Perdue v. Hy-Vee, Inc.

• Decision Date: 20 April 2020
• Docket Number: Case No. 19-1330
• Citation: 455 F.Supp.3d 749
• Parties: Noreen PERDUE, Elizabeth Davis-Berg, Dustin Murray, Melanie Savoie, Cheryl Ellingson, Angela Trang, Harley Wiliams, Mary Williams, Gordon Grewing, Melissa Ward and Patricia Davis, individually and on behalf of all other similarly situated, Plaintiffs, v. HY-VEE, INC., Defendant.
• Court: U.S. District Court — Central District of Illinois

455 F.Supp.3d 749

Noreen PERDUE, Elizabeth Davis-Berg, Dustin Murray, Melanie Savoie, Cheryl Ellingson, Angela Trang, Harley Wiliams, Mary Williams, Gordon Grewing, Melissa Ward and Patricia Davis, individually and on behalf of all other similarly situated, Plaintiffs,

v.HY-VEE, INC., Defendant.

Case No. 19-1330

United States District Court, C.D. Illinois, Peoria Division.

Signed April 20, 2020

Ben Barnow, Erich P. Schork, Anthony Lee Parkhill, Barnow and Associates PC, Kyle Alan Shamberg, Carlson Lynch LLP, Chicago, IL, Cornelius Pellman Dukelow, Abington Cole & Ellery, Tulsa, OK, William B. Federman, Federman & Sherwood, Oklahoma City, OK, Alex M. Kashurba, Andrew W. Ferich, Benjamin F. Johns, Chimicles Schwartz Kriner & Donaldson-Smith LLP, Haverford, PA, Shpetim Ademi, Ademi & O'Reilly LLP, Cudahy, WI, for Plaintiffs.

George J. Tzanetopoulos, Maria Ann Boelen, Baker & Hostetler LLP, Chicago, IL, Emily Jane Perkins, John P. Heil, Jr., Heyl Royster Voelker & Allen, Peoria, IL, Paul G. Karlsgodt, Baker & Hostetler LLP, Denver, CO, for Defendant.

ORDER AND OPINION

Michael M. Mihm, United States District Judge

This matter is now before the Court on Defendant Hy-Vee, Inc.'s ("Defendant") Motion to Dismiss Plaintiffs' Consolidated Second Amended Class Action Complaint (ECF No. 30). For the reasons stated below, Defendant's Motion is GRANTED IN PART AND DENIED IN PART.

JURISDICTION

The Court exercises subject matter jurisdiction under 28 U.S.C. § 1332(d)(2)(A), because the matter in controversy exceeds $5 million, exclusive of interest and costs, and is a class action in which some members of the class are citizens of states different than Defendant. The Court also exercises supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367(a).

BACKGROUND

Defendant is a large supermarket chain that also operates gas pumps, restaurants, and coffee shops.¹ Between November 2018 and August 2019, Defendant was exposed to a data breach. On July 29, 2019, Defendant detected the breach and alerted its customers on August 14, 2019. On October 3, 2019, Defendant notified its customers that the breach was carried out by the use of "malware designed to access payment card data from cards used on point-of-sale (‘POS’) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants." (ECF Nos. 21 at 18; 31-2 at 2). Payment card information of customers who made purchases at the affected POS devices were compromised in the data breach. Defendant posted an online tool for customers to determine which locations were affected and during what timeframe.

Plaintiffs claim they each used one or more payment cards at a compromised POS, and as a result, dealt with suffered side effects of the breach. Plaintiff Perdue accessed a gas pump in Galesburg, Illinois, that was impacted by the data breach. She went three weeks without her bank card, which was the only way she could allegedly access her money and pay her bills. Plaintiff Savoie accessed gas pumps in Iowa that were affected by the data breach. She experienced two fraudulent charges for $100.00 and $74.28. She also spent approximately five hours dealing with fraudulent charges on her credit card. Plaintiff Ellingson accessed a restaurant operated by Defendant in Iowa that was affected by the data breach. She was unable to access her bank funds between August 27, 2019, and September 4, 2019, due to her bank cancelling and replacing her debit card. Plaintiff Trang accessed several food retailers and gas pumps operated by Defendant in Minnesota that were affected by the data breach. She experienced $1000.00 in fraudulent charges and spent approximately three hours dealing with those charges, an overdraft fee, and a cancelled card. Plaintiffs Harley and Mary Williams accessed gas pumps in Kansas that were affected by the data breach. They spent approximately three-to-four hours dealing with $700.00 in fraudulent charges on their debit account. They also were unable to access their monies for three weeks. Plaintiff Grewing accessed gas pumps in Missouri that were affected by the data breach. Two fraudulent charges for $7.81 and $25.94 appeared on his debit cards. He also spent time driving to the bank, disputing charges, and cancelling his debit card. Additionally, he purchased a TransUnion Credit Monitoring Plan as a result of the breach. Plaintiff Murray visited restaurants operated by Defendant in Missouri that were affected by the data breach. He spent approximately three hours dealing with the breach after his debit card had been cancelled and replaced. Plaintiff Davis visited a restaurant operated by Defendant in Wisconsin that was affected by the data breach. She had a card cancelled and replaced. Plaintiffs Ward, in Kansas, and Davis-Berg, in Illinois, spent time monitoring their accounts subsequent to the breach.

On October 15, 2019, Plaintiffs filed a Class Action Complaint against Defendant. (ECF No. 1). On November 25, 2019, Plaintiffs filed their First Amended Class Action Complaint against Defendant. (ECF No. 8). On December 30, 2019, Plaintiffs filed a Second Amended Class Action Complaint asserting fifteen claims: negligence (Count I); negligence per se (Count II); breach of implied contract (Count III); breach of contracts to which Plaintiffs and class members were intended third-party beneficiaries (Count IV); ten statutory claims under the laws of Illinois, Iowa, Kansas, Minnesota, Missouri, and Wisconsin (Counts V-XIV); and unjust enrichment (Count XV). (ECF No. 21). On January 31, 2020, Defendant filed a Motion to Dismiss Plaintiffs' Second Amended Class Action Complaint under Federal Rule of Civil Procedure 12(b)(6). On February 28, 2020, Plaintiffs filed their response. (ECF No. 36). On March 17, 2020, Defendant filed its reply. (ECF No. 40). This Opinion follows.

STANDARD OF REVIEW

Dismissal under Federal Rule of Civil Procedure 12(b)(6) is proper if a complaint fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). To survive a motion to dismiss, a complaint must contain sufficient factual matter, which when accepted as true, states a claim for relief that is plausible on its face. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). Plausibility means alleging factual content that allows a court to reasonably infer that the defendant is liable for the alleged misconduct. Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 547, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A plaintiff's claim must "give enough details about the subject matter of the case to present a story that holds together" to be plausible. Swanson v. Citibank, N.A. , 614 F.3d 400, 404 (7th Cir. 2010). A court must draw all inferences in favor of the non-moving party. Bontkowski v. First Nat'l Bank of Cicero , 998 F.2d 459, 461 (7th Cir. 1993).

When evaluating a motion to dismiss, courts must accept as true all factual allegations in the complaint. Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937. However, the court need not accept as true the complaint's legal conclusions; "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. (citing Bell Atlantic Corp. , 550 U.S. at 555, 127 S.Ct. 1955 ). Conclusory allegations are "not entitled to be assumed true." Id.

Federal Rule of Civil Procedure 8(a)(2) requires only "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). The complaint must give fair notice of what the claim is and the grounds upon which it rests. E.E.O.C. v. Concentra Health Servs., Inc. , 496 F.3d 773, 776–77 (7th Cir. 2007). Fair notice is not enough by itself; in addition, the allegations must show that it is plausible, rather than merely speculative, that the plaintiff is entitled to relief. Tamayo v. Blagojevich , 526 F.3d 1074, 1083 (7th Cir. 2008).

ANALYSIS

I. Plaintiffs' Negligence and Negligence Per Se Claims

In Count I, Plaintiffs, under each state class, allege negligence against Defendant claiming that Defendant owed a duty to Plaintiffs to maintain confidentiality and exercise reasonable care in safeguarding their personal information, and it breached that duty. Plaintiffs claim Defendant's conduct created a foreseeable risk of harm, and as a direct and proximate result, they have been injured. In Count II, Plaintiffs, under each state class, allege negligence per se against Defendant claiming that it had a duty to provide adequate computer systems and data security practices to safeguard their personal information. As a result of breaching that duty, Plaintiffs allege they have suffered damages.

Defendant argues that Plaintiffs fail to state a claim for negligence because there is no duty to safeguard personal information under Illinois law. Alternatively, Defendant states that if the Court determines that a duty exists under any of the relevant states' laws, Plaintiffs' negligence and negligence per se claims should be barred by the economic-loss doctrine recognized in Illinois, Iowa, Missouri, and Kansas. Defendant also argues that Plaintiffs fail to plead any damages that are compensable under Minnesota or Wisconsin law. Regarding Plaintiffs' negligence per se claims, Defendant also states that Plaintiffs do not identify any statute or regulation that sets out a standard of conduct specific enough to establish that it is in violation of that statute or regulation. According to Defendant, the one statute that Plaintiffs do reference, Section 5 of the Federal Trade Commission Act ("FTC Act"), does not impose any data security standard. Plaintiffs contend that Defendant is incorrect about Illinois law and that it has ignored the laws of Minnesota, Kansas, Wisconsin, and Missouri, as they relate to a duty to safeguard personal information. Lastly, Plaintiffs argue that Section 5 of the FTC Act was designed to protect consumers from unfair and deceptive trade practices such as failing to protect...