Aon Corporation Faces Class Action Lawsuit Over Data Breach

In a class action lawsuit against Aon Corporation, plaintiffs Maria Flores, Deanna Dube, Misty Williams, and Sharon Rushing allege several claims including negligence, negligence per se, breach of contract, unjust enrichment, invasion of privacy, and violations of consumer protection acts in Illinois and Florida. The lawsuit stems from a data breach that compromised the plaintiffs' personal information. Initially, the case was dismissed by the Circuit Court due to lack of standing and failure to state a claim, but the Appellate Court partially reversed the decision. 

Key Concepts in Focus: Negligence, Implied Contracts, and Invasion of Privacy

The Appellate Court determined that the plaintiffs had standing to pursue their claims and that Aon Corporation had a legal duty to protect personal information. The court also found that the plaintiffs' allegations were sufficient to establish that Aon Corporation's actions caused their harm.

The alleged violations of the Federal Trade Commission Act by Aon Corporation did not amount to negligence per se, and the plaintiffs could not maintain a claim for unjust enrichment. However, their allegations did state a valid claim for invasion of privacy. It is important to note that the plaintiffs' common law tort claims were not barred by the economic loss doctrine.

This case addresses several legal issues, including standing, negligence, and implied contracts. In order to bring a claim for breach of an implied contract, the plaintiff must demonstrate actual monetary damages. The concept of implied-in-fact contracts, which are formed through the parties' actions and conduct, is explored. Additionally, the notion of unjust enrichment, which is not an independent cause of action but can arise from improper or unlawful behavior, is discussed.

The presence of an implied covenant of good faith and fair dealing in every contract is emphasized by the court. Furthermore, the economic loss doctrine is discussed, with the court stating that tort recovery for purely economic losses is not permitted. The requirements for claims under the Consumer Fraud Act and the Florida Trade Practices Act are outlined. Lastly, the court delves into the four methods to establish a cause of action for invasion of privacy in Illinois.

Overview of the Plaintiffs' Allegations and the Defendant's Motion to Dismiss

The plaintiffs allege that the defendant, a global professional services company, is at fault for a data breach that resulted in unauthorized access to their personal information. The defendant sought to dismiss the complaint, arguing that the plaintiffs lacked standing and failed to state a claim. The circuit court granted the defendant's motion and dismissed the complaint.

On appeal, the plaintiffs argued that they had standing due to the injuries they suffered as a result of the data breach. The appellate court examined the concept of standing, emphasizing the need for a plaintiff to demonstrate an injury in fact to a legally recognized interest. Referring to the case of Maglio v. Advocate Health & Hospitals Corp., the court concluded that the risk of identity theft or fraud may confer standing, but only if the risk is imminent or certainly impending. Ultimately, the appellate court affirmed in part and reversed in part the circuit court's decision. Notably, the court acknowledged the plaintiffs' allegations of unauthorized acquisition of personal information leading to identity theft and fraud.

The court found that the plaintiffs had standing due to their experience of fraudulent charges and spam messaging, which were deemed distinct and palpable injuries. The defendant's argument that the fraudulent charges were unsuccessful and therefore not actual injuries was rejected. The sufficiency of the complaint was then discussed, with the critical inquiry being whether the well-pleaded facts were enough to state a cause of action. The court determined that the plaintiffs adequately alleged that the defendant had a common law duty to protect their personal information and that the data breach was the proximate cause of their injuries. 

Examining the Negligence Claim: Proximate Cause and Injury in the Aon Data Breach Case

In the context of the Aon data breach class action lawsuit, the Information Protection Act played a significant role in shaping the court's judgement. The court recognized the importance of the Act in establishing new standards and precedents, subsequently distancing itself from the reasoning presented in the Cooney court case. By doing so, the court signified that the landscape of information protection had evolved, necessitating a fresh perspective in this lawsuit.

Apart from the Act, the negligence claim was also deliberated upon during the proceedings. The defendant contended that the plaintiffs had failed to provide sufficient evidence demonstrating that the defendant's behavior directly caused any tangible harm. Nevertheless, the court determined that the plaintiffs had indeed demonstrated the necessary elements of proximate cause and injury to merit consideration. Consequently, the court recognized that the negligence claim should not have been dismissed and proceeded to examine it further.

Furthermore, the lawsuit delved into the concept of negligence per se, which stemmed from the defendant's alleged violations of the FTC Act. While the court determined that these violations did not automatically equate to negligence per se, they were deemed prima facie evidence of negligence. This distinction shows how the defendant's actions, viewed in the context of the FTC Act, played a crucial role in shaping the court's perception of negligence within the case.

The breach of implied contract claim was addressed, with the defendant arguing that there was no independent cause of action for a breach of the implied covenant of good faith and fair dealing. The court acknowledged that the plaintiffs alleged the existence of an implied contract but dismissed the claim due to the failure to allege adequate damages. 

Dismissal of the Plaintiffs' Unjust Enrichment Claim

The unjust enrichment claim was also discussed, with the defendant contending that the plaintiffs did not provide sufficient evidence of any benefit retained by the defendant to the plaintiffs' detriment. The court dismissed the plaintiffs' claim as they failed to sufficiently allege that the defendant had unjustly retained a benefit to their detriment. The court noted that for a private cause of action under the Consumer Fraud Act, the plaintiff must allege actual damages, which were not specified in this case. 

The court also discussed the plaintiffs' claim under the Florida Deceptive and Unfair Trade Practices Act, stating that the defendant argued the claim should fail because the data breach occurred in Illinois. However, the court found that the plaintiff adequately alleged that the defendant made misrepresentations within Florida, thus validating the claim. Still, the court determined that the plaintiff is limited to seeking injunctive relief since she did not allege the required actual damages under the Florida Trade Practices Act.

Invasion of Privacy Claim and the Sensitivity of Breached Data

The plaintiffs assert a claim for invasion of privacy. Despite the defendant's argument that the accessed information is not private, the court recognizes the sensitivity of the breached data, which includes financial and medical records. Financial information, such as bank details and transaction histories, holds personal value and exposes individuals to financial risks. Similarly, the exposure of medical records violates patient confidentiality and compromises the privacy and integrity of their healthcare information. By acknowledging the validity of the plaintiffs' claim, the court emphasizes the importance of safeguarding personal data and stresses the need for robust data protection measures.

The Moorman doctrine, which typically precludes recovery for purely economic losses, is discussed by the court. It is deemed inapplicable to the plaintiffs' claims because the alleged breach of duty stems from common law, implied contract, and statutes, rather than mere economic losses.

The Court's Ruling

The court addresses the trial court's dismissal of the plaintiffs' claims with prejudice, stating that this ruling was mistaken due to a misunderstanding of the plaintiffs' standing. The court overturns the dismissal for the plaintiffs' negligence, Florida Trade Practices Act, and invasion of privacy claims, while affirming the dismissal for the negligence per se claim. The court sustains the dismissal of the plaintiffs' breach of implied contract, unjust enrichment, and consumer fraud claims, but modifies the dismissal to be without prejudice.
