MEMORANDUM OPINION AND ORDER
RUBÉN CASTILLO, Chief District Judge.
Anne Dolmage ("Plaintiff") brings this putative class action against Combined Insurance Company of America ("Defendant"). (R. 36, Am. Compl.) Presently before the Court is Defendant's motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). (R. 41, Def.'s Mot.) For the reasons stated below, the motion is denied.
Plaintiff is a citizen of Missouri and is employed by the department store Dillard's. (R. 36, Am. Compl. ¶ 10.) Defendant is an insurance provider headquartered in Glenview, Illinois. (Id. ¶ 11.) Defendant provides a number of insurance products, including disability, accident, health, and life insurance policies. (Id.) Plaintiff and other Dillard's employees purchased insurance coverage from Defendant through their employer. (Id. ¶ 10.) Plaintiff purchased insurance from Defendant in June 2011, and maintained her coverage until July 2012. (Id. ¶ 10.) The proposed class members are Dillard's employees who purchased insurance policies from Defendant between March 2010 and March 2012, as well as their dependents covered under such policies. (Id. ¶ 41.) In the process of purchasing insurance from Defendant, Plaintiff and the proposed class members provided Defendant with various types of personal information, including their names, addresses, dates of birth, social security numbers, and insurance enrollment and premium information. (Id. ¶ 3.)
Plaintiff alleges that she and other enrollees received from Defendant a document entitled, "Our Privacy Pledge to You" (herein "Privacy Pledge"), along with other materials relating to their policies. (Id. ¶ 49; see also R. 36-1, Privacy Pledge.) The Privacy Pledge describes Defendant's handling of its insureds' personal information, and states that the company "will not disclose personal information about you, or any current or former insured, except as permitted and/or required by law." (R. 36-1, Privacy Pledge.) The Privacy Pledge further states that Defendant "maintain[s] physical, electronic and procedural safeguards that comply with federal regulations to guard your personal information," and that it "restrict[s] access to your personal information to those employees who need to know such information." (Id.) The Privacy Pledge acknowledges that Defendant may sometimes "share your information with a company or business not officially connected to [Defendant] but who may do work on our behalf," but states that "if we do provide your information to any party outside of [Defendant] we will require them to abide by the same privacy standards as indicated here." (Id.)
Defendant hired a third-party company called "Enrolltek" to perform insurance enrollment functions and other tasks relating to Plaintiff's and other class members' applications. (R. 36, Am. Compl. ¶ 12.) Defendant regularly provided Robert Diorio, the principal of Enrolltek, with access to Plaintiff's and the proposed class members' personal information, which was maintained in one or more databases on a server owned and controlled by Defendant. (Id. ¶ 13.) On more than one occasion, Defendant granted Diorio access to this personal information so that he could copy it to an external hard drive. (Id. ¶ 14.) This external hard drive was not secure. (Id.) Plaintiff alleges that for a sixteen-month period, proposed class members' personal information was "posted online, unsecure and unprotected," and was "accessible to anyone with an Internet connection." (Id. ¶ 3.) According to the complaint, "[a]ll one had to do was type in the name of Plaintiff or any other Class member into the Google search engine and their [personal information] . . . would be included in the results." (Id.)
On or about July 8, 2013, Defendant was notified about this data breach by some Dillard's employees who, upon entering their names into the Google search bar, had discovered that their personal information was readily available online. (Id. ¶ 19.) In a letter dated July 26, 2013, Defendant formally notified Plaintiff and other class members that their personal information had been "stored on an Internet server by a third party enrollment system vendor since March 2012 without the proper security measures." (Id. ¶ 22.) Defendant offered the class members credit monitoring services for a one-year period. (Id. ¶ 23; see also R. 36-2, Breach Notification Letter.)
Plaintiff alleges that the data breach "was a direct and foreseeable result of [Defendant's] failure to adopt and maintain industry-standard and regulatory-compliant security measures to safeguard and protect Plaintiff's and Class members' [personal information] from unauthorized access, use, and disclosure." (R. 36, Am. Compl. ¶ 36.) Plaintiff alleges that the breach was caused by Defendant's "failure to ensure that Enrolltek implemented similar security measures" to those employed by Defendant. (Id.) According to the complaint, Defendant knew prior to July 2013 that Enrolltek had posted files containing class members' personal information on its unsecured website, "as Diorio emailed [Defendant] links to the files on the Enrolltek website." (Id. ¶ 80.) And yet, the complaint alleges, Defendant allowed class members' personal information to remain on the website for over a year. (Id. ¶ 80.) Plaintiff alleges that these actions and omissions violated the promises Defendant made in its Privacy Pledge to her and other class members. (Id. ¶ 1.)
The complaint alleges that because of Defendant's actions and omissions, Plaintiff and the proposed class members have suffered economic damages and other injuries, including:
(Id. ¶ 83.) Plaintiff claims that because of the data breach, unknown individuals stole her information and submitted a false income tax return in her name to the Internal Revenue Service, allowing them to obtain her tax refund for 2013. (Id. ¶ 38.) She claims that unknown individuals also incurred fraudulent cell phone charges and medical expenses in her name. (Id. ¶¶ 38-39.) She alleges that she has spent time and money addressing these fraudulent charges and also had her tax refund delayed. (Id.) According to the complaint, at least 30 other Dillard's employees have reported being victims of identity theft following the data breach. (Id. ¶ 40.)
On May 22, 2014, Plaintiff filed a ten-count complaint against Defendant alleging claims under the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq., and state law claims of negligence, breach of fiduciary duty, breach of express contract, breach of implied contract, unjust enrichment, invasion of privacy, and violation of the Illinois Insurance Code, 215 ILL. COMP.STAT 5/1001 et seq. (R. 1, Compl.) Defendant moved to dismiss all counts of the complaint pursuant to Rule 12(b)(6). (R. 20, Def.'s Mot. to Dismiss.) In a memorandum opinion and order issued on January 21, 2015, the Court dismissed all of Plaintiff's claims with prejudice, except for the breach of express contract and breach of fiduciary duty claims. Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *3-10 (N.D. Ill. Jan. 21, 2015). These two claims were dismissed with leave to replead them in an amended complaint after the parties engaged in certain limited discovery. Id. at *10.
On September 25, 2015, Plaintiff filed her amended complaint asserting only the breach of contract claim. (R. 36, Am. Compl. ¶¶ 47-83.) Defendant now moves for dismissal under Rule 12(b)(6), arguing that Plaintiff has again failed to allege a plausible breach of contract claim. (R. 41, Def.'s Mot.) Plaintiff opposes the request for dismissal, (R. 48, Pl.'s Resp.), and Defendant has filed a reply in support of its request, (R. 50, Def.'s Reply).
Under federal pleading standards, a complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief." FED.R.CIV. P. 8(a)(2). A Rule 12(b)(6) motion "challenges the viability of a complaint by arguing that it fails to state a claim upon which relief may be granted." Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 736 (7th Cir. 2014). In deciding a Rule 12(b)(6) motion, the Court construes the complaint in the light most favorable to the non-movant, accepts all well-pleaded factual allegations as true, and draws all reasonable inferences in the non-movant's favor. Vesely v. Armslist LLC, 762 F.3d 661, 664-65 (7th Cir. 2014). The Court can consider "allegations set forth in the complaint itself, documents that are attached to the complaint, documents that are central to the complaint and are referred to in it, and information that is properly subject to judicial notice."
To survive dismissal, a complaint must "contain sufficient factual matter . . . to `state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. It is not enough for the plaintiff to allege "[t]hreadbare recitals of the elements of a cause of action, supported by conclusory statements." Id.
By the same token, "the Supreme Court has signaled on several occasions that it has not amended the rules of civil procedure sub silentio to abolish notice pleading and return to the old fact pleading standards that pre-dated the modern civil rules." Alexander v. United States, 721 F.3d 418, 422 (7th Cir. 2013). Thus, a plaintiff is not required to include "detailed factual allegations" to survive a motion to dismiss. Id. Nor is "plausibility" the same as "probability," and it is therefore inappropriate for the Court to "stack up inferences side by side and allow the case to go forward only if the plaintiff's inferences seem more compelling than the opposing inferences." Id. (citation omitted). Instead, "the plausibility requirement demands only that a plaintiff provide sufficient detail to present a story that holds together." Id. (internal quotation marks and citation omitted).
This lawsuit now boils down to one claim: that Defendant breached the promises made in its Privacy Pledge in connection with the handling of Plaintiff's personal information, resulting in the theft of this information and attendant damages. (R. 36, Am. Compl. ¶¶ 1-7.) In Plaintiff's view, the Privacy Pledge was part of the insurance policy she and other class members obtained from Defendant. (Id. ¶ 48.) Defendant disagrees that the Privacy Pledge was incorporated into the parties' insurance policy or that it is otherwise enforceable in a breach of contract action. (R. 41, Def.'s Mot. at 2-3.)
Under Illinois law, "[a]n insurance policy is a contract, and its construction is reviewed de novo as a question of law."
I. Incorporation of the Privacy Pledge
Defendant first argues that Plaintiff "fails to allege sufficient facts supporting her conclusory contention that [Defendant] entered into an agreement with Plaintiff that incorporated [Defendant's] Privacy Pledge." (R. 41, Def.'s Mot. at 2.) It is worth noting again that under federal pleading standards, Plaintiff does not have to include "detailed factual allegations" to survive dismissal. Alexander, 721 F.3d at 422. Because notice pleading standards apply, the question is whether Plaintiff has alleged enough detail to "present a story that holds together." Id. (citation omitted). In the amended complaint, Plaintiff alleges that Defendant "entered into agreements" with Plaintiff and the proposed class members that "incorporated the terms in [Defendant's] Privacy Pledge." (R. 36, Am. Compl. ¶ 48.) She further alleges that she received a copy of the Privacy Pledge from Defendant "with other materials relating to her application for health insurance." (Id. ¶ 49.) These allegations must be accepted as true at this stage. Vesely, 762 F.3d at 664.
Defendant submits the policy and related documents that were sent to Plaintiff with her policy, and argues that these documents "leave no doubt that the Privacy Pledge, as a matter of law, was not part of the insurance contract between Plaintiff and [Defendant]." (R. 42, Def.'s Mem. at 7; see also R.42-1, Insurance Materials at 1-41.) The documents are not nearly as straightforward as Defendant suggests.
The insurance policy provides in pertinent part: "The policy is a legal contract. It is the entire contract between you and us. . . . Any change to it must be in writing and approved by us. Only our President or one of our Vice-Presidents can give our approval." (R. 42-1, Insurance Materials at 11 (emphasis added).) It would appear that this language was intended as an integration clause, and Plaintiff does not argue otherwise. See Westlake Fin. Grp., Inc. v. CDH-Delnor Health Sys., 25 N.E.3d 1166, 1171 (Ill. App. Ct. 2015) (contract provision stating, "[t]his Agreement is the complete and exclusive agreement between the parties" constituted an integration clause). "[W]here parties formally include an integration clause in their contract, they are explicitly manifesting their intention to protect themselves against misinterpretations which might arise from extrinsic evidence." Air Safety, Inc. v. Teachers Realty Corp., 706 N.E.2d 882, 885 (Ill. 1999).
The matter is complicated, however, because the policy also expressly incorporates by reference certain extraneous documents. Specifically, it defines "policy" as "this policy with any attached application(s), and any riders and endorsements." (R. 42-1, Insurance Materials at 11 (emphasis added).) The policy's table of contents specifies that "[a] copy of the application and any riders and endorsements follow page 17." (Id. at 6.) As the documents have been submitted to the Court, there are several documents following page 17, including the Privacy Pledge. (See id. at 39.) Based on the manner in which the Privacy Pledge was given to her, Plaintiff argues that this document qualifies as an endorsement. (R. 48, Pl.'s Resp. at 12.) Defendant responds that the Privacy Pledge could not possibly constitute an endorsement under the plain meaning of that term.
"[A]n endorsement has been defined as being merely an amendment to an insurance policy; a rider." Alshwaiyat v. Amer. Serv. Ins. Co., 986 N.E.2d 182, 191 (Ill. App. Ct. 2013) (internal quotation marks and citation omitted). A "rider," in turn, is defined as "[a]n attachment to some document, such as . . . an insurance policy, that amends or supplements the document." BLACK'S LAW DICTIONARY (10th ed. 2014). The Court disagrees with Defendant that the Privacy Pledge could not possibly satisfy these definitions. Plaintiff alleges that the Privacy Pledge accompanied the policy that was mailed to her, and this document can be read to supplement the policy by providing additional benefits to insureds regarding the handling of their personal information. The policy does require that endorsements be approved by Defendant's president or one if its vice-presidents, (R. 42-1. Insurance Materials at 11), but the Privacy Pledge states that it was authored by Defendant's "Chairman, President and Chief Executive Officer." (R. 36-1, Privacy Pledge.)
Defendant argues that "an endorsement must be properly attached to the policy so as to indicate that it and the policy are parts of the same contract and must be construed together." (R. 50, Def.'s Reply at 5 (citation omitted).) But again, Plaintiff alleges that the Privacy Pledge was sent to her along with the policy documents, and the Court must accept this allegation as true. (R. 38, Am. Compl. ¶ 49.) The policy itself states that the documents following page 17 are considered part of the policy, which would appear to include the Privacy Pledge. (R. 42-1, Insurance Materials at 6, 39.) Based on Plaintiff's allegations and the language of the policy, her claim that the policy incorporated the Privacy Pledge is not implausible. See W.W. Vincent & Co. v. First Colony Life Ins. Co., 814 N.E.2d 960, 966 (Ill. App. Ct. 2004) (where integration clause included reference to extraneous documents delivered with the contract, plaintiffs were not precluded from stating a claim for breach of contract based upon those extraneous documents).
Defendant could have avoided any ambiguity by clearly labeling the documents sent with the policy that were intended to be incorporated by reference, but it did not do so.
Defendant also argues that Plaintiff's claim fails because she "nowhere alleges that she relied on or read the Privacy Pledge, or even was aware that it existed, before she agreed to the insurance contract." (R. 42, Def.'s Mem. at 8.) However, reliance is not one of the elements of a breach of contract claim under Illinois law. See Barber, 928 N.E.2d at 1270. Defendant cites several cases from other jurisdictions in support of its argument, but aside from the fact that these cases are not binding authority and do not interpret Illinois law, the Court finds them distinguishable on the facts. (See R. 42, Def.'s Mem. at 8 (collecting cases).)
This case is weak support for Defendant's argument here, as this Court is not deciding whether Plaintiff suffered an injury for purposes of Article III standing, nor is there anything in the documents to reflect that the Privacy Pledge was "offered freely and equally to all people." To the contrary, it is apparent from the language of the Privacy Pledge that it was directed exclusively to Defendant's insureds. (See R. 36-1, Privacy Pledge.)
III. Timing of Plaintiff's Receipt of the Privacy Pledge
Defendant also argues that the Privacy Pledge could not possibly be part of the insurance policy because "Plaintiff received the Privacy Pledge after the insurance contract had been entered." (R. 41, Def.'s Mot. at 2.) As is explained above, the language of the policy and the manner in which Plaintiff alleges that the Privacy Pledge was conveyed to her plausibly suggest that it was intended to be part of the parties' agreement. Indeed, "[t]ransactions in which the exchange of money precedes the communication of detailed terms are common." ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1451 (7th Cir. 1996). The U.S. Court of Appeals for the Seventh Circuit offered the following illustrations:
In Hill v. Gateway 2000, Inc., 105 F.3d 1147 (7th Cir. 1997), the Seventh Circuit extended this reasoning to a case involving computers purchased over the telephone. The computers arrived with a list of terms that was "said to govern unless the customer return[ed] the computer within 30 days." Id. at 1148. The Seventh Circuit reasoned that because the customer had an opportunity to return the computer after reading the additional terms included with it, those terms were fully enforceable. Id. at 1148-49. This was true even if the customer did not actually read the additional terms. Id. at 1149; see also Kaufman v. Am. Exp. Travel Related Servs. Co., No. 07 C 1707, 2008 WL 687224, at *6 (N.D. Ill. Mar. 7, 2008) ("Courts have held that a consumer accepts terms, read or not, upon using a product . . . where an opportunity to avoid the undesirable terms exists.").
Accepting Plaintiff's allegations as true and affording her all reasonable inferences, the complaint alleges that Plaintiff received the Privacy Pledge at the same time she received her policy and other materials.
Defendant also argues that "[t]he Privacy Pledge is a unilateral statement of company policy and cannot stand as consideration." (R. 41, Def.'s Mot. at 2.) "[C]onsideration is the bargained-for exchange of promises or performances, and may consist of a promise, an act or a forbearance." McInerney v. Charter Golf, Inc., 680 N.E.2d 1347, 1350 (Ill. 1997); see also Johnson v. Maki & Assocs., Inc., 682 N.E.2d 1196, 1199 (Ill. App. Ct. 1997) ("Consideration for a contract consists either of some right, interest, profit, or benefit accruing to one party or some forbearance, detriment, loss of responsibility given, suffered, or undertaken by the other.").
Defendant's argument is somewhat confusing, but to the extent Defendant is arguing that the Privacy Pledge must meet all the independent requirements of a contract, including being supported by adequate consideration, the Court disagrees. Plaintiff is not seeking to enforce the Privacy Pledge as an independent contract; rather, she is claiming that the Privacy Pledge was incorporated into the parties' insurance agreement. (See R. 48, Pl.'s Resp. at 9-10, 13-14.) There was clearly consideration for the insurance agreement (Plaintiff's premiums in exchange for insurance coverage), and Defendant does not argue otherwise.
Within this argument, Defendant also suggests that the Privacy Pledge is unenforceable because it "is nothing more than a statement that [Defendant] is complying with its pre-existing duties to follow applicable federal regulations." (R. 42, Def.'s Mem. at 13.) Defendant is correct that a party's promise to do "what it is already legally obligated to do" does not give rise to contractual rights. See Johnson, 682 N.E.2d at 1199; see also GLS Develop., Inc. v. Wal-Mart Stores, Inc., 3 F.Supp.2d 952, 967 (N.D. Ill. 1998) ("Black letter law teaches that a promise to do or to pay something that the promisor is already bound to do or to pay provides no consideration for the other party's promise in exchange, so that the other party's promise is not legally enforceable."). As Defendant points out, the Privacy Pledge references Defendant's compliance with unspecified "federal regulations."
Breach of the Privacy Pledge
Defendant also argues that even if the Privacy Pledge is enforceable, "Plaintiff has not sufficiently pled that [Defendant] breached the Privacy Pledge, which contemplates that [Defendant] will share personal information with third parties who do work on [Defendant]'s behalf." (R. 41, Def.'s Mot. at 3.) As Defendant points out, the Privacy Pledge does provide that "sometimes, we may . . . share your information with a company . . . who may do work on our behalf." (R. 36-1, Privacy Pledge (emphasis in original).) However, the Privacy Pledge also promises that if insureds' personal information is provided to any third parties, Defendant will "require them to abide by the same privacy standards" that are employed by Defendant. (Id.) Accepting Plaintiff's allegations as true, she has plausibly alleged a series of events showing that Defendant failed to take adequate steps to ensure that Enrolltek limited access of insureds' personal information under the same standards employed by Defendant. (See R. 36, Am. Compl. ¶¶ 1-5, 13-18, 55.) If Defendant knew the data was not being handled securely and did nothing to remedy the situation, as Plaintiff alleges, it certainly cannot be said that Defendant "required" Enrolltek to comply with its privacy standards. Therefore, the Court finds Defendant's argument unavailing.
Defendant's final argument is that Plaintiff has not sufficiently alleged that Plaintiff's claimed damages were the result of Defendant's conduct. (R. 41, Def.'s Mot. at 3.) Defendant believes that the complaint falls short because "Plaintiff's alleged damages do not arise out of [Defendant's] conduct, but rather out of the acts of third parties—namely, Enrolltek . . . and the unidentified third party thieves who stole her data." (R. 42, Def.'s Mem. at 16.) In Defendant's view, "Plaintiffs' [personal information] could have been compromised by any number of sources (e.g., her use of a department store credit card that is involved in a security breach) entirely unrelated to her [personal information] provided to [Defendant]."
There is no question that Plaintiff will ultimately be required to prove that her damages were caused by Defendant's actions. See In re Illinois Bell Tel. Link-Up II, 994 N.E.2d 553, 558 (Ill. App. Ct. 2013) ("The basic theory of damages in a breach of contract action requires that a plaintiff establish an actual loss or measurable damages resulting from the breach in order to recover. . . . Damages which are not the proximate cause of the breach are not allowed." (internal quotation marks and citations omitted)). But, again, the issue at the pleading stage is solely whether Plaintiff has stated a plausible claim for relief. See Ashcroft, 556 U.S. at 678; Alexander, 721 F.3d at 422.
To that end, Plaintiff alleges that Defendant was contractually obligated to ensure that her personal data was secure, even if Defendant gave it to a third party. (R. 36, Am. Compl. ¶¶ 1-17.) She claims that Defendant's actions and omissions led to her personal information being readily available to "anyone with an Internet connection" from March 2012 to July 2013. (Id. ¶¶ 3, 17-20.) She also claims that Defendant was aware that the data was not being stored securely, because Enrolltek emailed Defendant internet links where the data could be readily accessed, and yet Defendant allegedly did nothing to remedy this issue. (Id. ¶ 17.) Thereafter, an unknown identity thief stole Plaintiff's personal information and used it to obtain her 2013 tax refund. (Id. ¶ 38.) Given the timeline of events, and the fact that at least 30 other Dillard's employees allegedly suffered the same type of identity theft, it is certainly plausible that there is a causal link between Defendant's failure to ensure the confidentiality of the data and the damages alleged. That is all that is required at this stage. Alexander, 721 F.3d at 422; see also Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) ("It is enough at this stage of the litigation that [the defendant] admitted that 350,000 cards might have been exposed [to a data breach] and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs' right to relief above the speculative level." (citing Twombly, 550 U.S. at 570)). Therefore, Defendant's motion to dismiss will be denied.
For the foregoing reasons, Defendant's motion to dismiss (R. 41) is DENIED. The parties are DIRECTED to reevaluate their settlement positions in light of this opinion and exhaust all efforts to settle the case. The parties shall appear for a status hearing on March 30, 2016, at 9:45 a.m.