A New Low(er) Bar for Data Breach Class Actions
A ruling by the Illinois appeals court in Flores v AON Corporation set a new low(er) bar for proof of injury in a data breach class action suit.
In the initial pleadings, the plaintiffs alleged that they had suffered damages in the form of:
(1) damages to and diminution in the value of their personal information; (2) lost time, annoyance, interference, and inconvenience dealing with the consequences of the data breach; and (3) anxiety and increased concerns for the loss of their privacy due to the data breach. Plaintiffs also alleged that they suffered imminent and impending injury arising from the substantially increased risk of fraud and identity theft by unauthorized third parties due to the data breach. Additionally, Flores, Rushing, and Williams alleged that they have received increased spam and targeted marketing after the data breach occurred and that the increase in spam was caused by the data breach.
The trial court dismissed the claim for lack of standing and failure to state a claim and the plaintiffs appealed.
The appellate court reversed the lower court’s decision and rulings under several theories of recovery:
Ruling: “The circuit court erred in dismissing plaintiffs’ negligence claim.”
- Negligence Per Se
Ruling: “[W]e uphold the circuit court’s dismissal of plaintiffs’ separate negligence per se claim.”
- Breach of Implied Contract
Ruling: “We affirm the circuit court’s dismissal of plaintiffs’ breach of implied contract claim.”
- Unjust Enrichment
Ruling: “[W]e uphold the circuit court’s dismissal of plaintiffs’ unjust enrichment claim.”
- The Consumer Fraud Act
Ruling: “[W]e affirm the circuit court’s dismissal of plaintiffs’ claim under the Consumer Fraud Act.”
- The Florida Deceptive and Unfair Trade Practices Act
Ruling: “Without any actual damages, Williams’s Florida Trade Practices Act claim is limited to injunctive relief.”
- Invasion of Privacy Under Illinois Law
Ruling: “The circuit court erred in dismissing plaintiffs’ claim for invasion of privacy.”
- Moorman Doctrine
“The Moorman doctrine, also known as the economic loss doctrine, states that there can be no recovery in tort for purely economic losses.”
Ruling: “Since plaintiffs’ common law tort claims are based on defendant’s common law duty to safeguard personal information rather than any express contractual duty, the Moorman doctrine does not prohibit plaintiffs from bringing their claims.
Defendant’s contention that plaintiffs’ injuries are economic is irrelevant since the Moorman doctrine does not apply to plaintiffs’ claims in the first place. The circuit court erred in dismissing plaintiffs’ negligence, negligence per se, unjust enrichment, and invasion of privacy claims under the Moorman doctrine.”
The key finding in the last ruling regarding the Moorman Doctrine depends upon the court finding that there is a common law duty to protect the information. Without finding a common law duty under the initial claim of negligence, the Moorman Doctrine would apply and a claim for economic loss may not be allowed.
In determining whether the claim for negligence could prevail, the court noted:
“Plaintiffs have alleged that they carefully safeguard their personal information and that after the data breach they began to be targeted more frequently by spam messages and targeted marketing, as well as two fraudulent charges. They have also alleged that the data breach is the cause of these injuries because personal information stolen in data breaches is used to cross-reference other available information … These allegations of proximate cause and injury are sufficient at the pleading stage.”
To summarize, being subjected to more “spam messages” and “target marketing” can be used for damage allegations in a claim under a common law negligence theory.
 2023 IL App (1st) 230140, No. 1-23-0140, Opinion filed September 29, 2023
 ID at p 11
 ID at p 12
 ID at p 14
 ID at p 16
 ID at p 18
 ID at p 20
 ID at p 21
 ID at p 22
 ID at p 24
 ID at p 11