No. 1-23-0140

Opinion filed September 29, 2023

FIFTH DIVISION

IN THE APPELLATE COURT OF ILLINOIS FIRST JUDICIAL DISTRICT

MARIA FLORES, DEANNA DUBE, MISTY ) Appeal from the WILLIAMS, and SHARON RUSHING, ) Circuit Court of ) Cook County. Plaintiffs-Appellants, ) ) No. 2022 CH 6132 v. ) ) Honorable AON CORPORATION, ) Neil H. Cohen, ) Judge presiding. Defendant-Appellee. )

PRESIDING JUSTICE MITCHELL delivered the judgment of the court, with opinion. Justices Lyle and Justice Navarro concurred in the judgment and opinion.

OPINION

¶1 Plaintiffs Maria Flores, Deanna Dube, Misty Williams, and Sharon Rushing appeal the

dismissal of their class action complaint in this data breach case against defendant Aon

Corporation. Plaintiffs raise a number of issues on appeal, chief among them are as follows: (1) did

the circuit court err in dismissing plaintiffs’ complaint for lack of standing (735 ILCS 5/2-

619(a)(9) (West 2022)); (2) did the circuit court err in dismissing plaintiffs’ claims for negligence,

negligence per se, breach of implied contract, unjust enrichment, a violation of Illinois’s Consumer

Fraud and Deceptive Business Practices Act (815 ILCS 505/1 et seq. (West 2022)), a violation of

the Florida Deceptive and Unfair Trade Practices Act (Fla. Stat.§ 501.201 et seq. (2022)), and No. 1-23-0140

invasion of privacy for failure to state a claim (735 ILCS 5/2-615 (West 2022)); and (3) did the

circuit court err in dismissing plaintiffs’ claims for economic loss under the Moorman doctrine?

See Moorman Manufacturing Co. v. National Tank Co.,

(1982). For the reasons

below, we affirm in part and reverse in part.

¶2 I. BACKGROUND

¶3 Defendant is a global professional services company headquartered in Chicago that

provides a wide range of services, including cybersecurity services, to its commercial clients. In

February 2022, defendant discovered that an unauthorized third party had been repeatedly

accessing some of defendant’s systems since late December 2020. Defendant prevented any further

unauthorized access, conducted an investigation concerning the data breach, and informed law

enforcement of the incident.

¶4 Plaintiffs Flores, Rushing, Williams and Dube allege that they provided defendant with

their personal information, including their names, social security numbers, dates of birth, e-mail

addresses, and benefit-enrollment information. Flores and Williams provided their personal

information to defendant because defendant managed the employee benefits program offered by

their employers, while Rushing provided defendant with her personal information because she was

formerly employed by defendant. Dube does not specify why she provided her personal

information to defendant. Plaintiffs all reside in different states, with Flores being a resident of

Illinois, Williams being a resident of Florida, Rushing being a resident of Texas, and Dube being

a resident of Nevada.

¶5 Three months after the data breach was discovered, defendant sent a notice letter to

everyone who was potentially impacted by the data breach. Plaintiffs all received this notice

-2- No. 1-23-0140

sometime in June 2022. The notice letter stated that an unauthorized third party had access to some

of defendant’s systems between December 2020 and February 2022 and that the unauthorized third

party therefore had access to plaintiffs’ personal information, including their names, social security

numbers, driver’s license numbers, and benefit enrollment information.

¶6 In June 2022, Flores filed a class action complaint against defendant. Flores later filed an

amended class action complaint to add Dube, Rushing, and Williams as plaintiffs. Plaintiffs stated

claims of relief for negligence, negligence per se, breach of implied contract, unjust enrichment,

violation of Illinois’s Consumer Fraud Act, violation of the Florida Deceptive and Unfair Trade

Practices Act, and invasion of privacy.

¶7 All plaintiffs alleged that they suffered actual injury in the form of (1) damages to and

diminution in the value of their personal information; (2) lost time, annoyance, interference, and

inconvenience dealing with the consequences of the data breach; and (3) anxiety and increased

concerns for the loss of their privacy due to the data breach. Plaintiffs also alleged that they

suffered imminent and impending injury arising from the substantially increased risk of fraud and

identity theft by unauthorized third parties due to the data breach. Additionally, Flores, Rushing,

and Williams alleged that they have received increased spam and targeted marketing after the data

breach occurred and that the increase in spam was caused by the data breach. After the data breach

occurred, Williams alleged that she experienced an attempt to process a $499.99 charge to her

PayPal account, while Dube alleged that she was charged for a prescription from Express Scripts

that she did not order.

¶8 Defendant moved to dismiss plaintiffs’ first amended class action complaint for lack of

standing (735 ILCS 5/2-619(a)(9) (West 2022)) and failure to state a claim upon which relief can

-3- No. 1-23-0140

be granted (id. § 2-615). The circuit court granted defendant’s motion and dismissed plaintiffs’

complaint in its entirety. This timely appeal followed. Ill. S. Ct. R. 303 (eff. July 1, 2017).

¶9 II. ANALYSIS

¶ 10 A. Standing

¶ 11 Plaintiffs argue that the circuit court erred in dismissing their complaint due to lack of

standing. They contend that they have demonstrated an injury-in-fact due to their allegations

concerning (1) their imminent risk of future identity theft or fraud, (2) the unauthorized charges

experienced by Williams and Dube, (3) the diminishment in the value of plaintiffs’ personal

information, (4) their emotional distress due to the data breach, and (5) the lost time they have

spent responding to the data breach, including the increased number of spam and targeted

marketing messages they have received. Defendant argues that none of these allegations are

sufficient to establish injury-in-fact for standing purposes and that plaintiffs have not adequately

established a connection between the data breach and the unauthorized charges experienced by

Williams and Dube.

¶ 12 A motion to dismiss pursuant to section 2-619 of the Code of Civil Procedure (735 ILCS

5/2-619 (West 2022)) admits the legal sufficiency of the complaint, but raises defects, defenses,

or some other affirmative matter that defeats the plaintiff’s claim. Ball v. County of Cook,

(2008). The phrase “affirmative matter” encompasses any defense other than a

negation of the essential allegations of the plaintiff’s cause of action. Piser v. State Farm Mutual

Automobile Insurance Co.,

(2010). A defendant may properly raise lack

of standing in a motion to dismiss brought under section 2-619(a)(9). 735 ILCS 5/2-619(a)(9)

-4- No. 1-23-0140

(West 2022); Glisson v. City of Marion,

(1999). We review a dismissal under

section 2-619 de novo. Glisson,

.

¶ 13 Under Illinois law, to have standing to bring a claim a plaintiff must only demonstrate

“some injury in fact to a legally cognizable interest.” Messenger v. Edgar,

(1993). “The claimed injury must be (1) distinct and palpable; (2) fairly traceable to defendant’s

actions; and (3) substantially likely to be prevented or redressed by the grant of the requested

relief.” Wexler v. Wirtz Corp.,

(2004). The claimed injury can be actual or

threatened. Greer v. Illinois Housing Development Authority,

(1988). Illinois

courts are generally more willing than federal courts to recognize standing on the part of any person

“who shows that he is in fact aggrieved.”

. While a court’s determination of whether a

plaintiff has standing depends on the allegations in the complaint, the plaintiff’s lack of standing

is an affirmative defense and therefore must be proven by the defendant. Maglio v. Advocate

Health & Hospitals Corp.,

. A putative class action requires that

the named plaintiff allege an injury-in-fact. A named plaintiff cannot rely upon injuries suffered

by other unidentified members of the claimed class to establish standing. I.C.S. Illinois, Inc. v.

Waste Management of Illinois, Inc.,

(2010).

¶ 14 In dismissing the plaintiffs’ complaint for lack of standing, the circuit court relied heavily

on Maglio, the only Illinois case addressing standing in a data breach lawsuit. Maglio,

. The plaintiffs in Maglio filed negligence, invasion of privacy, and statutory

claims against defendant Advocate Health and Hospitals Corporation after four password-

protected computers containing patient information were stolen from Advocate’s offices.

¶¶ 1-

3. The plaintiffs did not allege that anyone had improperly accessed or used their personal

-5- No. 1-23-0140

information on the stolen computers, nor did they allege that they had suffered identity theft or

fraud because of the burglary. Id. ¶ 5. The appellate court affirmed the dismissal of the plaintiffs’

claims due to lack of standing, holding that the plaintiffs had failed to allege a distinct and palpable

injury and that the plaintiffs’ allegations of increased risk of identity theft were speculative and

conclusory since none of the plaintiffs had experienced any identity theft. Id. ¶ 24. Plaintiffs’

claims of emotional injury were similarly rejected, “given the speculative and conclusory nature

of their allegations and the lack of imminent, certainly impending, or a substantial risk of harm.”

Id. ¶ 30. Therefore, under Maglio, the risk of identity theft or fraud can create standing, but only

if the risk of identity theft is imminent or certainly impending. Id. ¶¶ 29-30. A mere increased risk

of identity theft is not enough. Id. ¶ 26.

¶ 15 Here, plaintiffs have alleged that their personal information has been obtained by

unauthorized third parties and that this caused plaintiffs to experience identity theft and fraud.

Williams and Dube each alleged that they experienced an attempted fraudulent charge after the

data breach occurred, and Williams, Rushing, and Flores alleged that they have received increased

spam messages and targeted marketing since the data breach. Plaintiffs also allege that these spam

messages and unauthorized charges were caused by the data breach because personal information

stolen in data breaches is compiled in “Fullz” packages that are then sold to unsavory parties that

use the information for telemarketer operations or to commit fraud. Plaintiffs are not relying solely

on speculative allegations concerning an increased risk of future identity theft or fraud like in

Maglio. Instead, plaintiffs have clearly alleged that they face imminent, certainly impending, or a

substantial risk of harm due to the data breach, since they allege that they have already experienced

fraudulent charges and spam messaging. Unchageri v. Carefirst of Maryland, Inc., No. 16-1068,

-6- No. 1-23-0140

, at *6-7 (C.D. Ill. Aug. 23, 2016) (plaintiff lacked standing because he did not

allege any present injuries that would show that the risk of future harm is certainly impending).

Additionally, the risk of future identity theft and fraud is evident from the defendant’s statements,

offering plaintiffs free enrollment in a two-year credit-monitoring service to protect against

identity theft. The alleged injuries suffered by plaintiffs (the fraudulent charges and the lost time

spent dealing with increased spam messages and targeting marketing) are distinct and palpable

injuries that satisfy standing. Craftwood II, Inc. v. Generac Power Systems, Inc.,

(7th Cir. 2019) (holding that the time lost reading a junk fax before discarding it is a concrete

injury satisfying standing). Since plaintiffs’ allegations are sufficient to establish that, due to the

data breach, they have already experienced harm and are at imminent risk of future identity theft

and fraudulent charges, plaintiffs have standing to pursue their claims.

¶ 16 Defendant argues that plaintiffs have not alleged that defendant collected their payment

information and therefore they have not established that the unauthorized charges alleged by

Williams and Dube are fairly traceable to defendant’s conduct and the data breach. However,

Williams and Dube alleged that defendant informed both plaintiffs that their “benefit enrollment

information” was obtained during the data breach. Defendant never defined what the term benefit

enrollment information encompassed; therefore, it is possible that it included Williams’s and

Dube’s payment information. Additionally, when personal information is obtained in a targeted

data breach, it is reasonable to assume that the data thieves will use the stolen data for fraudulent

purposes. Galaria v. Nationwide Mutual Insurance Co.,

(6th Cir. 2016).

Plaintiffs have alleged that, even if the stolen data did not contain payment information, data

thieves can compile “Fullz” packages with the personal information that can be sold to third parties

-7- No. 1-23-0140

to be later used for illegal purposes. In re Mednax Services, Inc., Customer Data Security Breach

Litigation,

, 1206 (S.D. Fla. 2022) (“Even if the data accessed in the Data

Breaches did not provide all the information necessary to inflict these harms, they very well could

have been enough to aid therein.”); Sweet v. BJC Health System, No. 3:20-CV-00947-NJR,

, at *4 (S.D. Ill. June 29, 2021) (“while credit card information may not have been

exposed, information such as dates of birth, Social Security numbers, and addresses would likely

be sufficient to permit identity theft”). Plaintiffs have set forth sufficient allegations to establish

that the fraudulent payments were fairly traceable to the data breach for the purposes of standing.

¶ 17 Finally, defendant argues that the fraudulent charges experienced by Williams and Dube

were unsuccessful, and therefore the charges are not actual injuries. However, the fact that the

alleged fraudulent charges were unsuccessful is immaterial and does not stop them from being

actual injuries, nor does it stop them from showing that future fraudulent charges are imminent.

¶ 18 Since plaintiffs have sufficiently alleged that they are experiencing imminent and certainly

impending risk of identity theft and fraud, we need not analyze plaintiffs’ claims that they also

have standing due to the diminishment in the value of plaintiffs’ personal information or their

emotional distress resulting from the loss of their privacy due to the data breach. The circuit court

erred in dismissing plaintiffs’ claims due to lack of standing under section 2-619.

¶ 19 B. Sufficiency of the Complaint

¶ 20 A motion to dismiss pursuant to section 2-615 of the Code of Civil Procedure (735 ILCS

5/2-615 (West 2022)) challenges the legal sufficiency of the complaint based upon defects

apparent on its face. Beacham v. Walker,

(2008). The critical inquiry is whether

the well-pleaded facts of the case, “taken as true and construed in a light most favorable to the

-8- No. 1-23-0140

plaintiff, are sufficient to state a cause of action upon which relief may be granted.” Loman v.

Freeman,

(2008). The complaint need only set forth the ultimate facts to be

proved—not the evidentiary facts tending to prove such ultimate facts. City of Chicago v. Beretta

U.S.A. Corp.,

(2004). In ruling on a section 2-615 motion to dismiss, exhibits

attached to the complaint are included as part of the complaint and control over inconsistent factual

allegations within. Lipinski v. Martin J. Kelly Oldsmobile, Inc.,

(2001).

“Where unsupported by allegations of fact, legal and factual conclusions may be disregarded.”

Kagan v. Waldheim Cemetery Co.,

, ¶ 29. “Unless it is clearly apparent

that the plaintiff could prove no set of facts that would entitle him to relief, a complaint should not

be dismissed.” Id. We review a dismissal under section 2-615 de novo. Randall v. Lemke,

(2000).

¶ 21 1. Negligence

¶ 22 Plaintiffs argue that defendant had a common law duty to protect their personal information

and that they have sufficiently alleged that the data breach was the proximate cause of plaintiffs’

injuries. Defendant argues that there is no common law duty to safeguard personal information in

Illinois. Cooney v. Chicago Public Schools,

(2010). Additionally,

defendant argues that plaintiffs have not alleged any facts that would show that their injuries were

proximately caused by the data breach.

¶ 23 To state a claim for negligence, a plaintiff must allege facts showing that (1) the defendant

owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the

breach was the proximate cause of plaintiff’s injuries. Cowper v. Nyberg,

.

In Cooney v. Chicago Public Schools, the court declined to recognize a new common law duty to

-9- No. 1-23-0140

safeguard personal information. Cooney,

. The court pointed out that the

legislature had recently addressed this issue in the Personal Information Protection Act (815 ILCS

530/1 et seq. (West 2022)). In the case of a data breach, the Information Protection Act only

required the collector of the personal information to provide “timely notice of a security breach to

the parties affected.”

; 815 ILCS 530/10 (West 2022). Given that the legislature had

recently addressed the issue, the court declined to create a new common law duty beyond the

legislative requirements of the Information Protection Act. Cooney,

. In

2017, the Information Protection Act was amended in order to require data collectors in possession

of the personal information of Illinois residents to “implement and maintain reasonable security

measures to protect those records from unauthorized access, acquisition, destruction, use,

modification, or disclosure.” Pub. Act 99-503 (eff. Jan. 1, 2017) (adding 815 ILCS 530/45). Given

that the legislature has now created a duty to maintain reasonable security measures under the

Information Protection Act, the reasoning of the Cooney court no longer applies. See In re Arthur

J. Gallagher Data Breach Litigation,

, 590 (N.D. Ill. 2022).

¶ 24 The existence of a common law duty is a question of law and is shaped by public policy

considerations. Grant v. South Roxana Dad’s Club,

(2008). “The

touchstone of the duty analysis is to ask whether the plaintiff and defendant stood in such a

relationship to one another that the law imposes on the defendant an obligation of reasonable

conduct for the benefit of the plaintiff.” Krywin v. Chicago Transit Authority,

(2010). When determining whether there is a duty of care under the common law, we look at (1) the

reasonable foreseeability of the injury, (2) the likelihood of the injury, (3) the magnitude of the

burden of guarding against the injury, and (4) the consequences of placing that burden on the

- 10 - No. 1-23-0140

defendant. Bogenberger v. Pi Kappa Alpha Corp., Inc.,

, ¶ 46. Here, it is

foreseeable that a failure to maintain reasonable security measures would allow unauthorized third

parties to gain access to stored personal information, and it is likely that a data breach of this

information would cause injury to the individuals that the personal information belongs to.

Additionally, defendant is a sophisticated company that provides cyber security services to its

clients, so it is well aware of the risks of providing inadequate security measures for personal

information. Providing reasonable security measures for the storage of personal information would

not be a large burden for defendant, given its experience and expertise in cyber security. All four

factors support the conclusion that defendant has a common law duty to protect the personal

information of its clients, in addition to its duty under the Information Protection Act.

¶ 25 Defendant argues that plaintiffs have failed to allege that defendant’s conduct was the

proximate cause of any actual injury. Plaintiffs have alleged that they carefully safeguard their

personal information and that after the data breach they began to be targeted more frequently by

spam messages and targeted marketing, as well as two fraudulent charges. They have also alleged

that the data breach is the cause of these injuries because personal information stolen in data

breaches is used to cross-reference other available information and to compile “Fullz” packages

used to further identity theft and fraud attempts. These allegations of proximate cause and injury

are sufficient at the pleading stage. The circuit court erred in dismissing plaintiffs’ negligence

claim.

¶ 26 2. Negligence Per Se

¶ 27 Plaintiffs assert a claim for negligence per se based upon defendant’s alleged violations of

section 45 of the Federal Trade Commission Act.

(a) (2018) (declaring “unfair or

- 11 - No. 1-23-0140

deceptive acts or practices in or affecting commerce” as unlawful). “A violation of a statute or

ordinance designed to protect human life or property is prima facie evidence of negligence.”

Kalata v. Anheuser-Busch Cos.,

(1991). A party injured by such a violation

may only recover by showing that “the violation proximately caused his injury and the statute or

ordinance was intended to protect a class of persons to which he belongs from the kind of injury

that he suffered.”

However, such a violation does not constitute negligence per se and so “the

defendant may prevail by showing that he acted reasonably under the circumstances.” Bier v.

Leanna Lakeside Property Ass’n,

(1999).

¶ 28 A violation of a statute only constitutes negligence per se (which would mean strict

liability) if the legislature clearly intends for the act to impose strict liability. Abbasi v.

Paraskevoulakos,

(1999). We find no support for the notion that the legislature

clearly intended to impose strict liability for FTC Act violations.

. While

defendant’s alleged violations of the FTC Act could be offered as prima facie evidence of

defendant’s negligence, they do not constitute negligence per se. Therefore, we uphold the circuit

court’s dismissal of plaintiffs’ separate negligence per se claim.

¶ 29 3. Breach of Implied Contract

¶ 30 Plaintiffs allege that they entered into an implied contract with defendant in which, in return

for providing defendant with their personal information, defendant would use reasonable security

measures to prevent disclosure of that personal information to unauthorized persons. Defendant

argues that there is no independent cause of action for a breach of the implied covenant of good

faith and fair dealing and therefore plaintiffs’ claim fails as a matter of law.

- 12 - No. 1-23-0140

¶ 31 An implied contract can be created as a result of the parties’ actions, even if there is no

express contract between them. Trapani Construction Co. v. The Elliot Group, Inc.,

, ¶ 41. Under Illinois law, a contract in fact can be implied from the facts and

circumstances that demonstrate the parties’ intent to be bound. Heavey v. Ehret,

(1988). Unlike an express contract, in which the parties arrive at an agreement using

words, agreement in an implied-in-fact contract is created through the actions and conduct of the

parties. Trapani Construction,

. Every contract contains an implied

covenant of good faith and fair dealing. Eckhardt v. The Idea Factory, LLC,

, ¶ 28; McCleary v. Wells Fargo Securities, L.L.C.,

;

Northern Trust Co. v. VIII S. Michigan Associates,

(1995).

¶ 32 The circuit court correctly stated that there is no independent cause of action for a breach

of the implied covenant of good faith and fair dealing. Voyles v. Sandia Mortgage Corp.,

(2001); Northern Trust Co.,

. However, plaintiffs’ claim

rests on the alleged breach of an implied contract, not a breach of the implied covenant of good

faith and fair dealing.

¶ 33 Plaintiffs have alleged sufficient facts to show that an implied contract existed between

plaintiffs and defendant. Defendant made representations in its privacy policy that it would

safeguard plaintiffs’ personal information using reasonable security measures. On top of

defendant’s representations in its privacy policy, it is implied from the relationship between the

parties that defendant would take reasonable steps to ensure that plaintiffs’ personal information

would be protected from unauthorized disclosure. Doe v. Fertility Centers of Illinois, S.C., No. 21

C 579,

, at *4 (N.D. Ill. Mar. 31, 2022); Castillo v. Seagate Technology, LLC,

- 13 - No. 1-23-0140

No. 16-CV-01958-RS,

, at *9 (N.D. Cal. Sept. 14, 2016) (“it is difficult to

imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security

numbers or other sensitive personal information would not imply the recipient’s assent to protect

the information sufficiently”).

¶ 34 Although defendant contends that plaintiffs failed to allege that they reviewed or relied

upon any of the claimed representations made by defendant in its privacy policy, this does not

require dismissal of plaintiffs’ breach of implied contract claim because the facts and

circumstances between the parties were sufficient to imply a contract between them for the security

of plaintiffs’ personal information. However, plaintiffs’ claim for breach of implied contract

ultimately must be dismissed because plaintiffs fail to allege an adequate injury-in-fact. To

successfully make a breach of implied contract claim, a plaintiff must allege actual monetary

damages. Avery v. State Farm Mutual Automobile Insurance Co.,

(2005); In re

Illinois Bell Telephone Link-Up II & Late Charge Litigation,

.

Plaintiffs’ alleged injuries, while sufficient to establish standing, do not amount to actual monetary

damages. While plaintiffs argue that lost time responding to a data breach meets the standard of

actual monetary damages, they rely on federal law rather than Illinois case law. In re Arthur J.

Gallagher Data Breach Litigation, 631 F. Supp. 3d at 587. We decline to hold that the alleged

diminution in value of plaintiffs’ personal information amounts to actual monetary damages.

Plaintiffs have failed to allege adequate damages for a breach of implied contract claim. We affirm

the circuit court’s dismissal of plaintiffs’ breach of implied contract claim.

- 14 - No. 1-23-0140

¶ 35 4. Unjust Enrichment

¶ 36 Plaintiffs allege, in the alternative to their breach of implied contract claim, a claim for

unjust enrichment. Plaintiffs argue that they conferred a benefit upon defendant in the form of their

(1) employment with defendant, (2) payment of premiums for defendant’s insurance products and

services through their employment, and (3) the value of plaintiffs’ personal information. Plaintiffs

contend that defendant should not be permitted to retain the full value of these benefits due to

defendant’s alleged failure to adequately protect plaintiffs’ personal information. Defendant argues

that plaintiffs fail to allege any benefit retained by defendant to plaintiffs’ detriment.

¶ 37 “To state a cause of action based on a theory of unjust enrichment, a plaintiff must allege

that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s

retention of the benefit violates the fundamental principles of justice, equity, and good

conscience.” HPI Health Care Services, Inc. v. Mt. Vernon Hospital, Inc.,

(1989). Unjust enrichment is not an independent cause of action. Gagnon v. Schickel,

. “Rather, it is a condition that may be brought about by unlawful or improper

conduct as defined by law, such as fraud, duress or undue influence, and may be redressed by a

cause of action based upon that improper conduct.” Charles Hester Enterprises, Inc. v. Illinois

Founders Insurance Co.,

(1985), aff’d,

(1986).

¶ 38 Plaintiffs fail to allege that defendant unjustly retained a benefit to plaintiffs’ detriment.

The labor that plaintiff Rushing provided for defendant does not satisfy this requirement, because

defendant adequately compensated Rushing through her wages. Additionally, the payments of

premiums for defendant’s insurance services were made by plaintiffs’ employers, not plaintiffs

themselves, and therefore were not benefits conferred by plaintiffs. Finally, plaintiffs argue that

- 15 - No. 1-23-0140

defendant benefited from the receipt of plaintiffs’ personal information, since the personal

information was used to purchase insurance through defendant. However, plaintiffs’ personal

information was not the payment for defendant’s insurance services. Instead, defendant

incidentally received plaintiffs’ personal information as an administrative necessity for providing

their insurance services. Perdue v. Hy-Vee, Inc.,

, 766 (C.D. Ill. 2020).

Plaintiffs have failed to allege that defendant has unjustly retained any benefit provided by

plaintiffs. Therefore, we uphold the circuit court’s dismissal of plaintiffs’ unjust enrichment claim.

¶ 39 5. The Consumer Fraud Act

¶ 40 Plaintiff Flores and the putative Illinois class members allege that defendant violated the

Information Protection Act by failing to maintain reasonable security measures to protect

plaintiffs’ personal information, and that a violation of the Information Protection Act constitutes

an unlawful practice under the Consumer Fraud Act. 815 ILCS 530/20, 45 (West 2022). Defendant

argues that Flores has not alleged an actual economic injury under the Consumer Fraud Act.

¶ 41 In order to plead a private cause of action for a violation of the Consumer Fraud Act, a

plaintiff must allege: “(1) a deceptive act or practice by the defendant, (2) the defendant’s intent

that the plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct

involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the

deception.” Oliveira v. Amoco Oil Co.,

(2002). The Consumer Fraud Act

provides remedies for purely economic injuries. Morris v. Harvey Cycle & Camper, Inc.,

(2009). “Actual damages must be calculable and ‘measured by the plaintiff’s

loss.’ ”

(quoting City of Chicago v. Michigan Beach Housing Cooperative,

(1998)). The failure to allege specific economic damages precludes a claim brought under

- 16 - No. 1-23-0140

the Consumer Fraud Act.

; White v. DaimlerChrysler Corp.,

(2006).

¶ 42 Flores has failed to allege the specific economic damages necessary to bring a claim under

the Consumer Fraud Act. Flores’s alleged injuries are her emotional distress due to her loss of

privacy, her lost time dealing with the consequences of the data breach, the increase in spam

messages she has received, and the imminent risk of fraud and identity theft. None of these are the

specific economic damages required for a claim under the Consumer Fraud Act. Williams v.

Manchester,

(2008) (“an increased risk of future harm is an element of

damages that can be recovered for a present injury—it is not the injury itself” (emphasis in

original)); Morris,

(emotional damages are not specific economic injuries

under the Consumer Fraud Act). Flores also alleges that she suffered damages in the form of

diminution of the value of her personal information, but we decline to hold that diminution in the

value of personal information is a specific economic injury under the Consumer Fraud Act. Morris,

(“[a]ctual damages must be calculable” (emphasis added)).

¶ 43 Plaintiffs cite to federal cases in which plaintiffs who experienced a data breach were able

to claim economic losses under the Consumer Fraud Act. However, these cases are distinguishable

because they all involved actual economic losses. Dieffenbach v. Barnes & Noble, Inc.,

(7th Cir. 2018) (plaintiff spent $17 per month on a credit-monitoring service); In re

Arthur J. Gallagher Data Breach Litigation, 631 F. Supp. 3d at 587-88 (plaintiff experienced

fraudulent credit card charges); Worix v. MedAssets, Inc.,

(N.D. Ill. 2012)

(plaintiff alleged lost wages and money spent on credit monitoring). Plaintiffs also cite to Perdue

v. Hy-Vee, Inc., in which the court held that a plaintiff’s time spent monitoring his account due to

- 17 - No. 1-23-0140

the data breach was an economic injury; however, this holding was based on federal law and we

decline to follow it. 455 F. Supp. 3d at 761. Because Flores fails to allege any specific economic

injury, we affirm the circuit court’s dismissal of plaintiffs’ claim under the Consumer Fraud Act.

¶ 44 6. The Florida Deceptive and Unfair Trade Practices Act

¶ 45 Plaintiff Williams and the putative Florida class members assert a claim for violation of

the Florida Deceptive and Unfair Trade Practices Act. Plaintiffs argue that defendant engaged in

deceptive and unfair trade practices against Florida residents and that there is a sufficient nexus

between defendant’s actions and Florida for the Florida Trade Practices Act to apply. Defendant

argues that plaintiffs’ claim fails since the Florida Trade Practices Act only applies to actions that

occurred within the state of Florida, and the data breach occurred in Illinois. Alternatively,

defendant argues that plaintiffs’ claim under the Florida Trade Practices Act is limited to injunctive

relief because plaintiffs fail to allege actual damages.

¶ 46 A claim for damages under the Florida Trade Practices Act requires: “(1) a deceptive act

or unfair practice; (2) causation; and (3) actual damages.” Rollins, Inc. v. Butland,

(Fla. Dist. Ct. App. 2006). The Florida Trade Practices Act prohibits unfair and deceptive

trade practices that occur anywhere within the territorial boundaries of Florida. Millennium

Communications & Fulfillment, Inc. v. Office of Attorney General, Dept. of Legal Affairs, State of

Florida,

(Fla. Dist. Ct. App. 2000). Therefore, the Florida Trade Practices

Act applies at least to all actions that occurred within the state of Florida. Hakim-Daccach v. Knauf

International GmbH, No. 17-20495-CIV,

, at *7 (S.D. Fla. Nov. 22, 2017).

¶ 47 Williams has alleged that her injury was caused by wrongful acts that occurred in Florida.

She alleged that she provided her personal information to defendant based on its promises to her

- 18 - No. 1-23-0140

and to other Florida residents to keep that information safe. She also alleged that defendant omitted

material information concerning the adequacy of its data security and that had she known about

the true state of defendant’s cyber-security procedures, she would not have provided defendant

with her personal information. Williams’s allegations are sufficient to establish a claim under the

Florida Trade Practices Act. Federal Trade Comm’n v. All US Marketing LLC, No. 6:15-cv-1016-

Orl-28KRS,

, at *11 n.7 (M.D. Fla. Apr. 13, 2017) (“The amended complaint

alleges that Defendants’ misrepresentations actually misled consumers within the State of Florida.

[Citation.] This provides a nexus between the State of Florida and acts that allegedly violate [the

Florida Trade Practices Act].”), report & recommendation adopted by Federal Trade Comm’n v.

All US Marketing LLC, No. 6:15-cv-1016-Orl-28KRS,

(M.D. Fla. May 22,

2017). Although defendant argues that the data breach itself did not occur within Florida, this

misses the point. Williams has alleged that defendant has made misrepresentations within the

territorial boundaries of Florida to Florida residents.

¶ 48 However, plaintiffs’ Florida Trade Practices Act claim is limited to injunctive relief. The

Florida Trade Practices Act only allows for the recovery of actual damages, meaning the

diminished value of the goods or services due to the Florida Trade Practices Act violation. Farmer

v. Humana, Inc.,

, 1191 (M.D. Fla. 2022). The Florida Trade Practices Act

expressly does not allow recovery for consequential damages, meaning damages to “property other

than the property that is the subject of the consumer transaction.”(Internal quotation marks

omitted.) Id.;

(3) (West 2022). This includes “damages arising from identity

theft and fraud” as well as the “increased risk of future identity theft and fraud, and the costs

associated therewith; and time spent monitoring, addressing, and correcting the current and future

- 19 - No. 1-23-0140

consequences of the data breach.” (Internal quotation marks omitted.) Farmer, 582 F. Supp. 3d at

1191. Here, the subject of the consumer transaction was the insurance services defendant was

providing Williams through her employer. None of Williams’s alleged injuries, including the

fraudulent PayPal charge, the diminution in the value of her personal information, and her

emotional distress, are considered actual damages under the Florida Trade Practices Act. In re

Mednax Services, Inc., Customer Data Security Breach Litigation, 603 F. Supp. 3d at 1212-13;

In re Brinker Data Incident Litigation, No. 3:18-CV-686-J-32MCR,

, at *13

(M.D. Fla. Jan. 27, 2020); In re American Medical Collection Agency, Inc. Customer Data Security

Breach Litigation, No. CV 19-MD-2904,

, at *28 (D.N.J. Dec. 16, 2021).

Without any actual damages, Williams’s Florida Trade Practices Act claim is limited to injunctive

relief.

¶ 49 7. Invasion of Privacy

¶ 50 Finally, plaintiffs assert a claim for invasion of privacy based upon intrusion into seclusion.

Plaintiffs argue that the personal information accessed by third parties during the data breach

(names, driver’s license numbers, social security numbers, and benefit enrollment information)

consisted of private facts, while defendant argues that this information should be categorized as

personal, non-private facts that are insufficient to establish an invasion of privacy claim.

¶ 51 There are four ways to state a cause of action for invasion of privacy in Illinois:

(1) intrusion upon the seclusion of another, (2) appropriation of another’s name or likeness,

(3) public disclosure of private facts, and (4) publicity placing another in a false light. Busse v.

Motorola, Inc.,

(2004). The elements of intrusion upon seclusion are “(1)

the defendant committed an unauthorized intrusion or prying into the plaintiff’s seclusion; (2) the

- 20 - No. 1-23-0140

intrusion would be highly offensive or objectionable to a reasonable person; (3) the matter intruded

on was private; and (4) the intrusion caused the plaintiff anguish and suffering.”

The third

element is the most significant in this case. The facts must be private, not merely personal.

. Personal information such as names, addresses, telephone numbers, social security numbers,

or dates of birth are not considered to be private facts.

¶ 52 The names, driver’s license numbers, and social security numbers that plaintiffs have

alleged were accessed due to the data breach are not private facts necessary to establish a claim

for intrusion upon the seclusion of another.

However, plaintiffs have alleged that the data breach

included some of the plaintiffs’ “benefit enrollment information.” Since this is a term used by

defendant, plaintiffs have no way of knowing what kind of personal information is included within

this category until discovery occurs. Since the benefit enrollment information could contain private

facts about plaintiffs, such as their financial history, medical history, and beneficiary information,

we find that plaintiffs have adequately alleged a claim for invasion of privacy. Johnson v. K mart

Corp.,

(2000); Green v. Chicago Tribune Co.,

(1996) (Cahill, J., dissenting).

¶ 53 Defendant argues that plaintiffs have forfeited their argument concerning benefit

enrollment information because plaintiffs cannot raise new factual theories of recovery for the first

time on appeal. Wilson v. Gorski’s Food Fair,

(1990). However, plaintiffs

alleged in their complaint that the data breach contained benefit enrollment information and

beneficiary information. See Grund v. Donegan,

(1998) (stating that

a plaintiff may rely on any allegations of fact made in the complaint). The circuit court erred in

dismissing plaintiffs’ claim for invasion of privacy.

- 21 - No. 1-23-0140

¶ 54 C. Moorman Doctrine

¶ 55 Plaintiffs argue that their common law tort claims (negligence, negligence per se, unjust

enrichment, and invasion of privacy) are not barred by the Moorman doctrine because the duty

that defendant allegedly breached arose out of the common law, implied contract, and statutes

rather than through an express contract. Defendant argues that plaintiffs’ allegations of emotional

distress are conclusory and must be dismissed and that the rest of plaintiffs’ alleged injuries are

purely economic and are thus barred by the Moorman doctrine.

¶ 56 The Moorman doctrine, also known as the economic loss doctrine, states that there can be

no recovery in tort for purely economic losses. Moorman Manufacturing Co. v. National Tank Co.,

(1982). Economic loss is defined as “damages for inadequate value, costs of repair

and replacement of the defective product, or consequent loss of profits—without any claim of

personal injury or damage to other property.” (Internal quotation marks omitted.)

. The

Moorman doctrine is founded on the theory that “parties to a contract may allocate their risks by

agreement and do not need the special protections of tort law to recover damages caused by a

breach of contract.” Mars, Inc. v. Heritage Builders of Effingham, Inc.,

(2002). However, the Illinois Supreme Court later held that the doctrine applies to the service

industry only where the duty of the party performing the service is defined by a contract executed

with the client. Congregation of the Passion, Holy Cross Province v. Touche Ross & Co.,

(1994). If the duty arises outside of a contract between the parties, then recovery in

tort for the negligent breach of that duty is not barred by the Moorman doctrine.

Although the

Congregation of the Passion decision concerned a professional malpractice claim against an

accounting firm, its reasoning equally applies to data breach cases.

- 22 - No. 1-23-0140

¶ 57 Here, plaintiffs allege no express contract between the parties that would establish a duty

by defendant to safeguard plaintiffs’ personal information. Additionally, the “product” of the

transaction between the parties was the insurance services plaintiffs were receiving through their

employers, not the protection of the personal information defendant needed to provide the

insurance services. Applying the Moorman doctrine to this data breach case would stretch the

applicability of the doctrine far beyond its products liability roots, given that there is no express

contract between the parties and the injuries allegedly suffered by plaintiffs were not caused by

any defect in the actual product of the transaction. See In re Marriott International, Inc., Customer

Data Security Breach Litigation,

, 468-76 (D. Md. 2020) (thoroughly

analyzing the history of the Moorman doctrine and the potential applicability of the doctrine to

data breach cases under Illinois law); McGlenn v. Driveline Retail Merchandising, Inc., No. 18-

CV-2097,

, at *8-9 (C.D. Ill. Sept. 21, 2021). Instead, plaintiffs’ injuries arose

from defendant’s alleged breach of its duty to safeguard personal information incidental to the

transaction itself. Since plaintiffs’ common law tort claims are based on defendant’s common law

duty to safeguard personal information rather than any express contractual duty, the Moorman

doctrine does not prohibit plaintiffs from bringing their claims.

¶ 58 Defendant’s contention that plaintiffs’ injuries are economic is irrelevant since the

Moorman doctrine does not apply to plaintiffs’ claims in the first place. The circuit court erred in

dismissing plaintiffs’ negligence, negligence per se, unjust enrichment, and invasion of privacy

claims under the Moorman doctrine.

¶ 59 Plaintiffs argue that the trial court abused its discretion in dismissing its various claims

- 23 - No. 1-23-0140

“with prejudice” because the fault found by the trial court—the failure to allege sufficient facts—

could be cured by amending the complaint. However, in fairness to the trial court, its ruling under

section 2-615 was an alternative holding to its conclusion (albeit mistaken) that plaintiffs lacked

standing—a legal impediment that could not be cured by repleading. The standard for repleading,

of course, is a generous one. Leave to replead should be “freely” given (People v. Brown,

(2002)), and a claim should be dismissed with prejudice only when it becomes

clear that a plaintiff can plead no set of facts entitling him or her to relief. Loyola Academy v. S&S

Roof Maintenance, Inc.,

(1992); Mills v. County of Cook,

(2003).

¶ 60 Aside from plaintiffs’ negligence per se claim, which is deficient as a matter of law, on

those claims where we affirm the trial court’s dismissal under section 2-615, the pleading defects

may well be cured by repleading. For example, the dismissal of the breach of implied contract and

consumer fraud claims are predicated on a failure to allege a monetary loss or economic injury.

The dismissal of the unjust enrichment claim is based on the failure to allege an unjustly retained

benefit. Whether plaintiffs can or will seek to replead to cure these and other defects is a matter to

be taken up on remand.

¶ 61 III. CONCLUSION

¶ 62 The circuit court’s dismissal of plaintiffs’ complaint for lack of standing and its dismissal

of plaintiffs’ negligence, Florida Trade Practices Act, and invasion of privacy claims for failure to

state a claim are reversed. The circuit court’s dismissal of plaintiffs’ negligence per se claim is

affirmed, and its dismissal of the breach of implied contract, unjust enrichment and Consumer

- 24 - No. 1-23-0140

Fraud Act claims are affirmed, but modified to be without prejudice. The matter is remanded for

further proceedings.

¶ 63 Affirmed in part and reversed in part; cause remanded.

- 25 - No. 1-23-0140

Flores v. Aon Corp.,

Decision Under Review: Appeal from the Circuit Court of Cook County, No. 2022-CH- 6132; the Hon. Neil H. Cohen, Judge, presiding.

Attorneys Kenneth A. Wexler, Bethany R. Turke, and Eaghan S. Davis, of for Wexler Boley & Elgersma LLP, and Gary M. Klinger, of Milberg Appellant: Coleman Bryson Phillips Grossman, PLLC, both of Chicago, Raina C. Borrelli, Samuel J. Strauss (pro hac vice), Brittany Resch (pro hac vice), and Alex Phillips (pro hac vice), of Turke & Strauss LLP, of Madison, Wisconsin, Joseph M. Lyon, of Lyon Law Firm, LLC, and Terence R. Coates (pro hac vice), of Markovits, Stock & Demarco, LLC, both of Cincinnati, Ohio, Bryan L. Bleichner (pro hac vice), of Chestnut Cambronne PA, of Minneapolis, Minnesota, Patrick N. Keegan (pro hac vice), of Keegan & Baker, LLP, of Carlsbad, California, and Ryan A. Stygar (pro hac vice), of Centurion Trial Attorneys, APC, of San Diego, California, for appellants.

Attorneys Craig C. Martin, LaRue L. Robinson, Mengjie Zou, Bianca L. for Valdez, and Elizabeth P. Astrup, of Willkie Farr & Gallagher LLP, Appellee: of Chicago, for appellee.

- 26 -