Opinion
1:23-cv-00527-HAB-SLC
09-23-2024
JUSTIN MCLAUGHLIN and ATURINA ESHW, on behalf of themselves, and all others similarly situated, Plaintiffs, v. TAYLOR UNIVERSITY Defendant,
OPINION AND ORDER
HOLLY A. BRADY UNITED STATES DISTRICT COURT CHIEF JUDGE
Plaintiffs Justin McLaughlin and Aturina Eshw, on behalf of themselves and all other similarly situated (collectively hereafter “Plaintiffs”), sued Defendant, Taylor University (“Taylor”), because hackers infiltrated Taylor's network and stole Plaintiffs' personal information. (ECF No. 1). Plaintiffs allege that Taylor failed to implement reasonable measures to safeguard their information and failed to promptly notify Plaintiffs of the data breach. Plaintiffs' suit asserts claims for negligence, negligence per se, breach of contract, unjust enrichment, invasion of privacy, and breach of bailment. Before the Court is Taylor's Motion to Dismiss Plaintiffs' Complaint (ECF No. 12) in its entirety. Taylor's Motion is now fully briefed (ECF Nos. 13, 19, 22) and ripe for ruling.
I. Standard or Review
Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of a complaint, or any portion of a complaint, for failure to state a claim upon which relief can be granted. Fed.R.Civ.P. 12(b)(6). “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citations and internal quotation marks omitted); see also Ray v. City of Chi., 629 F.3d 660, 662-63 (7th Cir. 2011). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. When analyzing a motion to dismiss a claim under Rule 12(b)(6), the factual allegations in the complaint must be accepted as true and viewed in the light most favorable to the plaintiff. Brokaw v. Mercer Cnty., 235 F.3d 1000, 1006 (7th Cir. 2000).
That said, the Court is not “obliged to accept as true legal conclusions or unsupported conclusions of fact.” Bielanski v. Cty. Of Kane, 550 F.3d 632 Cir. 2008). And “[t]hreadbare recitals of the elements of a cause of action, supported by merely conclusory statements do not suffice.” Iqbal, 556 U.S. at 678.
II. Factual Background
Taylor is a private university located in Upland, Indiana. (ECF No. 1, ¶ 20). In the ordinary course of providing educational services, Taylor requires students, employees, and others to provide their personal information to conduct their business. (Id. ¶ 25). Taylor stores that information on its servers. (Id. ¶ 26). Plaintiff Mclaughlin is a graduate of Taylor and Plaintiff Eshw is a former prospective student that applied to Taylor in 2020. (Id. ¶¶ 13, 17). Both provided and entrusted Taylor with their personal information. (Id. ¶ 31).
On or around May 18, 2023, Taylor was subject to a sophisticated cybersecurity incident in which hackers got their hands on Plaintiffs' personal information (“the “Incident”). (ECF No. 1-1). Once Taylor identified the Incident, it secured the systems involved, alerted law enforcement, and launched an investigation. (Id.). Through the investigation, Taylor learned that hackers accessed the affected systems between February 26 and May 18, 2023. (Id.) Taylor's Notice Letter indicates that those systems may have contained the personal information of current and former students, prospective students, employees, donors, and other individuals, including their names, Social Security numbers, driver's license/state ID numbers, and/or financial account information (collectively “PII”). (ECF No. 1, ¶ 39; ECF No. 1-1). And in the Notice Letter Taylor offers a year of free credit monitoring services and encouraged the victims to remain vigilant in monitoring their affairs. (ECF No. 1-1). Taylor sent the Notice Letter to the victims on December 4, 2023. (Id.).
Plaintiffs McLaughlin and Eshw received the Notice Letter and filed suit in this forum seeking to certify a class of “[a]ll individuals whose Personal Information was compromised as a result of the [Incident] with [Taylor] which was announced on or about December 4, 2023.” (Id. ¶ 79.). Plaintiffs allege that the Incident “was preventable and a direct result of [Taylor's] failure to implement adequate and reasonable cyber-security procedures and protocol necessary to protect individual's [PII].” (Id. ¶ 43). Plaintiffs state that they “have been required to take the time and effort...to mitigate the actual and potential impact of the [Incident] including.. .placing ‘freezes' and ‘alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring” various sources for unauthorized activity. (Id. ¶ 7). Other injuries Plaintiffs contend that they have suffered include: misuse or theft of their PII; diminution in value of their PII; and loss of the benefit of the bargain with Taylor to adequately protect their PII. (Id. ¶¶ 72, 102). Plaintiffs also claim that they incurred out-of-pocket expenses, suffered emotional distress and anxiety, and now forever face an amplified risk of further misuse, fraud, and identity theft because the hackers' receipt of their PII. (Id. ¶¶ 4, 101).
Plaintiffs thus sued Taylor under theories of negligence (Count I), negligence per se under Section 5 of the Federal Trade Commission Act (Count II), breach of contract (Count III), unjust enrichment (Count IV), invasion of privacy (Count V), and breach of bailment (Count VI). (Id. at 23-35).
III. Discussion
Taylor seeks dismissal of all claims asserted in Plaintiffs' Complaint. (ECF No. 13). It starts by broadly alleging that Plaintiffs' damages do not amount to a cognizable loss sufficient for any cause of action under Indiana law. (Id. at 5-10). Taylor then hones in on Plaintiffs' causes of action individually and contends that they have failed to state a claim for each. The Court will first address Taylor's argument that Plaintiffs' alleged injuries are insufficient and will then address each of Plaintiffs' substantive causes of action specifically below.
a. Cognizable Loss
Indiana law requires Plaintiffs to plead a cognizable loss or actual injury as an indispensable element of their common law claims. Taylor asserts three arguments to support their assertion that Plaintiffs fail to plead a cognizable loss: (1) increased risk of future harm and identity theft as well as anticipated mitigation and remediation costs are insufficient; (2) injuries based on the diminished value of PII are routinely rejected; and (3) future anxiety related theories are not cognizable injuries.
E.g., Bader v. Johnson, 732 N.E.2d 1212, 1217 (Ind. 2000) (negligence claim requires a “compensable injury proximately caused by defendant's breach of duty.”); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 635 (7th Cir. 2007) (“Compensable damages are an element of a breach of contract cause of action”); Reed v. Reid, 980 N.E.2d 277, 296 (Ind. 2012) (unjust enrichment requires a benefit rendered and unjustly retained); Henry v. Cmty. Healthcare Sys. Cmty. Hosp., 184 N.E.3d 645, 651 (Ind.Ct.App.), transfer denied, 188 N.E.3d 845 (Ind. 2022), and abrogated by Cmty. Health Network, Inc. v. McKenzie, 185 N.E.3d 368 (Ind. 2022) (requiring injury in the form of publication of private facts to the public at large); Norris Auto. Serv. v. Melton, 526 N.E.2d 1023, 1027 (Ind.Ct.App. 1988) (finding bailment only when plaintiff could show “(1) bailment was created, (2) [defendant] negligently stored the vehicle, and (3) as a result the [property] was damaged.”).
Taylor also contends that Plaintiffs' “Benefit of the Bargain Theory does not amount to a cognizable loss.” (ECF No. 13 at 9-10). Such damages are specific to Plaintiffs' claim for breach of contract and the Court will address that issue when addressing that cause of action below.
While Taylor encourages this Court not to “conflate Article III's requirement of injury in fact with [the Plaintiffs'] potential causes of action,” Debernardis v. IQ Formulations, LLC, 942 F.3d 1076, 1084 (11th Cir. 2019), “‘cause of action' and ‘standing' [as] distinct concepts can be difficult to keep separate[.]” Bond v. United States, 564 U.S. 211, 218-19 (2011). “A plaintiff to have standing must have an injury, and a plaintiff to have an Indiana cause of action for negligence or breach of contract must have an injury.” Krupa v. TIC International Corp., 2023 WL 143140, at *3 (S.D. Ind. Jan. 10, 2023). Taylor cites no in-circuit authority to support that the standard for injury-in-fact under Article III is higher than that of a compensable injury under Indiana law. And like other courts in this Circuit have said, the Court sees no difference as applied here. See Johnson v. Nice Pak Prod., Inc., 2024 WL 2845928, at *14 (S.D. Ind. June 5, 2024). Taylor argues that Plaintiffs were not injured by the theft of their PII and reasons that the only injuries Plaintiffs can show are future injuries or the risk of future harm. Taylor therefore contends that Plaintiffs' alleged injuries are insufficiently definite to pursue a claim under Indiana law.
See TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203, 210 L.Ed.2d 568 (2021); Robertson v. B.O., 977 N.E.2d 341, 344 (Ind. 2012) (“injury” as an element of negligence); Berg v. Berg, 170 N.E.3d 224, 231 (Ind. 2021) (“damages” as an element of breach of contract)
The Court begins with Taylor's argument that the increased risk of future harm and anticipated mitigation costs are not injuries. Taylor relies heavily on Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007). In Pisciotta, the issue was “whether Indiana would consider that the harm caused by identity information exposure . . . constitutes an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract.” Id. at 635 (emphasis in original). At that time, the answer was no. Id. But the Seventh Circuit and Indiana courts alike have done well with chipping away at Pisciotta's commands. See, e.g., Paul v. Ardagh Glass, Inc., No. 49D07-2209-CT-031302, 2023 WL 5153147, at *7 (Ind. Super. Ct. Jan. 23, 2023); In re Eskenazi Health Data Incident Litig., No. 49D01-2111-PL-038870, 2022 WL 20505180, at *11 (Ind. Super. Ct. Sep. 2, 2022); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016).
Since Pisciotta, the Seventh Circuit has recognized the imminent and concrete injuries data breach victims suffer. Those victims, for example, are “at risk for both fraudulent charges and identity theft,” even if those events have not yet manifested. Lewert, 819 F.3d at 967. In the same vein, they must “spen[d] time and effort monitoring both [their] card statements and [their] other financial information as a guard against fraudulent charges and identity theft.” Id. And it seems that Taylor “implicitly acknowledge[s] this” by offering and encouraging credit monitoring services because “[i]t is unlikely that [Taylor] did so because the risk is so ephemeral that it can safely be disregarded.” Remijas, 794 F.3d at 694. When posed as a question, it almost seems commonsensical: “[w]hy else would hackers break in . . . and steal . . . private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those . . . identities.” Id. at 693.
Although those cases concerned Article III's standing requirement, Indiana law on compensable injuries is consistent. For example, Indiana law explicitly allows as damages “the value of [lost time].” Ind. Model Civ. Jury Inst. 703(3) (brackets in original); See also Johnson, 2024 WL 2845928, at *14. The time and effort that data breach victims must expend is a real injury. And recently, one Indiana Court found that further proceedings are necessary “to determine the extent to which those damages can be compensated as arising from the Data Breach at issue in [that] case.” Paul, 2023 WL 5153147, at *6. That said, the Court finds that the increased risk of identity theft that Plaintiffs now face and the costs to mitigate those risks are cognizable injuries.
The extent to which those injuries can be compensated remains to be seen.
Moreover, Taylor glosses over a significant aspect of Plaintiffs' Complaint-the actual misuse of Plaintiffs' PII that Plaintiffs allege resulted in fraudulent charges. (ECF No. 1, ¶¶ 7274). Following the Incident, Plaintiff Eshw had a fraudulent charge on her Chase debit card. (Id. ¶ 74). While true that “[v]ictims affected by those retailer breaches [impacting card information] could avoid much of the potential future harm by simply cancelling credit or debit cards and obtaining replacements,” (ECF No. 1, ¶ 46) that too takes time and effort to resolve. Plaintiffs' time, effort, and money to combat identity theft and fraud in the wake of the Incident is a cognizable injury. At least at this early stage in litigation, the Court will not dismiss Plaintiffs' causes of action on that basis.
Taylor also argues that the diminished value of Plaintiffs' PII is not a cognizable injury. In support, it points the Court to Silha v. ACT, Inc., where the Seventh Circuit affirmed the Illinois District Court's “reject[ion of] the claimed injury of diminished value of PII because Plaintiffs failed to ‘allege that they have the ability to sell their personal information or that Defendants' conduct foreclosed them from entering into a ‘value for value transaction' relating to their PII.” 807 F.3d 169, 172 (7th Cir. 2015). Plaintiffs counter that, under Indiana law, at least one court found that diminished value allegations can confer harm. (ECF No. 19 at 7 (citing In re Eskenazi Health Data Incident Litig., 2022 WL 20505180, at *10 (“the diminution of value in the PII has been deemed a credible harm by at least some federal courts”))).
While PII may have some value, the Court agrees with Defendant insofar as it is hard to see how the value of Plaintiffs' PII has been diminished. Plaintiffs fail to “explain how the hackers' possession of . . . information has diminished its value, nor d[o] [they] assert that [they] would ever actually sell [their] own personal information.” Khan v. Children's Nat'l Health Sys., 188 F.Supp.3d 524, 531 (D. Md. 2016) (rejecting diminished value of PII theory in the standing context). Instead, Plaintiffs rely on a litany of general allegations highlighting PII's value on the black market. (ECF No. 1, ¶¶ 46-49). None of those allegations suggest that Plaintiffs' PII lost value in legitimate markets. Nor do they suggest that they cannot continue to enter value-for-value transactions using their PII on such markets. See Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 46 (D. Ariz. Sept. 27, 2021) (“[W]ithout identifying a market in which they can or could and intend or intended to sell their information, Plaintiffs here fail to demonstrate a loss in value of their PII or PHI.”).
Although In re Eskinazi established that the risk of immediate harm alleged by those plaintiffs conferred standing, it made little mention of the plaintiffs' claims that their PII's diminished value is an adequate injury under Indiana law. Indeed, the Court said only that “the diminution of value in the PII has been deemed a credible harm by at least some federal courts.” In re Eskinazi, 2022 WL 20505180, at *4 (citing In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 460-62 (D. Md. 2020); Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1034 (N.D. Cal. 2019)). The out-of-circuit cases relied upon on In re Eskanazi do not speak to Indiana law, and the Seventh Circuit presents contrary authority which the Court follows. See Silha, 807 F.3d at 172. The diminished value of Plaintiffs' PII is simply “too speculative” to establish a cognizable injury, let alone standing in this Circuit. See Kylie S. v. Pearson PLC, 475 F.Supp.3d 841, 849 (N.D. Ill. 2020).
As for Plaintiffs' emotional distress and anxiety related damages, such damages are plausible and adequately plead. Taylor posits that “if these emotional injuries alone were sufficient to invoke the jurisdiction of federal courts, ‘then everyone would have standing to litigate about everything'” Kim v. McDonald's USA, LLC, 2022 WL 4482826, at *7 (N.D. Ill. Sept. 27, 2022) (quoting Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668 (7th Cir. 2021)) (emphasis added). But the emotional toll of having their PII stolen is not the only harm that Plaintiffs allege. Having found that Plaintiffs' mitigation efforts and the accompanying time spent is a cognizable injury under Indiana law, the emotional toll stemming from the Incident too is cognizable.
Taylor cannot rely on Wadsworth. 12 F.4th 665. There, the Court held that general allegations that plaintiff “has suffered, and continues to suffer, personal humiliation, embarrassment, mental anguish and emotional distress” did not establish standing for an FDCPA claim, nothing more. See id. at 668-69. That case has little bearing on this case especially in light of Plaintiffs' other injuries.
b. Negligence (Count I)
Under Indiana law, common law negligence claims consist of three elements: “(1) duty owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below the applicable standard of care, and (3) compensable injury proximately caused by defendant's breach of duty.” Bader v. Johnson, 732 N.E.2d 1212, 1217 (Ind. 2000). Taylor moves to dismiss Plaintiffs' common law negligence claim on virtually all fronts: (1) “Taylor does not owe a duty to protect Plaintiffs' personal information from cyberattacks”; (2) even if Taylor does owe such a duty, Plaintiffs fail to allege that “Taylor's alleged breach…proximately caused” their injuries; and (3) Plaintiffs' negligence claim is barred by the economic loss doctrine.
Starting with the first element, the issue is whether Taylor owed a duty to protect Plaintiffs' PII. “[Businesses have the common-law duty to exercise ordinary and reasonable care in the conduct of their operations . . . for the safety of others whose injuries should reasonably have been foreseen or anticipated.” WEOC, Inc. v. Niebauer, 226 N.E.3d 771, 778 (Ind. Feb. 12, 2024). But “[a] defendant cannot be found negligent where there is no duty to the plaintiff.” Jaffri v. JPMorgan Chase Bank, N.A., 26 N.E.3d 635, 638 (Ind.Ct.App. 2015). “Whether a duty exists is generally a question of law for the court.” Id.
Taylor cites Trenton v. Schnuck Markets, 887 F.3d 803, 817 (7th Cir. 2018), for the notion that there is no “independent common law duty to safeguard personal information.” The Court finds that case unpersuasive as Trenton interpreted Illinois and Missouri law, not Indiana law. Id. Taylor also argues that Plaintiffs must “actually explain where this independent duty comes from, but fails to do so[,]” relying on Aspen Am. Ins. v. Blackbaud, Inc., 624 F.Supp.3d 982, 998 (N.D. Ind. 2022). (ECF No. 13 at 11).
But Plaintiffs do not come empty handed. The Southern District of Indiana, addressing a similar issue in the employee-to-employer context, reasoned that “generally, employees reasonably expect their employers to keep their personal information safe. Even in the era before digital recordkeeping, if an employer kept its employees' Social Security numbers in an unlocked box on the sidewalk for anyone to take, no one would question that the employer would be negligent.” Johnson, 2024 WL 2845928, at *13. And Indiana common law has adapted to the digital age. See, e.g., Paul, 2023 WL 5153147, at *7 (holding that Defendant owed a duty to protect Plaintiff's PII in a reasonably secure manner); In re Eskenazi Health Data Incident Litig., 2022 WL 20505180, at *11 (same).
As in Paul, Taylor took the affirmative act of collecting and maintaining students' and employees' information. “[B]y taking the affirmative act of collecting the PII, [Taylor] assumes a duty to maintain that information in a reasonable manner. Restatement (Second) of Torts section 302.” Paul, 2023 WL 5153147, at *7. That duty “includes protecting against unauthorized misappropriation of the PII because the general harm of unauthorized disclosure of the sensitive PII could reasonably be expected to occur against the class of persons such as [Plaintiffs] who provided their PII to [Taylor].” Id. (citing Rogers v. Martin, 63 N.E.3d 316, 325 (Ind. 2016)). The Court holds that Taylor owed a duty to Plaintiffs to keep their PII safe and that Plaintiffs adequately pled that element in their Complaint.
Taylor next contends that Plaintiffs “fail to plausibly allege that Taylor's alleged breach of such duty proximately caused them to suffer a cognizable loss.” (ECF No. 13 at 11). The Court discussed Plaintiffs' injuries at length above and determined that they were sufficient to support an Indiana cause of action. Taylor thus argues that “Plaintiffs assume a causal connection between [those injuries] and Taylor's alleged failure to implement measures to protect their PII.” (Id.). That kind of speculation, Taylor cries, “is insufficient to plausibly plead that Taylor is the proximate cause of Plaintiffs' alleged injuries.” (Id. (citing Scott Cty. Fam. YMCA, Inc. v. Hobbs, 817 N.E.2d 603, 604 (Ind.Ct.App. 2004) (“Negligence cannot be inferred from the mere fact of an accident, absent special circumstances.”)).
This argument is a nonstarter. “Breach and proximate cause are almost always questions of fact to be resolved by a factfinder.” Smith v. Walsh Constr. Co. II, LLC, 95 N.E.3d 78 (Ind.Ct.App. 2018) (citing Megenity v. Dunn, 68 N.E.3d 1080, 1083 (Ind. 2017)). And Plaintiffs alleged in great detail that Taylor breached its duty by failing to: (1) exercise reasonable care in supervising its employees and agents; (2) maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks; (3) implement its promised Privacy Policy; (4) adhere to industry standards (5) properly monitor its own data security systems for existing intrusions; (6) exercise reasonable care in supervising its employees and agents; and (7) provide reasonably timely notice of the Incident. (ECF No. 1, ¶¶ 71, 83, 100, 110). And Plaintiffs allege viable harms caused by such breaches. The Court needs to go outside the Complaint to determine whether these alleged breaches did, in-fact, cause Plaintiffs' injuries. Summary Judgment is the appropriate vehicle to make such a determination.
Lastly, Taylor alleges that Plaintiffs' negligence claim is barred by the economic loss doctrine. Under Indiana law, “a defendant is not liable under a tort theory for any purely economic loss caused by its negligence.” U.S. Bank, N.A. v. Integrity Land Title Corp., 929 N.E.2d 742, 745 (Ind. 2010). “[C]ontract is the only available remedy where the loss is solely economic in nature. . . in the absence of damage to other property or person.” Aspen, 624 F.Supp.3d at 1002 (quoting Gunkel v. Renovations, Inc., 822 N.E.2d 150, 152 (Ind. 2005)). But “the economic loss doctrine's preclusive effect must yield if the plaintiff has set forth any set of circumstances under which it would be entitled to relief-a relatively low bar.” Residences of Ivy Quad Unit Owners Ass'n, Inc. v. Ivy Quad Dev., LLC, 179 N.E.3d 977, 983 (Ind. 2022) (emphasis added).
Plaintiffs allege more than purely economic losses here. Their alleged damages include- among other things-lost time, embarrassment, humiliation, frustration, and emotional distress. (ECF No. 1, ¶¶ 101, 102). In Residences, the Indiana Supreme Court held that, though the economic loss doctrine may preclude the plaintiffs' negligence claim as the facts developed, dismissal was inappropriate because the plaintiffs' alleged damages were not purely economic. 79 N.E.3d at 982; See also Johnson, 2024 WL 2845928, *16 (“In any event, at least some of the harms experienced by the Plaintiffs are not solely economic, such as lost time and worry”). Plaintiffs plead similarly here and have set forth a set of circumstances under which tort law would be the appropriate remedy. Because Plaintiffs have plausibly alleged non-economic harms, dismissal is inappropriate at this juncture.
In short, Plaintiffs' Complaint checks all the boxes for a negligence claim under Indiana law, and the economic loss doctrine does not warrant dismissal. The Court thus DENIES Taylor's Motion to Dismiss as to Plaintiffs' negligence claim.
c. Negligence Per Se (Count II)
Along with their common law negligence claim, Plaintiffs allege negligence per se under Section 5 of the Federal Trade Commission Act (“FTCA”). (ECF No. 1, ¶¶ 103-115). The FTCA prohibits “unfair.. .practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). Plaintiffs allege that this provision imposes a duty on Taylor “to provide fair and adequate computer systems and data security practices to safeguard Plaintiffs'.PII.” (ECF No. 1, ¶ 104). Plaintiffs believe that the Incident indicates a breach of that duty. (Id. ¶ 110). Taylor's only argument for dismissing Plaintiffs' negligence per se claim is that the FTCA does not provide a private right of action. (ECF No. 13 at 12 (citing Merriam v. GC Servs., 2018 WL 3068857, at *1 (N.D. Ind. June 21, 2018) (“The FTC Act does not create a private right of action.”)).
Taylor appears to conflate a negligence per se claim with a private right of action under the FTCA. And the confusion is common. See Gresser v. Reliable Exterminators, Inc., 160 N.E.3d 184, 191 (Ind.Ct.App. 2020) (“[T]hese two forms of tort claim are often confused[.]”). But negligence per se claims and private right of action claims, though similar, are distinct. Stachowski v. Est. of Radman, 95 N.E. 3d 542, 545 (Ind.Ct.App. 2018) (“whether a statute or ordinance confers a ‘private right of action'” is “a concept that is related to but distinct from the doctrine of negligence per se.”).
A private right of action assumes that an alleged “violation of a statute or ordinance gives rise to civil liability even in the absence of a common-law duty.” Stachowski, 95 N.E.3d at 545. Negligence per se, on the other hand, “assumes the existence of a common-law duty of reasonable care, and the court is asked to adopt the standard of conduct set forth in a statute or ordinance . . . as the standard of conduct required under that preexisting duty, so that a violation of the statute or ordinance serves to satisfy the breach element of a negligence action.” Id. at 544. Negligence per se claims “differ in that a violation of certain statutes or ordinances serves to satisfy the breach element.” Johnson, 2024 WL 2845928, at *18 (quoting WEOC, Inc. v. Niebauer, 226 N.E.3d 771, 778 (Ind. 2024)).
With these differences in mind, an “unexcused violation of a statutory duty constitutes negligence per se if the statute or ordinance is intended to protect the class of persons in which the plaintiff is included and to protect against the risk of the type of harm which has occurred as a result of its violation.” Erwin v. Roe, 928 N.E.2d 609, 619 (Ind.Ct.App. 2010) (internal quotations omitted). Thus, “[t]he question for the jury is not whether the [FTCA] was violated but whether [Defendants] breached [their] duty to protect [Plaintiffs'] PII by failing to meet the standard of care articulated in the [FTCA].” Paul, 2023 WL 5153147, at *9.
Plaintiffs are not pursuing a private cause of action for violations of the FTCA; they assert that Taylor's violations of those statutes evince a breach of its duty to protect Plaintiffs' PII. (ECF No. 1, ¶¶ 104-115). The FTCA prohibits unfair acts that affect commerce. 15 U.S.C. § 45. “Data breaches affect commerce, and Plaintiffs benefit from protections against the kinds of harms that proper data security would avoid.” Johnson, 2024 WL 2845928, at *18. “[T]he non-existence of [a private right of action] under. ..the [FTCA],. .does not preclude Plaintiffs' claims.” In re Eskanazi, 2022 WL 20505180, at *24.
That said, “the [FTCA] can serve as the basis of a negligence per se claim[,]” Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 760-61 (C.D. Ill. 2020), and Plaintiffs have plausibly alleged such a claim. The Court thus DENIES Taylor's Motion to Dismiss as to Plaintiffs' negligence per se claim.
d. Breach of Contract (Count III)
Plaintiffs' next cause of action is for “breach of express/implied contractual duty.” (ECF No. 1 at 28-30). Plaintiffs allege that Taylor offered educational services in exchange for payment and labor in exchange for employment. (Id. ¶¶ 117-18). In both scenarios, Taylor required Plaintiffs to provide their PII. (Id.). In turn, Plaintiffs allege that Taylor promised to “not disclose [Plaintiffs' PII] to unauthorized persons” and “to maintain safeguards to protect their [PII].” (Id. ¶ 119). Plaintiffs therefore believe that these promises support the existence of a contract, and that Taylor breached that contract through the Incident. In turn, Taylor argues that Plaintiffs' allegations fall short for several reasons: (1) “Plaintiffs fail to plausibly allege.mutual assent to terms of a contract for certain data protections[;]” (2) there is no “consideration for such an agreement[;]” and (3) there was no breach. (ECF No. 13 at 13).
“The elements of an implied-in-fact contract are the same as an express contract: offer, acceptance, and consideration.” Wakley v. Sustainable Loc. Foods LLC, 2017 WL 1880814, at *3 (S.D. Ind. May 9, 2017) (internal citations omitted). Unlike express contracts, “[a]n implied in fact contract refers to the class of obligations which arises from mutual agreement and intent to promise, when the agreement and promise have simply not been expressed in words.” McCart v. Chief Exec. Officer in Charge, Indep. Fed. Credit Union, 652 N.E.2d 80, 85 (Ind.Ct.App. 1995). Accordingly, “a contract implied in fact arises out of acts and conduct of the parties, coupled with a meeting of the minds and a clear intent of the parties in the agreement.” Id.
While Taylor urges the Court that there is no mutual assent or consideration, “[n]o general rule can be set forth as to what facts are necessary to prove the existence of an implied contract.” Johnson, 2024 WL 2845928, at *23 (citing Wilhoite v. Beck, 141 Ind.App. 543, 230 N.E.2d 616, 623 (Ind.Ct.App. 1967)). And Plaintiffs' Complaint sufficiently alleges mutual assent through offer and acceptance. Plaintiffs assert that Taylor offered educational services and employment with the condition that Plaintiffs would provide their PII. Plaintiffs accepted those services and provided their PII. Plaintiffs' provision of their PII is sufficient consideration. See Perry v. Bay & Bay Transp. Servs., Inc., 650 F.Supp.3d 743, 757 (D. Minn. 2023) (“Bay & Bay provided consideration by promising to consider Perry for employment, while Perry provided consideration by providing valuable property, his PI.”). In exchange for that PII, Plaintiffs allege that Taylor agreed to not disclose their PII, to maintain proper safeguards for the PII's protection, and to provide prompt notice of unauthorized access to Plaintiffs' PII. (ECF No. 1 ¶¶ 119-20). As evidence of Taylor's promise to protect their PII, Plaintiffs point to Taylor's privacy policy where it states that Taylor “takes the issue of data security seriously” and has “employed various technologies and policies to keep your data safe.” See In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 591 (N.D. Ill. 2022) (finding statement in privacy policy “that Defendant would ‘restrict access to your personal information to those who require access to such information for legitimate, relevant business purposes'” sufficient to support an implied contract).
Plaintiffs have further alleged that they value the confidentiality of their PII, that they would not have provided it to Defendant absent an agreement to protect it, and that Defendant did not implement the anticipated data security protections. See In re Marriott, 440 F.Supp.3d at 466 (“it is enough to allege that there was an explicit or implicit contract for data security, that plaintiffs placed value on that data security, and that Defendant failed to meet their representations about data security”). And although the terms of the implied contract alleged here are not perfectly defined at the pleading stage, “[t]he question as to whether or not there was either an express contract or an implied contract to pay for the services is [a] matter of fact.” Johnson, 2024 WL 2845928, at *23 (quoting Wilhoite, 230 N.E.2d at 623). Whether Taylor breached the alleged agreement is also a question of fact. Trustees of Indiana Univ. v. Spiegel, 186 N.E.3d 1151, 1158 (Ind.Ct.App. 2022) (“Whether the defendant breached the contract is a question of fact.”).
Whether the relationship is employer-to-employee or university-to-student, there is a general understanding that PII should be kept private. Such an understanding is plausibly implicit in the terms of Plaintiffs' employment or educational contracts. The precise terms of the alleged agreement “can be fleshed out in discovery.” Speigel, 186 N.E.3d at 1160 (“The terms of the implied contracts and the parties' intentions can be fleshed out in discovery.”). The Court thus finds that it would be premature to dismiss Plaintiffs' breach of contract claim at the pleading stage.
The Court must also address Taylor's argument that Plaintiffs' benefit of the bargain theory is not a cognizable loss under Indiana law. (ECF No. 13 at 9). In response, Plaintiffs point out that Taylor only supports this theory with out-of-circuit precedent, none of which addresses Indiana law. At least one Indiana Court declined dismissal on that basis at the pleading stage. See In re Eskinazi, 2022 WL 20505180, at *4 (standing context). Similar to In re Eskanazi, “Plaintiffs' have adequately pleaded a basis to bring contract claims to receive the full benefit of the bargain from [Taylor]...due to [Taylor's] alleged failure to provide the data security services as part of Plaintiffs'” provision of labor and purchase of educational services. Id. at *26. Plaintiffs may therefore proceed on this theory of recovery at least at this point.
Having found that Plaintiffs sufficiently plead a breach of contract claim, Taylor makes one last argument on damages. It argues that Plaintiffs' contract claims should be dismissed because Plaintiffs would otherwise be placed in a more advantageous position than before the alleged breach. (ECF No. 13 at 15-16). Under Indiana law, “a party injured by a breach of contract may not be placed in a better position than it would have enjoyed if the breach had not occurred” and “the law disfavors a windfall or a double recovery.” Sheek v. Mark A. Morin Logging, Inc., 993 N.E.2d 280, 289 (Ind.Ct.App. 2013). Taylor notes that Plaintiffs do not allege that they did not receive the services or compensation that they bargained for.
Plaintiffs respond that they have alleged cognizable damages resulting from Taylor's alleged breach. Indeed, Plaintiffs contend that they are entitled to compensation for data security that they paid for but did not receive. But that is not the only damages sought which Plaintiffs attribute to Taylor's alleged breach. They also claim as damages their mitigation efforts and the heightened risk of identity theft which the Court has already determined are cognizable losses. The extent that those damages are attributable to Taylor's alleged breach remains to be seen, but Plaintiffs need not plead damages “with mathematical certainty” at this stage. In re Eskinazi, 2022 WL 20505180, at *26 (quoting Newland N. Am. Foods, Inc. v. Zentis N. Am. Operating, LLC, 2013 WL 1870652, at *4 (N.D. Ind. May 3, 2013)). Accordingly, it would also “be premature for the Court to find that Plaintiffs would receive a windfall as a result of this claim.” Id.
The Court thus DENIES Taylor's Motion to Dismiss as to Plaintiffs' breach of contract claim.
e. Unjust Enrichment (Count IV)
Taylor argues that Plaintiffs fail to state a claim for unjust enrichment. (ECF No. 13 at 1618). It posits that the facts do not suggest “a measurable benefit on Taylor.. .related in any way to data security.” (Id. at 18). Nor, Taylor argues, does Plaintiffs' Complaint plausibly suggest “that payments for applications and tuition include[] a portion reserved for data privacy and security practices[.]” (Id.). Taylor also contends that, “in the Seventh Circuit, ‘such arguments have been adopted by courts only where the product itself was defective or dangerous and consumers claim they would not have bought it (or paid a premium for it) had they known of the defect.'” (Id. at 17 (quoting Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016)). To that end, Taylor argues that Plaintiffs do not allege that their services were defective or dangerous. Plaintiffs respond that they “clearly conferred a benefit...first in the form of the PII itself” and through payments for tuition or labor. (ECF No 19 at 22).
Under Indiana law, unjust enrichment claims have three elements: “(1) [Plaintiff] rendered a measurable benefit to the defendant at the defendant's express or implied request; (2) [Plaintiff] expected payment from the defendant; and (3) allowing the defendant to retain the benefit without restitution would be unjust.” Neibert v. Perdomo, 54 N.E.3d 1046, 1051 (Ind.Ct.App. 2016). The parties disagree as to the first element-whether Plaintiffs conferred a measurable benefit to Taylor.
Taylor first points out that “Plaintiffs do not cite any Indiana law to support their argument that they conferred a benefit upon Taylor, that Taylor recognized, in the context of providing tuition or employment.” (ECF No. 22 at 9). While Indiana recognizes data as property which this Court concedes has value, it is difficult to see how Taylor benefited from Plaintiffs' PII other than benefits incidental to running its business operations. In the employment context, “Plaintiffs have not alleged that [Taylor] benefited from the PII information other than as incidental to benefitting from Plaintiffs' compensated labor.” Johnson, 2024 WL 2845928, at *25-26 (dismissing unjust enrichment claim). And as for the Plaintiffs who were students or prospective students, the only benefits Taylor received were incidental to running a university and maintaining a student body. Plaintiffs do not allege that Taylor sold their PII or retained any other benefit outside the PII itself. As applied here, “[t]he PII is better understood as necessary to conduct business operations, not a good whose inherent value was extracted by [Taylor].” Id. at *26.
Having found that the PII did not cast a measurable benefit, that leaves Plaintiffs' tuition and application fees or labor as the only potential sources. But using these sources as a measurable benefit give Plaintiffs fits too. As for labor, this Court follows the guidance of Judge Magnus-Stinson who determined that “the provision of labor” was an insufficient benefit in the employer- to-employee context. Id. As for the tuition and application fees, the Court finds Plaintiffs' Complaint wanting.
Plaintiffs do not allege that any portion of their payments would go to data security. See Perdue v. Hy-Vee, Inc. 455 F.Supp.3d 749, 766 (C.D. Ill. 2020) (dismissing unjust enrichment claim where “Plaintiffs have not alleged that any specific portion of their payments went toward data protection; rather, they state that their payments were for food and gas.”). Faced with similar allegations against a restaurant, a Central District of Illinois Court dismissed the plaintiff's unjust enrichment claim because the plaintiff “paid for food products. She did not pay for a side order of data security and protection; it was merely incident to her food purchase.” Irwin v. Jimmy John's Franchise, LLC, 175 F.Supp.3d 1064, 1072 (C.D. Ill. 2016). Bearing in mind that “the court must draw on its judicial experience and common sense,” Iqbal, 556 U.S. at 678-79, Plaintiffs paid for and received educational services. Plaintiffs received those services and data security is properly couched as incidental to Plaintiffs' purchase. And without knowing what portion of those fees were allocated to data security (if at all), Plaintiffs' unjust enrichment claim is too speculative to survive dismissal.
The Court thus GRANTS Taylor's Motion to Dismiss as to Plaintiffs' unjust enrichment claim.
f. Invasion of Privacy (Count V)
Taylor contends that Plaintiffs' invasion of privacy claim must be dismissed because “Plaintiffs fail to allege essential elements of [their] claim.” (ECF No. 13 at 18). Invasion of privacy claims encompasses four theories of wrongdoing: (1) intrusion upon seclusion; (2) appropriation of a person's name or likeness; (3) public disclosure of private facts; and (4) publicity placing a person in a false light. See Pucillo v. Nat'l Credit Sys., Inc., 66 F.4th 634, 639 (7th Cir. 2023). Plaintiffs' claim is for public disclosure of private facts which, under Indiana law, consists of four elements: “(1) the information disclosed must be private in nature; (2) the disclosure must be made to the public; (3) the disclosure must be one that would be highly offensive to a reasonable person; and (4) the information disclosed is not of legitimate public concern.” Cmty. Health Network, Inc. v. McKenzie, 185 N.E.3d 368, 382 (Ind. 2022). Taylor asserts that Plaintiffs' Complaint fails to allege the second and third elements.
As to the second element, also known as the publicity element, Taylor contends that it “made no disclosure, nor did a disclosure occur, to the public at large.” (ECF No. 13 at 19). Relying on McKenzie, it is Taylor's position that “[t]he publicity element means that the information must be communicated [by the defendant] in a way that either reaches or is sure to reach the public in general or a large enough number of persons such that the matter is sure to become public knowledge.” 185 N.E.3d at 382. While that is the rule, Taylor added the bracketed language. To that end, Taylor's argument is that the public disclosure must be made by the defendant, not some unauthorized third party. Taylor also suggests that there has been no public disclosure at all.
Plaintiffs respond that, “[w]ithout saying so, [Taylor] seems to be arguing that a disclosure must be intentional to be tortious.” (ECF No 19 at 23). Plaintiffs believe that Taylor did make a disclosure by maintaining data security practices which allowed hackers to access Plaintiffs' PII. And Plaintiffs contend that their allegation that Taylor disclosed Plaintiffs' PII “to enough people that it is reasonably likely those facts have and/or will become known to the public at large, including, without limitation, on the dark web and elsewhere” satisfies the publicity requirement. (ECF No. 1, ¶ 141).
Indeed, “Indiana's public-disclosure tort is not an intentional tort.” Z.D. v. Cmty. Health Network, Inc., 217 N.E.3d at 531 (Ind. 2023). But the Court does not construe Taylor's argument to mean that some mental state was required under the tort. Public-disclosure cases “uniformly hold that the publicity requirement is met only if said publicization is attributable to the defendant-i.e., defendant must have caused, precipitated or permitted the publicity.” Id. at 536 (quoting David A. Elder, Privacy Torts § 3.3 (2022)). To that end, Taylor seems to be arguing that there is no public disclosure attributable to them. In analyzing the facts of Z.D., the Court agrees that Indiana's public-disclosure tort should not be wrapped around data breach cases such as this.
In Z.D., the plaintiff received medical care from one of the defendant's facilities. Id. at 530. After her visit, the defendant's employee tried to call the plaintiff to discuss her health matters. Id. Unable to reach the plaintiff, the employee prepared a letter documenting Z.D. 's private health information. Id. Although the letter was properly addressed, the envelope in which it was placed was addressed to the wrong person and mailed to that person. Id. That person ended up being a teenager who attended the same school as the plaintiff's daughter. Id. When the improper person received the letter, she posted the letter to Facebook. Id.
From this, the Indiana Supreme Court determined that “[t]he public-disclosure tort embodies dual imperatives, neither of which are served by imposing an intent requirement.” Id. at 534. “First, from individuals and entities alike, the tort demands protection for private information” and “serves to deter the unauthorized disclosure of private information.” Id. Such deterrence may be achieved by implementing security measures. Id. Recognizing that “such measures may fall short[,]” the second imperative is “when failures occur, injured individuals deserve a remedy.” Id.
Although these dual imperatives may be served by allowing the cause of action here, the Court doubts that the Indiana Supreme Court would stretch its bounds so far. See Republic Servs. of Indiana Ltd. P'ship v. Coe Heating & Air Conditioning, Inc., 700 F.Supp.3d 676 (N.D. Ind. 2023) (“[F]ederal district courts must act as a prognosticator of what a state court would decide when a state's Supreme Court is silent.”). An alteration in the facts of Z.D. demonstrates why. Say, for example, the defendant's employee properly addressed the envelope and placed it in a safe at the defendant's facility. Overnight, a third-party burglar broke into the facility, cracked the safe, and stole the letter. The burglar then posted that letter to Facebook. That does not sound like the defendant publicly disclosed the plaintiff's private health information. If anything, that sounds like negligence. Such is the case here. And this Court has already stated that Plaintiffs can proceed on their negligence claim at this stage.
Plaintiffs' Complaint also does not provide a basis for the Court to believe that Plaintiffs' PII was communicated in a manner that is sure to reach the public. “The information must be communicated in a way that either reaches or is sure to reach the public in general or a large enough number of persons such that the matter is sure to become public knowledge.” McKenzie, 185 N.E.3d at 382. Plaintiffs state that Taylor disclosed Plaintiffs' PII “to enough people that it is reasonably likely those facts have and/or will become known to the public at large, including, without limitation, on the dark web and elsewhere.” (ECF No. 1, ¶ 141). Although the Court must take that statement as true under Rule 12(b)(6), “a formulaic recitation of a cause of action's elements will not do.” BellAtl. Corp. v. Twombly, 550 U.S. 544, 545 (2007). The Complaint does not establish that Plaintiffs' PII has reached the public at large. Nor is there anything to suggest that Plaintiffs' PII will swrely become public knowledge. In that vein, the Court finds Plaintiffs' Complaint wanting. Having found Plaintiffs' Complaint insufficient on the second element, the Court need not address offensiveness.
The Court thus GRANTS Taylor's Motion to Dismiss Plaintiffs' claim for invasion of privacy.
g. Bailment (Count VI)
Lastly, Plaintiffs assert a claim for breach of bailment that Taylor contends must fail because “there are no facts showing the existence of a bailment under Indiana law.” (ECF No. 13 at 19). Taylor states that a bailment requires full transfer of the property to the sole custody of the bailee such as to exclude the owner-or bailor-and all others. (Id.). It's Taylor's position that “Plaintiffs' bailment theory.. .cannot stand because Taylor did not have sole custody and control of [Plaintiffs' PII].” (Id. at 20). Relying on Krupa, 2023 WL 143140, Plaintiffs respond that it is a “reasonable inference” that Taylor did exclusively possess Plaintiffs' PII because, once it was on Taylor's servers, Plaintiffs could not manipulate the information. (ECF No. 19 at 25). From Plaintiffs' perspective, Taylor was in full control of their PII. (Id.).
In Indiana, “[a] bailment arises when: (1) personal property belonging to a bailor is delivered into the exclusive possession of the bailee and (2) the property is accepted by the bailee.” Winters v. Pike, 171 N.E.3d 690, 697 (Ind.Ct.App. 2021). “For delivery to occur, there must be a full transfer of the property, either actually or constructively, to the sole custody of the bailee such as to exclude the owner/bailor and others.” Id. at 699. The Court agrees with Taylor that it is difficult to see how there was a full transfer of Plaintiffs' PII.
Two cases from the Southern District of Indiana are at odds. Krupa is the only case to allow a bailment claim in the data breach context under Indiana law. And in Krupa, Judge Sweeney II held that the plaintiff “avoid[ed] the ‘exclusive possession' problem” because “[Krupa] was unable to manipulate his personal data on [the defendant's] servers; [the defendant] was in full control.” 2023 WL 143140, at *10. No doubt Krupa supports the application of a bailment claim to this case. But more recently and under similar facts, Judge Magnus-Stinson held the opposite of Judge Sweeney II: “[I]n this case, Plaintiffs' PII was not in Defendants' exclusive possession. Plaintiffs were free to use or disseminate their PII as they pleased and deliver it to limitless others.” Johnson, 2024 WL 2845928, at *8. Although Judge Magnus-Stinson acknowledged Krupa's holding, the departure is telling.
As the Court has said, Plaintiffs' PII is property. But due to the nature of the property, the Court sees no avenue for Plaintiffs to argue that Taylor exclusively possessed it. Under Indiana law, delivery of the property to the bailee is essential to a bailment's creation and “sufficient delivery” requires “such a full transfer.. .as to exclude the owner and all other persons.” Stubbs v. Hook, 467 N.E.2d 29, 31 (Ind.Ct.App. 1984). Plaintiffs here were not excluded from their PII. Even if Plaintiffs could not manipulate their PII once on Taylor's servers, Plaintiffs still had uninhibited access to their PII insofar as they could “deliver it to limitless others.” Johnson, 2024 WL 2845928, at *8. Holding otherwise here would render the exclusive possession requirement essentially meaningless in data breach cases; a bailor/bailee relationship would exist anytime somebody provides their personal information to a party in order to receive services or employment. In line with Judge Magnus-Stinson, the Court declines to stretch the laws of bailment so far.
Further, in examining Krupa's holding, it is an outlier case. The predominant view across the country is that bailment is not a viable theory in data breach cases. See e.g., Galaria v. Nationwide Mut. Ins., 2017 WL 4918634, at *1 (S.D. Ohio Oct. 31, 2017) (collecting cases) (“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to bailment liability.”). And, as stated above, for good reason. Under no set of facts can Plaintiffs show that they were somehow excluded from possession of their own data. Indeed, Plaintiffs were and are free to do whatever they want with their PII. The Court cannot say Taylor exclusively possessed it. Lacking that essential element, Plaintiffs' bailment claim should be dismissed.
The Court thus GRANTS Taylor's Motion to Dismiss as to Plaintiffs' bailment claim.
IV. Conclusion
For these reasons, Taylor's Motion to Dismiss (ECF No. 12) is DENIED as to Plaintiffs' claims for negligence, negligence per se, and breach of contract; the motion is GRANTED as to all other claims. Plaintiffs' claims for unjust enrichment, invasion of privacy, and bailment are DISMISSED.
SO ORDERED