McLaughlin v. Taylor Univ.

1

JUSTIN MCLAUGHLIN and ATURINA ESHW, on behalf of themselves, and all others similarly situated, Plaintiffs, v. TAYLOR UNIVERSITY Defendant,

No. 1:23-cv-00527-HAB-SLC

United States District Court, N.D. Indiana, Fort Wayne Division

September 23, 2024

OPINION AND ORDER

HOLLY A. BRADY UNITED STATES DISTRICT COURT CHIEF JUDGE

Plaintiffs Justin McLaughlin and Aturina Eshw, on behalf of themselves and all other similarly situated (collectively hereafter “Plaintiffs”), sued Defendant, Taylor University (“Taylor”), because hackers infiltrated Taylor's network and stole Plaintiffs' personal information. (ECF No. 1). Plaintiffs allege that Taylor failed to implement reasonable measures to safeguard their information and failed to promptly notify Plaintiffs of the data breach. Plaintiffs' suit asserts claims for negligence, negligence per se, breach of contract, unjust enrichment, invasion of privacy, and breach of bailment. Before the Court is Taylor's Motion to Dismiss Plaintiffs' Complaint (ECF No. 12) in its entirety. Taylor's Motion is now fully briefed (ECF Nos. 13, 19 22) and ripe for ruling.

I. Standard or Review

Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of a complaint, or any portion of a complaint, for failure to state a claim upon which relief can be granted. Fed.R.Civ.P 12(b)(6). “To survive a motion to dismiss, a complaint must contain sufficient factual matter accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citations and internal quotation marks omitted); see also Ray v. City of Chi., 629 F.3d 660, 662-63 (7th Cir. 2011). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. When analyzing a motion to dismiss a claim under Rule 12(b)(6), the factual allegations in the complaint must be accepted as true and viewed in the light most favorable to the plaintiff. Brokaw v. Mercer Cnty., 235 F.3d 1000, 1006 (7th Cir. 2000).

That said, the Court is not “obliged to accept as true legal conclusions or unsupported conclusions of fact.” Bielanski v. Cty. Of Kane, 550 F.3d 632 Cir. 2008). And “[t]hreadbare recitals of the elements of a cause of action, supported by merely conclusory statements do not suffice.” Iqbal, 556 U.S. at 678.

II. Factual Background

Taylor is a private university located in Upland, Indiana. (ECF No. 1, ¶ 20). In the ordinary course of providing educational services, Taylor requires students, employees, and others to provide their personal information to conduct their business. (Id. ¶ 25). Taylor stores that information on its servers. (Id. ¶ 26). Plaintiff Mclaughlin is a graduate of Taylor and Plaintiff Eshw is a former prospective student that applied to Taylor in 2020. (Id. ¶¶ 13, 17). Both provided and entrusted Taylor with their personal information. (Id. ¶ 31).

On or around May 18, 2023, Taylor was subject to a sophisticated cybersecurity incident in which hackers got their hands on Plaintiffs' personal information (“the “Incident”). (ECF No. 1-1). Once Taylor identified the Incident, it secured the systems involved, alerted law enforcement, and launched an investigation. (Id.). Through the investigation, Taylor learned that hackers accessed the affected systems between February 26 and May 18, 2023. (Id.) Taylor's Notice Letter indicates that those systems may have contained the personal information of current and former students, prospective students, employees, donors, and other individuals, including their names, Social Security numbers, driver's license/state ID numbers, and/or financial account information (collectively “PII”). (ECF No. 1, ¶ 39; ECF No. 1-1). And in the Notice Letter Taylor offers a year of free credit monitoring services and encouraged the victims to remain vigilant in monitoring their affairs. (ECF No. 1-1). Taylor sent the Notice Letter to the victims on December 4, 2023. (Id.).

Plaintiffs McLaughlin and Eshw received the Notice Letter and filed suit in this forum seeking to certify a class of “[a]ll individuals whose Personal Information was compromised as a result of the [Incident] with [Taylor] which was announced on or about December 4, 2023.” (Id. ¶ 79.). Plaintiffs allege that the Incident “was preventable and a direct result of [Taylor's] failure to implement adequate and reasonable cyber-security procedures and protocol necessary to protect individual's [PII].” (Id. ¶ 43). Plaintiffs state that they “have been required to take the time and effort...to mitigate the actual and potential impact of the [Incident] including.. .placing ‘freezes' and ‘alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring” various sources for unauthorized activity. (Id. ¶ 7). Other injuries Plaintiffs contend that they have suffered include: misuse or theft of their PII; diminution in value of their PII; and loss of the benefit of the bargain with Taylor to adequately protect their PII. (Id. ¶¶ 72, 102). Plaintiffs also claim that they incurred out-of-pocket expenses, suffered emotional distress and anxiety, and now forever face an amplified risk of further misuse, fraud, and identity theft because the hackers' receipt of their PII. (Id. ¶¶ 4, 101).

Plaintiffs thus sued Taylor under theories of negligence (Count I), negligence per se under Section 5 of the Federal Trade Commission Act (Count II), breach of contract (Count III), unjust enrichment (Count IV), invasion of privacy (Count V), and breach of bailment (Count VI). (Id. at 23-35).

III. Discussion

Taylor seeks dismissal of all claims asserted in Plaintiffs' Complaint. (ECF No. 13). It starts by broadly alleging that Plaintiffs' damages do not amount to a cognizable loss sufficient for any cause of action under Indiana law. (Id. at 5-10). Taylor then hones in on Plaintiffs' causes of action individually and contends that they have failed to state a claim for each. The Court will first address Taylor's argument that Plaintiffs' alleged injuries are insufficient and will then address each of Plaintiffs' substantive causes of action specifically below.

a. Cognizable Loss

Indiana law requires Plaintiffs to plead a cognizable loss or actual injury as an indispensable element of their common law claims.^[1] Taylor asserts three arguments to support their assertion that Plaintiffs fail to plead a cognizable loss: (1) increased risk of future harm and identity theft as well as anticipated mitigation and remediation costs are insufficient; (2) injuries based on the diminished value of PII are routinely rejected; and (3) future anxiety related theories are not cognizable injuries.^[2]

While Taylor encourages this Court not to “conflate Article III's requirement of injury in fact with [the Plaintiffs'] potential causes of action,” Debernardis v. IQ Formulations, LLC, 942 F.3d 1076, 1084 (11th Cir. 2019), “‘cause of action' and ‘standing' [as] distinct concepts can be difficult to keep separate[.]” Bond v. United States, 564 U.S. 211, 218-19 (2011). “A plaintiff to have standing must have an injury, and a plaintiff to have an Indiana cause of action for negligence or breach of contract must have an injury.” Krupa v. TIC International Corp., 2023 WL 143140, at *3 (S.D. Ind. Jan. 10, 2023).^[3] Taylor cites no in-circuit authority to support that the standard for injury-in-fact under Article III is higher than that of a compensable injury under Indiana law. And like other courts in this Circuit have said, the Court sees no difference as applied here. See Johnson v. Nice Pak Prod., Inc., 2024 WL 2845928, at *14 (S.D. Ind. June 5, 2024). Taylor argues that Plaintiffs were not injured by the theft of their PII and reasons that the only injuries Plaintiffs can show are future injuries or the risk of future harm. Taylor therefore contends that Plaintiffs' alleged injuries are insufficiently definite to pursue a claim under Indiana law.

The Court begins with Taylor's argument that the increased risk of future harm and anticipated mitigation costs are not injuries. Taylor relies heavily on Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007). In Pisciotta, the issue was “whether Indiana would consider that the harm caused by identity information exposure . . . constitutes an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract.” Id. at 635 (emphasis in original). At that time, the answer was no. Id. But the Seventh Circuit and Indiana courts alike have done well with chipping away at Pisciotta's commands. See, e.g., Paul v. Ardagh Glass, Inc., No. 49D07-2209-CT-031302, 2023 WL 5153147, at *7 (Ind. Super. Ct. Jan. 23, 2023); In re Eskenazi Health Data Incident Litig., No. 49D01-2111-PL-038870, 2022 WL 20505180, at *11 (Ind. Super. Ct. Sep. 2, 2022); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016).

Since Pisciotta, the Seventh Circuit has recognized the imminent and concrete injuries data breach victims suffer. Those victims, for example, are “at risk for both fraudulent charges and identity theft,” even if those events have not yet manifested. Lewert, 819 F.3d at 967. In the same vein, they must “spen[d] time and effort monitoring both [their] card statements and [their] other financial information as a guard against fraudulent charges and identity theft.” Id. And it seems that Taylor “implicitly acknowledge[s] this” by offering and encouraging credit monitoring services because “[i]t is unlikely that [Taylor] did so because...