be kept private. Such an understanding
is plausibly an implicit term of their employment agreement. "The terms of the implied contracts
and the parties' intentions can be fleshed out in discovery." Trustees of Ind. Univ. v. Spiegel, 186
N.E.3d 1151, 1160 (Ind. Ct. App. 2022). The Court DENIES Defendants' Motion to Dismiss as
to Plaintiffs' claim for breach of implied contract.
D.
Unjust Enrichment Claim
Defendants argue that "Plaintiffs fail to state a claim for unjust enrichment." [Filing No.
27 at 13.] They assert that "[t]o recover for unjust enrichment under Indiana law, a plaintiff 'must
show that . . . he rendered a measurable benefit to the defendant at the defendant's express or
implied request.'" [Filing No. 27 at 13.] Defendants argue that "[e]ven assuming that Plaintiffs
did confer a benefit on Nice Pak by applying for employment, there are no allegations that they
did so 'at the defendant's express or implied request.'" [Filing No. 27 at 14.] Rather, Defendants
state that Plaintiffs "sought out employment with Nice Pak and provided their information in hopes
of gaining employment for themselves" and "[a]ny monies that later flowed from Nice Pak to
[Plaintiffs] were for employment services exchanged, not in return for their personal information."
[Filing No. 27 at 14.]
Plaintiffs respond that they have "stated a claim for unjust enrichment." [Filing No. 30 at
14.] They state that for purposes of the unjust enrichment doctrine, conferring a "benefit" to an
employer includes providing PII and the provision of labor itself. [Filing No. 30 at 14-15.]
Plaintiffs argue that the terms of such unjust enrichment include "the promise to protect sensitive
information acquired as part of a transaction." [Filing No. 15 at 30.]
Defendants argue in their reply that "Plaintiffs do not cite to any Indiana case or Indiana
legal authority in opposing dismissal of their unjust enrichment claim" or make arguments under
15
Indiana law. [Filing No. 34 at 11.] Defendants further argue that "Plaintiffs do not plead, and
cannot plead, that they expected a fee from Nice Pak in exchange for providing their PII for the
purpose of applying [for] or maintaining employment." [Filing No. 34 at 11.] Defendants argue
further that Plaintiffs "do not plead that Nice Pak withheld some portion of their salary to go toward
data security or that Nice Pak ever requested money from Plaintiffs to pay for data security."
[Filing No. 34 at 11.]
Defendants contend that Plaintiffs' cited authority is otherwise
distinguishable because those cases primarily concern plaintiffs who expressly made a purchase in
exchange for some other benefit. [Filing No. 34 at 11-12.]
Under Indiana law, "[t]o prevail on a claim of unjust enrichment, a plaintiff must establish
that a measurable benefit has been conferred on the defendant under such circumstances that the
defendant's retention of the benefit without payment would be unjust." Kohl's Indiana, L.P. v.
Owens, 979 N.E.2d 159, 167 (Ind. Ct. App. 2012). Plaintiffs have not alleged that Defendants
benefited from the PII information other than as incidental to benefitting from Plaintiffs'
compensated labor. The PII is better understood as necessary to conduct business operations, not
a good whose inherent value was extracted by Defendants. Defendants Motion to Dismiss as to
the claim for unjust enrichment is GRANTED.
E.
Bailment Claim
Defendants argue that "Plaintiffs fail to state a claim for bailment." [Filing No. 27 at 15.]
Defendants argue that "[u]nder Indiana law, a bailment arises when personal property belonging
to the bailor is delivered into the exclusive possession of the bailee, and the property is accepted
by the bailee." [Filing No. 27 at 15.] Defendants argue that "[i]t is factually implausible for Nice
Pak to have ever been in the 'exclusive possession or 'sole custody' of Plaintiffs' PII or to have
prevented Plaintiffs from using it." [Filing No. 27 at 15.] According to Defendants, "Plaintiffs
have been free at all relevant times to disseminate their" PII "in any way they wish to whomever
16
they wish" and "there's no allegation that Nice Pak was to 'return' Plaintiffs' PII." [Filing No. 27
at 16.]
Plaintiffs state that "[a]stonishingly, Defendants argue this Court should reject one of its
own recent decisions speaking directly to this point in concluding that Plaintiffs have not stated a
claim for bailment." [Filing No. 30 at 16.] Plaintiffs state that "[i]n Indiana, bailment law is not
reserved for physical goods. Indiana recognizes data as a form of property." [Filing No. 30 at 16.]
Plaintiffs allege that they "entrusted their personal information to Defendants 'on the mutual
understanding that Defendants would protect it against disclosure[,]' and that as a direct result of
Defendants['] failure to implement adequate and reasonable cyber-security procedures, [P]laintiffs'
[PII] was exposed to cybercriminals." [Filing No. 30 at 16.] Plaintiffs explain that they "need
nothing more to state their claim for bailment." [Filing No. 30 at 17.]
Defendants argue in their reply that the Court is not bound by another decision of this Court
and note that other Indiana state courts have rejected bailment claims for data breaches. [Filing
No. 34 at 2-3.] Defendants state that a key distinction between traditional bailment and Plaintiffs'
claims is that "Nice Pak was [not] in exclusive possession of Plaintiffs' [PII]." [Filing No. 34 at
3.] Without such exclusive possession, "[s]ubmitting forms to an employer which contain personal
information does not give rise to a bailment under Indiana law." [Filing No. 34 at 3.]
Under Indiana law, "[a] bailment arises when: (1) personal property belonging to a bailor
is delivered into the exclusive possession of the bailee and (2) the property is accepted by the
bailee." Albanese Confectionary Grp., Inc. v. Cwik, 165 N.E.3d 139, 148 (Ind. Ct. App. 2021).
Although the Court acknowledges the holding in Krupa, 2023 WL 143140, and its reasoning that
PII was delivered and accepted by the Defendants, in this case Plaintiffs' PII was not in Defendants'
exclusive possession. Plaintiffs were free to use or disseminate their PII as they pleased and deliver
17
it to limitless others. Lacking this essential element of bailment, Plaintiffs' bailment claimdoes not
support each essential element and Defendants' Motion to Dismiss as to that claim is GRANTED.
F.
New York Deceptive Trade Practices Act
In support of their Motion to Dismiss, Defendants argue that "Plaintiffs fail to state a claim
under the New York Deceptive Trade Practices Act, General Business Law § 349." [Filing No. 27
at 18.] Defendants argue that to bring such a claim, Plaintiffs "must charge conduct of the
defendant that is consumer-oriented" or "demonstrate that the acts or practices have a broader
impact on consumers at large." [Filing No. 27 at 18.] Defendants argue that Plaintiffs "are not
consumers. They are former employees," and that "[e]ven if the statute could be applied to an
employee-employer relationship," "Plaintiffs do not point to any statement or document made by
Nice Pak that was deceptive and do not allege that they sustained . . . damages." [Filing No. 27 at
18-19.] Further, Defendants argue that "Plaintiffs fail to state what misrepresentation Nice Pak
made regarding its data security practices" that amounts to deception. [Filing No. 27 at 19.]
Further still, Defendants argue that "even if Plaintiff could allege specific misrepresentations from
Nice Pak about keeping personal information secure, the claim would still be insufficient because
there was not an unlimited guaranty that information could not be stolen or hacked." [Filing No.
27 at 19.] Defendants conclude that "as with Plaintiffs' other claims, they fail to plead the requisite
damages caused by the deceptive act." [Filing No. 27 at 20.]
Plaintiffs argue that New York's Deceptive Trade Practices Act "does not require that a
plaintiff be a consumer to have standing but only that the complained of 'acts or practices have a
broader impact on consumers at large.'" [Filing No. 30 at 17.] Plaintiffs state that "at the time
[they] looked for employment and agreed to provide their PII to Defendants, they were not yet
employees of Defendants and were members of the broader consuming public." [Filing No. 30 at
17.] Plaintiffs state further that they have "squarely alleged Defendants' misleading conduct
18
including that they misrepresented their commitment to data security and the adequacy of their
data protection regimen," which amounts to "actionable misrepresentations," as it is under the FTC
Act, which New York courts specifically use as a guide to interpret GBL § 349. [Filing No. 30 at
18.] Finally, Plaintiffs state that they have suffered cognizable damages, including "the lost benefit
of their bargains with Defendants, that they have spent time and effort in response to the Data
Breach, and that the value of their PII has diminished as a result of the Data Breach." [Filing No.
30 at 18.]
In reply, Defendants state that under New York law, for purposes of GBL § 349, consumers
are defined as "those who purchase goods and services for personal, family, or household use."
[Filing No. 34 at 13.] They assert that "Plaintiffs fail to meet the threshold question of being a
'consumer,'" so "New York's consumer protection statute does not apply to the allegations in this
case." [Filing No. 34 at 13.] Defendants state that "[t]o establish the requisite causal connection
[for a GBL § 349 claim] [a] plaintiff must plausibly allege that she actually viewed the misleading
statement prior to making her decision to purchase, and must set forth where, when and how she
came to view it." [Filing No. 34 at 14.] Defendants further argue that "[e]ven assuming Plaintiffs
could point to Nice Pak's privacy policies as the source of the alleged misleading statements, the
privacy policies were not an unlimited guaranty that information could not be stolen or hacked."
[Filing No. 34 at 14.]
Under New York Law "to state a claim under section[] 349 . . ., 'a plaintiff must allege that
a defendant has engaged in (1) consumer-oriented conduct, that is (2) materially misleading, and
that (3) the plaintiff suffered injury as a result of the allegedly deceptive act or practice.'" Plavin
v. Grp. Health Inc., 35 N.Y.3d 1, 10 (N.Y. 2020). This case concerns an employer-employee
relationship, which is not consumer-oriented. Nor have Plaintiffs identified in their allegations the
19
specifically misleading conduct; the allegations concern negligence, not an intentionally
misleading act. Defendants' Motion to Dismiss as to Plaintiffs' claim under the New York
Deceptive Trade Practice Act is GRANTED.
IV.
CONCLUSION
For the foregoing reasons, the Court makes the following rulings:
•
As to Plaintiffs' claims for negligence, negligence per se, and breach of implied
contract, Defendants' Motion to Dismiss, [26], is DENIED and those claims
SHALL PROCEED;
•
As to the Plaintiffs' claims for unjust enrichment, bailment, and violation of the
New York Deceptive Trade Practices Act, Defendants' Motion to Dismiss, [26],
is GRANTED and those claims are DISMISSED WITHOUT PREJUDICE.
No partial final judgment shall issue.
Date: 6/5/2024
Distribution:
Jennifer L. Brumfield
Baker & Hostetler LLP
jbrumfield@bakerlaw.com
Carrie Dettmer Slye
BAKER & HOSTETLER LLP
cdettmerslye@bakerlaw.com
Gary M. Klinger
Milberg Coleman Bryson Phillips Grossman PLLC
gklinger@milberg.com
20
Emily Davin Kopp
Cohen & Malad, LLP
ekopp@cohenandmalad.com
Tyler John Moorhead
BOSE MCKINNEY & EVANS LLP
tmoorhead@boselaw.com
Amina Thomas
COHEN & MALAD LLP
athomas@cohenandmalad.com
Lynn A. Toops
COHEN & MALAD LLP
ltoops@cohenandmalad.com
Philip R. Zimmerly
BOSE MCKINNEY & EVANS, LLP (Indianapolis)
pzimmerly@boselaw.com
21
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
