Florence v. Order Express, Inc.
| Decision Date | 23 May 2023 |
| Docket Number | 22 C 7210 |
| Parties | ERIC FLORENCE and AISHA BUNDAGE, on behalf of themselves and all others similarly situated, Plaintiffs,v. v. ORDER EXPRESS, INC., Defendant. |
| Court | U.S. District Court — Northern District of Illinois |
Plaintiffs Eric Florence and Aisha Bundage were customers of Defendant Order Express, Inc.'s money-services business. After a data breach, Plaintiffs' personal information appeared for sale on the dark web. Plaintiffs sued Order Express bringing claims of negligence, breach of implied contract and violation of the California Consumer Protection Act (CCPA). Order Express now moves to dismiss Plaintiffs' amended complaint for lack of standing and argues further that the CCPA claim is insufficiently pleaded. (Dkt. 17). For the reasons below, Order Express's motion is denied.
Unless otherwise noted, the following factual allegations are taken from Plaintiffs' Amended Class Action Complaint (Dkt. 15) and are assumed true for purposes of this motion. W. Bend Mut. Ins. Co. v. Schumacher, 844 F.3d 670, 675 (7th Cir. 2016); Ctr. For Dermatology & Skin Cancer, Ltd. v Burwell, 770 F.3d 586, 588 (7th Cir. 2014).
Order Express is a money-services business, which collected personal identifying information-including names, social security numbers, and driver's license numbers-from over 63,000 customers. (Dkt. 15 ¶¶ 1-3). Order Express stored customers' personal identifying information on an unencrypted and internet-accessible network. (Id. at ¶ 4). By September 7, 2022, Order Express discovered an ongoing data breach, implicating the personal identifying information. (Id. at ¶¶ 5-6). Due to the breach, six gigabytes of customer data appeared for sale on the “dark web.” (Id. at ¶¶ 7-10).[1]The data included names, addresses, phone numbers, order histories, social security numbers, identity documents, driver's licenses, payment information, “and much more.” (Id. at ¶ 10). Reports emerged in October 2022 that the “CL0P” ransomware gang had orchestrated the attack on Order Express's network. (Id. at ¶ 7). One website stated that the stolen data was subject to a “[r]ansom deadline” of September 19, 2023. (Id. at ¶ 8).
Around December 15, 2022, Order Express began to notify state attorneys general and customers about the data breach. (Id. at ¶¶ 11-12). Order Express explained to customers that an “unknown party accessed parts of [its] computer network without authorization” and that their personal identifying information had been exposed. (Id. at ¶ 33). But Order Express's notices to customers and attorneys general did not disclose that an unauthorized actor had in fact acquired customers' personal identifying information. (Id. at ¶ 13). Nor did Order Express disclose that the personal identifying information was for sale on the dark web and subject to a ransom demand. (Id.)
Florence, a California resident, and Bundage, a Texas resident-both of whom had used Order Express to send or receive money before the data breach-were among the affected customers. (Id. at ¶¶ 21-22, 75, 83). Florence received a notice from Order Express stating that his driver's license number was subject to the data breach. (Id. at ¶¶ 34, 75). Order Express notified Bundage that her social security or tax identification numbers were exposed. (Id. at ¶ 83). After receiving the data-breach notice, Florence and Bundage attempted to mitigate the risks of the breach by verifying the notice's legitimacy and monitoring their accounts. (Id. at ¶¶ 77, 85). They spent time and money on credit monitoring, identity-theft insurance, scrutinizing bank and credit card statements and credit reports, and setting up fraud alerts. (Id. at ¶ 143). The exposure of their personal information in the data breach, Plaintiffs assert, has nonetheless left them vulnerable to “fraud, identify theft, and misuse” by unauthorized third parties or criminals. (Id. at ¶¶ 81, 89).
On the dark web, personal information sells for $40 to $200, and bank details sell for $50 to $200. (Id. at ¶ 64). Fraudulent uses of personal information include obtaining driver's licenses, government benefits, medical services, or housing. (Id. at ¶ 67). Identity thieves can also give false information to police. (Id.) Plaintiffs' stolen information is “difficult, if not impossible, to change.” (Id. at ¶ 65). And fraudulent activity may not become apparent until years after a data breach. (Id. at ¶¶ 68-69). Order Express offered Plaintiffs two years of credit monitoring and identity-theft protection, which Plaintiffs allege is insufficient. (Id. at ¶¶ 71, 73).
Florence brought this putative class action on December 28, 2022. (Dkt. 1). In their Amended Class Action Complaint, Florence and Bundage allege negligence (Count I) and breach of implied contract (Count II), seeking declaratory and injunctive relief (Count III) in addition to damages. (Dkt. 15). Florence brings an additional claim under the CCPA, Cal. Civ. Code §§ 1798.100, et seq. (Id.).[2] Order Express now moves to dismiss the amended complaint for lack of standing under Federal Rule of Civil Procedure 12(b)(1) and to dismiss Florence's CCPA claim under Rule 12(b)(6). (Dkt. 17).
Rule 12(b)(1) motions “are meant to test the sufficiency of the complaint, not to decide the merits.” Ctr. for Dermatology & Skin Cancer, 770 F.3d at 588. While the plaintiffs bear the burden of showing that subject-matter jurisdiction is proper, the Court accepts the well-pleaded factual allegations in the plaintiffs' complaint as true and draws reasonable inferences in their favor. Id. at 588-89. If the Court lacks subject-matter jurisdiction, it must dismiss the action without reaching the merits. MAO-MSO Recovery II, LLC v. State Farm Mut. Auto. Ins. Co., 935 F.3d 573, 581 (7th Cir. 2019).
To survive a motion to dismiss under Rule 12(b)(6), the complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Kaminski v. Elite Staffing, 23 F.4th 774, 776 (7th Cir. 2022) (quoting Fed.R.Civ.P. 8(a)(2)). The plaintiffs “must allege ‘enough facts to state a claim that is plausible on its face.'” Allen v. Brown Advisory, LLC, 41 F.4th 843, 850 (7th Cir. 2022) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible when the plaintiffs plead “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quoting Ashcroft v. Iqbal, 566 U.S. 662, 678 (2009)). Again, the Court accepts the plaintiffs' well-pleaded factual allegations as true, drawing reasonable inferences in their favor. Id. (citing W. Bend, 844 F.3d at 675).
Article III of the Constitution limits federal jurisdiction to “cases” and “controversies.” U.S. Const. art. III § 2; TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203 (2021). Thus, the party “invoking the power of a federal court must demonstrate standing to do so.” Hero v. Lake Cnty. Election Bd., 42 F.4th 768, 772 (7th Cir. 2022) (quoting Hollingsworth v. Perry, 570 U.S. 693, 704 (2013)). To have standing, a plaintiff must show: (1) an injury in fact; (2) traceable to the defendant; and (3) redressable by judicial relief. Pierre v. Midland Credit Mgmt., Inc., 29 F.4th 934, 937 (7th Cir. 2022); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). Plaintiffs need “standing for each claim that they press and for each form of relief that they seek.” TransUnion, 141 S.Ct. at 2208. And in a putative class action, each named plaintiff must demonstrate “that they personally have been injured, not that injury has been suffered by other, unidentified members of the class.” Warth v. Seldin, 422 U.S. 490, 502 (1975).
Important here, an adequate injury in fact is “concrete, particularized, and actual or imminent.” Ewing v. MED-1 Sols., LLC, 24 F.4th 1146, 1151 (7th Cir. 2022). Although a concrete injury need not be tangible, it must be “real,” rather than “abstract.” Id. (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016)); see also Markakos v. Medicredit, Inc., 997 F.3d 778, 781 (7th Cir. 2021) (). Concreteness is essential: “No concrete harm, no standing.” Ewing, 24 F.4th at 1151 (quoting TransUnion, 141 S.Ct. at 2200). Then, the actual-or-imminent element “ensure[s] that the alleged injury is not too speculative.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013). An injury is therefore imminent if the threat of future harm is “certainly impending”; the mere possibility of a future injury is not enough. Id.
The Seventh Circuit considered concreteness and imminence in the data-breach context in Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015). There, customers sued a department store after hackers stole their credit card numbers-some which had already been fraudulently used. Id. at 690. The Court held that the not-yet-defrauded customers alleged imminent injuries because the exposure of their credit card numbers created an “objectively reasonable likelihood” of identity theft and fraudulent charges. Id. at 693 (quoting Clapper, 568 U.S. at 410). If not to make fraudulent charges or steal customers' identities, “[w]hy else would hackers break into a store's database and steal consumers' private information?” Id. “Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” Id. at 694 (quotation omitted). Considering the “substantial risk” of identity theft, the customers' mitigation expenses-specifically, the costs of credit monitoring- reflected an additional concrete harm. Id.; see also Clapper, 568 U.S. at...
To continue reading
Request your trial