Cooney v. Chicago Pub. Sch.

• Decision Date: 30 December 2010
• Docket Number: No. 1–09–1215.,1–09–1215.
• Citation: 943 N.E.2d 23,407 Ill.App.3d 358,347 Ill.Dec. 733
• Parties: Jacqueline COONEY, Emma Martin, Michele Hardin, Gwendolyn Jones, Karen Soprych, Thomas Balek, Robert Giancarlo and Eulett Cox, on Behalf of Themselves and All Others Similarly Situated, Plaintiffs–Appellants,v.CHICAGO PUBLIC SCHOOLS; The Board of Education of the City of Chicago; and All Printing and Graphics, Inc., Defendants–Appellees.Jan Morgan–Wulf; Allison Padelford and Paul Rieger et al., Indiv. and on Behalf of All Persons and Entities Similarly Situated, Plaintiffs–Appellants,v.The Board Of Education of the City of Chicago and All Printing and Graphics, Inc., Defendants–Appellees.
• Court: United States Appellate Court of Illinois

407 Ill.App.3d 358

943 N.E.2d 23

347 Ill.Dec. 733

160 Lab.Cas. P 61,101

Jacqueline COONEY, Emma Martin, Michele Hardin, Gwendolyn Jones, Karen Soprych, Thomas Balek, Robert Giancarlo and Eulett Cox, on Behalf of Themselves and All Others Similarly Situated, Plaintiffs–Appellants,

v.CHICAGO PUBLIC SCHOOLS; The Board of Education of the City of Chicago; and All Printing and Graphics, Inc., Defendants–Appellees.Jan Morgan–Wulf; Allison Padelford and Paul Rieger et al., Indi

v. and on Behalf of All Persons and Entities Similarly Situated, Plaintiffs–Appellants,

v.The Board Of Education of the City of Chicago and All Printing and Graphics, Inc., Defendants–Appellees.

No. 1–09–1215.

Appellate Court of Illinois, First District, Sixth Division.

Dec. 30, 2010.

Keith L. Hunt, Hunt & Associates, P.C., Chicago, for Appellants.Mare N. Blumenthal, Law Office of Marc N. Blumenthal, Chicago, for the Morgan–Wulf Appellants.Rick J. Rocks, William A. Morgan, Lisa D. Hugé, Board of Education of the City of Chicago, Chicago, for Appellee Board of Education of the City of Chicago.Karen L. Kendall, Heyl Royster, Voelker & Allen, Peoria; Marion Victoria Cruz, James D. Montgomery & Associates, Ltd., Chicago, for Appellee All Printing & Graphics, Inc. Justice CAHILL delivered the opinion of the court:

[347 Ill.Dec. 737 , 407 Ill.App.3d 360] Plaintiffs appeal the circuit court's order dismissing claims stemming from disclosure of the personal information of approximately 1,700 former Chicago Public School (CPS) employees. We affirm.

Defendant All Printing & Graphics, Inc., was retained by the Board of Education of the City of Chicago (Board) to print, package and mail a “Chicago Public Schools–COBRA Open Enrollment List” to over 1,700 former CPS employees. The mailing, sent sometime between November 23, 2006, and November 27, 2006, informed the former employees that as COBRA participants, they could change their insurance benefit plans. The list sent to each plaintiff contained the names of all 1,750 plaintiffs, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information (COBRA list).

On November 26, 2006, the Board learned of the disclosure of the personal information. The following day the Board sent a letter to the former employees, asking them to return the COBRA list or destroy it.

On December 8, 2006, the Board mailed the former employees a letter offering one year of free credit protection insurance.

Some of the former employees filed individual and class action lawsuits, and the cases were later consolidated. The complaints allege: (1) violation of the Personal Information Protection Act (the Act) (815 ILCS 530/1 et seq. (West 2006)); (2) violation of the Consumer Fraud and Deceptive Business Practices Act (Consumer Fraud Act) (815 ILCS 505/1 et seq. (West 2006)); (3) violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. 1320d–6 (2006)) under 42 U.S.C. § 1983; (4) violation of the common law right to privacy; (5) violation of the Illinois Constitution's privacy clause (Ill. Const.1970, art. I, § 6); (6) negligent infliction of emotional distress; (7) negligence; and (8) breach of fiduciary duty. Defendants moved to dismiss the complaints under sections 2–615 and 2–619 of the Illinois Code of Civil Procedure (735 ILCS 5/2–615, 2–619 (West 2006)). The trial court dismissed the complaints with prejudice.

Plaintiffs appeal the dismissal of all claims with the exception of the alleged violation of the Illinois Constitution's privacy clause.

We review de novo a dismissal under sections 2–615 and 2–619 of the Code. Solaia Technology, LLC v. Specialty Publishing Co., 221 Ill.2d 558, 578–79, 304 Ill.Dec. 369, 852 N.E.2d 825 (2006). A complaint is properly dismissed under section 2–615 of the Code where there is no set of facts that if proven would entitle the plaintiff to recovery. Marshall v. Burger King Corp., 222 Ill.2d 422, 429, 305 Ill.Dec. 897, 856 N.E.2d 1048 (2006). A complaint is properly dismissed under section 2–619 of the Code where no genuine issue of material fact exists and the defendant is entitled to judgment as a matter of law. Doyle v. Holy Cross Hospital, 186 Ill.2d 104, 109–10, 237 Ill.Dec. 100, 708 N.E.2d 1140 (1999).

Plaintiffs first argue that the trial court erred in dismissing their common law and statutory negligence claims. To succeed on their negligence claims, plaintiffs must allege and prove that (1) defendants owed a duty to plaintiffs; (2) defendants breached that duty; and (3) the breach caused injury to plaintiffs. First Springfield Bank & Trust v. Galman, 188 Ill.2d 252, 256, 242 Ill.Dec. 113, 720 N.E.2d 1068 (1999).

[943 N.E.2d 28 , 347 Ill.Dec. 738]

We must first decide whether the Board had a duty to safeguard plaintiffs' personal information under a statutory directive, because where no duty is owed, there is no negligence. Washington v. City of Chicago, 188 Ill.2d 235, 239, 242 Ill.Dec. 75, 720 N.E.2d 1030 (1999). Plaintiffs argue that HIPAA (42 U.S.C. § 1320d–6 (2006)) provides a statutory basis for the creation of a new duty. A violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence. Kalata v. Anheuser–Busch Cos., 144 Ill.2d 425, 434–35, 163 Ill.Dec. 502, 581 N.E.2d 656 (1991). HIPAA prohibits the disclosure of “individually identifiable health information to another person.” 42 U.S.C. 1320d–6(a)(3) (2006). But, “employment records held by a covered entity in its role as employer” are specifically excluded from HIPAA protection. 45 C.F.R. § 160.103 (2006). Because the Board held plaintiffs' health insurance elections in its role as an employer, the Board's disclosure falls outside HIPAA's coverage.

Plaintiffs also contend that the Act (815 ILCS 530/1 et seq. (West 2006)) creates a legal duty. The Act provides:

“Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” 815 ILCS 530/10(b) (West 2006).

The “ ‘[b]reach of the security of the system data’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information [including social security numbers] maintained by the data collector.” 815 ILCS 530/5 (West 2006). In defining “data collector,” the Act includes “government agencies * * * and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.” 815 ILCS 530/5 (West 2006).

Plaintiffs claim that the Board, as a data collector, violated the Act because a “breach of the security of the system data” occurred. Plaintiffs are correct, but while the statute defines what a breach of system security is, it also codifies the remedy: the data collector must provide timely notice of a security breach to the parties affected. 815 ILCS 530/10 (West 2006). The Board complied with the statute by timely notifying plaintiffs of the breach.

Plaintiffs suggest that we adopt an expansive reading of the Act. The argument can be summarized as follows: in enacting the Act, the legislature intended to protect personal information from disclosure. If the only obligation imposed by the Act is to provide notice of a breach, its purpose would be defeated because entities could repeatedly disclose personal information and then exonerate themselves by providing notice. So, the statute's purpose can only be realized by penalizing the disclosure itself.

Because the provisions in the Act are clear, we must assume it reflects legislative intent to limit defendants' duty to providing notice. See Comprehensive Community Solutions, Inc. v. Rockford School District No. 205, 216 Ill.2d 455, 473, 297 Ill.Dec. 221, 837 N.E.2d 1 (2005) (“[t]he plain language of a statute remains the best indication of [the legislature's] intent”).

Plaintiffs next contend that we should recognize a “new common law duty” to safeguard information. They claim a duty is justified by the sensitivenature

[347 Ill.Dec. 739 , 943 N.E.2d 29]

of personal data such as dates of birth and social security numbers. Plaintiffs do not cite to an Illinois case that supports this argument. While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review. As noted, the legislature has specifically addressed the issue and only required the Board to provide notice of the disclosure.

All Printing also had no duty to protect plaintiffs' information from disclosure. All Printing met its contractual obligations by printing and mailing the Board's information packets. Plaintiffs cite to no authority for the proposition that All Printing had a duty to inspect the contents of the packets or inform the Board of any irregularity. Absent a duty, there is no negligence. Washington, 188 Ill.2d at 239, 242 Ill.Dec. 75, 720 N.E.2d 1030. We affirm the trial court's dismissal of plaintiffs' negligence claims.

Plaintiffs next seek recovery for negligent infliction of emotional distress. A plaintiff claiming to be a direct victim of negligently inflicted emotional distress must establish the traditional elements of negligence: duty, breach, causation and injury. Corgan v. Muehling, 143 Ill.2d 296, 306, 158 Ill.Dec. 489, 574 N.E.2d 602 (1991). Because plaintiffs failed to establish a duty on the part of either defendant, their negligent infliction of emotional distress claim must fail with their general negligence claims.

Plaintiffs next assert that the Board, as their former employer, had a...