2025 IL App (1st) 241126 No. 1-24-1126 Opinion filed June 25, 2025 Third Division

______________________________________________________________________________ IN THE APPELLATE COURT OF ILLINOIS FIRST DISTRICT ______________________________________________________________________________ ERVIN OLSON, and SHAWN WESSON, on Behalf of ) Appeal from the Themselves and All Others Similarly Situated, ) Circuit Court of ) Cook County.

Plaintiffs-Appellants, ) ) v. ) No. 22 CH 6866 ) FERRARA CANDY COMPANY, ) Honorable ) Joel Chupack, Defendant-Appellee. ) Judge, presiding.

PRESIDING JUSTICE LAMPKIN delivered the judgment of the court, with opinion.

Justices Martin and D.B. Walker concurred in the judgment and opinion.

OPINION ¶1 Plaintiffs Ervin Olson and Shawn Wesson filed a data breach class-action complaint against their former employer, defendant Ferrara Candy Company (Ferrara). Plaintiffs alleged that Ferrara negligently failed to use reasonable means to protect its current and former employees’ “personally identifiable information” (PII)—including Social Security numbers, driver’s license numbers, and bank account and routing numbers—from unauthorized access by an unknown third party, who stole the PII and committed fraud. Ferrara filed a combined motion to dismiss the No. 1-24-1126

complaint pursuant to section 2-619.1 of the Code of Civil Procedure (Code) (735 ILCS 5/2-619.1 (West 2022)), arguing that plaintiffs lacked standing and failed to plead adequate facts to support their claims. The circuit court granted the motion to dismiss under section 2-615 of the Code (id. § 2-615), ruling that plaintiffs failed to adequately plead facts to support their claims.

¶2 On appeal, plaintiffs argue that the circuit court erred by dismissing their negligence claims under the Moorman doctrine (see Moorman Manufacturing Co. v. National Tank Co., 91 Ill. 2d 69 (1982)) and by ruling that they failed to plead damages under their negligence claims.

Furthermore, plaintiff Wesson argues that the circuit court erred by ruling that he failed to plead damages under his implied contract claim and he failed to adequately plead damages and causation regarding his claim under the Consumer Fraud and Deceptive Business Practices Act (Consumer Fraud Act) (815 ILCS 505/1 et seq. (West 2022)).

¶3 For the reasons that follow, we affirm in part and reverse in part the judgment of the circuit court.

¶4 I. BACKGROUND ¶5 Defendant Ferrara is a Chicago-based manufacturer of candies and other sweets. Ferrara posted a notice of data event to its website (website notice), which plaintiffs attached to their operative complaint and incorporated therein. The website notice stated that from October 2, 2021, to October 9, 2021, “an unauthorized actor accessed the Ferrara network and removed certain files from the network.” Ferrara undertook an investigation to identify the information potentially contained in the files at issue. Ferrara completed its review on March 30, 2022 “and determined that certain personal information could have been impacted by this event.” Based on its investigation, Ferrara “determined that the following types of information were present in the potentially impacted files: certain individuals’ names, dates of birth, financial account information, -2- No. 1-24-1126

Social Security numbers, driver’s license numbers, birth certificates, passport numbers or other government issued identification numbers, digital/electronic signatures, mother’s maiden name, and/or medical information.” Ferrara encouraged individuals to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their free credit reports for suspicious activity and to detect errors over the next 12 to 24 months. Further, Ferrara offered credit monitoring to impacted individuals at no cost to them. In about April 2022, Ferrara notified individuals whose personal information potentially was impacted. Plaintiffs Olson and Wesson alleged that they received this notice from Ferrara in about May 2022.

¶6 In July 2022, Olson filed a class action complaint against Ferrara, arising out of the data breach event. Ferrara moved to dismiss, arguing that Olson lacked standing and did not state a claim because he did not allege an actual injury, only the risk of future injury. In response, Olson and Wesson filed an amended complaint adding Wesson as a plaintiff and his additional allegations of injury. Ferrara moved to dismiss again, contending that plaintiffs lacked standing and neither plaintiff alleged sufficient facts to satisfy the elements of any of their alleged claims.

¶7 The circuit court granted Ferrara’s motion to dismiss under section 2-615 of the Code and gave plaintiffs leave to amend their complaint. The court did not address the standing issue portion of Ferrara’s motion to dismiss under section 2-619 of the Code (735 ILCS 5/2-619 (West 2022)).

¶8 Plaintiffs filed a second amended complaint wherein Wesson alleged that he already experienced identity theft and fraud following the data breach because in December 2021 he “suffered fraudulent charges on his credit union account.” Wesson alleged that he was not aware of other data breaches aside from Ferrara’s or reasons criminals would have his credit union checking account or debit card information.

-3- No. 1-24-1126

¶9 In its motion to dismiss, Ferrara again argued that plaintiffs lacked standing and failed to plead sufficient facts to state a claim. Ferrara provided the supporting sworn declaration of David Fagan, Ferrara’s director of cybersecurity. The declaration stated that “Ferrara never maintained information on any credit union account held by Mr. Wesson.

The only information on a financial account held by Mr. Wesson that Ferrara has ever maintained was his routing number and account number for a Chase bank account, which Ferrara maintained for purposes of paying him by direct deposit. However, even this information was maintained on a third-party system that was not subject to the cybersecurity incident.”

¶ 10 After briefing, the circuit court dismissed the second amended complaint under section 2- of the Code based on plaintiffs’ failure to plead legally sufficient claims. The court did not address the standing issue portion of Ferrara’s motion to dismiss under section 2-619 of the Code. ¶ 11 Plaintiffs then filed a third amended complaint (the operative complaint), which asserted claims on behalf of themselves and the putative class for (1) negligence, (2) negligence per se, (3) breach of implied contract, (4) unjust enrichment, and (5) violation of the Consumer Fraud Act.

Regarding their injuries, Olson alleged that he expended effort monitoring his account, suffered anxiety about the data breach, sustained damages to and diminution in the value of his PII, and remained at an increased risk of fraud, identity theft, and misuse. Wesson alleged the same injuries as Olson, plus fraudulent charges to his credit union account. Wesson also alleged that sometime after receiving notice of the data breach, he bought a credit monitoring service, for which he paid $24.99 monthly for several months and then $4.99 monthly for a couple of months.

-4- No. 1-24-1126

¶ 12 Plaintiffs alleged that Ferrara required its employees to disclose their PII as part of their employment with Ferrara. On its website, Ferrara stated that it protects employees’ PII “from loss, misuse, or unauthorized disclosure”; takes its obligations to employees seriously; and collects, uses, and processes any PII only for legitimate business purposes and only in accordance with Ferrara’s privacy policy. Plaintiffs alleged that, despite recognizing its duty to protect employees’ PII, Ferrara failed to implement reasonable cybersecurity safeguards or a privacy policy; failed to train its “IT” or data security employees to prevent, detect, and stop breaches of Ferrara’s systems; and stopped operating key cybersecurity infrastructure during evening hours in August 2021— only two months before the data breach—running it only during Ferrara’s day shifts. Furthermore, plaintiffs alleged that they faced a significant risk of identity theft and fraud because cybercriminals compile the plaintiffs’ stolen PII into Fullz packages that are then sold to unsavory parties that use the information for telemarketer operations or to commit fraud.

¶ 13 Plaintiffs’ complaint sought, inter alia, monetary damages for themselves and the other putative class members, including compensatory damages, which included the costs of future monitoring of their credit history for identity theft and fraud, plus attorney fees, prejudgment interest, and costs.

¶ 14 The circuit court dismissed the case with prejudice under section 2-615 of the Code for failure to state a claim.

¶ 15 Plaintiffs appealed.

¶ 16 II. ANALYSIS ¶ 17 A section 2-615 motion to dismiss tests the legal sufficiency of the complaint based on defects apparent on its face. Doe-3 v. McLean County Unit District No. 5 Board of Directors, 2012 IL 112479, ¶ 15. A section 2-615 motion presents the question of whether the facts alleged in the -5- No. 1-24-1126

complaint—viewed in the light most favorable to the plaintiff, and taking all well-pleaded facts and all reasonable inferences that may be drawn from those facts as true—are sufficient to state a cause of action upon which relief may be granted. Id. ¶ 16. “[A] cause of action should not be dismissed pursuant to section 2-615 unless it is clearly apparent that no set of facts can be proved that would entitle the plaintiff to recovery.” Marshall v. Burger King Corp., 222 Ill. 2d 422, 429 (2006). In ruling on a section 2-615 motion, the court considers only “those facts apparent from the face of the pleadings, matters subject to judicial notice, and judicial admissions in the record.”

Gillen v. State Farm Mutual Automobile Insurance Co., 215 Ill. 2d 381, 385 (2005). A section 2- motion dismissal is reviewed de novo. Doe-3, 2012 IL 112479, ¶ 15.

¶ 18 Section 2-619(a)(9) of the Code provides that a defendant may file a motion for dismissal of the action on the grounds that “the claim asserted against defendant is barred by other affirmative matter avoiding the legal effect of or defeating the claim.” 735 ILCS 5/2-619(a)(9) (West 2022). Section 2-619(a)’s purpose is to provide litigants with a method of disposing of issues of law and easily proved issues of fact—relating to the affirmative matter—early in the litigation.

Van Meter v. Darien Park District, 207 Ill. 2d 359, 367 (2003). A motion for involuntary dismissal under section 2-619(a)(9) of the Code admits the legal sufficiency of the complaint, admits all well-pleaded facts and all reasonable inferences therefrom, and asserts an affirmative matter outside the complaint that bars or defeats the cause of action. Kean v. Wal-Mart Stores, Inc., 235 Ill. 2d 351, 361 (2009). When ruling on the section 2-619(a)(9) motion, the court construes the pleadings “in the light most favorable to the nonmoving party” (Sandholm v. Kuecker, 2012 IL 111443, ¶ 55) and should grant the motion only “if the plaintiff can prove no set of facts that would support a cause of action” (Snyder v. Heidelberger, 2011 IL 111052, ¶ 8). A section 2-619(a)(9) motion dismissal is reviewed de novo. Kean, 235 Ill. 2d at 361.

-6- No. 1-24-1126

¶ 19 A. Standing ¶ 20 Ferrara argues that plaintiffs lack standing because they failed to allege any distinct and palpable injury fairly traceable to Ferrara. Plaintiffs allege five categories of injuries, namely (1) the increased risk that their information could be misused, (2) the diminished value of their PII, (3) the lost time and effort they incurred to safeguard their data or identity, (4) their emotional distress and worry about the status of their information and possibly compromised privacy, and (5) as to only Wesson, fraudulent charges on his credit union account and money spent on credit monitoring services.

¶ 21 Standing in Illinois requires only that the plaintiff demonstrate “some injury in fact to a legally cognizable interest.” Greer v. Illinois Housing Development Authority, 122 Ill. 2d 462, 492 (1988). A legally cognizable interest exists when that injury, whether actual or threatened, is (1) distinct and palpable, (2) fairly traceable to the defendant’s actions, and (3) substantially likely to be prevented or redressed by the grant of the requested relief. Id. at 492-93. “The injury alleged by the plaintiff must be concrete; a plaintiff alleging only a purely speculative future injury or where there is no immediate danger of sustaining a direct injury lacks a sufficient interest to have standing.” (Internal quotation marks omitted.) Petta v. Christie Business Holdings Company, P.C., 2025 IL 130337, ¶ 18. “In a complaint seeking monetary damages, [plaintiffs’ allegation that they faced only] an increased risk of harm is insufficient to confer standing.” Id. ¶ 21.

¶ 22 Under federal law, to establish article III standing under the United States Constitution (U.S. Const., art. III), “an injury must be concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling. [Citations.] Although imminence

-7- No. 1-24-1126

is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending. [Citation.] Thus, [the Supreme Court has] repeatedly reiterated that [the] threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient. [Citations.]”

(Emphases in original and internal quotation marks omitted.) Clapper v. Amnesty International USA, 568 U.S. 398, 409 (2013).

¶ 23 Under federal law, “traditional tangible harms, such as physical harms and monetary harms,” are the most obvious harms that “readily qualify as concrete injuries.” TransUnion LLC v. Ramirez, 594 U.S. 413, 425 (2021). Intangible harms can also be concrete, including “injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. This “inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury,” but “does not require an exact duplicate.” Id. at 424. “ ‘[A] material risk of future harm can [also] satisfy the concrete-harm requirement,’ but only as to injunctive relief, not damages.” Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 372 (1st Cir. 2023) (quoting TransUnion LLC, 594 U.S. at 435). “To have standing to pursue damages based on a risk of future harm, plaintiffs must demonstrate a separate concrete harm caused ‘by [the] exposure to the risk [of future harm] itself.’ ” (Emphasis in original.) Webb, 72 F.4th at 372 (quoting TransUnion LLC, 594 U.S. at 437). This standing requirement of a separate concrete harm when seeking monetary damages based on a risk of future harm was cited approvingly by the Illinois Supreme Court in Petta, 2025 IL 130337, ¶ 21 (citing TransUnion LLC, 594 U.S. at

-8- No. 1-24-1126

436-37, Pierre v. Midland Credit Management, Inc., 29 F.4th 934, 938 (7th Cir. 2022), and Maddox v. Bank of New York Mellon Trust Co., N.A., 19 F.4th 58, 64 (2d Cir. 2021)). Accordingly, we apply this separate concrete harm requirement here because plaintiffs seek monetary damages based on the risk of future harm.

¶ 24 “Illinois courts are generally more willing than federal courts to recognize standing on the part of any person ‘who shows that he is in fact aggrieved.’ ” Flores v. Aon Corp., 2023 IL App (1st) 230140, ¶ 13 (quoting Greer, 122 Ill. 2d at 491). To determine standing in a class action, the court’s focus must be on the named plaintiffs themselves and not on the unidentified members of the general class they purport to represent. Id.; I.C.S. Illinois, Inc. v. Waste Management of Illinois, Inc., 403 Ill. App. 3d 211, 221 (2010). When a plaintiff files a class action, he must allege and show that he was personally injured; if the named plaintiff has no injury, the plaintiff has no standing, and no case or controversy arises. I.C.S. Illinois, Inc., 403 Ill. App. 3d at 223. Lack of standing is an affirmative matter that is properly raised in a section 2-619(a)(9) motion to dismiss, and our review of this issue is de novo. Petta, 2025 IL 130337, ¶ 18.

¶ 25 We begin with Wesson’s standing to pursue damages. We conclude that the operative complaint sufficiently alleged a concrete injury in fact as to Wesson based on the allegation that the data breach resulted in the misuse of his PII by an unauthorized third party who made charges to his credit union account. Illinois data breach precedent supports the conclusion that actual misuse of PII may constitute an injury in fact. In Flores, 2023 IL App (1st) 230140, ¶ 7, three of the four named plaintiffs alleged that, after the data breach, they received increased spam and targeted marketing. One plaintiff alleged an attempt for a fraudulent charge to a PayPal account, and one plaintiff alleged a charge for a prescription that the plaintiff did not order. The Flores

-9- No. 1-24-1126

court held that the plaintiffs had standing because, inter alia, they clearly alleged that they faced an imminent, a certainly impending, or a substantial risk of harm from the data breach since they alleged that they already had experienced fraudulent charges and spam messaging. Id. ¶ 15. Cf. Petta, 2025 IL 130337, ¶¶ 24-25 (no concrete injury or standing where a plaintiff seeking monetary damages speculatively alleged only that she faced an increased risk that her PII had been exposed to an unauthorized third party but did not allege that any of her PII was used for a fraudulent loan application, which had used readily available public information); Maglio v. Advocate Health & Hospitals Corp., 2015 IL App (2d) 140782, ¶¶ 5, 24, 27 (plaintiffs lacked standing where they did not allege that anyone improperly accessed or used their PII from four stolen password-protected computers, nor did they allege that they had suffered identity theft or fraud because of the burglary).

¶ 26 Furthermore, several federal courts “consider actual misuse of a plaintiff’s PII resulting from a data breach to itself be a concrete injury.” Webb, 72 F.4th at 374 (actual misuse of the plaintiff’s stolen PII to file a fraudulent tax return sufficed to state a concrete injury under article III); see In re Equifax Inc. Customer Data Security Breach Litigation, 999 F.3d 1247, 1262 (11th Cir. 2021) (the “identity theft and damages resulting from such theft” were concrete injuries); Attias v. CareFirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) (“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.”).

¶ 27 Olson’s standing to pursue damages is a more difficult issue because the operative complaint does not allege actual misuse of his PII. Nevertheless, we conclude that plaintiffs allege a concrete injury in fact based on an imminent, a certainly impending, or a substantial risk of future misuse of Olson’s PII and a concrete harm caused by exposure to this risk. This analysis also

- 10 - No. 1-24-1126

applies to Wesson and provides an additional basis to conclude that he sufficiently alleged standing.

¶ 28 In determining when the risk of future misuse of PII following a data breach is imminent and substantial, relevant considerations include, first, whether the PII was exposed as the result of a targeted attempt to obtain that data. See Petta, 2025 IL 130337, ¶¶ 20, 24-25 (harm was not imminent or substantial where the unauthorized third party attempted to intercept a financial transaction, not steal the patients’ private information); Maglio, 2015 IL App (2d) 140782, ¶¶ 1-3, 5 (harm not imminent or substantial where plaintiffs did not allege that anyone had improperly accessed or used their PII on the stolen password-protected computers). A second consideration is whether any portion of the stolen or accessed PII has already been misused. See Flores, 2023 IL App (1st) 230140, ¶¶ 7, 15 (imminent and substantial harm where, altogether, the four named plaintiffs alleged that, after the data breach, they received increased spam, targeted marketing, an attempt to process a fraudulent charge to a PayPal account, and a charge for a prescription that the plaintiff did not order); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693-94 (7th Cir. 2015) (the actual misuse of a portion of the stolen information increased the risk that other information will be misused in the future); Maglio, 2015 IL App (2d) 140782, ¶¶ 5, 24 (harm not imminent or substantial where the plaintiffs did not allege that they had suffered identity theft or fraud because of the burglary). A third consideration is whether the PII at issue is sensitive, such that there is a high risk of identity theft or fraud. See Petta, 2025 IL 130337, ¶¶ 24-25 (harm not imminent or substantial where the allegation that an unauthorized third party actually accessed the plaintiff’s PII was purely speculative and conclusory and the fraudulent loan application used readily available public information); Flores, 2023 IL App (1st) 230140, ¶¶ 4-5, 16 (imminent and substantial harm where the stolen PII included the plaintiffs’ names, Social Security numbers, - 11 - No. 1-24-1126

driver’s license numbers, and benefit enrollment information); see Webb, 72 F.4th at 375 (discussing these three nonexclusive factors and supporting cases).

¶ 29 We conclude that plaintiffs sufficiently allege an imminent and substantial risk of future misuse of Olson’s and Wesson’s PII. Specifically, the complaint alleged that the data breach was the result of an attack by thieves who accessed Ferrara’s network and stole the plaintiffs’ PII over a seven-day period. Furthermore, it is alleged that some of the stolen PII has already been misused to make fraudulent charges to Wesson’s credit union account. In addition, the stolen PII includes highly sensitive information, such as plaintiffs’ names, birth dates, financial account information, Social Security numbers, driver’s license numbers, birth certificates, passport numbers or other government issued identification numbers, digital/electronic signatures, mother’s maiden names, and medical information.

¶ 30 To establish standing to pursue damages, the complaint must also sufficiently allege a separate concrete harm caused by the plaintiffs’ exposure to the alleged risk of future harm.

TransUnion, 594 U.S. at 436. Here, plaintiffs alleged the harm of lost time based on the time and effort they spent monitoring their accounts to protect themselves from identity theft and fraud.

“The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury.”

Webb, 72 F.4th at 376 (citing TransUnion, 594 U.S. at 425); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“the value of one’s own time needed to set things straight [after a data theft] is a loss from an opportunity-cost perspective” which “can justify money damages *** [and] support standing”)). Furthermore, “[b]ecause this alleged injury was a response to a substantial and imminent risk of harm, this is not a case where the plaintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm.’ ” Webb, 72 F.4th at 377 (quoting Clapper, 568 U.S. at 422). We conclude that the complaint sufficiently alleged a separate - 12 - No. 1-24-1126

concrete harm caused by plaintiffs’ exposure to the risk of future harm based on their allegations of their lost time spent monitoring their accounts to protect against identity theft and fraud.

¶ 31 In addition, Wesson alleged the additional concrete injury of paying money for credit monitoring services, which serves as another basis for standing. Specifically, he paid $24.99 monthly for several months and then $4.99 monthly for a couple of months for a credit monitoring service to protect his accounts and safeguard himself from further fraud and identity theft. See In re Mondelez Data Breach Litigation, Nos. 23 C 3999, 23 C 4249, 2024 WL 2817489, at *2 (N.D. Ill. June 3, 2024) (explaining that mitigation expenses to minimize the risk of harm establishes standing); Florence v. Order Express, Inc., 674 F. Supp. 3d 472, 482 (N.D. Ill. 2023) (holding that “spent time and money on credit monitoring and identity-theft insurance” establishes standing); Doe v. Fertility Centers of Illinois, S.C., No. 21 C 579, 2022 WL 972295, at *2 (N.D. Ill. Mar. 31, 2022) (holding that out-of-pocket costs establish standing); Remijas, 794 F.3d at 694 (explaining that “credit-monitoring services come at a price that is more than de minimis” and spending “$4.95 a month for the first month [of credit monitoring], and then $19.95 per month thereafter” “easily qualifies as a concrete injury”).

¶ 32 Regarding traceability, Ferrara argues that the alleged harm of the unauthorized charges to Wesson’s credit union account is not fairly traceable to the data breach because, as stated in the declaration from Ferrara’s director of cybersecurity, Ferrara never had any information concerning Wesson’s credit union account. We disagree. Drawing all reasonable inferences from the operative complaint at the motion to dismiss stage, we conclude that plaintiffs allege a sufficient connection between the actual misuse of Wesson’s PII and the data breach. Wesson alleged that two short months after the data breach, he was the victim of attempted fraudulent charges to his credit union account. Moreover, he was not aware of any other data breaches or reasons why criminals would - 13 - No. 1-24-1126

have his credit union account information other than because of Ferrara’s data breach that exposed certain of his PII. Plaintiffs also alleged that, as a result of Ferrara’s data breach, cybercriminals were now able to cross reference multiple sources of plaintiffs’ PII to compile Fullz packages that can be used for further identity theft and fraud, as experienced by Wesson. The risk of future identity theft and fraud was evident where Ferrara warned of possible identity theft and offered free credit monitoring services and the stolen PII—including names, dates of birth, and Social Security numbers—would likely be sufficient to permit identity theft.

¶ 33 We find support for this conclusion in Flores, 2023 IL App (1st) 230140, ¶ 16, where the court rejected the defendant’s argument that the unauthorized charges were not fairly traceable to the data breach because the defendant did not collect the plaintiffs’ payment information. Unlike the instant case, in Flores, the defendant never defined the type of information encompassed in the plaintiffs’ stolen benefit enrollment information. Nevertheless, the court held that “when personal information is obtained in a targeted data breach, it is reasonable to assume that the data thieves will use the stolen data for fraudulent purposes.” Id. (citing Galaria v. Nationwide Mutual Insurance Co., 663 F. App’x 384, 388 (6th Cir. 2016)). Even if that data breach did not provide all the information necessary to inflict the alleged harms, the accessed data could have been enough to aid the infliction of the alleged harms. Id.; In re Mednax Services, Inc., Customer Data Security Breach Litigation, 603 F. Supp. 3d 1183, 1206 (S.D. Fla. 2022) (the defendants’ failure to protect the plaintiffs’ information from a security breach, whereby unauthorized persons gained access to the plaintiffs’ health information and PII, was sufficiently traceable to the plaintiffs’ alleged injuries of identity theft, economic losses, lost time, and emotional distress); Sweet v. BJC Health System, No. 3:20-CV-00947-NJR, 2021 WL 2661569, at *4 (S.D. Ill. June 29, 2021) (“while credit

- 14 - No. 1-24-1126

card information may not have been exposed, information such as dates of birth, Social Security numbers, and addresses would likely be sufficient to permit identity theft”).

¶ 34 There is an obvious temporal connection between the attempted fraudulent charges to Wesson’s credit union account and the data breach. Moreover, Wesson’s allegations are substantially similar to those in Flores. Like the analysis in Flores, we conclude that it is reasonable to infer that the data thieves will use the information stolen from Ferrara—which included the plaintiffs’ names, dates of birth, Social Security numbers, birth certificates, digital/electronic signatures, and mothers’ maiden names—for fraudulent purposes.

¶ 35 We conclude that the complaint’s allegations satisfy the traceability and redressability standing requirements. The complaint alleged that Ferrara’s actions led to the exposure and actual or potential misuse of plaintiffs’ PII, making their injuries fairly traceable to Ferrara’s conduct.

Moreover, monetary relief would compensate plaintiffs for their injuries.

¶ 36 Because we have concluded that plaintiffs have supported their causes of action for damages with at least one injury in fact caused by Ferrara and redressable by a court order, we decline to address plaintiffs’ additional arguments urging standing based on their alleged injuries of the diminished value of their PII and their emotional distress and worry about the status of their information and possibly compromised privacy. See Flores, 2023 IL App (1st) 230140, ¶ 18.

¶ 37 B. Negligence ¶ 38 To state a claim for negligence, a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) the defendant breached that duty, and (3) the breach was the proximate cause of the plaintiff’s injuries. Cowper v. Nyberg, 2015 IL 117811, ¶ 13. Legal cause is “ ‘essentially a question of foreseeability.’ ” City of Chicago v. Beretta U.S.A. Corp., 213 Ill. 2d 351, 395, 406 (2004) (quoting Lee v. Chicago Transit Authority, 152 Ill. 2d 432, 456 (1992)).

- 15 - No. 1-24-1126

Where the subsequent acts of third parties constitute an intervening cause of the injury, the court must assess whether that intervening cause “was of a type that a reasonable person would see as a likely result of his or her conduct,’ ” or whether the intervening cause breaks the connection between the defendant’s conduct and the ultimate injury. Id. at 407 (quoting First Springfield Bank & Trust v. Galman, 188 Ill. 2d 252, 259 (1999)).

¶ 39 Ferrara challenges plaintiffs’ negligence claims on three bases. First, Ferrara argues that plaintiffs did not adequately plead proximate cause because several other subsequent, independent acts by third parties had to occur before plaintiffs ever suffered any purported injury and the lack of factual allegations showing how the injury occurred renders plaintiffs’ allegations of causation nothing more than speculation and conjecture. Regarding Wesson, Ferrara argues that his allegations about fraudulent charges to his credit union account and criminals using the data from the Ferrara data breach to assemble Fullz packages that were then used to harm him are not sufficient to show proximate cause because (1) he never alleged that Ferrara had the relevant financial information or that any information obtained about him from Ferrara was ever misused in any way and (2) numerous intervening causes break the causal chain. We disagree.

¶ 40 Plaintiffs alleged that it was reasonably foreseeable that Ferrara, an employer that collected sensitive information from thousands of its employees, would be subject to a data breach, given its failure to use adequate cybersecurity. Wesson alleged that he was not aware of any other incidents whereby fraudulent actors would have obtained his credit union information aside from Ferrara’s data breach and that unauthorized charges were made to his credit union account only two months after the data breach. Wesson also alleged that the loss from the fraudulent charges prompted him to mitigate his chances of suffering fraud again by purchasing credit monitoring services. Furthermore, plaintiffs alleged that they would spend considerable time and effort - 16 - No. 1-24-1126

monitoring their accounts to protect themselves from identity theft. In addition, they alleged that, as a result of Ferrara’s data breach, cybercriminals were now able to cross reference multiple sources of their PII to compile Fullz packages that can be used for further identity theft and fraud, as experienced by Wesson. We conclude that these allegations of proximate cause are sufficient at the pleading stage. See Flores, 2023 IL App (1st) 230140, ¶ 25 (the timing of the harm suffered following the breach was enough to plausibly plead causation where the plaintiffs alleged that they carefully safeguarded their personal information and were targeted more frequently after the breach by spam messages and marketing and suffered two fraudulent charges).

¶ 41 Second, Ferrara argues that plaintiffs do not state an injury sufficient to support a negligence claim because they “may not recover solely for the defendant’s creation of an increased risk of harm.” Berry v. City of Chicago, 2020 IL 124999, ¶ 38; see Williams v. Manchester, 228 Ill. 2d 404, 425 (2008) (“an increased risk of future harm is an element of damages that can be recovered for a present injury—it is not the injury itself” (emphases in original)). “[A]n increased risk of harm is not itself, an injury ***. *** The long-standing and primary purpose of tort law is not to punish or deter the creation of this risk but rather to compensate victims when the creation of risk tortiously manifests into harm.” Berry, 2020 IL 124999, ¶ 33 (absent manifested injury, residents could not sue for increased lead in drinking water even though the city conceded that lead in the water increased the risk of lead poisoning).

¶ 42 Ferrara’s argument lacks merit. Wesson alleged that he already suffered from identify theft or fraud because some unauthorized actor made fraudulent charges to his credit union account, which event forced him to pay out-of-pocket for credit monitoring services. As discussed above, because Wesson’s payment for credit monitoring services was a response to a substantial and imminent risk of harm, this is not a matter of self-inflicted harm arising from a mere subjective - 17 - No. 1-24-1126

fear of injury. Additionally, both plaintiffs alleged that they spent time and resources to protect themselves from fraud and identity theft after the data breach. The lost time Olson and Wesson spent monitoring their accounts to prevent fraud or identity theft is not a self-inflicted harm arising from a mere subjective fear of injury because the alleged fraudulent charges to Wesson’s credit union account showed that a portion of the stolen PII has allegedly already been misused. We conclude that both plaintiffs alleged an injury sufficient to support their negligence claims. See Flores, 2023 IL App (1st) 230140, ¶ 25 (allegations of two fraudulent charges and being subject to an increase of spam messages were sufficient to demonstrate injuries); Dieffenbach, 887 F.3d at 828 (“the value of one’s own time needed to set things straight” after a data breach is an injury and “can justify money damages”).

¶ 43 Third, Ferrara argues that the Moorman doctrine applies and forecloses plaintiffs’ negligence claims for purported economic losses. The Moorman doctrine, also known as the economic loss doctrine, states that there can be no recovery in tort for purely economic losses.

Moorman, 91 Ill. 2d 69 at 88; see Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 812 (7th Cir. 2018) (Moorman doctrine generally bars tort liability “for purely economic losses *** where [the parties] have already ordered their duties, rights, and remedies by contract.”).

Economic loss is defined as “damages for inadequate value, costs of repair and replacement of the defective product, or consequent loss of profits—without any claim of personal injury or damage to other property.” (Internal quotation marks omitted.) Moorman, 91 Ill. 2d at 82.

¶ 44 The traditional rationale for the Moorman doctrine is that courts can “trust the commercial parties interested in a particular activity to work out an efficient allocation of risks among themselves in their contracts” (Schnuck Markets, Inc., 887 F.3d at 812), without having to resort to tort law, which is better reserved for “a sudden, calamitous accident as distinct from a mere - 18 - No. 1-24-1126

failure to perform up to commercial expectations” (Rardin v. T&D Machine Handling, Inc., 890 F.2d 24, 29 (7th Cir. 1989)). See Mars, Inc. v. Heritage Builders of Effingham, Inc., 327 Ill. App. 3d 346, 351 (2002) (Moorman doctrine is founded on the theory that “parties to a contract may allocate their risks by agreement and do not need the special protections of tort law to recover damages caused by a breach of contract”).

¶ 45 The Moorman doctrine arose in the context of products liability, but “Illinois applies Moorman to services as well as the sale of goods because both business contexts provide ‘[ “]the ability to comprehensively define a relationship[” ]’ by contract.” Schnuck Markets, Inc., 887 F.3d at 813 (quoting Fireman’s Fund Insurance Co. v. SEC Donohue, Inc., 176 Ill. 2d 160, 166 (1997), quoting Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 159 Ill. 2d 137, 161-62 (1994)).

¶ 46 Ferrara contends that plaintiffs’ alleged damages are purely economic losses and, thus, barred by the Moorman doctrine. Ferrara contends that plaintiffs try to allege (1) a breach of implied contract claim for the protection of personal information, seeking economic damages for that injury, and (2) a negligence claim for the same alleged conduct, also seeking economic damages for that injury. Ferrara argues that plaintiffs cannot have it both ways, contending that Moorman bars them from seeking economic damages through a tort claim while simultaneously seeking contract damages for the same injury. Ferrara also argues that no exception to the Moorman doctrine applies.

¶ 47 Plaintiffs respond that their common law tort claims of negligence are not barred by the Moorman doctrine because the duty that Ferrara allegedly breached arose out of the common law duty to safeguard personal information, there is no express contract between the parties, and plaintiffs’ alleged injuries were not caused by a defect in any actual product of the transaction.

- 19 - No. 1-24-1126

Plaintiffs state that their alleged injuries contemplate a host of noneconomical injuries that render the Moorman doctrine inapplicable, including anxiety, sleep disturbance, stress, fear, and frustration. In the alternative, plaintiffs argue that if the Moorman doctrine applies, their claims qualify for the doctrine’s exceptions because (1) Ferrara’s data breach was a sudden event that harmed plaintiffs and caused emotional distress, and the damage was calamitous because the breach compromised the PII of thousands of employees, and (2) plaintiffs’ damages were proximately caused by Ferrara’s intentional, false representation that it would protect plaintiffs’ PII from loss, misuse, or unauthorized disclosure, but Ferrara never implemented the necessary security to meet that promise.

¶ 48 There are three exceptions to Moorman: (1) “where the plaintiff sustained damage, i.e., personal injury or property damage, resulting from a sudden or dangerous occurrence,” (2) where the plaintiff’s damages are proximately caused by a defendant’s “intentional, false representation, i.e., fraud,” and (3) “where the plaintiff’s damages are proximately caused by a negligent misrepresentation by a defendant in the business of supplying information for the guidance of others in their business transactions.” (Emphasis omitted.) In re Chicago Flood Litigation, 176 Ill. 2d 179, 199 (1997). None of these exceptions apply here.

¶ 49 As to exception (1), plaintiffs did not suffer personal injury or property damages resulting from a sudden or dangerous occurrence. Illinois courts have applied this exception to calamitous events, such as sudden roof collapses, sudden floods, and fires. See Hecktman v. Pacific Indemnity Co., 2016 IL App (1st) 151459, ¶ 18 (collecting cases). Plaintiffs make no allegation of a sudden, calamitous occurrence; to the contrary, they allege that the data breach occurred over several days, followed by misuse of Wesson’s data about two months after the data breach.

- 20 - No. 1-24-1126

¶ 50 As to exception (2), plaintiffs have not sufficiently alleged an intentional, false representation by Ferrara.

“In a claim of fraudulent misrepresentation, a plaintiff must establish the following elements: (1) a false statement of material fact (2) known or believed to be false by the person making it, (3) an intent to induce the plaintiff to act, (4) action by the plaintiff in justifiable reliance on the truth of the statement, and (5) damage to the plaintiff resulting from such reliance. [Citation.] Courts have long considered an actual injury to be an essential element of fraud, which a plaintiff must establish to a reasonable degree of certainty.” Lewis v. Lead Industries Ass’n, 2020 IL 124107, ¶ 30.

¶ 51 Plaintiffs’ allegations that Ferrara engaged in wrongful conduct by failing to inform plaintiffs and members of the class that it did not maintain computer software and other security procedures and precautions fail to identify a specific actionable fraudulent statement under Illinois law. See Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 761 (C.D. Ill. 2020); see also Schnuck Markets, Inc., 887 F.3d at 817 (Although the plaintiffs “suggested in their complaint that [the defendant] engaged in ‘wrongful conduct’ or ‘wrongful actions *** [and] omissions’ by not immediately announcing the data breach [citation], these allegations fail to identify specifically an actionable fraudulent statement under Illinois law.”).

¶ 52 As to exception (3), Ferrara is in the business of making candy. Plaintiffs do not allege that Ferrara was in the business of supplying information for the guidance of others in their business transactions. Cf. Flores, 2023 IL App (1st) 230140, ¶¶ 56-57 (the defendant was a professional services company that provided a wide range of services—including cybersecurity services—to its commercial clients, and the plaintiffs, who were the clients’ employees, alleged no express

- 21 - No. 1-24-1126

contract between the parties that would establish a duty by the defendant to safeguard the plaintiffs’ personal information).

¶ 53 Even though none of the Moorman doctrine’s three exceptions are applicable here, we conclude that the Moorman doctrine does not bar plaintiffs’ negligence claims. In the context of the service industry, the Illinois Supreme Court has held that the Moorman doctrine applies only where the duty of the party performing the service is defined by a contract executed with the client.

Congregation of the Passion, Holy Cross Province, 159 Ill. 2d at 164 (Moorman doctrine did not bar recovery in tort for accountant malpractice because the alleged negligent breach of duty arose outside of the parties’ contract). “If the duty arises outside of a contract between the parties, then recovery in tort for the negligent breach of that duty is not barred by the Moorman doctrine.”

Flores, 2023 IL App (1st) 230140, ¶ 56. Flores opined that, although the Congregation of the Passion decision is not factually analogous to data breach cases, “its reasoning equally applies to data breach cases” and that applying the economic loss doctrine to data breach cases, “would stretch the applicability of the doctrine far beyond its products liability roots,” an extension the court was not prepared to make. Id., ¶¶ 56-57; In re Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp. 3d 447, 468-76 (D. Md. 2020) (thoroughly analyzing the history of the Moorman doctrine and the potential applicability of the doctrine to data breach cases under Illinois law); McGlenn v. Driveline Retail Merchandising, Inc., No. 18-cv-2097, 2021 WL 4301476, at *8-9 (C.D. Ill. Sept. 21, 2021) (noting that, in the context of a data breach at the plaintiff’s former employer, where the plaintiff provided her PII as a legal condition of employment, application of the Moorman doctrine would significantly stretch it further from its product liability roots). Similarly, here, we do not extend the application of the Moorman doctrine to this data breach case, where plaintiffs’ alleged injuries were not caused by any defect in an - 22 - No. 1-24-1126

actual product of a transaction and their common law tort claim is based on Ferrara’s “common law duty to safeguard personal information rather than any express contractual duty.” Flores, 2023 IL App (1st) 230140, ¶ 57; see In re Mondelez Data Breach Litigation, 2024 WL 2817489, at *5 (declining to apply the Moorman doctrine to bar a negligence claim based on a law firm’s data breach that disclosed the PII of the client’s employees).

¶ 54 Finally, Ferrara’s “contention that plaintiffs’ injuries are economic is irrelevant since the Moorman doctrine does not apply to plaintiffs’ claims in the first place.” See Flores, 2023 IL App (1st) 230140, ¶ 58.

¶ 55 Because both plaintiffs Olson and Wesson adequately pled proximate cause and an injury sufficient to support their negligence claims, and because the Moorman doctrine does not bar their negligence claims, we conclude that the circuit court erred in dismissing their negligence claims.

¶ 56 C. Implied Contract ¶ 57 Plaintiff Olson has forfeited review of his breach of implied contract claim by not raising this issue on appeal. Ill. S. Ct. R. 341(h)(7) (eff. Oct. 1, 2020) (points not argued in an appellant’s brief are forfeited). Accordingly, our analysis focuses on Wesson, who argues that the parties had an implied contract under which Ferrara had a duty to safeguard plaintiffs’ information as shown in Ferrara’s privacy policy, which acknowledged Ferrara’s duty to “protect [employee] PII from loss, misuse or unauthorized disclosure.” Wesson also argues that the circuit court erred by dismissing his breach of implied contract claim for failure to allege an actual loss or measurable damages resulting from the data breach. Wesson argues that his allegations that he incurred $24.99 and then $4.99 monthly in mitigation costs following the data breach are sufficient to allege measurable damages in support of this contract claim.

- 23 - No. 1-24-1126

¶ 58 Ferrara argues that Wesson did not adequately plead that an implied contract was ever formed and, even if one was formed, Wesson did not adequately plead contract damages.

¶ 59 To sustain a complaint for breach of implied contract, a plaintiff must allege that (1) a contract existed, (2) the plaintiff performed his obligations under that contract, (3) the defendant breached the contract, and (4) the plaintiff suffered damages as a result of that breach. In re Estate of Khan, 2021 IL App (1st) 200278, ¶ 28. An implied contract can be created as a result of the parties’ actions, even if there is no express contract between them. Trapani Construction Co. v. The Elliot Group, Inc., 2016 IL App (1st) 143734, ¶ 41. Under Illinois law, a contract in fact can be implied from the facts and circumstances that demonstrate the parties’ intent to be bound.

Heavey v. Ehret, 166 Ill. App. 3d 347, 354 (1988). Unlike an express contract, in which the parties arrive at an agreement using words, an agreement in an implied-in-fact contract is created through the actions and conduct of the parties. Trapani Construction Co., 2016 IL App (1st) 143734, ¶ 41.

¶ 60 Wesson has alleged sufficient facts to show that an implied contract existed with Ferrara.

He alleged that plaintiffs were required to provide their PII while employed and that they provided their information in reliance on the promises Ferrara made in its privacy policy. Ferrara made representations in its privacy policy that it would safeguard plaintiffs’ personal information using reasonable security measures. In addition to Ferrara’s representations in its privacy policy, it is implied from the relationship between the parties that Ferrara would take reasonable steps to ensure that plaintiffs’ personal information would be protected from unauthorized disclosure. See Flores, 2023 IL App (1st) 230140, ¶ 33; Doe, 2022 WL 972295, at *4 (“ ‘[i]t can be implied from the parties’ relationship that [the defendant] would take some steps to ensure that plaintiffs’ sensitive information would be shielded in some manner to prevent unauthorized disclosure of that information.’ ” (quoting Lozada v. Advocate Health & Hospitals Corp., 2018 IL App (1st) 180320- - 24 - No. 1-24-1126

U, ¶ 27)); Castillo v. Seagate Technology, LLC, No. 16-cv-01958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (while the defendant may not have explicitly promised to protect personal information from hackers in plaintiffs’ employment contracts, “it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently”).

¶ 61 Ferrara cites Archey v. Osmose Utilities Services, Inc., No. 20-cv-05247, 2022 WL 3543469, at *1 (N.D. Ill. Aug. 18, 2022), where a former employee alleged a breach of contract claim against his former employer after a cyberattack on the company exposed the plaintiff’s PII to an unauthorized third party. The plaintiff alleged that by providing his PII to his employer, he entered into an implied-in-fact contract with the employer whereby it was obligated to take reasonable steps to secure and safeguard his PII and to take reasonable steps following unauthorized disclosures of such information. Id. at *3. The court found that the plaintiff’s subjective inference that a contract was formed was not sufficient to allege the element of mutual assent because the plaintiff was required to allege that his employer showed an intention to be bound. Id. ¶ 62 Archey is distinguishable. In Archey, the pleadings lacked the two crucial allegations that (1) the employer required the plaintiff to provide his personal information and (2) the plaintiff relied on the employer’s privacy policy. Id. at *2-3. Here, both of these crucial allegations are present.

¶ 63 To successfully make a breach of implied contract claim, a plaintiff must allege actual monetary damages. Avery v. State Farm Mutual Automobile Insurance Co., 216 Ill. 2d 100, 149 (2005); In re Illinois Bell Telephone Link-Up II & Late Charge Litigation, 2013 IL App (1st) - 25 - No. 1-24-1126

113349, ¶ 19. Ferrara argues that Wesson’s payment for credit monitoring is too attenuated from the alleged contract and, thus, is unrecoverable as consequential damages. In support of this argument, Ferrara cites 1472 N. Milwaukee, Ltd. v. Feinerman, 2013 IL App (1st) 121191, ¶ 31, for the proposition that consequential damages are recoverable from a breach of contract only when the damages were within the contemplation of the parties at the time they entered into the contract. Ferrara’s argument lacks merit. Paying for credit monitoring is not “attenuated” from the implied contract in which Ferrara promised to protect plaintiffs’ PII with adequate data security measures. We also reject Ferrara’s argument that Wesson’s credit monitoring expenses “are non- cognizable damages because they are ‘self-inflicted’ and flow from the response to a threat that is speculative, at most.” As discussed above in our analysis of the standing issue (supra ¶¶ 28-30), unlike the facts in Maglio and Petta, the threat of identity theft and fraud here was not merely speculative but, rather, was imminent and substantial.

¶ 64 Wesson has alleged adequate damages for a breach of implied contract claim. We reverse the circuit court’s dismissal of Wesson’s breach of implied contract claim but affirm the circuit court’s dismissal of Olson’s breach of implied contract claim on the basis of forfeiture.

¶ 65 D. Consumer Fraud Act ¶ 66 Plaintiff Olson has forfeited review of his Consumer Fraud Act claim by not raising this issue on appeal. Ill. S. Ct. R. 341(h)(7) (eff. Oct. 1, 2020) (points not argued in an appellant’s brief are forfeited). Accordingly, we focus our analysis of this claim on Wesson, who alleged that Ferrara violated the Personal Information Protection Act (815 ILCS 530/1 et seq. (West 2022)) by failing to maintain reasonable security measures to protect plaintiffs’ PII and failing to provide timely notice of the data breach and that a violation of the Personal Information Protection Act constitutes an unlawful practice under the Consumer Fraud Act. See id. §§ 20, 45.

- 26 - No. 1-24-1126

¶ 67 To plead a private cause of action for a violation of the Consumer Fraud Act, a plaintiff must allege “(1) a deceptive act or practice by the defendant, (2) the defendant’s intent that the plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the deception.” Oliveira v. Amoco Oil Co., 201 Ill. 2d 134, 149 (2002). The Consumer Fraud Act provides remedies for purely economic injuries. Morris v. Harvey Cycle & Camper, Inc., 392 Ill. App. 3d 399, 402 (2009). “Actual damages must be calculable and ‘measured by the plaintiff’s loss.’ ” Id. (quoting City of Chicago v. Michigan Beach Housing Cooperative, 297 Ill. App. 3d 317, 326 (1998)). The failure to allege specific economic damages precludes a claim brought under the Consumer Fraud Act. Id.; White v. DaimlerChrysler Corp., 368 Ill. App. 3d 278, 287 (2006).

However, if the plaintiff has suffered an economic loss, noneconomic injuries are compensable.

Dieffenbach, 887 F.3d at 830 (citing Morris, 392 Ill. App. 3d at 402-03); Ainsworth v. Jidd Enterprises, LLC, 2024 IL App (1st) 230938-U, ¶ 28 (“Illinois law provides that if the plaintiff has suffered an economic loss, noneconomic injuries such as emotional distress, inconvenience, and aggravation are compensable under the [Consumer Fraud Act]”).

¶ 68 Ferrara argues that Wesson has not alleged an actual economic injury under the Consumer Fraud Act. Regarding the fraudulent charges to Wesson’s credit union account, Ferrara notes that Wesson has not pled that those charges went unreimbursed by his credit union.

¶ 69 In the data breach context, the Flores court held that claims for emotional distress due to loss of privacy, lost time dealing with the consequences of the data breach, increased spam messages, and an imminent risk of fraud and identity theft were not “the specific economic damages required for a claim under the Consumer Fraud Act.” Flores, 2023 IL App (1st) 230140, ¶ 42. Here, however, Wesson alleged that he incurred the costs of $24.99 and $4.99 monthly for - 27 - No. 1-24-1126

credit monitoring and courts have found that this type of loss constitutes the specific economic damages required for a claim under the Consumer Fraud Act. See Dieffenbach, 887 F.3d at 829- (plaintiff spent $17 per month on a credit-monitoring service); Worix v. MedAssets, Inc., 869 F. Supp. 2d 893, 901 (N.D. Ill. 2012) (plaintiff alleged lost wages and money spent on credit monitoring).

¶ 70 Ferrara also argues that Wesson did not adequately plead causation sufficient to support his Consumer Fraud Act claim. We disagree. Our analysis of this issue is materially the same as our analysis for plaintiffs’ negligence claims (supra ¶ 40), wherein we concluded that plaintiffs adequately pled proximate cause.

¶ 71 Because Wesson has sufficiently alleged a specific economic injury and proximate cause, we reverse the circuit court’s dismissal of his claim under the Consumer Fraud Act. We affirm the circuit court’s dismissal of Olson’s Consumer Fraud Act claim on the basis of forfeiture.

¶ 72 III. CONCLUSION ¶ 73 We conclude that plaintiffs have standing to pursue their claims. The circuit court’s dismissal of Olson’s negligence claim for failure to state a claim is reversed. The circuit court’s dismissal of Olson’s breach of implied contract and Consumer Fraud Act claims for failure to state a claim is affirmed. The circuit court’s dismissal of Wesson’s negligence, breach of implied contract, and Consumer Fraud Act claims for failure to state a claim is reversed. The matter is remanded for further proceedings.

¶ 74 Affirmed in part and reversed in part.

¶ 75 Cause remanded.

- 28 - No. 1-24-1126

Olson v. Ferrara Candy Co., 2025 IL App (1st) 241126

Decision Under Review: Appeal from the Circuit Court of Cook County, No. 22-CH- 6866; the Hon. Joel Chupack, Judge, presiding.

Attorneys Alex Phillips and Cassandra Miller, of Strauss Borrelli PLLC, for of Chicago, for appellants.

Appellant:

Attorneys Matthew C. Wolfe, of Shook, Hardy & Bacon L.L.P., of for Chicago, and Shane B. Kolding, of Shook, Hardy & Bacon Appellee: L.L.P., of San Francisco, California, for appellee.

- 29 -