UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF OHIO EASTERN DIVISION
ANDREW MUNGER, et al., ) CASE NO. 5:23-cv-00337 ) Plaintiffs, ) JUDGE DAVID A. RUIZ ) v. ) ) MATCO TOOLS CORPORATION, ) ) MEMORANDUM OPINION AND ORDER Defendant. ) ) ) )
Plaintiffs’ Amended Class Action Complaint (Amended Complaint) (R. 9) raises the following causes of action: (1) negligence, (2) breach of implied contract, (3) unjust enrichment, (4) negligence per se, and (5) declaratory judgment. Defendant filed a Motion to Dismiss the Amended Complaint. (R. 11). Plaintiffs filed a brief in opposition and Defendant filed a reply in support of the motion to dismiss. ((R. 12; R. 13). Plaintiffs and Defendant also filed supplemental authority for the Court’s review. (R. 20; R. 21). For the reasons stated below, the Court GRANTS in part and DENIES in part Defendant’s Motion. I. Standard of Review A. Rule 12(b)(1) Defendant has moved to dismiss the Amended Complaint for lack of subject matter jurisdiction and failure to state a claim under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). A Rule 12(b)(1) motion to dismiss challenges a court's subject-matter jurisdiction. Fed. R. Civ. P. 12(b)(1). Federal courts have limited jurisdiction, meaning that unlike state trial courts, they do not have general jurisdiction to review all questions of law. See Ohio ex rel. Skaggs v. Brunner, 549 F.3d 468, 474 (6th Cir. 2008) (per curiam). Instead, federal courts have only the authority to decide cases that the U.S. Constitution and Congress have empowered them to resolve. Id. Consequently, “[i]t is to be presumed that a cause lies outside this limited jurisdiction, and the burden of establishing the contrary rests upon the party asserting jurisdiction.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377(1994) (internal citation omitted). Rule 12(b)(1) motions may challenge jurisdiction facially or factually. United States v.
Richie, 15 F.3d 592, 598 (6th Cir. 1994). In a facial attack, the challenger asserts that the allegations in the complaint are insufficient on their face to invoke federal subject-matter jurisdiction. See In re Title Ins. Antitrust Cases, 702 F. Supp. 2d 840, 884-85 (N.D. Ohio 2010) (citing Ohio Hosp. Ass'n v. Shalala, 978 F. Supp. 735, 739 (N.D. Ohio. 1997)). In a factual attack, the challenger disputes the truth of the allegations that would otherwise invoke federal subject-matter jurisdiction. Id. A challenge to subject-matter jurisdiction may be considered a factual attack when the attack relies on extrinsic evidence, as opposed to the pleadings alone, to contest the truth of the allegations. Id. The plaintiff has the burden of proving subject-matter jurisdiction in order to survive a motion to dismiss pursuant to Rule 12(b)(1). Madison-Hughes v. Sh alala, 80 F.3d 1121, 1130 (6th Cir. 1996). Lack of subject-matter jurisdiction is a non- waivable, fatal defect. Von Dunser v. Aronoff, 915 F.2d 1071, 1074 (6th Cir. 1990). B. Rule 12(b)(6) A Rule 12(b)(6) motion to dismiss challenges whether a complaint sets out a “short and plain statement of the claim showing that the pleader is entitled to relief.” Ashcroft v. Iqbal, 556 U.S. 662, 677–78 (2009) (quoting Fed. R. Civ. P. 8(a)(2)). To proceed past the pleading stage, “a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Id. at 678 (quotation marks omitted). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. This “plausibility standard is not akin to a ‘probability requirement,’” but it demands “more than a sheer possibility that a defendant has acted unlawfully.” Id. “Where a complaint pleads facts that are merely consistent with a defendant's liability, it stops short of the line between possibility and plausibility of entitlement to relief.” Id. (quotation marks omitted).
A court resolving a Rule 12(b)(6) motion “must consider the complaint in its entirety.” Tellabs, Inc. v. Makor Issues & Rts., Ltd., 551 U.S. 308, 322 (2007). In doing so, a court must accept as true all the factual allegations contained in the complaint and construe them in the light most favorable to the plaintiff. See Erickson v. Pardus, 551 U.S. 89, 93–94 (2007) (per curiam); accord Streater v. Cox, 336 F. App’x 470, 474 (6th Cir. 2009). A court, however, need not accept as true conclusions of law, “labels,” “formulaic recitation[s] of the elements of a cause of action,” and “naked assertions devoid of further factual enhancement,” although these allegations may provide a framework for the complaint. Iqbal, 556 U.S. at 678–79. “When there are well- pleaded factual allegations, a court should assume their veracity and then determine whether they pl ausibly give rise to an entitlement to relief” under governing law. Id. at 679. II. Factual Allegations The Amended Complaint alleges that Defendant Matco Tools Corporation—a Delaware corporation with its principal place of business in Ohio—manufactures, sells, and services professional tools for resale by distributors and franchisees to mechanics and auto enthusiasts. (R. 9, PageID# 80–81, 85, 86). Defendant requires its customers and employees to provide it personal identifiable information (PII) to purchase tools from, be employed by, or apply for credit with Defendant. (Id. at PageID# 86, 92 102, 104, 105, 107). “Defendant retains and stores this information.” (Id. at PageID# 92–93). If it did not collect customers’ and employees’ PII, “Defendant would be unable to sell or manufacture automobile parts or employ anyone.” (Id. at PageID# 93). By March 1, 2022, Defendant “was storing the PII of more than 14,000 individuals.” (See id. at PageID# 81, 96). Plaintiffs’ and alleged “Class Members’ PII were required to fill out various forms,” including “employment paperwork and applications, tax documents, various authorizations, other
form documents associated with the manufacturing of car components, and employment documentation.” (Id. at PageID# 86–87). Defendant required named Plaintiffs Andrew Munger and Keston Lewis to provide PII to Defendant when they “purchased tools from Defendant, using credit.” (Id. at PageID# 104, 107). Named Plaintiff William Faduie “was required to provide and did provide his PII to Defendant during the course of his employment with Defendant.” (Id. at PageID# 102). Defendant required named Plaintiff Toby Clarkson Gardner to provide PII to Defendant when he applied to work for Defendant. (Id. at PageID# 105). The information named Plaintiffs provided included their names and social security numbers. (Id. at PageID# 102, 104, 105, 107). Plaintiffs allege Defendant stored this information “unencrypted, in an Internet-accessible environment on Defendant’s network.” (Id. at PageID# 81, 87). In doing so, Plaintiffs allege “Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information it was maintaining.” (Id. at PageID# 90, 94–96). According to the Amended Complaint, Defendant stored PII this way “[d]espite the prevalence of public announcements of data breach and data security compromises,” (id. at PageID# 97), including those “targeting big companies[,] such as Defendant,” and resulting in leaks or threats to release stolen PII, (id. at PageID# 92), despite “having full knowledge of the sensitivity of the PII and the types of harm” that would result “if the PII were wrongfully disclosed[.]” (Id. at PageID# 113). Plaintiffs allege they are careful about sharing their PII and “ha[ve] never knowingly transmitted unencrypted PII over the internet or other unsecured source.” (Id. at PageID# 102–04, 106–07). They “would not have entrusted their PII to Defendant had they known that [Defendant] would fail to maintain adequate data security.” (Id. at PageID# 85). “On or before December 8, 2022, Defendant learned” that a data breach occurred on its
network “on or around March 1, 2022.” (Id. at PageID# 81). During this breach, “an unknown actor accessed and/or acquired” Plaintiffs’ PII. Id. On January 26, 2023, Defendant sent notice of the breach to Plaintiffs and putative class members “and submitted sample notices to various states’ Attorneys General.” (Id. at PageID# 88). The notice Plaintiffs received indicated that their “name[s] and Social Security number[s] were accessed during the” breach. Id. However, in “the sample notices and reports it sent to the states’ Attorneys General,” Defendant indicated that the information accessed in the breach included “name, Social Security number, driver’s license number, and/or financial account information.” (Id. at PageID# 89). “Defendant reported to the Maine attorney general that 14,342 individuals were impacted in the” breach. (Id. at PageID# 10 9). Plaintiffs seek to represent this group in their class action. Id. In response to the breach, Defendant has offered Plaintiffs and putative Class Members one year of complimentary identity monitoring services. (Id. at PageID# 101). Defendant also asserts that it has implemented additional security, is helping convert its partners to modernized systems, and is continuing to train employees about data security. (Id. at PageID# 89). Plaintiffs allege they have suffered various harms since the breach. Plaintiffs have spent time dealing with the breach’s consequences, including monitoring their accounts and “verifying the legitimacy” of the notice of the breach. (Id. at PageID# 102–08). They also have “suffered lost time, annoyance, interference, … inconvenience,” and anxiety. (Id. at PageID# 102–08). They are at “substantially increased risk of fraud, identity theft and misuse resulting from [their] PII, especially their Social Security number[s], being placed in the hands of criminals.” (Id. at PageID# 102–08). Additionally, “approximately two months after the breach,” Plaintiff Munger “was notified that an unknown individual using [his] identity applied for an automobile loan.” (Id. at PageID# 104). After the breach, “Plaintiff Clarkson Gardner was notified that he was the
victim of identity theft[] as some unidentified individual residing in California attempted to make a purchase using his bank.” (Id. at PageID# 105–06). “[I]n approximately March 2022,” his bank called him “regarding the fraudulent transactions he did not authorize.” (Id. at PageID# 106). Plaintiffs’ Amended Complaint asserts four claims for damages and injunctive relief. (Id. at Page ID# 113–28). They assert that Defendant is liable for negligence, negligence per se, breach of implied contract, and unjust enrichment. (Id. at PageID# 113–23). They also assert that this Court should enter a declaratory judgment regarding Defendant’s duties with respect to maintaining PII and the effects of breaching such duties. (Id. at PageID# 123–25). On the negligence claim, they allege that Defendant owed them a duty of reasonable care when storing th eir PII, which they contend Defendant violated with its “inadequate security practices,” resulting in the data breach. (Id. at PageID# 113–18). They also allege that Defendant had a “duty to adequately and timely disclose” the “existence and scope of the [d]ata [b]reach,” but contend that Defendant did not timely disclose the breach. (Id. at PageID# 113–18). On the breach of implied contract claim, they allege that they were required to and did provide PII to Defendant, forming an implied contract under which Defendant had a duty to protect Plaintiffs’ PII and timely notify of any data breach, but they accuse Defendant of not implementing appropriate security measures and not timely notifying Plaintiffs of the data breach. (Id. at PageID# 118–20). On the unjust enrichment claim, Plaintiffs allege that Defendant “benefited from receiving Plaintiffs’ and Class Members’ PII” and the “monetary benefit” of Plaintiffs “purchasing services” but “failed to provide reasonable security, safeguards, and protections to the PII,” enriching Defendant “at the expense of Plaintiffs and Class Members.” (Id. at PageID# 120–21). On the negligence per se claim, they allege that Defendant violated section 5 of the Federal Trade Commission (FTC) Act and the Ohio Consumer Sales Practices Act (CSPA) “by
failing to use reasonable measures to protect PII and not complying with industry standards.” (Id. at PageID# 121–23). Defendant moved to dismiss the Amended Complaint. (See R. 11). First, Defendant argues that the law applicable to Plaintiffs’ claims is the law of Plaintiffs’ home states as the places of injury. (Id. at PageID# 149). Second, Defendant argues that Plaintiffs Faduie and Lewis lack standing because their alleged “injuries fail to satisfy the requisite injury-in-fact requirement for Article III standing.” (Id. at PageID# 150–53). Third, Defendant argues that Plaintiffs fail to state their claims. (Id. at PageID# 153–64). On the negligence claims, Defendant argues that Plaintiffs do not allege causation or damages “sufficient to survive a motion to dismiss.” (Id. at Pa geID# 153–59). Defendant argues that Plaintiffs fail to state their breach of implied contract claim because they “do not allege any representations, conduct, or other facts demonstrating a contract for data security, let alone a meeting of the minds sufficient for mutual assent.” (Id. at PageID# 159–60). Defendant also argues that “Employee Plaintiffs[]” fail to state this claim “because courts have routinely held that an employment relationship alone is insufficient to support an implied contract for data security.” (Id. at PageID# 160). Defendant argues that Plaintiffs fail to state their unjust enrichment claim because allegations of “making a purchase for a product or service” do not sufficiently allege “that either party understood that a portion of their payment was dedicated to data security.” (Id. at PageID# 161). Defendant also argues that “Employee Plaintiffs” fail to state this claim because they do not allege that they “made a purchase from Defendant or otherwise provided Defendant money.” Id. Defendant argues that Plaintiffs fail to state their negligence per se claim under the CSPA because they do not allege that they made consumer transactions. (Id. at PageID# 162). Defendant argues that Plaintiffs fail to state this claim under section 5 of the FTC Act because it “cannot support a negligence per se
claim” as it does not provide a private right of action. (Id. at PageID# 162–63). Finally, Defendant argues that Plaintiffs fail to state their “claims for declaratory and injunctive relief” because the Declaratory Judgment Act does not create an independent cause of action and because Plaintiffs’ other claims should be dismissed. (Id. at PageID# 164). III. Analysis A. Choice of Law Federal courts have “original diversity jurisdiction over class actions where any member of the class of plaintiffs is a citizen of a state different from any defendant, the putative class has at least 100 members, and the amount in controversy exceeds $5 million, exclusive of interest an d costs.” Gascho v. Glob. Fitness Holdings, LLC, 863 F. Supp. 2d 677, 688 (S.D. Ohio 2012) (citing 28 U.S.C. § 1332(d)(2), (5), (6)). Plaintiffs allege that they meet these requirements. (R. 7, PageID# 85–86). In actions brought pursuant to diversity jurisdiction, the substantive law of the forum state applies. Savedoff v. Access Grp., Inc., 524 F.3d 754, 762 (6th Cir. 2008). In Ohio, “an actual conflict between Ohio law and the law of another jurisdiction must exist for a choice- of-law analysis to be undertaken.” Mendoza v. J.M. Smucker Co., No. 5:22-cv-02281, 2023 WL 3588280, at *8 (N.D. Ohio May 22, 2023) (quoting Glidden Co. v. Lumbermens Mut. Cas. Co., 112 Ohio St. 3d 470, 2006-Ohio-6553, 861 N.E.2d 109, 115 (2006)); see also Moore v. Weinstein Co., LLC, 545 F. App'x 405, 411 (6th Cir. 2013). Here, Defendant’s principal place of business is in Ohio, and it correctly identifies the choice of law rules applied in Ohio. (R. 9, PageID# 85; R. 11, PageID#: 149–150). Defendant asserts that the substantive law of Plaintiffs’ home states governs their claims because this Court is “sitting in diversity” and the alleged places of injury are in Plaintiffs’ home states. (Id. at PageID# 149). However, Defendant has not argued that a conflict exists between Ohio law and
the law of Plaintiffs’ home states as required. See Mendoza, 2023 WL 3588280, at *8. In addition, “[c]ourts routinely decline to decide complicated choice-of-law issues at the pleading stage.” Stinson v. Yum Brands, Inc., No. 3:23cv183, 2025 WL 2755879, *19 (W.D. Ky Aug. 29, 2025) (collecting cases). Until Defendant identifies such a conflict and the parties conduct discovery, the Court defers a choice of law analysis and will apply Ohio law where relevant in this ruling. B. Standing Article III of the U.S. Constitution limits federal courts’ jurisdiction to adjudicating actual Cases and Controversies. Lujan v. Defenders of Wildlife, 504 U.S. 555, 559 (1992). St anding is essential to the exercise of jurisdiction and is a “threshold question...[that] determin[es] the power of the court to entertain the suit.” Crawford v. Roane, 53 F.3d 750, 753 (6th Cir. 1995), cert. denied, 517 U.S. 1121 (1996) (quoting Warth v. Seldin, 422 U.S. 490, 498 (1975)). The Supreme Court has established that “the irreducible constitutional minimum of standing contains three elements.” Lujan, 504 U.S. at 560–61; see also Imhoff Inv., L.L.C. v. Alfoccino, Inc., 792 F.3d 627, 631 (6th Cir. 2015). First, the plaintiff must have suffered an “injury in fact.” Lujan, 504 U.S. 560. This alleged injury “must be both ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Imhoff Inv., 792 F.3d at 631 (quoting Friends of the Earth, Inc. v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 180 (2000)). Second, “there must be a causal connection between the injury and the conduct complained of” that is “fairly traceable” to the defendant’s challenged conduct. Lujan, 504 U.S. 560 (cleaned up). Finally, it must be “likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Friends of the Earth, Inc., 528 U.S. at 180. “The party
invoking federal jurisdiction bears the burden of establishing these elements.” Lujan, 504 U.S. at 561. Here, Defendant challenges Plaintiffs Faduie and Lewis’s standing based only the first element. (R. 11, PageID# 150). Defendant argues that these two Plaintiffs who have not alleged that their data has been misused have not established an injury-in-fact. Id. Defendant acknowledges that Plaintiffs have pled injury through “‘substantially increased risk of fraud, identity theft, and misuse,’ time and effort to mitigate future risk, emotional distress and lost benefit of the bargain and value of PII.” Id. (quoting R. 9, PageID# 103, 107–08). Nevertheless, Defendant argues these allegations are not enough to establish the requisite injury in fact for Pl aintiffs Faduie and Lewis to have standing. Id. Defendant characterizes Plaintiffs’ claims as based on risk of future harm, and argues that such a harm is not an injury in fact per TransUnion LLC v. Ramirez, 594 U.S. 413 (2021). Id. Defendant also points to supplemental authority from this jurisdiction holding that such risk of future harm is insufficient to establish standing unless a plaintiff demonstrates that the harm is “certainly impending.” (R. 20, PageID# 249, citing Marlin v. Associated Materials, LLC, No. 5:23cv1621, 2024 WL 2319115, at *1–4 (N.D. Ohio May 22, 2024)). Defendant’s argument is unavailing on the alleged facts in this case. “The United States Court of Appeals for the Sixth Circuit found Article III injury-in-fact” sufficient to establish standing “in a similar case” to this one. Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016). In Galaria, the Sixth Circuit found that the plaintiffs, whose data had been accessed in a breach, sufficiently alleged an injury-in-fact based on their mitigation costs and the substantial risk that the data would be used for fraudulent purposes. Galaria, 663 F. App'x at 387–90. The Sixth Circuit reasoned that this was not the insufficient kind of “possible future
injury” that the Supreme Court has found insufficient because “[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill- intentioned criminals.” Id. at 388 (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 408–10 (2013)). The court further reasoned that “although it might not [have] be[en] ‘literally certain’ that [the] [p]laintiffs’ data w[ould] be misused, there [wa]s a sufficiently substantial risk of harm that incurring mitigation costs [wa]s reasonable.” Id. (quoting Clapper, 568 U.S. at 414 n.5). TransUnion “may have modified the standard for assessing whether a future harm constitutes an Article III injury-in-fact,” Brooks v. Peoples Bank, No. 2:23cv3043, 2024 WL 2314538, at *4 (S.D. Ohio May 6, 2024), such that it “casts some doubt on the continued vi ability of Galaria,” Marlin, 2024 WL 2319115, at *4 (citing Brickman v. Maximus, Inc., No. 2:21cv3822, 2022 WL 16836186, at *3–4 (S.D. Ohio May 2, 2022)). Nevertheless, “that is a question for the Sixth Circuit to decide,” Brooks, 2024 WL 2314538, at *4 (citing Brickman, 2022 WL 16836186, at *3–4), and “unless and until the Sixth Circuit decides to revisit th[is] precedent,” this Court is “bound to follow” Galaria. Brickman, 2022 WL 16836186, at *4; see also Brooks, 2024 WL 2314538, at *4. Here, as in Galaria, Plaintiffs Faduie and Lewis allege that an unauthorized third party accessed their PII that Defendant stored, and that this breach put them “at substantially increased risk of fraud, identity theft, and misuse” causing them to incur continuing mitigation costs. (R. 9, PageID# 102–04, 107–08). Therefore, because this Court remains “bound to follow” Galaria and Plaintiffs Faduie and Lewis allege the same kind of injury that was sufficient in Galaria, they allege an injury in fact sufficient to establish standing. Brickman, 2022 WL 16836186, at *4; see also Brooks, 2024 WL 2314538, at *4. Defendant’s supplemental authority does not change this outcome. In a case similar to this one, the Marlin court found the plaintiffs had not sufficiently alleged an injury in fact. See
2024 WL 2319115, at *1–4. In doing so, the court reconciled TransUnion and Galaria by relying on Brickman for the proposition that in light of TransUnion, “Galaria’s finding of an injury-in- fact based on a risk of future harm caused by a data breach may no longer be valid.” Marlin, 2024 WL 2319115, at *4 (quoting Brickman, 2022 WL 16836186, at *3–4). Thus, the Marlin court implied that TransUnion and Galaria are irreconcilable such that TransUnion overrules Galaria and district courts need not wait for the Sixth Circuit’s word on the matter. See id. However, “TransUnion and Galaria (and TransUnion and this case, for that matter) are factually and legally distinguishable. For example, TransUnion deals with a legitimate credit reporting company while both Galaria and this case address data breaches by cybercriminals.” See B rickman, 2022 WL 16836186, at *4 (citing TransUnion, 594 U.S. 413; Galaria, 663 F. App'x 384). Given this crucial distinction, this Court agrees with the courts in Brickman and Brooks that TransUnion and Galaria are not so fundamentally irreconcilable that TransUnion obviously overrules Galaria. See Brickman, 2022 WL 16836186, at *4; Brooks, 2024 WL 2314538, at *4. Instead, this Court remains “bound to follow” Galaria, and as such, Plaintiffs Faduie and Lewis allege an injury in fact sufficient to establish standing. Brickman, 2022 WL 16836186, at *4; see also Brooks, 2024 WL 2314538, at *4. Moreover, even assuming arguendo that Galaria is no longer good precedent, Plaintiffs still have sufficiently alleged an injury in fact to establish standing. In TransUnion, the Supreme Court noted that “there is a significant difference between (i) an actual harm that has occurred but is not readily quantifiable, as in cases of libel and slander per se, and (ii) a mere risk of future harm.” 594 U.S. at 437. In determining whether a plaintiff suffered a concrete harm, “courts should assess whether the alleged injury to the plaintiff has a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” Id. at 424.
“[A]pplying this principle, courts have held that a privacy injury stemming from a data breach ‘bears some relationship to a well-established common-law analog: public disclosure of private facts.’” Allen v. Wenco Mgmt., LLC, 696 F. Supp. 3d 432, 437–38 (N.D. Ohio 2023) (citing Bohnak v. Marsh & McLennan Cos., 79 F.4th 276, 285 (2d Cir. 2023); Clemens v. ExecuPharm Inc., 48 F.4th 146, 154–55 (3d Cir. 2022)). This Court agrees with the Allen court that “the weight of post-TransUnion authority establishes that” an unauthorized third party stealing PII is a privacy injury that suffices “for Article III purposes.” Id. at 434–35, 437–38. The Court finds no reason to require “widespread disclosure” of stolen PII to establish a privacy injury. Compare Marlin, 2024 WL 2319115, at *3. Here, as all Plaintiffs, including Plaintiffs Faduie and Lewis, ha ve alleged an unauthorized third party accessed their PII, (R. 9, PageID# 14, 83–84, 180, 192), leading to, inter alia, mitigation costs, they have alleged a sufficient injury in fact for standing purposes. Allen, 696 F. Supp. 3d at 434–38. C. Negligence “To state a claim for negligence, Plaintiff must allege facts to suggest the existence of a duty, a breach of that duty, and an injury proximately caused by the breach.” Lacy v. Corr. Corp. of Am., No. 1:14cv2347, 2015 WL 1564954, at *6 (citing Menifee v. Ohio Welding Prods., Inc., 472 N.E.2d 707, 710 (Ohio 1984)). Here, Defendant argues only that Plaintiffs fail to state their negligence claims because Plaintiffs do not plausibly allege facts showing causation and damages. (R. 11, PageID# 153–59). 1. Damages Alleging facts showing damages is intimately related to alleging facts showing an injury in fact for standing purposes. “[I]f a plaintiff meets Article III’s injury-in-fact requirement, that plaintiff has almost certainly sustained cognizable damages.” Allen, 696 F. Supp. 3d at 437
(citing Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018)); Dieffenbach, 887 F.3d at 828 (“To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available.”) Defendant argues that Plaintiffs’ allegations of misuse, increased risk of harm, mitigation expenses, and lost value of PII are not sufficient to establish damages required for negligence. (R. 11, PageID# 154–58). However, because Plaintiffs’ plausibly assert misuse, increased risk of harm, mitigation expenses, and privacy injury to establish injury in fact, they are sufficient to allege “cognizable damages” for negligence. See Allen, 696 F. Supp. 3d at 437. Moreover, as for the allegations of misuse and increased risk of harm, these are sufficient to allege damages under O hio law. See id. at 438. Additionally, Plaintiffs allege that the risk of future harm has led them to incur mitigation expenses, loss of time, caused anxiety and emotional injury, and will cause them to continue to incur expenses for credit monitoring. (R. 9, PageID# 102–08). A “plaintiff can demonstrate actual harm by alleging emotional distress.” Foster v. Health Recovery Servs., Inc., 493 F. Supp. 3d 622, 632 (S.D. Ohio 2020). With respect to Plaintiffs’ allegations of a privacy injury, though courts are divided on whether the loss of privacy in one’s PII is sufficient to allege injury, Plaintiffs’ supplemental authority from this district holds that this is sufficient to establish damages in a negligence claim, at least at the motion to dismiss stage. Allen, 696 F. Supp. 3d at 437–38 (“[A]t this early stage of the litigation, Allen's alleged privacy injury satisfies the ‘damages’ element of negligence.”). The Allen court looked to recent decisions in other circuits and concluded that “a privacy injury stemming from a data breach ‘bears some relationship to a well-established common-law analog: public disclosure of private facts.’” Id. The Court finds the Allen court’s reasoning to be persuasive and agrees that, at this phase of litigation, Plaintiffs have sufficiently pleaded their
negligence claim, including the alleged damages that stem from a violation of privacy. Therefore, Plaintiffs sufficiently allege damages to state a claim for negligence. 2. Causation Defendant argues that Plaintiffs Munger and Gardner have not established causation with respect to their allegations of attempted misuse. Specifically, Defendant argues that the temporal proximity of the breach and the attempted misuse does not establish causation and that Plaintiffs Munger and Gardner “do not allege they have never been a victim of identity theft or fraud before” the breach. (R. 11, at PageID# 154–55). However, this overstates what is required. Under Ohio law, causation “requires that the injury sustained shall be the natural and probable co nsequence of the negligence alleged; that is, such consequence as under the surrounding circumstances of the particular case might, and should have been foreseen or anticipated by the wrongdoer as likely to follow his negligent act.” Jeffers v. Olexo, 539 N.E.2d 614, 617 (Ohio 1989). Plaintiffs allege that “Defendant knew or reasonably should have known” that storing Plaintiffs’ PII as they did created an unreasonable risk of the harm from misuse. (R. 9, PageID# 114–18). Plaintiffs sufficiently allege that the harm was foreseeable. See Jeffers, 539 N.E.2d at 618. Moreover, Plaintiffs also allege they are careful about sharing their PII and “ha[ve] never knowingly transmitted unencrypted PII over the internet or other unsecured source.” (Id. at PageID# 102–04, 106–07). At this pleading stage, such averments are sufficient D. Breach of Implied Contract
Defendant argues that Plaintiffs have not sufficiently stated their claim for breach of an implied contract. (R. 11, PageID#: 159). “The elements of an implied-in-fact contract are the same as those of an express contract: offer, acceptance, consideration, and a meeting of the minds.” Randleman v. Fid. Nat’l Title Ins. Co., 465 F. Supp. 2d 812, 818 (N.D. Ohio 2006). Here, Plaintiffs allege that they entrusted their PII to Defendant under an implied contract that Defendant would keep that information secure, because Defendant required that Plaintiffs supply PII as customers, job applicants, or employees. (R. 9, PageID# 119). The facts here are highly analogous to those of another case in which the court denied a similar motion to dismiss. There, Plaintiff allege[d] that he and class members entered into an implied agreement with Defendant HRS which required them to provide their personal information in exchange for treatment services. Plaintiff further allege[d] that Defendant HRS represented that it would keep this information secure, and that HRS breached this obligation. (ECF No. 6 at 16-17). F oster, 493 F. Supp. 3d at 640–41. Plaintiffs’ Amended Complaint makes nearly identical allegations: As a condition of making purchases from Defendant, Plaintiffs and the Customer Subclass provided and entrusted their PII. In so doing, Plaintiffs and the Customer Subclass entered into implied contracts with Defendant by which Defendant agreed to safeguard and protect such PII, to keep such PII secure and confidential, and to timely and accurately notify Plaintiffs and the Customer Subclass if their PII had been compromised or stolen.
(R. 9, PageID 119). Thus, Plaintiffs’ allegations “are sufficient at this stage to state a claim for breach of implied contract since they specifically identify a contractual undertaking that Defendant allegedly breached.” Foster, 493 F. Supp. 3d at 640–41. E. Unjust Enrichment Defendant asserts that courts have rejected the theory that the purchase of a product or service confers a monetary benefit on the seller, because a portion of the payment is ostensibly dedicated to data security. (R. 11-1, PageID# 161). While Defendant cites to several cases to support their position, none of them are in the Sixth Circuit, and the Court finds Foster to be instructive here. To state a claim for unjust enrichment, a plaintiff must allege “(1) a benefit conferred by a plaintiff upon a defendant; (2) knowledge by the defendant of the benefit; and (3) retention of the benefit by the defendant under circumstances where it would be unjust to do so without payment.” Foster, 493 F. Supp. 3d at 641 (citing Dailey v. Craigmyle & Son Farms, L.L.C., 177 Ohio App.3d 439, 2008-Ohio-4034, 894 N.E.2d 1301, 1309 (Ohio Ct. App. 2008)). Plaintiffs have sufficiently alleged each of these elements. Plaintiffs allege that (1) they provided their PII to Defendant; (2) Defendant knew Plaintiffs’ and class members’ PII was a benefit, which Defendant accepted; and (3) Defendant failed to provide reasonable security, safeguards, and protections to the PII. (R. 9, PageID# 120–21). They al lege that retaining the PII was beneficial as it allowed Defendant to sell its products, employ people, and because the PII is valuable. (Id. at PageID# 94, 120–21). Plaintiffs further allege that Defendant’s lax security of the PII created a circumstance in which it would be unjust for Defendant to retain the benefit from the PII without payment. (Id. at PageID# 121). Plaintiffs’ allegations are sufficient to state a plausible claim for unjust enrichment and Defendant’s motion to dismiss is denied. F. Negligence Per Se Plaintiffs also present claims for negligence per se, but these claims are not properly brought or sufficiently alleged. As an initial matter, the CSPA negligence per se claim only applies to the customer Plaintiffs, not the employee Plaintiffs. (R. 12, PageID 191). To allege a violation of the CSPA, the transaction must have been for purposes that are primarily for personal, family, or household use. (O.R.C. §1345.01(A)). Plaintiffs’ first pleading deficiency is that there are no allegations that the tools were bought for personal use. In fact, Plaintiffs’ Amended Complaint describes Defendant as “engaged in the manufacture and sale of tools for
resale by distributors and franchisees.” (R. 9, PageID# 85 (emphasis added)). Plaintiffs’ argument—that “Defendant does not, however, cite any allegation supporting that these purchases were not for such purposes”—improperly places the burden on Defendant to prove that the transaction was not a consumer transaction. (R. 12, PageID# 191). At this stage, Plaintiffs bear the burden of making well-pleaded factual allegations showing their claims. See Iqbal, 556 U.S. at 678–79. Moreover, Plaintiffs’ claim fails under O.R.C. §1345.09(B). For Plaintiffs to bring a private cause of action as a class they must allege that: [T]he violation was an act or practice declared to be deceptive or unconscionable by rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based, or an act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code.
(O.R.C. §1345.09(B)). Plaintiffs have not pleaded allegations satisfying the requisite notice element. (See generally R. 9; R. 12). As such, the Court must dismiss Plaintiffs’ CSPA negligence per se claims. See Foster, 493 F. Supp. 3d at 637. As for the section 5 FTC negligence per se claim, “the availability of negligence per se depends on more than simply whether the statute in question contains a private right of action.” Allen, 696 F. Supp. 3d at 440. Rather, “the critical question is whether the statute ‘contains a general, abstract description of a duty’ or ‘sets forth a positive and definite standard of care whereby a jury may determine whether there has been a violation thereof by finding a single issue of fact.’” Id. (citing Sikora v. Wenzel, 88 Ohio St.3d 493, 496, 2000-Ohio-406, 727 N.E.2d 1277, 1280 (2000)). Here, “[b]ased on the statutory text alone, there is no ‘single issue of fact’ by which a jury could find that [Defendant] violated Section 5 of the FTC Act.” Id. (citing Sikora, 727 N.E.2d at 1280). A “jury would need to look beyond the statute to make such a finding,” as “Section 5’s prohibition of ‘unfair practices’” typifies “a general, abstract description of a duty.” Id.; see also In re Sonic Corp. Customer Data Sec. Breach Litig., 2020 WL 3577341, at *6 (N.D. Ohio July 1, 2020) (holding that Section 5 of the FTC Act “does not lay out objective standards”). Accordingly, Plaintiffs’ FTC Act negligence per se claim is dismissed for failure to state a claim. See Allen, 696 F. Supp.3d at 440. G. Declaratory Judgment Defendant’s primary argument for dismissing Plaintiffs’ claim for declaratory judgment is that it must be dismissed if all the other claims are dismissed. (R. 11, PageID# 164). As discussed above, Plaintiffs’ negligence, breach of implied contract, and unjust enrichment claims are not dismissed. As such, neither is their derivative claim for declaratory judgement. IV. Conclusion Defendant’s Motion to Dismiss (R. 11) is hereby GRANTED in part and DENIED in part for the foregoing reasons. Specifically, the Court dismisses the negligence per se claims brought in Count Four. The Motion to Dismiss is denied with respect to the remaining counts. IT IS SO ORDERED. s/ David A. Ruiz
David A. Ruiz Date: May 5, 2026 United States District Judge