Krupa v. TIC Int'l Corp.

• Docket Number: 1:22-cv-01951-JRS-MG
• Decision Date: 10 January 2023
• Parties: RODNEY KRUPA individually, and on behalf of all others similarly situated, Plaintiff, v. TIC INTERNATIONAL CORPORATION, Defendant.
• Court: U.S. District Court — Southern District of Indiana

RODNEY KRUPA individually, and on behalf of all others similarly situated, Plaintiff,
v.
TIC INTERNATIONAL CORPORATION, Defendant.

No. 1:22-cv-01951-JRS-MG

United States District Court, S.D. Indiana, Indianapolis Division

January 10, 2023

ORDER ON MOTION TO DISMISS

JAMES R. SWEENEY II, JUDGE

I. Introduction

This is a data breach case and a putative class action. TIC International Corporation, a benefits administration company, allegedly exposed Rodney Krupa's name and social security number to hackers in a March 30, 2022, data breach. Some 187,340 other customers were allegedly subject to the same breach.

TIC has filed a motion to dismiss, (ECF No. 13), under Rules 12(b)(1) and 12(b)(6), arguing that Krupa has neither standing nor a cause of action. Fed.R.Civ.P. 12(b)(1), 12(b)(6).

II. Legal Standard

"A motion to dismiss under Rule 12(b)(1) tests the jurisdictional sufficiency of the complaint, accepting as true all well-pleaded factual allegations and drawing reasonable inferences in favor of the plaintiffs." Bultasa Buddhist Temple of Chicago v. Nielsen, 878 F.3d 570, 573 (7th Cir. 2017) (citing Ezekiel v. Michel, 66 F.3d 894, 897 (7th Cir. 1995)).

1

"A Rule 12(b)(6) motion tests 'the legal sufficiency of a complaint,' as measured against the standards of Rule 8(a)." Gunn v. Cont'l Cas. Co., 968 F.3d 802, 806 (7th Cir. 2020) (quoting Runnion v. Girl Scouts of Greater Chi. & Nw. Ind., 786 F.3d 510, 526 (7th Cir. 2015)). Rule 8(a) requires that the complaint contain a short and plain statement showing that the pleader is entitled to relief. Fed.R.Civ.P. 8(a)(2). "To meet this standard, a plaintiff is not required to include 'detailed factual allegations,'" but the factual allegations must "state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible if it "pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556).

Because the defendant must ultimately be liable, "Rule 12(b)(6) authorizes a court to dismiss a claim on the basis of a dispositive issue of law." Neitzke v. Williams, 490 U.S. 319, 326-27 (1989). That applies "without regard to whether [the claim] is based on an outlandish legal theory or on a close but ultimately unavailing one." Id. But "[a] complaint need not identify legal theories, and specifying an incorrect legal theory is not a fatal error." Rabe v. United Air Lines, Inc., 636 F.3d 866, 872 (7th Cir. 2011).

When considering a motion to dismiss for failure to state a claim, courts "take all the factual allegations in the complaint as true," Iqbal, 556 U.S. at 678, and draw all reasonable inferences in the plaintiff's favor, Roberts v. City of Chicago, 817 F.3d 561, 564 (7th Cir. 2016). Courts need not, however, accept the truth of legal conclusions,

2

and "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Iqbal, 556 U.S. at 678.

III. Discussion

TIC's two arguments are basically one argument. Cf. Bond v. United States, 564 U.S. 211, 218-19 (2011) ("'[C]ause of action' and 'standing' [as] distinct concepts can be difficult to keep separate[.]") A plaintiff to have standing must have an injury, TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203 (2021), and a plaintiff to have an Indiana cause of action for negligence or breach of contract must have an injury, Robertson v. B.O., 977 N.E.2d 341, 344 (Ind. 2012) ("injury" as an element of negligence), Berg v. Berg, 170 N.E.3d 224, 231 (Ind. 2021) ("damages" as an element of breach of contract). TIC argues that Krupa has not been injured by the theft of his personal data. (Def.'s Br. Supp. M. Dismiss 11-12, 17-20, ECF No. 14.) Therefore, TIC reasons, the only injuries he can show are future injuries (or present risks of future injuries), and those are insufficiently definite for recovery here. (Id. at 12-14.)

At first glance, this seems an odd case to be arguing about standing and damages. Krupa is not a random plaintiff speculating about future risks of harm or seeking to assert the rights of others-he personally is a victim of a data breach that actually happened. His social security number was stolen, and he alleges that TIC had it been more careful could have prevented the theft. If this were a bank robbery no one would blink. It is a classic adversarial case. The only way TIC can prevail on its motion to

3

dismiss, then, is if it can show that the exposure of Krupa's social security number to hackers was not an injury at all.^[1]

And, again at first glance, that seems an odd position to take. Having one's social security number stolen seems an obvious harm. If it were not a harm, why should TIC (or anyone else) take any data security measures? TIC might as well leave its customer lists in a spreadsheet on its website. Then there would be no data breach to report; potential plaintiffs would likely never learn their social security numbers were exposed by TIC; and anyone who did identify and sue TIC over the resulting identity theft could be stymied by proof-of-fact issues as to where the thief got the victim's number. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (quoting In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1215 n. 5 (N.D.Cal.2014)) ("[T]he more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not 'fairly traceable' to the defendant's data breach."). That offends all reason. There is a common-sense expectation-which TIC implicitly recognizes through its attempts at data security-that social security numbers are best kept private and

4

that their exposure to hackers is a harm (whether or not identity theft has yet occurred). Consumers are willing to give out their social security numbers in exchange for the benefits and services TIC and others provide, but that willingness is conditioned on the understanding that the business will take at least reasonable steps to ensure that their personal data is not misused. The picture, then, is one of entrustment: consumers entrust their data to firms with the expectation that those firms take reasonable care against data breaches. Sounds like common sense, and sounds like common law: fortunately, the two align.^[2]

The relevant law here is that of bailment.

Entrusting your stuff to others is a bailment. A bailment is the "delivery of personal property by one person (the bailor) to another (the bailee) who holds the property for a certain purpose." Black's Law Dictionary 169 (10th ed. 2014); J. Story, Commentaries on the Law of Bailments § 2, p. 2 (1832) ("a bailment is a delivery of a thing in trust for some special object or purpose, and upon a contract, expressed or implied, to conform to the object or purpose of the trust"). A bailee normally owes a legal duty to keep the item safe, according to the terms of the parties' contract

5

if they have one, and according to the "implication[s] from their conduct" if they don't. 8 C.J.S. Bailments § 36, pp. 468-469 (2017).

Carpenter v. United States, 138 S.Ct. 2206, 2268-69 (2018) (Gorsuch, J., dissenting) (discussing, in a Fourth Amendment context, whether cell companies' cell phone location data is subject to an involuntary (or "implied") bailment on the customer's behalf). See also William LaRosa, New Legal Problems, Old Legal Solutions: Bailment Theory As the Baseline Data Security Standard of Care Owed to an Opponent's Data in E-Discovery, 167 U. PA. L. REV. 775 (2019) (arguing law of bailment is correct theory for data breaches); Miles Christian Skedvold, A Duty to Safeguard: Data Breach Litigation Through a Quasi-Bailment Lens, 25 J. INTELL. PROP. L. 201 (2018) (likewise).

Indiana law has long recognized bailment. Winters v. Pike, 171 N.E.3d 690, 697 (Ind.Ct.App. 2021) (noting "200 years" of history and collecting cases). In Indiana, "[a] bailment arises when: (1) personal property belonging to a bailor is delivered into the exclusive possession of the bailee and (2) the property is accepted by the bailee." Id. at 699 (quoting Cox v. Stoughton Trailers, Inc., 837 N.E.2d 1075, 1082 (Ind.Ct.App. 2005)). "[A] bailment may be implied, delivery may be constructive, and acceptance may be made other than by express contract." Kroger Co. v. Hammond, 877 N.E.2d 228 (Ind.Ct.App. 2007). One example of an implied bailment is a "constructive or involuntary bailment, [which] arises . . . (3) if a person lawfully acquired the possession of personal property of another and holds it under circumstances whereby she should, on principles of justice, keep it safely and restore it or deliver it to the owner." 8 C.J.S. Bailments § 14. As the constructive bailment

6

cases illustrate, "[t]he bailee relationship will not be affected by the fact that a third person, and not the owner of the property, was the one who delivered the property to the bailee." 8 C.J.S. Bailments § 20. The requirement that the bailee have "exclusive possession" distinguishes bailments from leases or cases of shared control. 8 C.J.S. Bailm...