SEDGWICK
ARTICLE
APRIL 2016
Illinois Breach Decisions Show
It’s Not Just About Standing
In the wake of the recent decisions in the Seventh Circuit holding in favor of standing in consumer lawsuits arising from credit and debit
card breaches, the focus of attention in early motions to dismiss will now likely be shifting to whether the consumer plaintiffs have
asserted viable state causes of action, and in particular a breach of contract claim.
Most data breach cases are filed in
federal courts (or removed to federal
court), usually with multicount
complaints that often include a
claim for breach of implied contract.
The opening defense strategy has
generally been to file motions to
dismiss under Rule 12(b) (1) for lack
of jurisdiction, which raise issues of
existence of Article III standing, and
under Rule (12) (b) (6) for failure
to state a claim. Attention in the
past has often been more on the
standing issue and its requirement
of a showing of actual or imminent
injury to the plaintiffs.
The Seventh Circuit’s recent rash
of decisions upholding standing
demonstrate that defendants
cannot rely only on challenges to
standing. See, Remijas v. Neiman
Marcus Grp. LCC, 794 F.23d 688
(7th Cir. 2015); Lewert v. P.F.
Chang’s China Bistro Inc. No. 143700, 2016 WL 1459226 (7th Cir.,
April 14, 2016); see also, Irwin
v. Jimmy John’s Franchise LLC,
et.al., No. 1:14-cv-2275, 2016 WL
1355570 (N.D. Ill. March 29, 2016).
Going forward, increasing attention
is likely to be placed on the prong
of failure to state a claim in motions
to dismiss, and on pursing the
appropriate appeal on that ground
as well as on standing. While the
Seventh Circuit’s decisions finding
standing have been a challenge to
defendants’ efforts to obtain early
dismissals, the court has not yet
addressed the viability of breach
of contact claims. Statements in
those decisions indicate that this
same court, as well as others,
do not assume that plaintiffs will
ultimately prevail on their claims of
right to recovery; in fact, they may
be skeptical of the likelihood of
ultimate success.
In its recent decision in Lewert v.
P.F. Chang’s China Bistro Inc., No.
14-3700, 2016 WL 1459226 (7th
Cir., April 14, 2016), for example,
the Seventh Circuit reversed the
district court’s dismissal of the case
and concluded that plaintiffs had
standing. The court also noted that
because P.F. Chang’s did not file a
cross-appeal, it could not consider
whether the plaintiffs failed to state
a claim. The court noted that a
dismissal of a plaintiff’s claims for
lack of subject matter jurisdiction
is a dismissal without prejudice,
while a dismissal for failure to state
a claim would have been with
prejudice. The lower court did not
address the latter once it found
no standing, and neither could the
appellate court in light of the lack of
a cross-appeal by defendant.
The Seventh Circuit decision also
noted that in ruling in support
of standing, “we express no
opinion on the merits or on the
suitability of this case for class
certification,” and remanded it for
further proceedings. Thus, the
decision leaves open the glimmer
Originally published on Law360, April 21, 2016. Posted with permission.
of hope that this court would have
considered a dismissal on failure
to state a claim grounds, and may
ultimately dismiss on the merits
(although, to date, breach cases
often settle when faced with the
cost of discovery following a denial
of a motion to dismiss).
While the focus on failure to state
a claim, versus on standing, may
seem new in light of the Seventh
Circuit’s recent decisions, breach
of contract claims are not new in
the data breach context. There is
conflicting authority on whether
they can be successfully asserted
in a case arising out of a data
breach of credit/debit cards, with
most decisions still at the lower
court level. Even before this,
some courts have side-stepped
the standing issue and dismissed
cases with prejudice for failure to
state a viable state law claims.
See, e.g., Willingham v. Global
Payments, 1:12-cv-01157, 2013
WL 440702 (N.D. Ga. Feb. 5,
2013), dismissed with prejudice,
March 5, 2013 (case voluntarily
dismissed following magistrate
report and recommendation for
dismissal of the plaintiffs’ federal
and state statutory claims and
state common law claims, including
one for negligence based on the
application of the economic loss
rule and one for breach of implied
contract based on lack of reliance
on privacy statements and lack of
actual contract).
SEDGWICK
ARTICLE
APRIL 2016
Moreover, when standing is or
is likely to be found, the issue of
whether there is a viable state law
claim becomes critical. Particularly
until the United States Supreme
Court issues its decision in Spokeo
Inc. v. Robins. 742 F.2d 409 (9th
Cir. 2014), cert. granted, 135 S. Ct.
1892 (2015), addressing whether
statutory claims alone may continue
to be sufficient to confer standing,
the viability of a breach of contact
claim may determine the viability of
a consumer breach action.
The recent decision of the Northern
District of Illinois in the Jimmy Johns
data breach litigation shows how
the battleground may be to moving
to the viability of implied breach
of contract claims, and indicates
how courts evaluate the types
of state law claims that plaintiffs
can pursue when data breaches
involve compromise of credit card
information occur. Irwin v. Jimmy
John’s Franchise LLC, et.al. , No.
1:14-cv-2275, 2016 WL 1355570,
(N.D. Ill. March 29, 2016).
Judge Harold A. Baker let proceed
the plaintiff’s claims for breach
of implied contract and breach of
Arizona’s Consumer Fraud Act
(the plaintiff, an Arizona citizen,
apparently thought she would have
a greater chance of success in
Illinois, and filed there based on
the corporate headquarters of the
defendant). As have many other
courts in this context, Judge Baker
dismissed the plaintiff’s claims
for negligence (as barred by the
economic loss rule) and unjust
enrichment; he also dismissed the
claims brought under the Illinois
Personal Information Protection
Act and Illinois Consumer Fraud
and Deceptive Practices Act (as
a nonresident, the plaintiff did not
have standing to assert a claim
under the latter). The court also
dismissed plaintiff’s claims under
2
|
the Arizona data breach statute
and for bailment after plaintiff
failed to respond to the defense
arguments for dismissal of those
claims.
While allowing the breach of
implied contract and Arizona
statutory claims to proceed, the
court found that the plaintiff did
not have Article III standing to
pursue a claim for declaratory
relief for remedies for future injury
she claimed due to unspecified
weaknesses in Jimmy John’s
current security measures. That
analysis indicates that even courts
in the Seventh Circuit will make a
distinction between claims based
on past conduct and fraudulent
charges which may support
standing, versus ones based on
the speculation of future risk from
post breach conduct.
In allowing the breach of implied
contract claim to proceed, “under
the circumstances, and under
Illinois law,” the court noted there
had been an offer, acceptance,
consideration, and a meeting of
the minds. The court noted that
when a customer uses a credit
card for a commercial transaction,
the customer intends to provide
the data to the merchant and not
to an unauthorized third party, and
that there is an implicit agreement
to safeguard the customer’s
information to effectuate the
contract and to timely notify her of
a security breach.
In rendering his decision, Judge
Baker relied on dicta in another
lower court decision, Lovell v.
P.F. Chang’s China Bistro Inc.,
2015 WL 4940371 (W.D. Wash.
Mar. 27, 2015). Jimmy John’s had
cited to that case for the district
court’s rejection of a claim for
breach of implied contract under
Washington law, where the claim
Illinois Breach Decisions Show It’s Not Just About Standing
was based on plaintiff’s “unilateral,
specific expectations of a particular
cyber security standard and daily
auditing.” In reaching the opposite
conclusion in Irwin v. Jimmy John’s,
Judge Baker relied on dicta in
Lovell that “offer and acceptance
of a credit card as payment of
a consumer debt necessarily
involves certain implied promises.”
Based on this, and under Illinois
law, Judge Baker found that Irwin
had stated a claim for breach of
implied contract. He also cited to
another lower court decision, In re
Michaels Stores Pin Pad Litigation,
830 F. Supp. 2d 518 (N.D. Ill. 2011)
( which alleged the existence of
an implied contractual relationship
that obligated Michaels to take
reasonable measures to protect
the plaintiffs’ financial information
and notify the plaintiffs of a security
breach within a reasonable amount
of time) and the appellate decision
in Anderson v. Hannaford Bros.,
659 F.3d 161 (1st Cir. 2011)
(affirming, under Maine law, a
district court’s finding that jury
could reasonably find an implied
contract between the defendant
and its customers that defendant
would take reasonable measures
to protect the customer’s financial
information).
While not discussing the specific
claims asserted, in Allen v.
Schnuck Markets Inc., No. 15-cv0061, 2015 WL 5076966 (S.D.
Ill. 2015), another federal court
sitting in Illinois denied a motion
to dismiss a complaint based on
a retail data breach that included,
among others, a claim for breach of
implied contract. As noted above,
other courts have also addressed
the issue, with varying results,
e.g., In re Target Corp. Data Sec.
Breach Litigation, 66 F. Supp. 3d
1154 (D. Minn. Dec. 18, 2014)
(adopting the rationale of Anderson
v. Hannaford Bros. and finding that
SEDGWICK
ARTICLE
APRIL 2016
plaintiffs had plausibly alleged the
existence of an implied contract)
versus Global Payment, supra
(dismissing breach of contract
claims, noting no reliance could be
demonstrated).
resulting in dismissal of the action.
Longenecker-Wells v. Benecard
Services Inc., 1:15-cv-00422, 2015
WL 5576753 (M.D. Penn. 2015),
appeal docketed, No. 15-3538 (3d
Cir. Oct. 21, 2015).
Courts have also addressed such
breach of contract claims in the
context of employment-related
breaches. In Enslin v. The CocaCola Company, No. 2:14-cv-06476,
2015 WL 5729241 (E.D. Penn.
9/30/15), for example, an employee
brought a putative class action
against his employer alleging the
employer failed to maintain security
of his personally identifiable
information in connection with
the theft of company laptops by
other employees. In addition
to holding that the plaintiff had
satisfied the standing requirement
of injury-in-fact and causation, the
court concluded that the plaintiff
had stated claims for breach of
express and implied contract. In
this case, the alleged contract was
based on the defendants’ privacy
policies, code of conduct, company
security practices and other
conduct, and the assertion that the
defendant employer had implicitly
promised to safeguard the plaintiff
employee’s PII in exchange for his
employment.
Decisions to allow a breach of an
implied contract claim are likely to
increase and support consumer
litigation arising from data breaches
involving credit card information or
other situations where there are
“implicit promises” to safeguard
sensitive personal information. This
is especially true in the consumer
friendly jurisdiction of the Seventh
Circuit. However, the Seventh
Circuit has yet to expressly address
its view of the viability of breach of
implied contract claims in consumer
data breach litigation, as the issue
was not before it in its recent
standing decisions. In Remijas v.
Neiman Marcus Group LLC, supra,
as well as in Lewart v. P.F. Chang’s
China Bistro, supra, the appellate
court noted that while it was finding
standing, there had been no cross
appeal by defendants that would
allow it to consider in its decision
whether the plaintiffs had failed
to state a claim. Thus, among the
lessons to be learned from these
decisions is for defendants to
pursue dismissal of, and for parties
to appeal when warranted, issues of
viability of state law claims as well
as of standing.
However, in this context as well,
courts are not uniform in their
views of the viability of breach
of implied contracts claims. In
a recent decision by a federal
court in Pennsylvania, a claim
by employees of implied contact
with their employees based on
allegations that they were required
to provide private information
to commence employment and
reasonably expected protection
from a breach was rejected. The
court found standing, but dismissed
the state law claims with prejudice
for failure to state a claim,
3
|
Also yet to be determined is the
extent to which implied breach of
contract claims would be subject
to dismissal on the merits at a later
stage in the proceeding, or the
value of such claims especially if
class certification is not granted.
As learned in the Hannaford
data breach litigation, a plaintiff’s
success in defeating a motion
to dismiss a breach of implied
contract claim can be a pyrrhic
Illinois Breach Decisions Show It’s Not Just About Standing
victory if class certification is
denied. Anderson v. Hannaford
Bros. 659 F.3d 161 (1st Cir. 2011).
Litigation strategy is likely to
continue to shift, as the various
federal courts take positions on
standing, the viability of alleged
state causes of action, and on
class certification in consumer
data breach claims. Strategies of
plaintiffs and defendants are also
likely be revisited once the U.S.
Supreme Court issues its ruling
in Spokeo Inc. v. Robins, supra.
Meanwhile, plaintiffs in consumer
breach litigation will likely continue
to assert breach of contract claims
while defendants still have the
prospect of potentially viable
challenges to such state law claims
even in jurisdictions that favor
findings of standing.
Authors
Carol Gerner
Counsel
Chicago
312.849.1959
[email protected]
Laurie Kamaiko
Partner
New York
212.898.4015
[email protected]
© 2016 Sedgwick LLP