2023 IL App (1st) 230140
No. 1-23-0140
Opinion filed September 29, 2023
FIFTH DIVISION
IN THE
APPELLATE COURT OF ILLINOIS
FIRST JUDICIAL DISTRICT
MARIA FLORES, DEANNA DUBE, MISTY ) Appeal from the
WILLIAMS, and SHARON RUSHING, ) Circuit Court of
) Cook County.
Plaintiffs-Appellants, )
) No. 2022 CH 6132
v. )
) Honorable
AON CORPORATION, ) Neil H. Cohen,
) Judge presiding.
Defendant-Appellee. )
PRESIDING JUSTICE MITCHELL delivered the judgment of the court, with opinion.
Justices Lyle and Justice Navarro concurred in the judgment and opinion.
OPINION
¶1 Plaintiffs Maria Flores, Deanna Dube, Misty Williams, and Sharon Rushing appeal the
dismissal of their class action complaint in this data breach case against defendant Aon
Corporation. Plaintiffs raise a number of issues on appeal, chief among them are as follows: (1) did
the circuit court err in dismissing plaintiffs’ complaint for lack of standing (735 ILCS 5/2-
619(a)(9) (West 2022)); (2) did the circuit court err in dismissing plaintiffs’ claims for negligence,
negligence per se, breach of implied contract, unjust enrichment, a violation of Illinois’s Consumer
Fraud and Deceptive Business Practices Act (815 ILCS 505/1 et seq. (West 2022)), a violation of
the Florida Deceptive and Unfair Trade Practices Act (Fla. Stat.§ 501.201 et seq. (2022)), and
No. 1-23-0140
invasion of privacy for failure to state a claim (735 ILCS 5/2-615 (West 2022)); and (3) did the
circuit court err in dismissing plaintiffs’ claims for economic loss under the Moorman doctrine?
See Moorman Manufacturing Co. v. National Tank Co., 91 Ill. 2d 69 (1982). For the reasons
below, we affirm in part and reverse in part.
¶2 I. BACKGROUND
¶3 Defendant is a global professional services company headquartered in Chicago that
provides a wide range of services, including cybersecurity services, to its commercial clients. In
February 2022, defendant discovered that an unauthorized third party had been repeatedly
accessing some of defendant’s systems since late December 2020. Defendant prevented any further
unauthorized access, conducted an investigation concerning the data breach, and informed law
enforcement of the incident.
¶4 Plaintiffs Flores, Rushing, Williams and Dube allege that they provided defendant with
their personal information, including their names, social security numbers, dates of birth, e-mail
addresses, and benefit-enrollment information. Flores and Williams provided their personal
information to defendant because defendant managed the employee benefits program offered by
their employers, while Rushing provided defendant with her personal information because she was
formerly employed by defendant. Dube does not specify why she provided her personal
information to defendant. Plaintiffs all reside in different states, with Flores being a resident of
Illinois, Williams being a resident of Florida, Rushing being a resident of Texas, and Dube being
a resident of Nevada.
¶5 Three months after the data breach was discovered, defendant sent a notice letter to
everyone who was potentially impacted by the data breach. Plaintiffs all received this notice
-2-
No. 1-23-0140
sometime in June 2022. The notice letter stated that an unauthorized third party had access to some
of defendant’s systems between December 2020 and February 2022 and that the unauthorized third
party therefore had access to plaintiffs’ personal information, including their names, social security
numbers, driver’s license numbers, and benefit enrollment information.
¶6 In June 2022, Flores filed a class action complaint against defendant. Flores later filed an
amended class action complaint to add Dube, Rushing, and Williams as plaintiffs. Plaintiffs stated
claims of relief for negligence, negligence per se, breach of implied contract, unjust enrichment,
violation of Illinois’s Consumer Fraud Act, violation of the Florida Deceptive and Unfair Trade
Practices Act, and invasion of privacy.
¶7 All plaintiffs alleged that they suffered actual injury in the form of (1) damages to and
diminution in the value of their personal information; (2) lost time, annoyance, interference, and
inconvenience dealing with the consequences of the data breach; and (3) anxiety and increased
concerns for the loss of their privacy due to the data breach. Plaintiffs also alleged that they
suffered imminent and impending injury arising from the substantially increased risk of fraud and
identity theft by unauthorized third parties due to the data breach. Additionally, Flores, Rushing,
and Williams alleged that they have received increased spam and targeted marketing after the data
breach occurred and that the increase in spam was caused by the data breach. After the data breach
occurred, Williams alleged that she experienced an attempt to process a $499.99 charge to her
PayPal account, while Dube alleged that she was charged for a prescription from Express Scripts
that she did not order.
¶8 Defendant moved to dismiss plaintiffs’ first amended class action complaint for lack of
standing (735 ILCS 5/2-619(a)(9) (West 2022)) and failure to state a claim upon which relief can
-3-
No. 1-23-0140
be granted (id. § 2-615). The circuit court granted defendant’s motion and dismissed plaintiffs’
complaint in its entirety. This timely appeal followed. Ill. S. Ct. R. 303 (eff. July 1, 2017).
¶9 II. ANALYSIS
¶ 10 A. Standing
¶ 11 Plaintiffs argue that the circuit court erred in dismissing their complaint due to lack of
standing. They contend that they have demonstrated an injury-in-fact due to their allegations
concerning (1) their imminent risk of future identity theft or fraud, (2) the unauthorized charges
experienced by Williams and Dube, (3) the diminishment in the value of plaintiffs’ personal
information, (4) their emotional distress due to the data breach, and (5) the lost time they have
spent responding to the data breach, including the increased number of spam and targeted
marketing messages they have received. Defendant argues that none of these allegations are
sufficient to establish injury-in-fact for standing purposes and that plaintiffs have not adequately
established a connection between the data breach and the unauthorized charges experienced by
Williams and Dube.
¶ 12 A motion to dismiss pursuant to section 2-619 of the Code of Civil Procedure (735 ILCS
5/2-619 (West 2022)) admits the legal sufficiency of the complaint, but raises defects, defenses,
or some other affirmative matter that defeats the plaintiff’s claim. Ball v. County of Cook, 385 Ill.
App. 3d 103, 107 (2008). The phrase “affirmative matter” encompasses any defense other than a
negation of the essential allegations of the plaintiff’s cause of action. Piser v. State Farm Mutual
Automobile Insurance Co., 405 Ill. App. 3d 341, 344 (2010). A defendant may properly raise lack
of standing in a motion to dismiss brought under section 2-619(a)(9). 735 ILCS 5/2-619(a)(9)
-4-
No. 1-23-0140
(West 2022); Glisson v. City of Marion, 188 Ill. 2d 211, 220 (1999). We review a dismissal under
section 2-619 de novo. Glisson, 188 Ill. 2d at 220-21.
¶ 13 Under Illinois law, to have standing to bring a claim a plaintiff must only demonstrate
“some injury in fact to a legally cognizable interest.” Messenger v. Edgar, 157 Ill. 2d 162, 170
(1993). “The claimed injury must be (1) distinct and palpable; (2) fairly traceable to defendant’s
actions; and (3) substantially likely to be prevented or redressed by the grant of the requested
relief.” Wexler v. Wirtz Corp., 211 Ill. 2d 18, 23 (2004). The claimed injury can be actual or
threatened. Greer v. Illinois Housing Development Authority, 122 Ill. 2d 462, 492 (1988). Illinois
courts are generally more willing than federal courts to recognize standing on the part of any person
“who shows that he is in fact aggrieved.” Id. at 491. While a court’s determination of whether a
plaintiff has standing depends on the allegations in the complaint, the plaintiff’s lack of standing
is an affirmative defense and therefore must be proven by the defendant. Maglio v. Advocate
Health & Hospitals Corp., 2015 IL App (2d) 140782, ¶ 21. A putative class action requires that
the named plaintiff allege an injury-in-fact. A named plaintiff cannot rely upon injuries suffered
by other unidentified members of the claimed class to establish standing. I.C.S. Illinois, Inc. v.
Waste Management of Illinois, Inc., 403 Ill. App. 3d 211, 221 (2010).
¶ 14 In dismissing the plaintiffs’ complaint for lack of standing, the circuit court relied heavily
on Maglio, the only Illinois case addressing standing in a data breach lawsuit. Maglio, 2015 IL
App (2d) 140782. The plaintiffs in Maglio filed negligence, invasion of privacy, and statutory
claims against defendant Advocate Health and Hospitals Corporation after four password-
protected computers containing patient information were stolen from Advocate’s offices. Id. ¶¶ 1-
3. The plaintiffs did not allege that anyone had improperly accessed or used their personal
-5-
No. 1-23-0140
information on the stolen computers, nor did they allege that they had suffered identity theft or
fraud because of the burglary. Id. ¶ 5. The appellate court affirmed the dismissal of the plaintiffs’
claims due to lack of standing, holding that the plaintiffs had failed to allege a distinct and palpable
injury and that the plaintiffs’ allegations of increased risk of identity theft were speculative and
conclusory since none of the plaintiffs had experienced any identity theft. Id. ¶ 24. Plaintiffs’
claims of emotional injury were similarly rejected, “given the speculative and conclusory nature
of their allegations and the lack of imminent, certainly impending, or a substantial risk of harm.”
Id. ¶ 30. Therefore, under Maglio, the risk of identity theft or fraud can create standing, but only
if the risk of identity theft is imminent or certainly impending. Id. ¶¶ 29-30. A mere increased risk
of identity theft is not enough. Id. ¶ 26.
¶ 15 Here, plaintiffs have alleged that their personal information has been obtained by
unauthorized third parties and that this caused plaintiffs to experience identity theft and fraud.
Williams and Dube each alleged that they experienced an attempted fraudulent charge after the
data breach occurred, and Williams, Rushing, and Flores alleged that they have received increased
spam messages and targeted marketing since the data breach. Plaintiffs also allege that these spam
messages and unauthorized charges were caused by the data breach because personal information
stolen in data breaches is compiled in “Fullz” packages that are then sold to unsavory parties that
use the information for telemarketer operations or to commit fraud. Plaintiffs are not relying solely
on speculative allegations concerning an increased risk of future identity theft or fraud like in
Maglio. Instead, plaintiffs have clearly alleged that they face imminent, certainly impending, or a
substantial risk of harm due to the data breach, since they allege that they have already experienced
fraudulent charges and spam messaging. Unchageri v. Carefirst of Maryland, Inc., No. 16-1068,
-6-
No. 1-23-0140
2016 WL 8255012, at *6-7 (C.D. Ill. Aug. 23, 2016) (plaintiff lacked standing because he did not
allege any present injuries that would show that the risk of future harm is certainly impending).
Additionally, the risk of future identity theft and fraud is evident from the defendant’s statements,
offering plaintiffs free enrollment in a two-year credit-monitoring service to protect against
identity theft. The alleged injuries suffered by plaintiffs (the fraudulent charges and the lost time
spent dealing with increased spam messages and targeting marketing) are distinct and palpable
injuries that satisfy standing. Craftwood II, Inc. v. Generac Power Systems, Inc., 920 F.3d 479,
481 (7th Cir. 2019) (holding that the time lost reading a junk fax before discarding it is a concrete
injury satisfying standing). Since plaintiffs’ allegations are sufficient to establish that, due to the
data breach, they have already experienced harm and are at imminent risk of future identity theft
and fraudulent charges, plaintiffs have standing to pursue their claims.
¶ 16 Defendant argues that plaintiffs have not alleged that defendant collected their payment
information and therefore they have not established that the unauthorized charges alleged by
Williams and Dube are fairly traceable to defendant’s conduct and the data breach. However,
Williams and Dube alleged that defendant informed both plaintiffs that their “benefit enrollment
information” was obtained during the data breach. Defendant never defined what the term benefit
enrollment information encompassed; therefore, it is possible that it included Williams’s and
Dube’s payment information. Additionally, when personal information is obtained in a targeted
data breach, it is reasonable to assume that the data thieves will use the stolen data for fraudulent
purposes. Galaria v. Nationwide Mutual Insurance Co., 663 F. App’x 384, 388 (6th Cir. 2016).
Plaintiffs have alleged that, even if the stolen data did not contain payment information, data
thieves can compile “Fullz” packages with the personal information that can be sold to third parties
-7-
No. 1-23-0140
to be later used for illegal purposes. In re Mednax Services, Inc., Customer Data Security Breach
Litigation, 603 F. Supp. 3d 1183, 1206 (S.D. Fla. 2022) (“Even if the data accessed in the Data
Breaches did not provide all the information necessary to inflict these harms, they very well could
have been enough to aid therein.”); Sweet v. BJC Health System, No. 3:20-CV-00947-NJR, 2021
WL 2661569, at *4 (S.D. Ill. June 29, 2021) (“while credit card information may not have been
exposed, information such as dates of birth, Social Security numbers, and addresses would likely
be sufficient to permit identity theft”). Plaintiffs have set forth sufficient allegations to establish
that the fraudulent payments were fairly traceable to the data breach for the purposes of standing.
¶ 17 Finally, defendant argues that the fraudulent charges experienced by Williams and Dube
were unsuccessful, and therefore the charges are not actual injuries. However, the fact that the
alleged fraudulent charges were unsuccessful is immaterial and does not stop them from being
actual injuries, nor does it stop them from showing that future fraudulent charges are imminent.
¶ 18 Since plaintiffs have sufficiently alleged that they are experiencing imminent and certainly
impending risk of identity theft and fraud, we need not analyze plaintiffs’ claims that they also
have standing due to the diminishment in the value of plaintiffs’ personal information or their
emotional distress resulting from the loss of their privacy due to the data breach. The circuit court
erred in dismissing plaintiffs’ claims due to lack of standing under section 2-619.
¶ 19 B. Sufficiency of the Complaint
¶ 20 A motion to dismiss pursuant to section 2-615 of the Code of Civil Procedure (735 ILCS
5/2-615 (West 2022)) challenges the legal sufficiency of the complaint based upon defects
apparent on its face. Beacham v. Walker, 231 Ill. 2d 51, 57 (2008). The critical inquiry is whether
the well-pleaded facts of the case, “taken as true and construed in a light most favorable to the
-8-
No. 1-23-0140
plaintiff, are sufficient to state a cause of action upon which relief may be granted.” Loman v.
Freeman, 229 Ill. 2d 104, 109 (2008). The complaint need only set forth the ultimate facts to be
proved—not the evidentiary facts tending to prove such ultimate facts. City of Chicago v. Beretta
U.S.A. Corp., 213 Ill. 2d 351, 369 (2004). In ruling on a section 2-615 motion to dismiss, exhibits
attached to the complaint are included as part of the complaint and control over inconsistent factual
allegations within. Lipinski v. Martin J. Kelly Oldsmobile, Inc., 325 Ill. App. 3d 1139, 1147 (2001).
“Where unsupported by allegations of fact, legal and factual conclusions may be disregarded.”
Kagan v. Waldheim Cemetery Co., 2016 IL App (1st) 131274, ¶ 29. “Unless it is clearly apparent
that the plaintiff could prove no set of facts that would entitle him to relief, a complaint should not
be dismissed.” Id. We review a dismissal under section 2-615 de novo. Randall v. Lemke, 311 Ill.
App. 3d 848, 850 (2000).
¶ 21 1. Negligence
¶ 22 Plaintiffs argue that defendant had a common law duty to protect their personal information
and that they have sufficiently alleged that the data breach was the proximate cause of plaintiffs’
injuries. Defendant argues that there is no common law duty to safeguard personal information in
Illinois. Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 363 (2010). Additionally,
defendant argues that plaintiffs have not alleged any facts that would show that their injuries were
proximately caused by the data breach.
¶ 23 To state a claim for negligence, a plaintiff must allege facts showing that (1) the defendant
owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the
breach was the proximate cause of plaintiff’s injuries. Cowper v. Nyberg, 2015 IL 117811, ¶ 13.
In Cooney v. Chicago Public Schools, the court declined to recognize a new common law duty to
-9-
No. 1-23-0140
safeguard personal information. Cooney, 407 Ill. App. 3d at 363. The court pointed out that the
legislature had recently addressed this issue in the Personal Information Protection Act (815 ILCS
530/1 et seq. (West 2022)). In the case of a data breach, the Information Protection Act only
required the collector of the personal information to provide “timely notice of a security breach to
the parties affected.” Id. at 362; 815 ILCS 530/10 (West 2022). Given that the legislature had
recently addressed the issue, the court declined to create a new common law duty beyond the
legislative requirements of the Information Protection Act. Cooney, 407 Ill. App. 3d at 363. In
2017, the Information Protection Act was amended in order to require data collectors in possession
of the personal information of Illinois residents to “implement and maintain reasonable security
measures to protect those records from unauthorized access, acquisition, destruction, use,
modification, or disclosure.” Pub. Act 99-503 (eff. Jan. 1, 2017) (adding 815 ILCS 530/45). Given
that the legislature has now created a duty to maintain reasonable security measures under the
Information Protection Act, the reasoning of the Cooney court no longer applies. See In re Arthur
J. Gallagher Data Breach Litigation, 631 F. Supp. 3d 573, 590 (N.D. Ill. 2022).
¶ 24 The existence of a common law duty is a question of law and is shaped by public policy
considerations. Grant v. South Roxana Dad’s Club, 381 Ill. App. 3d 665, 669 (2008). “The
touchstone of the duty analysis is to ask whether the plaintiff and defendant stood in such a
relationship to one another that the law imposes on the defendant an obligation of reasonable
conduct for the benefit of the plaintiff.” Krywin v. Chicago Transit Authority, 238 Ill. 2d 215, 226
(2010). When determining whether there is a duty of care under the common law, we look at (1) the
reasonable foreseeability of the injury, (2) the likelihood of the injury, (3) the magnitude of the
burden of guarding against the injury, and (4) the consequences of placing that burden on the
- 10 -
No. 1-23-0140
defendant. Bogenberger v. Pi Kappa Alpha Corp., Inc., 2018 IL 120951, ¶ 46. Here, it is
foreseeable that a failure to maintain reasonable security measures would allow unauthorized third
parties to gain access to stored personal information, and it is likely that a data breach of this
information would cause injury to the individuals that the personal information belongs to.
Additionally, defendant is a sophisticated company that provides cyber security services to its
clients, so it is well aware of the risks of providing inadequate security measures for personal
information. Providing reasonable security measures for the storage of personal information would
not be a large burden for defendant, given its experience and expertise in cyber security. All four
factors support the conclusion that defendant has a common law duty to protect the personal
information of its clients, in addition to its duty under the Information Protection Act.
¶ 25 Defendant argues that plaintiffs have failed to allege that defendant’s conduct was the
proximate cause of any actual injury. Plaintiffs have alleged that they carefully safeguard their
personal information and that after the data breach they began to be targeted more frequently by
spam messages and targeted marketing, as well as two fraudulent charges. They have also alleged
that the data breach is the cause of these injuries because personal information stolen in data
breaches is used to cross-reference other available information and to compile “Fullz” packages
used to further identity theft and fraud attempts. These allegations of proximate cause and injury
are sufficient at the pleading stage. The circuit court erred in dismissing plaintiffs’ negligence
claim.
¶ 26 2. Negligence Per Se
¶ 27 Plaintiffs assert a claim for negligence per se based upon defendant’s alleged violations of
section 45 of the Federal Trade Commission Act. 15 U.S.C. § 45(a) (2018) (declaring “unfair or
- 11 -
No. 1-23-0140
deceptive acts or practices in or affecting commerce” as unlawful). “A violation of a statute or
ordinance designed to protect human life or property is prima facie evidence of negligence.”
Kalata v. Anheuser-Busch Cos., 144 Ill. 2d 425, 434 (1991). A party injured by such a violation
may only recover by showing that “the violation proximately caused his injury and the statute or
ordinance was intended to protect a class of persons to which he belongs from the kind of injury
that he suffered.” Id. However, such a violation does not constitute negligence per se and so “the
defendant may prevail by showing that he acted reasonably under the circumstances.” Bier v.
Leanna Lakeside Property Ass’n, 305 Ill. App. 3d 45, 58 (1999).
¶ 28 A violation of a statute only constitutes negligence per se (which would mean strict
liability) if the legislature clearly intends for the act to impose strict liability. Abbasi v.
Paraskevoulakos, 187 Ill. 2d 386, 395 (1999). We find no support for the notion that the legislature
clearly intended to impose strict liability for FTC Act violations. 15 U.S.C. § 45. While
defendant’s alleged violations of the FTC Act could be offered as prima facie evidence of
defendant’s negligence, they do not constitute negligence per se. Therefore, we uphold the circuit
court’s dismissal of plaintiffs’ separate negligence per se claim.
¶ 29 3. Breach of Implied Contract
¶ 30 Plaintiffs allege that they entered into an implied contract with defendant in which, in return
for providing defendant with their personal information, defendant would use reasonable security
measures to prevent disclosure of that personal information to unauthorized persons. Defendant
argues that there is no independent cause of action for a breach of the implied covenant of good
faith and fair dealing and therefore plaintiffs’ claim fails as a matter of law.
- 12 -
No. 1-23-0140
¶ 31 An implied contract can be created as a result of the parties’ actions, even if there is no
express contract between them. Trapani Construction Co. v. The Elliot Group, Inc., 2016 IL App
(1st) 143734, ¶ 41. Under Illinois law, a contract in fact can be implied from the facts and
circumstances that demonstrate the parties’ intent to be bound. Heavey v. Ehret, 166 Ill. App. 3d
347, 354 (1988). Unlike an express contract, in which the parties arrive at an agreement using
words, agreement in an implied-in-fact contract is created through the actions and conduct of the
parties. Trapani Construction, 2016 IL App (1st) 143734, ¶ 41. Every contract contains an implied
covenant of good faith and fair dealing. Eckhardt v. The Idea Factory, LLC, 2021 IL App (1st)
210813, ¶ 28; McCleary v. Wells Fargo Securities, L.L.C., 2015 IL App (1st) 141287, ¶ 19;
Northern Trust Co. v. VIII S. Michigan Associates, 276 Ill. App. 3d 355, 367 (1995).
¶ 32 The circuit court correctly stated that there is no independent cause of action for a breach
of the implied covenant of good faith and fair dealing. Voyles v. Sandia Mortgage Corp., 196 Ill.
2d 288, 295-98 (2001); Northern Trust Co., 276 Ill. App. 3d at 367. However, plaintiffs’ claim
rests on the alleged breach of an implied contract, not a breach of the implied covenant of good
faith and fair dealing.
¶ 33 Plaintiffs have alleged sufficient facts to show that an implied contract existed between
plaintiffs and defendant. Defendant made representations in its privacy policy that it would
safeguard plaintiffs’ personal information using reasonable security measures. On top of
defendant’s representations in its privacy policy, it is implied from the relationship between the
parties that defendant would take reasonable steps to ensure that plaintiffs’ personal information
would be protected from unauthorized disclosure. Doe v. Fertility Centers of Illinois, S.C., No. 21
C 579, 2022 WL 972295, at *4 (N.D. Ill. Mar. 31, 2022); Castillo v. Seagate Technology, LLC,
- 13 -
No. 1-23-0140
No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (“it is difficult to
imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security
numbers or other sensitive personal information would not imply the recipient’s assent to protect
the information sufficiently”).
¶ 34 Although defendant contends that plaintiffs failed to allege that they reviewed or relied
upon any of the claimed representations made by defendant in its privacy policy, this does not
require dismissal of plaintiffs’ breach of implied contract claim because the facts and
circumstances between the parties were sufficient to imply a contract between them for the security
of plaintiffs’ personal information. However, plaintiffs’ claim for breach of implied contract
ultimately must be dismissed because plaintiffs fail to allege an adequate injury-in-fact. To
successfully make a breach of implied contract claim, a plaintiff must allege actual monetary
damages. Avery v. State Farm Mutual Automobile Insurance Co., 216 Ill. 2d 100, 149 (2005); In re
Illinois Bell Telephone Link-Up II & Late Charge Litigation, 2013 IL App (1st) 113349, ¶ 19.
Plaintiffs’ alleged injuries, while sufficient to establish standing, do not amount to actual monetary
damages. While plaintiffs argue that lost time responding to a data breach meets the standard of
actual monetary damages, they rely on federal law rather than Illinois case law. In re Arthur J.
Gallagher Data Breach Litigation, 631 F. Supp. 3d at 587. We decline to hold that the alleged
diminution in value of plaintiffs’ personal information amounts to actual monetary damages.
Plaintiffs have failed to allege adequate damages for a breach of implied contract claim. We affirm
the circuit court’s dismissal of plaintiffs’ breach of implied contract claim.
- 14 -
No. 1-23-0140
¶ 35 4. Unjust Enrichment
¶ 36 Plaintiffs allege, in the alternative to their breach of implied contract claim, a claim for
unjust enrichment. Plaintiffs argue that they conferred a benefit upon defendant in the form of their
(1) employment with defendant, (2) payment of premiums for defendant’s insurance products and
services through their employment, and (3) the value of plaintiffs’ personal information. Plaintiffs
contend that defendant should not be permitted to retain the full value of these benefits due to
defendant’s alleged failure to adequately protect plaintiffs’ personal information. Defendant argues
that plaintiffs fail to allege any benefit retained by defendant to plaintiffs’ detriment.
¶ 37 “To state a cause of action based on a theory of unjust enrichment, a plaintiff must allege
that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s
retention of the benefit violates the fundamental principles of justice, equity, and good
conscience.” HPI Health Care Services, Inc. v. Mt. Vernon Hospital, Inc., 131 Ill. 2d 145, 160
(1989). Unjust enrichment is not an independent cause of action. Gagnon v. Schickel, 2012 IL App
(1st) 120645, ¶ 25. “Rather, it is a condition that may be brought about by unlawful or improper
conduct as defined by law, such as fraud, duress or undue influence, and may be redressed by a
cause of action based upon that improper conduct.” Charles Hester Enterprises, Inc. v. Illinois
Founders Insurance Co., 137 Ill. App. 3d 84, 90-91 (1985), aff’d, 114 Ill. 2d 278 (1986).
¶ 38 Plaintiffs fail to allege that defendant unjustly retained a benefit to plaintiffs’ detriment.
The labor that plaintiff Rushing provided for defendant does not satisfy this requirement, because
defendant adequately compensated Rushing through her wages. Additionally, the payments of
premiums for defendant’s insurance services were made by plaintiffs’ employers, not plaintiffs
themselves, and therefore were not benefits conferred by plaintiffs. Finally, plaintiffs argue that
- 15 -
No. 1-23-0140
defendant benefited from the receipt of plaintiffs’ personal information, since the personal
information was used to purchase insurance through defendant. However, plaintiffs’ personal
information was not the payment for defendant’s insurance services. Instead, defendant
incidentally received plaintiffs’ personal information as an administrative necessity for providing
their insurance services. Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 766 (C.D. Ill. 2020).
Plaintiffs have failed to allege that defendant has unjustly retained any benefit provided by
plaintiffs. Therefore, we uphold the circuit court’s dismissal of plaintiffs’ unjust enrichment claim.
¶ 39 5. The Consumer Fraud Act
¶ 40 Plaintiff Flores and the putative Illinois class members allege that defendant violated the
Information Protection Act by failing to maintain reasonable security measures to protect
plaintiffs’ personal information, and that a violation of the Information Protection Act constitutes
an unlawful practice under the Consumer Fraud Act. 815 ILCS 530/20, 45 (West 2022). Defendant
argues that Flores has not alleged an actual economic injury under the Consumer Fraud Act.
¶ 41 In order to plead a private cause of action for a violation of the Consumer Fraud Act, a
plaintiff must allege: “(1) a deceptive act or practice by the defendant, (2) the defendant’s intent
that the plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct
involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the
deception.” Oliveira v. Amoco Oil Co., 201 Ill. 2d 134, 149 (2002). The Consumer Fraud Act
provides remedies for purely economic injuries. Morris v. Harvey Cycle & Camper, Inc., 392 Ill.
App. 3d 399, 402 (2009). “Actual damages must be calculable and ‘measured by the plaintiff’s
loss.’ ” Id. (quoting City of Chicago v. Michigan Beach Housing Cooperative, 297 Ill. App. 3d
317, 326 (1998)). The failure to allege specific economic damages precludes a claim brought under
- 16 -
No. 1-23-0140
the Consumer Fraud Act. Id. at 402; White v. DaimlerChrysler Corp., 368 Ill. App. 3d 278, 287
(2006).
¶ 42 Flores has failed to allege the specific economic damages necessary to bring a claim under
the Consumer Fraud Act. Flores’s alleged injuries are her emotional distress due to her loss of
privacy, her lost time dealing with the consequences of the data breach, the increase in spam
messages she has received, and the imminent risk of fraud and identity theft. None of these are the
specific economic damages required for a claim under the Consumer Fraud Act. Williams v.
Manchester, 228 Ill. 2d 404, 425 (2008) (“an increased risk of future harm is an element of
damages that can be recovered for a present injury—it is not the injury itself” (emphasis in
original)); Morris, 392 Ill. App. 3d at 402 (emotional damages are not specific economic injuries
under the Consumer Fraud Act). Flores also alleges that she suffered damages in the form of
diminution of the value of her personal information, but we decline to hold that diminution in the
value of personal information is a specific economic injury under the Consumer Fraud Act. Morris,
392 Ill. App. 3d at 402 (“[a]ctual damages must be calculable” (emphasis added)).
¶ 43 Plaintiffs cite to federal cases in which plaintiffs who experienced a data breach were able
to claim economic losses under the Consumer Fraud Act. However, these cases are distinguishable
because they all involved actual economic losses. Dieffenbach v. Barnes & Noble, Inc., 887 F.3d
826, 829-30 (7th Cir. 2018) (plaintiff spent $17 per month on a credit-monitoring service); In re
Arthur J. Gallagher Data Breach Litigation, 631 F. Supp. 3d at 587-88 (plaintiff experienced
fraudulent credit card charges); Worix v. MedAssets, Inc., 869 F. Supp. 2d 893, 901 (N.D. Ill. 2012)
(plaintiff alleged lost wages and money spent on credit monitoring). Plaintiffs also cite to Perdue
v. Hy-Vee, Inc., in which the court held that a plaintiff’s time spent monitoring his account due to
- 17 -
No. 1-23-0140
the data breach was an economic injury; however, this holding was based on federal law and we
decline to follow it. 455 F. Supp. 3d at 761. Because Flores fails to allege any specific economic
injury, we affirm the circuit court’s dismissal of plaintiffs’ claim under the Consumer Fraud Act.
¶ 44 6. The Florida Deceptive and Unfair Trade Practices Act
¶ 45 Plaintiff Williams and the putative Florida class members assert a claim for violation of
the Florida Deceptive and Unfair Trade Practices Act. Plaintiffs argue that defendant engaged in
deceptive and unfair trade practices against Florida residents and that there is a sufficient nexus
between defendant’s actions and Florida for the Florida Trade Practices Act to apply. Defendant
argues that plaintiffs’ claim fails since the Florida Trade Practices Act only applies to actions that
occurred within the state of Florida, and the data breach occurred in Illinois. Alternatively,
defendant argues that plaintiffs’ claim under the Florida Trade Practices Act is limited to injunctive
relief because plaintiffs fail to allege actual damages.
¶ 46 A claim for damages under the Florida Trade Practices Act requires: “(1) a deceptive act
or unfair practice; (2) causation; and (3) actual damages.” Rollins, Inc. v. Butland, 951 So. 2d 860,
869 (Fla. Dist. Ct. App. 2006). The Florida Trade Practices Act prohibits unfair and deceptive
trade practices that occur anywhere within the territorial boundaries of Florida. Millennium
Communications & Fulfillment, Inc. v. Office of Attorney General, Dept. of Legal Affairs, State of
Florida, 761 So. 2d 1256, 1262 (Fla. Dist. Ct. App. 2000). Therefore, the Florida Trade Practices
Act applies at least to all actions that occurred within the state of Florida. Hakim-Daccach v. Knauf
International GmbH, No. 17-20495-CIV, 2017 WL 5634629, at *7 (S.D. Fla. Nov. 22, 2017).
¶ 47 Williams has alleged that her injury was caused by wrongful acts that occurred in Florida.
She alleged that she provided her personal information to defendant based on its promises to her
- 18 -
No. 1-23-0140
and to other Florida residents to keep that information safe. She also alleged that defendant omitted
material information concerning the adequacy of its data security and that had she known about
the true state of defendant’s cyber-security procedures, she would not have provided defendant
with her personal information. Williams’s allegations are sufficient to establish a claim under the
Florida Trade Practices Act. Federal Trade Comm’n v. All US Marketing LLC, No. 6:15-cv-1016-
Orl-28KRS, 2017 WL 9398643, at *11 n.7 (M.D. Fla. Apr. 13, 2017) (“The amended complaint
alleges that Defendants’ misrepresentations actually misled consumers within the State of Florida.
[Citation.] This provides a nexus between the State of Florida and acts that allegedly violate [the
Florida Trade Practices Act].”), report & recommendation adopted by Federal Trade Comm’n v.
All US Marketing LLC, No. 6:15-cv-1016-Orl-28KRS, 2017 WL 2256650 (M.D. Fla. May 22,
2017). Although defendant argues that the data breach itself did not occur within Florida, this
misses the point. Williams has alleged that defendant has made misrepresentations within the
territorial boundaries of Florida to Florida residents.
¶ 48 However, plaintiffs’ Florida Trade Practices Act claim is limited to injunctive relief. The
Florida Trade Practices Act only allows for the recovery of actual damages, meaning the
diminished value of the goods or services due to the Florida Trade Practices Act violation. Farmer
v. Humana, Inc., 582 F. Supp. 3d 1176, 1191 (M.D. Fla. 2022). The Florida Trade Practices Act
expressly does not allow recovery for consequential damages, meaning damages to “property other
than the property that is the subject of the consumer transaction.”(Internal quotation marks
omitted.) Id.; Fla. Stat. § 501.212(3) (West 2022). This includes “damages arising from identity
theft and fraud” as well as the “increased risk of future identity theft and fraud, and the costs
associated therewith; and time spent monitoring, addressing, and correcting the current and future
- 19 -
No. 1-23-0140
consequences of the data breach.” (Internal quotation marks omitted.) Farmer, 582 F. Supp. 3d at
1191. Here, the subject of the consumer transaction was the insurance services defendant was
providing Williams through her employer. None of Williams’s alleged injuries, including the
fraudulent PayPal charge, the diminution in the value of her personal information, and her
emotional distress, are considered actual damages under the Florida Trade Practices Act. In re
Mednax Services, Inc., Customer Data Security Breach Litigation, 603 F. Supp. 3d at 1212-13;
In re Brinker Data Incident Litigation, No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *13
(M.D. Fla. Jan. 27, 2020); In re American Medical Collection Agency, Inc. Customer Data Security
Breach Litigation, No. CV 19-MD-2904, 2021 WL 5937742, at *28 (D.N.J. Dec. 16, 2021).
Without any actual damages, Williams’s Florida Trade Practices Act claim is limited to injunctive
relief.
¶ 49 7. Invasion of Privacy
¶ 50 Finally, plaintiffs assert a claim for invasion of privacy based upon intrusion into seclusion.
Plaintiffs argue that the personal information accessed by third parties during the data breach
(names, driver’s license numbers, social security numbers, and benefit enrollment information)
consisted of private facts, while defendant argues that this information should be categorized as
personal, non-private facts that are insufficient to establish an invasion of privacy claim.
¶ 51 There are four ways to state a cause of action for invasion of privacy in Illinois:
(1) intrusion upon the seclusion of another, (2) appropriation of another’s name or likeness,
(3) public disclosure of private facts, and (4) publicity placing another in a false light. Busse v.
Motorola, Inc., 351 Ill. App. 3d 67, 71 (2004). The elements of intrusion upon seclusion are “(1)
the defendant committed an unauthorized intrusion or prying into the plaintiff’s seclusion; (2) the
- 20 -
No. 1-23-0140
intrusion would be highly offensive or objectionable to a reasonable person; (3) the matter intruded
on was private; and (4) the intrusion caused the plaintiff anguish and suffering.” Id. The third
element is the most significant in this case. The facts must be private, not merely personal. Id. at
72. Personal information such as names, addresses, telephone numbers, social security numbers,
or dates of birth are not considered to be private facts. Id.
¶ 52 The names, driver’s license numbers, and social security numbers that plaintiffs have
alleged were accessed due to the data breach are not private facts necessary to establish a claim
for intrusion upon the seclusion of another. Id. However, plaintiffs have alleged that the data breach
included some of the plaintiffs’ “benefit enrollment information.” Since this is a term used by
defendant, plaintiffs have no way of knowing what kind of personal information is included within
this category until discovery occurs. Since the benefit enrollment information could contain private
facts about plaintiffs, such as their financial history, medical history, and beneficiary information,
we find that plaintiffs have adequately alleged a claim for invasion of privacy. Johnson v. K mart
Corp., 311 Ill. App. 3d 573, 579 (2000); Green v. Chicago Tribune Co., 286 Ill. App. 3d 1, 18
(1996) (Cahill, J., dissenting).
¶ 53 Defendant argues that plaintiffs have forfeited their argument concerning benefit
enrollment information because plaintiffs cannot raise new factual theories of recovery for the first
time on appeal. Wilson v. Gorski’s Food Fair, 196 Ill. App. 3d 612, 617 (1990). However, plaintiffs
alleged in their complaint that the data breach contained benefit enrollment information and
beneficiary information. See Grund v. Donegan, 298 Ill. App. 3d 1034, 1037 (1998) (stating that
a plaintiff may rely on any allegations of fact made in the complaint). The circuit court erred in
dismissing plaintiffs’ claim for invasion of privacy.
- 21 -
No. 1-23-0140
¶ 54 C. Moorman Doctrine
¶ 55 Plaintiffs argue that their common law tort claims (negligence, negligence per se, unjust
enrichment, and invasion of privacy) are not barred by the Moorman doctrine because the duty
that defendant allegedly breached arose out of the common law, implied contract, and statutes
rather than through an express contract. Defendant argues that plaintiffs’ allegations of emotional
distress are conclusory and must be dismissed and that the rest of plaintiffs’ alleged injuries are
purely economic and are thus barred by the Moorman doctrine.
¶ 56 The Moorman doctrine, also known as the economic loss doctrine, states that there can be
no recovery in tort for purely economic losses. Moorman Manufacturing Co. v. National Tank Co.,
91 Ill. 2d 69, 88 (1982). Economic loss is defined as “damages for inadequate value, costs of repair
and replacement of the defective product, or consequent loss of profits—without any claim of
personal injury or damage to other property.” (Internal quotation marks omitted.) Id. at 82. The
Moorman doctrine is founded on the theory that “parties to a contract may allocate their risks by
agreement and do not need the special protections of tort law to recover damages caused by a
breach of contract.” Mars, Inc. v. Heritage Builders of Effingham, Inc., 327 Ill. App. 3d 346, 351
(2002). However, the Illinois Supreme Court later held that the doctrine applies to the service
industry only where the duty of the party performing the service is defined by a contract executed
with the client. Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 159 Ill.
2d 137, 162 (1994). If the duty arises outside of a contract between the parties, then recovery in
tort for the negligent breach of that duty is not barred by the Moorman doctrine. Id. Although the
Congregation of the Passion decision concerned a professional malpractice claim against an
accounting firm, its reasoning equally applies to data breach cases.
- 22 -
No. 1-23-0140
¶ 57 Here, plaintiffs allege no express contract between the parties that would establish a duty
by defendant to safeguard plaintiffs’ personal information. Additionally, the “product” of the
transaction between the parties was the insurance services plaintiffs were receiving through their
employers, not the protection of the personal information defendant needed to provide the
insurance services. Applying the Moorman doctrine to this data breach case would stretch the
applicability of the doctrine far beyond its products liability roots, given that there is no express
contract between the parties and the injuries allegedly suffered by plaintiffs were not caused by
any defect in the actual product of the transaction. See In re Marriott International, Inc., Customer
Data Security Breach Litigation, 440 F. Supp. 3d 447, 468-76 (D. Md. 2020) (thoroughly
analyzing the history of the Moorman doctrine and the potential applicability of the doctrine to
data breach cases under Illinois law); McGlenn v. Driveline Retail Merchandising, Inc., No. 18-
CV-2097, 2021 WL 4301476, at *8-9 (C.D. Ill. Sept. 21, 2021). Instead, plaintiffs’ injuries arose
from defendant’s alleged breach of its duty to safeguard personal information incidental to the
transaction itself. Since plaintiffs’ common law tort claims are based on defendant’s common law
duty to safeguard personal information rather than any express contractual duty, the Moorman
doctrine does not prohibit plaintiffs from bringing their claims.
¶ 58 Defendant’s contention that plaintiffs’ injuries are economic is irrelevant since the
Moorman doctrine does not apply to plaintiffs’ claims in the first place. The circuit court erred in
dismissing plaintiffs’ negligence, negligence per se, unjust enrichment, and invasion of privacy
claims under the Moorman doctrine.
¶ 59 Plaintiffs argue that the trial court abused its discretion in dismissing its various claims
- 23 -
No. 1-23-0140
“with prejudice” because the fault found by the trial court—the failure to allege sufficient facts—
could be cured by amending the complaint. However, in fairness to the trial court, its ruling under
section 2-615 was an alternative holding to its conclusion (albeit mistaken) that plaintiffs lacked
standing—a legal impediment that could not be cured by repleading. The standard for repleading,
of course, is a generous one. Leave to replead should be “freely” given (People v. Brown, 336 Ill.
App. 3d 711, 716 (2002)), and a claim should be dismissed with prejudice only when it becomes
clear that a plaintiff can plead no set of facts entitling him or her to relief. Loyola Academy v. S&S
Roof Maintenance, Inc., 146 Ill. 2d 263, 273 (1992); Mills v. County of Cook, 338 Ill. App. 3d 219,
224 (2003).
¶ 60 Aside from plaintiffs’ negligence per se claim, which is deficient as a matter of law, on
those claims where we affirm the trial court’s dismissal under section 2-615, the pleading defects
may well be cured by repleading. For example, the dismissal of the breach of implied contract and
consumer fraud claims are predicated on a failure to allege a monetary loss or economic injury.
The dismissal of the unjust enrichment claim is based on the failure to allege an unjustly retained
benefit. Whether plaintiffs can or will seek to replead to cure these and other defects is a matter to
be taken up on remand.
¶ 61 III. CONCLUSION
¶ 62 The circuit court’s dismissal of plaintiffs’ complaint for lack of standing and its dismissal
of plaintiffs’ negligence, Florida Trade Practices Act, and invasion of privacy claims for failure to
state a claim are reversed. The circuit court’s dismissal of plaintiffs’ negligence per se claim is
affirmed, and its dismissal of the breach of implied contract, unjust enrichment and Consumer
- 24 -
No. 1-23-0140
Fraud Act claims are affirmed, but modified to be without prejudice. The matter is remanded for
further proceedings.
¶ 63 Affirmed in part and reversed in part; cause remanded.
- 25 -
No. 1-23-0140
Flores v. Aon Corp., 2023 IL App (1st) 230140
Decision Under Review: Appeal from the Circuit Court of Cook County, No. 2022-CH-
6132; the Hon. Neil H. Cohen, Judge, presiding.
Attorneys Kenneth A. Wexler, Bethany R. Turke, and Eaghan S. Davis, of
for Wexler Boley & Elgersma LLP, and Gary M. Klinger, of Milberg
Appellant: Coleman Bryson Phillips Grossman, PLLC, both of Chicago,
Raina C. Borrelli, Samuel J. Strauss (pro hac vice), Brittany Resch
(pro hac vice), and Alex Phillips (pro hac vice), of Turke & Strauss
LLP, of Madison, Wisconsin, Joseph M. Lyon, of Lyon Law Firm,
LLC, and Terence R. Coates (pro hac vice), of Markovits, Stock
& Demarco, LLC, both of Cincinnati, Ohio, Bryan L. Bleichner
(pro hac vice), of Chestnut Cambronne PA, of Minneapolis,
Minnesota, Patrick N. Keegan (pro hac vice), of Keegan & Baker,
LLP, of Carlsbad, California, and Ryan A. Stygar (pro hac vice),
of Centurion Trial Attorneys, APC, of San Diego, California, for
appellants.
Attorneys Craig C. Martin, LaRue L. Robinson, Mengjie Zou, Bianca L.
for Valdez, and Elizabeth P. Astrup, of Willkie Farr & Gallagher LLP,
Appellee: of Chicago, for appellee.
- 26 -