Takeaway: In a data breach class action, the typical panoply of claims asserted include tort claims (such as negligence and negligence per se), contractual claims (such as claims for breach of express and implied contracts), unjust enrichment, and various statutory claims (such as claims under data breach notification statutes and deceptive trade practices acts). Two years ago, we reported on the Seventh Circuit’s ruling in a data breach case where the appellate court applied the economic loss doctrine to bar data breach negligence claims. See Seventh Circuit: the economic loss doctrine precludes tort claims between participants in a contractual network that allocates risk for a data breach (April 30, 2018). The Central District of Illinois recently issued a similar decision in Perdue v. Hy-Vee, Inc., Case No. 19-1330, 2020 WL 1917835 (C.D. Ill. Apr. 20, 2020), providing a roadmap for resolving a motion to dismiss data breach claims governed by the laws of various states.
Hy-Vee is a Midwestern supermarket chain that also operates gas pumps, restaurants, and coffee shops. Between November 2018 and August 2019, Hy-Vee was the victim of an ongoing data breach that allowed the hackers to obtain payment card information of customers. After detecting the breach, Hy-Vee notified its customers, later providing notice that the breach was the result of “malware designed to access payment card data from cards used on point-of-sale (‘POS’) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants.” 2020 WL 1917835, at *1. Hy-Vee also posted an online tool so its customers could figure out if they made purchases at any of the affected locations.
Eleven named plaintiffs from six states – Illinois, Missouri, Kansas, Minnesota, Wisconsin, and Iowa – filed a putative class action against Hy-Vee in the Central District of Illinois, alleging a number of claims against Hy-Vee. The alleged harms included fraudulent credit card charges, time spent dealing with the fraudulent charges, and so on. The plaintiffs alleged claims for negligence, negligence per se, breach of implied contract, breach of contract (based on a third party beneficiary theory), unjust enrichment, and statutory claims under data breach notification statutes, consumer fraud statutes, and deceptive trade practices acts. Hy-Vee moved to dismiss on a number of grounds.
Starting with the choice-of-law issue, the district court – applying the Illinois choice-of-law rule (the “most significant relationship” test of the Restatement (Second) of Conflict of Laws) – ruled that the law of the state where each plaintiff resided and suffered harm governed the claims of that particular plaintiff. Accordingly, the district court evaluated the respective claims under Illinois, Missouri, Kansas, Minnesota, Wisconsin, and Iowa law.
Applying the Seventh Circuit’s decision in Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 816 (7th Cir. 2018), the district court ruled that, under Illinois law, there was no common law duty to safeguard the plaintiffs’ payment card data. Accordingly, the district court dismissed the negligence claims asserted under Illinois law for lack of an actionable duty.
The Illinois plaintiffs’ negligence per se claim was based on Hy-Vee’s alleged breach of the FTC Act (15 U.S.C. § 45(a)(1) (2006)), which prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” 2020 WL 1917835, at *4. While the district court held that the FTC Act can serve as a basis of a negligence per se claim, the court ruled that the Illinois economic loss rule barred the claim, given that the Illinois plaintiffs were seeking to recover “purely economic losses under a tort theory of negligence.” Id. at *5. In support of this ruling, the court observed “that lost time and an inability to use or access funds due to a data breach are economic losses.” Id. Citing Community Bank of Trenton, the Hy-Vee court found “none of the exceptions to the economic loss doctrine apply” because “[d]ata breaches are a foreseeable risk of participating in card networks, not an unexpected physical hazard.” Id.
The district court reached a similar result under Missouri and Kansas law, ruling that the negligence and negligence per se claims under Missouri law were barred on “no duty” and economic loss grounds, and that claims under Kansas law were precluded by the Kansas economic loss doctrine.
The district court also dismissed the plaintiffs’ negligence and negligence per se claims under Iowa law, stating those claims were “conceded.” Id. at *7. The district court denied the motion to dismiss the negligence claims under Minnesota and Wisconsin law, however. Given the differences in state law governing the Minnesota and Wisconsin negligence claims, Hy-Vee argued that those common law claims were subject to dismissal for failure to allege compensable damages, but the court found that the Minnesota and Wisconsin plaintiffs adequately alleged damages.
The district court applied Illinois law to the plaintiffs’ implied contract claim (because the parties agreed there was no conflict of laws relative to that claim), and denied the motion to dismiss, ruling that the plaintiffs “plausibly alleged the existence of an implied contract obligating [Hy-Vee] to take reasonable measures to protect their private information and to timely notify them of the data breach” and also that plaintiffs “plausibly alleged they would not have entered into transactions with [Hy-Vee] if they had known it would not protect their information.” Id. at *8.
The court dismissed without prejudice (but with leave to amend) the plaintiffs’ breach of contract claims (based on a third-party beneficiary theory), given that the complaint did not identify the contracts allegedly conferring third-party beneficiary status on the respective plaintiffs.
Likewise applying Illinois law to the unjust enrichment claims (because there was no conflict of law relative to that claim), the court dismissed the claim, because plaintiff did not allege “that any specific portion of their payments went toward data protection”; they did not allege “a benefit conferred in exchange for protection of their personal information”; and they did “not allege that the food or gas they received was defective.” Id. at *9.
With the exception of claims for future deception or future harm under the Illinois and Minnesota deceptive trade practices acts, all of the statutory claims survived. The claims for future deception or harm were dismissed because the alleged harm “already occurred” and the plaintiffs were “unlikely to be deceived by a defendant’s misstatements again in the future.” Id. at *15. But the claims for breach of data breach notification statutes survived because those statutes did not clearly preclude a private right of action while the allegations of the complaint were adequate at the pleading stage to state the elements of the various statutory claims for consumer fraud and deceptive trade practices.