Dougherty v. Bojangles Rests., Inc., 2026 NCBC 60.
STATE OF NORTH CAROLINA IN THE GENERAL COURT OF JUSTICE SUPERIOR COURT DIVISION WAKE COUNTY 25CV046572-910 ALEXIS DOUGHERTY; DENNIS CALABRESE; LILY NICOLE PORTEE; JESSIE RUIZ- JACOBS; PETER BUNGERT; CHRISTIE STARNES; KASSANDRA BLANKENSHIP; JAMES HIGGINS; and LEONARDO YON, on behalf of ORDER AND OPINION themselves and others similarly situated, ON DEFENDANT’S MOTION TO DISMISS Plaintiffs,
v.
BOJANGLES RESTAURANTS, INC.,
Bojangles.
1. This action arises from a data breach that occurred between 19 February
and 12 March 2024 at Bojangles Restaurants, Inc. (Bojangles). The data breach
allegedly included the personal identifying information and protected health
information (PII/PHI) of current and former Bojangles employees, including
information belonging to Plaintiffs. The case is before the Court on Defendant’s
Motion to Dismiss Plaintiffs’ Class Action Complaint (the Motion), (ECF No. 11).
2. The Court, having considered the Motion, the related briefing, other
relevant matters of record, and the arguments of counsel at a hearing on the Motion
held 3 June 2026, concludes for the reasons stated below that the Motion should be
GRANTED in part and DENIED in part.
Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, for Plaintiffs Alexis Dougherty, Dennis Calabrese, Jessie Ruiz-Jacobs, Peter Bungert, Christie Starnes, Kassandra Blankenship, and James Higgins. Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, and Milberg Coleman Bryson Phillips Grossman, PLLC, by David K. Lietz, and Strauss Borrelli PLLC, by Sarah Soleiman, for Plaintiff Lily Nicole Portee.
Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, and Stranch, Jennings, & Garvey, PLLC, by Robert Bruce Grayson Kent Wells, for Plaintiff Leonardo Yon.
Robinson, Bradshaw & Hinson P.A., by Charles E. Johnson and Caroline Reinwald and Mullen Coughlin LLC, by Richard M. Haggerty and Kayleigh Watson, for Defendant Bojangles Restaurants, Inc.
Earp, Judge.
I. FACTUAL BACKGROUND
3. The Court does not make findings of fact when deciding a motion to dismiss
pursuant to Rule 12(b)(6) of the North Carolina Rules of Civil Procedure. It recites
below factual allegations from the complaint that are relevant to its determination of
the Motion. See, e.g., White v. White, 296 N.C. 661, 667 (1979) (the purpose of “a
motion to dismiss is to test the law of a claim, not the facts which support it” (citation
omitted)).
4. Bojangles is a fast-food chain incorporated in Delaware that maintains a
principal place of business in North Carolina. It has approximately 800 locations
across 17 states. (Compl. ¶¶ 2, 18, 20, ECF No. 3.)
5. Plaintiffs Alexis Dougherty (Dougherty), Dennis Calabrese (Calabrese),
Jessie Ruiz-Jacobs (Ruiz-Jacobs), Christie Starnes (Starnes), James Higgins
(Higgins), and Leonardo Yon (Yon) are citizens of North Carolina. (Compl. ¶¶ 9–10,
12, 14, 16–17.) Plaintiff Lily Nicole Portee (Portee) is a citizen of South Carolina. (Compl. ¶ 11.) Plaintiff Peter Bungert (Bungert) is a citizen of Texas. (Compl. ¶ 13.)
Plaintiff Kassandra Blankenship (Blankenship) is a citizen of Tennessee. (Compl. ¶
15.)
6. Plaintiffs are all former employees of Bojangles. (Compl. ¶¶ 45, 63, 75, 93,
107, 116, 134, 154, 160.)
7. As a condition of their employment, Bojangles required Plaintiffs to provide
their PII/PHI, which Bojangles used for payroll and other employment-related
purposes. (Compl. ¶¶ 48, 64, 78, 94, 119, 137, 154.)
8. Bojangles’ privacy policy states: “Bojangles has security policies and
practices in place designed to protect your Personal Information against
unauthorized access or disclosure, theft, misuse, and loss.” It promises that Bojangles
will “make commercially reasonable efforts for secure handling of this information[.]”
(Compl. ¶ 26.)
9. Plaintiffs allege that Bojangles agreed to safeguard their data in accordance
with its internal policies, state law, and federal law. (Compl. ¶ 24.) Plaintiffs
Dougherty, Calabrese, Portee, Ruiz-Jacobs, Starnes, and Blankenship specifically
allege that they provided their personal information to Bojangles trusting that the
company would use reasonable measures to protect it according to Bojangles’ internal
policies, as well as state and federal law. (Compl. ¶¶ 49, 71, 79, 101, 120, 138.)
Plaintiffs Calabrese and Ruiz-Jacobs state that they would not have provided their
PII to Bojangles had they known that Bojangles “would not utilize standard measures
to reasonably secure” it. (Compl. ¶¶ 68, 98.) 10. Plaintiffs allege that they “reasonably understood that a portion of the
funds derived from their labor would be used to pay for adequate cybersecurity
measures.” (Compl. ¶¶ 50, 80, 121, 139, 249.)
11. From 19 February 2024 to 12 March 2024, the security of Bojangles’
computer systems was breached (the Data Breach). (Compl. ¶ 27.)
12. Plaintiffs contend that over one hundred current or former employees’
names, addresses, Social Security numbers, driver’s license numbers, government-
issued ID numbers, passport numbers, state ID numbers, financial information,
financial account numbers, credit card numbers, debit card numbers, health
insurance information, and medical information were compromised in the Data
Breach. (Compl. ¶¶ 29–30.)
13. Plaintiffs allege that the Data Breach appears to have been the work of
Hunters International (Hunters), an “infamous Russian Ransomware-as-a-Service”
entity. (Compl. ¶¶ 38–39.) On 15 March 2024, Bojangles was listed on Hunters’
dedicated “leak site” on the dark web. (Compl. ¶ 40.) Hunters posted that it had
exfiltrated 294.8 GB of data from Bojangles. (Compl. ¶ 41.) Plaintiffs allege that the
data included their PII/ PHI. (Compl. ¶¶ 42, 52, 82, 109, 123, 141, 153, 163.)
14. Plaintiffs allege that Hunters’ modus operandi includes giving its affiliates
access to its storage server containing stolen files, which can then be downloaded and
stored by the affiliate. Because the stolen data is often stored on the affiliate’s
infrastructure and there are hundreds of affiliates who contract with Hunters, it is
often difficult to track stolen data and to prove whether it has been deleted. (Compl. ¶ 39.) Consequently, Plaintiffs claim that the Data Breach made Plaintiffs’ and the
purported class members’ PII/PHI “available for other cybercriminals to download
and use at their discretion.” (Compl. ¶ 4.)
15. Plaintiffs also complain that Bojangles “kept [them] in the dark” until 19
November 2024, when it began notifying them of the Data Breach. (Compl. ¶¶ 31–
32, 51, 65, 81, 95, 108, 122, 140, 152, 160.)
16. In the Notice Bojangles sent Plaintiffs, it recognized that Plaintiffs were at
a “present, continuing, and significant risk” of identity theft and recommended that
Plaintiffs “remain vigilant against incidents of identity theft by reviewing account
statements and credit reports for unusual activity and to detect errors.” (Compl.
¶ 33a.) Bojangles recommended that “[c]onsumers . . . further educate themselves
regarding identity theft, fraud alerts, credit freezes, and the steps consumers can take
to protect personal information by contacting the consumer reporting bureaus, the
Federal Trade Commission [FTC], or their state attorney general.” (Compl. ¶ 33c.)
17. Plaintiffs allege that Bojangles was negligent as evidenced by its failure to
prevent the Data Breach. (Compl. ¶ 34.) Plaintiffs further allege that Bojangles
acted with a “knowing state of mind” by failing to implement adequate and reasonable
cybersecurity measures. (Compl. ¶¶ 270–71.) They allege that Bojangles’ failure to
promptly and properly notify them of the Data Breach exacerbated their injuries by
depriving them of the earliest ability to take appropriate measures to protect their
PII/PHI and mitigate their damages. (Compl. ¶ 179.) 18. While Plaintiffs recognize that “[s]ince the breach, [Bojangles] claims to
have ‘reviewed [its] existing policies and procedures’ and ‘enhanced certain
administrative and technical controls[,]’ ” (Compl. ¶ 35), they allege that Bojangles’
cybersecurity measures continue to be “inadequate and unreasonable.” (Compl.
¶ 300.)
19. As far as remedies, Plaintiffs acknowledge that Bojangles has “offered some
victims credit monitoring and identity-related services[,]” but they complain that the
services provided are “wholly insufficient” to compensate Plaintiffs for their alleged
injuries. (Compl. ¶ 36.) Plaintiffs allege that their actual damages include the lost
value of their PII/PHI, lost time and money to mitigate and remediate the effects of
the Data Breach, and lost “benefit of the bargain.” (Compl. ¶¶ 71, 171, 234.) In
addition to monetary damages, Plaintiffs allege that they suffer from an increased
risk of future harm, embarrassment, humiliation, frustration and emotional distress.
(Compl. ¶¶ 57, 87, 128, 146, 171, 232.)
20. Since February 2024, Plaintiffs Dougherty, Portee, Starnes, and
Blankenship have experienced a spike in spam and scam phone calls. (Compl. ¶¶ 55,
85, 126, 144.) While telephone numbers were not included in the PII/PHI allegedly
stolen, Plaintiffs claim that the information that was stolen could be used to create
dossiers called “Fullz” packages by cross-referencing and combining it with
information about Plaintiffs found generally on the internet (like telephone
numbers). (Compl. ¶¶ 175–77.) 21. In February 2024, Plaintiff Ruiz-Jacobs’ debit card was fraudulently used
for an $80 purchase. Ruiz-Jacobs believes that this incident was caused by the Data
Breach. (Compl. ¶102.) Although the other Plaintiffs do not allege that they have
experienced any unauthorized use of their information, Plaintiffs believe that injury
to them in the form of fraud and identity theft is imminent because the Data Breach
placed their PII/PHI in the hands of “cybercriminals.” (Compl. ¶¶ 4, 42, 178.)
22. Plaintiffs allege that their PII/PHI continues to be at risk of theft and that
Bojangles has a continuing legal duty to protect it from unauthorized access and
disclosure. (Compl. ¶¶ 49, 79, 120, 138.) They allege that there has been a
“substantial increase in cyberattacks and/or data breaches in recent years[,]” (Compl.
¶ 180), and that the risk of attacks “was widely known to the public and to anyone in
[Bojangles’] industry, including [Bojangles].” (Compl. ¶ 183.)
23. The FTC has established guidelines for the data security practices
businesses must use, including: (a) protecting personal customer information that
they keep, (b) properly disposing of personal information that is no longer needed, (c)
encrypting information stored on computer networks, (d) understanding their
network’s vulnerabilities, and (e) implementing policies to correct security problems.
(Compl. ¶ 185.) The guidelines caution “not [to] maintain information longer than is
needed to authorize a transaction[.]” (Compl.¶ 187a.)
24. Plaintiffs allege that Bojangles’ failure to use reasonable and appropriate
measures to protect against the unauthorized access of its current and former
employees’ personal information constitutes an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 45. (Compl.
¶ 189.)
25. Plaintiffs further allege that Bojangles failed to follow industry best
practices, such as educating all employees, using strong passwords, implementing
multi-layer security (including firewalls, anti-virus, and anti-malware software),
using encryption, implementing multi-factor authentication, backing up data, and
limiting employees’ access to sensitive data. (Compl. ¶ 190.)
26. In addition, Plaintiffs maintain that Bojangles failed to implement industry
standard cybersecurity measures, including both the NIST Cybersecurity Framework
Version 2.0 and the Center for Internet Security’s Critical Security Controls. (Compl.
¶ 192.) Plaintiffs argue that by failing to comply with these accepted standards,
Bojangles’ stored PII/PHI was vulnerable to the Data Breach. (Compl. ¶ 193.)
27. Plaintiffs also allege the Data Breach resulted from Bojangles’ failure to
safeguard PHI in compliance with the Health Insurance Portability and
Accountability Act’s (HIPAA) mandated security standards. (Compl. ¶ 196.)
Specifically, Plaintiffs allege that Bojangles failed to: (a) implement policies and
procedures to prevent, detect, contain, and correct security violations; (b) identify and
respond to suspected or known security incidents; (c) mitigate harmful effects of
known security incidents; and (d) train all staff members on policies and procedures
related to PHI. (Compl. ¶ 196f–h.)
28. As a result of the Data Breach, Plaintiffs allege that they have spent, and
will continue to spend, significant time and effort monitoring their accounts to protect themselves from identity theft. (Compl. ¶¶ 54, 70, 84, 100, 110, 125, 143, 156.)
Plaintiff Higgins alleges that he has spent “multiple hours” taking steps to avoid
identity theft, including closely tracking his credit monitoring service, freezing and
closing his accounts, and carefully reviewing his accounts. (Compl. ¶ 156.) Plaintiff
Bungert claims to have spent over ten days (over fifty hours) “dealing with the
consequences of the Data Breach, which includes . . . self-monitoring his accounts.”
(Compl. ¶110.) All Plaintiffs anticipate continuing to spend considerable amounts of
time and money to try to mitigate future consequences of the Data Breach. (Compl.
¶¶ 61, 73, 91, 104, 132, 150, 158, 169.)
29. Stolen PII/PHI is a valuable commodity that reportedly can be worth up to
$1,000.00 depending on the type of information obtained. (Compl. ¶ 172.)
II. PROCEDURAL BACKGROUND
30. Plaintiffs filed this action on 23 December 2025 in Wake County Superior
Court, asserting causes of action for (1) negligence; (2) negligence per se; (3) breach of
implied contract; (4) invasion of privacy; (5) unjust enrichment; (6) violation of the
North Carolina Unfair and Deceptive Trade Practices Act (UDTPA); and (7)
declaratory judgment against Bojangles. (See generally Compl.)
31. On 5 February 2026, the case was designated to the Business Court and
assigned to the undersigned. (ECF Nos. 1–2.)
32. On 9 March 2026, Bojangles filed the Motion. (ECF No. 11.) Plaintiffs filed
their response on 30 March 2026. (ECF No. 15.) Bojangles replied on 9 April 2026.
(ECF No. 17.) 33. The Court held a hearing on the Motion on 3 June 2026. All parties were
present through counsel and had an opportunity to be heard. The Motion is now ripe
for disposition.
III. LEGAL STANDARD
34. As an initial matter, the Court must decide which state’s law to apply. Both
Plaintiffs and Bojangles argue that North Carolina law applies. (Def.’s Br. 7; Pls.’
Mem. L. Opp’n Def. Bojangles Restaurants, Inc.’s Mot. Dismiss [Pls.’ Opp’n] 6 n.1,
ECF No. 15.) Because Plaintiffs allege that “a substantial part of the events and
omissions giving rise to this action” occurred in North Carolina, (Compl. ¶ 20), the
Court agrees for purposes of the Motion. 1
35. “A motion to dismiss under Rule 12(b)(6) ‘tests the legal sufficiency of the
complaint.’ ” Design Gaps, Inc. v. Hall, 2024 NCBC LEXIS 64, at *6 (N.C. Super. Ct.
May 1, 2024) (quoting Isenhour v. Hutto, 350 N.C. 601, 604 (1999)). Dismissal of a
cause of action is proper if “(1) the complaint on its face reveals that no law supports
the plaintiff’s claim; (2) the complaint on its face reveals the absence of facts sufficient
to make a good claim; or (3) the complaint discloses some fact that necessarily defeats
the plaintiff’s claim.” Corwin v. Brit. Am. Tobacco, PLC, 371 N.C. 605, 615 (2018)
(citations omitted); see Sutton v. Duke, 277 N.C. 94, 103 (1970) (“[A] complaint should
not be dismissed for insufficiency unless it appears to a certainty that plaintiff is
entitled to no relief under any state of facts which could be proved in support of the
claim.” (citation and emphasis omitted)).
1 The Court may revisit this issue, if warranted, on a more developed record. 36. When deciding a motion to dismiss, the Court views the allegations in the
“light most favorable to the non-moving party.” Sykes v. Health Network Sols., Inc.,
372 N.C. 326, 332 (2019) (citation omitted). The issue for the Court “is not whether
[the] plaintiff will ultimately prevail but whether the plaintiff is entitled to offer
evidence to support the claim.” Brown v. Lumbermens Mut. Cas. Co., 90 N.C. App.
464, 471 (1988), aff’d, 326 N.C. 387 (1990).
37. North Carolina is a notice pleading state. See, e.g., Cadieu Tree Experts,
Inc. v. Wiedner, 2026 NCBC LEXIS 86, at *10 (N.C. Super. Ct. Apr. 15, 2026) (“North
Carolina remains a notice-pleading state, meaning a pleading filed in this state must
contain a short and plain statement of the claim sufficiently particular to give the
court and the parties notice of the transactions, occurrences intended to be proved
showing that the pleader is entitled to relief.” (citation modified)); PJC Mgmt. Grp.,
LLC v. Maaco Franchisor SPV LLC, 2026 NCBC LEXIS 92, at *8 (N.C. Super. Ct.
Apr. 22, 2026) (“North Carolina remains a notice pleading jurisdiction[.]”). With the
exception of specific causes of action such as fraud, which requires the pleading to be
particular in its facts, notice pleading affords “a sufficiently liberal construction of
complaints so that few fail to survive a motion to dismiss.” Jones v. J. Kim Hatcher
Ins. Agencies, Inc., 387 N.C. 489, 496 (2025) (citations omitted).
38. Nevertheless, the Court is not required “to accept as true allegations that
are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.”
Good Hope Hosp., Inc. v. N.C. HHS, Div. of Facility Servs., 174 N.C. App. 266, 274
(2005) (citation and internal quotation marks omitted); see also PJC Mgmt. Grp., LLC, 2026 NCBC LEXIS 92, at *9 (distinguishing causes of action that are pled
sufficiently from those that are not and holding that “threadbare allegations are
insufficient even under a simple notice-pleading standard”).
IV. ANALYSIS
39. Bojangles requests dismissal of all causes of action alleged against it. The
Court addresses each one below.
A. Negligence Per Se
40. Since the Motion was filed, Plaintiffs abandoned their claim for negligence
per se, (see Pls.’ Opp’n 14); accordingly, the Motion with respect to that claim is
uncontested. See BCR 7.6.
41. Plaintiffs allege that Bojangles committed negligence per se by “violat[ing]
its duty under Section 5 of the FTC[A]” and “its duty under HIPAA[.]” (Compl.
¶¶ 239, 244–45.) This Court previously determined that neither the FTCA nor
HIPAA is a public safety law and therefore neither can form the basis of a negligence
per se claim. See Weddle v. WakeMed Health, 2023 NCBC LEXIS 162, at *6–7 (N.C.
Super. Ct. Dec. 4, 2023) (“The negligence per se claim is untenable because neither
the FTC[A] . . . nor the HIPAA regulations are public safety laws. . . . Because
Plaintiffs have not alleged a violation of a public safety statute, they have failed to
state a claim for negligence per se.”).
42. Accordingly, the negligence per se claim shall be DISMISSED with
prejudice. 2
2 “The decision to dismiss an action with or without prejudice is in the discretion of the trial
court[.]” First Fed. Bank v. Aldridge, 230 N.C. App. 187, 191 (2013). B. Negligence
43. Bojangles contends that Plaintiffs’ negligence claim fails for three reasons:
(1) Plaintiffs have not pled a legally recognized duty of care; (2) Plaintiffs have not
alleged facts to support conclusory allegations of causation; and (3) Plaintiffs have
not alleged any actual damages but instead have engaged in speculation about what
might occur in the future. (Def.’s Br. 7–12.)
44. On the latter point, Bojangles highlights the speculative nature of the
damages, given that the Data Breach occurred more than two years ago, and only one
Plaintiff, Ruiz-Jacobs, has experienced a loss (an $80 charge to his debit card). With
respect to that loss, Bojangles contends the complaint is devoid of facts to support
causation. (Def.’s Br. 10–12.)
45. With respect to the increase in spam and scam calls that some Plaintiffs
claim to have experienced, Bojangles argues that Plaintiffs have not alleged that
telephone numbers were included in the list of PII/PHI involved in the Data Breach.
It concludes, therefore, that any increase in spamming or scamming that Plaintiffs
experienced could not have been caused by the Data Breach. (Def.’s Br. 10.)
46. Bojangles further argues that no North Carolina court has ever recognized
the time and expense of credit monitoring or the diminished value of PII/PHI as
sufficient injuries to support a negligence claim. (Def.’s Br. 11.) It contends that
Plaintiffs’ allegations of emotional harm are also insufficient under North Carolina
law. (Def.’s Br. 12.) 47. Plaintiffs respond that they have met their responsibility to allege breach
of a legal duty by alleging, among other things, that it was foreseeable that Bojangles’
failure to exercise due care in handling their PII/PHI could result in a data breach
that would expose their information to criminals and cause Plaintiffs harm. (Compl.
¶¶ 216–22.) They add that Bojangles’ duty extended to ensuring that Plaintiffs were
notified of the Data Breach within a reasonable timeframe. (Compl. ¶ 219d.)
According to Plaintiffs, courts applying North Carolina law have consistently found
these allegations sufficient to allege a duty of care at the motion to dismiss stage.
(Pls.’ Opp’n 8–10.)
48. Plaintiffs likewise argue that they have sufficiently alleged causation by
stating both that “[a]s a direct and traceable result” of Bojangles’ negligence, they
have suffered damages, and that Bojangles’ breach of its duty to exercise reasonable
care “actually and proximately caused” Plaintiffs damages. (Compl. ¶¶ 232, 234.)
The rest, they contend, is a question of fact to be decided by a jury. (Pls.’ Opp’n 11
n.5.)
49. Specifically referencing Ruiz-Jacobs’ $80 loss, Plaintiffs argue that
causation is adequately pled because the loss happened close in time to the Data
Breach, and a temporal relationship is enough to plead causation. (Compl. ¶ 102.) In
response to Bojangles’ assertion that Ruiz-Jacobs complains only about the theft of
his Social Security number and not his debit card number, Plaintiffs point to
paragraph 29 of the Complaint, which includes debit card numbers among the types
of PII/PHI that were compromised in the Data Breach. 50. As for the increase in spam and scam calls that some Plaintiffs allegedly
experienced, Plaintiffs contend that cybercriminals in possession of the other PII/PHI
compromised in the Data Breach – particularly Plaintiffs’ Social Security numbers –
could pair that information with other information available on the internet, such as
telephone numbers, and then sell dossiers (“Fullz” packages) to mass marketers.
Consequently, they attribute the increase in spam and scam activity to the likelihood
that the stolen PII/PHI was used in this manner. (Pls.’ Opp’n 11–12 n.5; Compl. ¶¶
175–77.)
51. Moving to damages, Plaintiffs respond that they have more than satisfied
their pleading obligation. In addition to Ruiz-Jacobs’ $80 loss, Plaintiffs point to their
allegations that their PII/PHI was posted on the dark web, making it readily
accessible to criminals and diminishing its value; that after the incident some of them
experienced an increase in spam and scam calls; that they have spent time and money
on mitigation efforts to protect their PII/PHI; and that they have suffered emotional
injury in the form of fear, anxiety, sleep disruption, stress, and frustration. (Pls.’
Opp’n 12–14; Compl. ¶¶ 171, 234.)
52. Negligence is defined as the “failure to exercise proper care in the
performance of some legal duty which the defendant owed the plaintiff, under the
circumstances in which they were placed.” Wood v. Guilford Cnty., 355 N.C. 161, 166
(2002) (citation modified). “To state a common law negligence claim, plaintiff must
show (1) a legal duty; (2) a breach thereof; and (3) injury proximately caused by the
breach.” Bridges v. Parrish, 366 N.C. 539, 541 (2013) (citation modified). 53. “The law imposes upon every person who enters upon an active course of
conduct the positive duty to exercise ordinary care to protect others from harm, and
[it] calls a violation of that duty negligence.” Fussell v. N.C. Farm Bureau Mut. Ins.
Co., 364 N.C. 222, 226 (2010) (quoting Council v. Dickerson’s Inc., 233 N.C. 472, 474
(1951)). “It is sufficient if by the exercise of reasonable care the defendant might have
foreseen that some injury would result from his conduct or that consequences of a
generally injurious nature might have been expected. Usually the question of
foreseeability is one for the jury.” Id. (citation modified) (quoting Slaughter v.
Slaughter, 264 N.C. 732, 735 (1965)).
54. In this case, Plaintiffs adequately allege that Bojangles had a legal duty to
protect their data. They allege that it was foreseeable that cybercriminals like
Hunters would attempt a data breach and that they would be successful given
Bojangles’ inadequate security measures. (Compl. ¶¶ 180–83, 216, 218, 222, 224–25.)
They further allege that Bojangles had a duty to notify them of the Data Breach
within a reasonable timeframe. (Compl. ¶ 219d.)
55. Courts applying North Carolina law in data breach cases have found that
one in possession of another’s PII/PHI has a duty of care to safeguard and protect
that information. See Curry v. Schletter Inc., No. 1:17-cv-0001-MR-DLH, 2018 U.S.
Dist. LEXIS 49442, at *9–10 (W.D.N.C. Mar. 26, 2018) (declining to dismiss a
negligence claim in an employer-employee data breach case when the plaintiffs
alleged that “Defendant had a duty to exercise reasonable care to protect [plaintiffs’]
confidential information”); see also Weddle, 2023 NCBC LEXIS 162, at *8–9 (finding a duty of care in a data breach case when a hospital allegedly mishandled patients’
confidential information); Rodriguez v. FastMed Urgent Care, Inc., 2025 NCBC
LEXIS 33, at *8–11 (N.C. Super. Ct. Mar. 25, 2025) (same); Williams v. DukeHealth,
No. L22-CV-727, 2024 U.S. Dist. LEXIS 58377, at *31 (M.D.N.C. Mar. 1, 2024)
(finding “Defendant had a duty of care to protect Plaintiff’s privacy in her medical
records and that HIPAA, among other statutes, informed that standard of care”). 3
This Court also concludes that Plaintiffs have adequately alleged a duty on the part
of Bojangles to exercise reasonable care to protect their PII/PHI and to inform them
of the Data Breach in a reasonable time period after its occurrence.
56. As for causation, Plaintiffs have again satisfied their pleading obligation.
They allege that Bojangles’ breach of its duty to them resulted in the Data Breach
that harmed them. (Compl. ¶¶ 229, 234.) Plaintiffs further allege that by failing to
provide timely notice of the Data Breach, Bojangles exacerbated that harm. (Compl.
¶ 230.) Plaintiffs add that they have or will suffer damages “[a]s a direct and
traceable result of [Bojangles’] negligence[.]” (Compl. ¶ 232.) Nothing more is
required at this stage. Demarco v. Charlotte-Mecklenburg Hosp. Auth., 268 N.C. App.
334, 341 (2019) (“Because the complaint adequately recites the element of causation,
an issue of fact for the jury to decide, plaintiff has made a sufficient pleading of
causation under Rule 12(b)(6).”); Acosta v. Byrum, 180 N.C. App. 562, 568–69 (2006)
3 Contra Cedarbrook Residential Ctr., Inc. v. N.C. HHS, 383 N.C. 31, 61, 63 (2022) ( “Plaintiffs
. . . failed to allege any facts or to cite any legal authority in support of their contention that the department owed them a legally recognized duty of care.” Specifically, “the relevant duty of care runs to the person or persons whom the agency’s regulatory actions were intended to protect rather than to the entity being regulated.” (emphasis added)). (“Questions of proximate cause and foreseeability are questions of fact to be decided
by the jury.” (citations omitted)).
57. Lastly, Plaintiffs are required to allege damages in order to plead a claim
for negligence. See Comm. to Elect Forest v. Employees PAC, 376 N.C. 558, 596 (2021)
(“[T]he proper disposition for failure to allege actual injury or damages
is . . . dismissal for failure to state a claim upon which relief can be granted.” (citing
Hansley v. Jamesville & W.R. Co., 115 N.C. 602, 613 (1894) (“Neither negligence
without damage nor damage without negligence will constitute any cause of
action.”))). 4
58. In Rodriguez, a case involving technology that collected and transmitted
the plaintiff’s confidential information to a third party without her consent, the
plaintiff brought a negligence claim and alleged emotional damages similar to those
alleged here. In rejecting the defendant’s contention that the plaintiff’s description
of her damages as “embarrassment, humiliation, emotional harm, and distress” was
insufficient at the pleading stage, this Court held that the plaintiff’s allegations
cleared the “low bar” of notice pleading. Rodriguez, 2025 NCBC LEXIS 33, at *12–
13 (citing Royster v. McNamara, 218 N.C. App. 520, 530–33 (2012) (determining
allegation that plaintiff “[was] forced to undergo humiliation and emotional damage”
were sufficient in connection with a negligence claim)).
4 Bojangles argues that this Court should follow the lead of the United States District Court
for the Western District of North Carolina, which previously dismissed this action for lack of standing. See Dougherty v. Bojangles’ Rests., Inc., No. 3:25-CV-00065-KDB-DCK, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sep. 30, 2025). While this Court takes note of the federal court’s reasoning, it does not hold Plaintiffs to the standard for standing applied in the federal court when pleading damages in this Court. See Comm. to Elect Forest, 376 N.C. at 607–08. 59. Unlike tort claims for infliction of emotional distress, which require a
plaintiff to plead a disabling mental condition, Plaintiffs here assert that they
suffered damages of a “pain and suffering” nature caused by Bojangles’ alleged
negligence. Our Court of Appeals addressed this distinction:
Defendant also argues that plaintiff cannot recover general damages for pain and suffering without proof of “severe emotional distress.” This argument confuses the “severe emotional distress” that is an essential element of a claim for negligent or intentional infliction of emotional distress, with the emotional suffering that may be part of a claim seeking damages for general “pain and suffering.” Defendant cites no cases in support of the proposition that the psychological component of damages for “pain and suffering” must meet the same standard as the element of “severe emotional distress” that is part of claims for infliction of emotional distress, and we find none. Accordingly, we reject defendant’s argument.
Iadanza v. Harper, 169 N.C. App. 776, 780 (2005).
60. Plaintiffs also allege economic damages in the form of diminished value of
their PII/PHI, the costs they have incurred and will continue to incur to monitor for
fraud and mitigate its effects, and the lost “benefit of the bargain.” (Compl. ¶¶ 71,
171, 234.) Contrary to Bojangles’ argument that these are damages that Plaintiffs
might incur in the future and are, therefore, too speculative to state a claim, Plaintiffs
allege that these damages currently exist.
61. In Capiau v. Ascendum Mach., Inc., No. 3:24-cv-00142-MOC-SCR, 2024
U.S. Dist. LEXIS 142393 (W.D.N.C. Aug. 8, 2024), the United States District Court
for the Western District of North Carolina held that allegations of damages stemming
from “([1]) actual mis-use of [plaintiff’s] PII; (2) an intangible harm fairly analogous
to common law invasion of privacy; (3) the substantial risk that Plaintiff’s PII will continue to be mis-used in the future; and (4) opportunity and other costs imposed by
reasonable mitigation efforts intended to address the substantial risk of PII mis-use”
were sufficient to survive a motion to dismiss. Id. at *26. So too, here. See In re
Marriott Int’l, Inc., 440 F. Supp. 3d 447, 494 (D. Md. 2020) (time and money spent
mitigating harm and loss of value of personal information recognized as damages in
negligence action); see also Holmes v. Elephant Ins. Co., 156 F.4th 413, 425–26 (4th
Cir. 2025) (holding that two plaintiffs who alleged that they had their driver’s license
numbers listed on the dark web against their wishes suffered a concrete injury
sufficient to give them Article III standing to seek damages). 5
62. In sum, Plaintiffs have adequately alleged that Bojangles breached a duty
it owed them and that the breach caused them damage. Accordingly, Bojangles’
Motion with respect to Plaintiffs’ negligence claim shall be DENIED.
C. Breach of Implied Contract
63. Bojangles contends that Plaintiffs have not stated a claim for breach of
implied contract because there are no allegations of mutual assent or meeting of the
minds and because, as with the negligence claim, Plaintiffs have failed to allege any
damages. (Def.’s Br. 14–16.) Specifically, Bojangles argues that Plaintiffs’ reliance
on Bojangles’ privacy policy fails because (a) Bojangles did not promise to be
contractually bound to any privacy standards, 6 and (b) Plaintiffs do not allege that
5 In addition, Plaintiff Ruiz-Jacobs has alleged an actual injury in the form of $80 in fraudulent charges to his debit card which, he alleges upon information and belief, was caused by the Data Breach. (Compl. ¶ 102.)
6 In fact, as Bojangles argues, the privacy policy states “[w]e make commercially reasonable
efforts for secure handling of this information, but we cannot guarantee our security they read or were even aware of the privacy policy when they gave Bojangles their
PII/PHI. (Def.’s Br. 15.)
64. Plaintiffs respond that implied contracts do not require an express
agreement, and whether there was a meeting of the minds is one for the trier of fact.
(Pls.’ Opp’n 15.) Plaintiffs further contend that federal courts applying North
Carolina law have recognized that the promise to safeguard private information is
inherent in any transaction in which one is required to entrust their confidential
information, especially when the relationship is that of employer and employee. (Pls.’
Opp’n 16–18.) Finally, Plaintiffs argue that their allegation that Bojangles’ privacy
policy imposes a commitment on Bojangles to safeguard its employees’ PII/PHI is
sufficient to state a claim. (Pls.’ Opp’n 18–19.)
65. “The elements of a claim for breach of contract are (1) existence of a valid
contract and (2) breach of the terms of that contract.” Johnson v. Colonial Life &
Accident Ins. Co., 173 N.C. App. 365, 369 (2005) (quoting Poor v. Hill, 138 N.C. App.
19, 26 (2000)). “[A] valid contract requires (1) assent; (2) mutuality of obligation; and
(3) definite terms.” Charlotte Motor Speedway, LLC v. Cnty. of Cabarrus, 230 N.C.
App. 1, 7 (2013) (citing Schlieper v. Johnson, 195 N.C. App. 257, 265 (2009)).
66. “[A] contract implied in fact arises where the intent of the parties is not
expressed, but an agreement in fact, creating an obligation, is implied or presumed
from their acts.” Creech v. Melnik, 347 N.C. 520, 526 (1998) (citing Snyder v.
Freeman, 300 N.C. 204, 217 (1980)). “An implied contract is as valid and enforceable
measures.” Privacy Policy, BOJANGLES, https://www.bojangles.com/privacy-policy/ (last visited June 23, 2026) (emphasis added). as an express contract, but mutual assent is determined from the parties’ actions,
rather than an express agreement.” Edwards v. PFA Architects, P.A., 2017 NCBC
LEXIS 56, at *10 (N.C. Super. Ct. June 29, 2017) (citation omitted); see Synder, 300
N.C. at 218 (“With regard to a contract implied in fact, one looks not to some express
agreement, but to the actions of the parties showing an implied offer and
acceptance.”). “Whether mutual assent is established and whether a contract was
intended between parties are questions for the trier of fact.” Id. at 217 (citing Storey
v. Stokes, 178 N.C. 409, 411 (1919)).
67. The Capiau decision from the Western District of North Carolina and the
recent decision in Midkiff v. Shoe Show, Inc., No. 1:24-cv-858, 2026 U.S. Dist. LEXIS
66944 (M.D.N.C. Mar. 30, 2026), both applying North Carolina law, are instructive.
Both cases involved plaintiffs who were required to provide their personal
confidential information to their employers. Both courts held that in such a scenario,
the employer has an implicit obligation to adequately safeguard the information it
receives. See Capiau, 2024 U.S. Dist. LEXIS 142393, at *30 (“As a condition of
Plaintiff’s employment, Defendant required Plaintiff to provide to Defendant his PII.
The requirement that Plaintiff provide Defendant his PII vested in Defendant an
implicit obligation to adequately safeguard Plaintiff’s PII.” (citation omitted));
Midkiff, 2026 U.S. Dist. LEXIS 66944, at *40 (“Plaintiffs have alleged an employment
relationship between [plaintiff] and Defendant, a condition of which was [plaintiff]’s
provision of her PII to Defendant. . . . Such a factual allegation creates the reasonable
inference that an implied contract to protect that PII exists.” (citation omitted)). 68. Likewise, Plaintiffs in this case allege that “[a]s a condition of [their]
employment with [Bojangles]” they were required to provide their PII/PHI. (Compl.
¶¶ 48, 64, 78, 94, 119, 137, 154.) Plaintiffs allege that they “trusted [Bojangles] would
use reasonable measures to protect it according to [Bojangles’] internal polices, as
well as state and federal law.” (Compl. ¶¶ 49, 79, 120, 138.) Bojangles’ policy
promised (but did not guarantee) that Bojangles would protect the information
against theft and that Bojangles would make “commercially reasonable efforts” for
the secure handling of the information. (Compl. ¶ 26b.) These allegations are
sufficient to plead the existence of an implied contract. 7
69. Bojangles’ argument that Plaintiffs have failed to allege damages is also
not persuasive. “In a suit for damages for breach of contract, proof of the breach
would entitle[] the plaintiff to nominal damages at least.” Bryan Builders Supply v.
Midyette, 274 N.C. 264, 271 (1968) (quoting Bowen v. Fid. Bank, 209 N.C. 140, 144
(1936)).
70. Accordingly, Plaintiffs’ claim for breach of implied contract survives.
Bojangles’ Motion with respect to this claim shall be DENIED.
D. Invasion of Privacy
71. Bojangles contends that Plaintiffs’ invasion of privacy claim fails because
(1) North Carolina does not recognize a cause of action for public disclosure of private
7 Bojangles’ argument that Plaintiffs have not alleged the terms of the implied agreement is
also unavailing. “[I]t will be for the trier of fact to determine on what terms there was a meeting of the minds and thus what terms are included in the alleged contract on which Plaintiffs will ultimately need to demonstrate breach to prevail.” Weddle, 2023 NCBC LEXIS 162, at *13–14 (quoting Lannan v. Bd. of Governors of the Univ. of N.C., 285 N.C. App. 574, 598 (2022)). facts; and (2) a claim based on the theory of intrusion into seclusion does not exist
because Plaintiffs willingly shared their information with Bojangles. (Def.’s Br. 16–
18.)
72. Plaintiffs respond that they have sufficiently alleged a claim for intrusion
into seclusion. (Pls.’ Opp’n 19.) Citing Toomer v. Garrett, 155 N.C. App. 462 (2002),
they contend that the North Carolina Court of Appeals allowed a claim for intrusion
into seclusion in a similar factual situation. (Pls.’ Opp’n 20–21.)
73. The Supreme Court of North Carolina has held that “claims for invasions
of privacy by publication of true but ‘private’ facts are not cognizable at law in this
State.” Hall v. Post, 323 N.C. 259, 265 (1988) (emphasis in original). Accordingly, to
the extent Plaintiffs attempt that claim, the Motion shall be GRANTED.
74. However, “[t]he tort of invasion of privacy by intrusion into seclusion has
been recognized in North Carolina and is defined as the intentional intrusion
‘physically or otherwise, upon the solitude or seclusion of another or his private
affairs or concerns . . . [where] the intrusion would be highly offensive to a reasonable
person.’ ” Toomer, 155 N.C. App. at 479 (quoting Miller v. Brooks, 123 N.C. App. 20,
26–27 (1996)). “Generally, there must be a physical or sensory intrusion or an
unauthorized prying into confidential personal records to support a claim for invasion
of privacy by intrusion.” Broughton v. McClatchy Newspapers, Inc., 161 N.C. App.
20, 29 (2003) (citations omitted). “The kinds of intrusions that have been recognized
under this tort include ‘physically invading a person’s home or other private place,
eavesdropping by wiretapping or microphones, peering through windows, persistent telephoning, unauthorized prying into a bank account, and opening personal mail of
another.’ ” Toomer, 155 N.C. App. at 479–80 (quoting Hall v. Post, 85 N.C. App. 610,
615 (1987), rev’d on other grounds, 323 N.C. 259 (1988)).
75. Invasion of privacy by intrusion into seclusion is an intentional tort. See
Capiau, 2024 U.S. Dist. LEXIS 142393, at *33 (“Defendant’s intent is . . . an essential
element of Plaintiff’s invasion of privacy claim.”). In this case, Plaintiffs allege that
Bojangles acted with “a knowing state of mind when it permitted the Data Breach
because it knew its information security practices were inadequate” and also when it
failed to give Plaintiffs timely notice of the Data Breach. (Compl. ¶¶ 270–71.)
Nowhere, however, do Plaintiffs allege that Bojangles intentionally intruded into
their affairs. To the contrary, they allege that they willingly provided their PII/PHI
to Bojangles. See, e.g., Weddle, 2023 NCBC LEXIS 162, at *10–11 (granting a motion
to dismiss on an invasion of privacy claim when plaintiffs alleged “that they
voluntarily shared sensitive information with [defendant] and that [defendant] then
gave Meta unauthorized access to that information”); Fisher v. Commc’n. Workers of
Am., 2008 NCBC LEXIS 19, at *16 (N.C. Super. Ct. Oct. 30, 2008) (finding no claim
for invasion of privacy when the defendants properly received the plaintiffs’ Social
Security numbers and then posted them on a public bulletin board); Alexander v. City
of Greensboro, 762 F. Supp. 2d 764, 816 (M.D.N.C. 2011) (“Because [Defendant]
properly received this information, her disclosure of it did not constitute intrusion
into seclusion, so Plaintiffs cannot rely upon this disclosure for their invasion of
privacy claim.”); Sabrowski v. Albani-Bayeux, Inc., No. 1:02CV00728, 2003 U.S. Dist. LEXIS 23242, at *38 (M.D.N.C. Dec. 19, 2003) (holding that “wrongful dissemination
of Plaintiff’s confidential information would not be recognized as the tort of
intrusion”).
76. In contrast, the court in Toomer allowed a claim for intrusion into seclusion
to proceed past the motion to dismiss stage because the plaintiff alleged that the
defendant undertook the “unauthorized examination of the contents of one’s
personnel file[.]” 155 N.C. App. at 480. Missing here are allegations of that
unauthorized examination on Bojangles’ part. See Weddle, 2023 NCBC LEXIS 162,
at *11–12 (collecting cases distinguishing Toomer on this point).
77. Because Plaintiffs have not alleged a claim against Bojangles for invasion
of privacy based on a theory of intrusion into seclusion, Bojangles’ Motion with
respect to this claim shall be GRANTED.
E. Unjust Enrichment
78. Bojangles argues that this claim fails because Plaintiffs received
compensation in exchange for their employment and have not pled that they expected
Bojangles to provide any other benefit. (Def.’s Br. 19.) Plaintiffs respond that unjust
enrichment claims are routinely permitted in data breach cases where the allegations
are that the defendant accepted the benefit of the plaintiff’s confidential information
but did not implement proper safety measures to protect that information. (Pls.’
Opp’n 21–23.)
79. “[W]here services are rendered and expenditures made by one party to or
for the benefit of another, without an express contract to pay, the law will imply a promise to pay a fair compensation therefor.” Atl. Coast Line R.R. Co. v. State
Highway Com., 268 N.C. 92, 95–96 (1966) (citing Beacon Homes, Inc. v. Holt, 266 N.C.
467, 472 (1966)). To state a claim for unjust enrichment, Plaintiffs must allege that:
(1) they conferred a benefit on another party; (2) the other party consciously accepted
the benefit; and (3) the benefit was not conferred gratuitously or by an interference
in the affairs of the other party. See Booe v. Shadrick, 322 N.C. 567, 570 (1988).
80. Bojangles relies on Weddle for the proposition that when plaintiffs do not
expect to receive a benefit that is specific to the provision of their personal
information, an unjust enrichment claim fails. 2023 NCBC LEXIS 162, at *14
(plaintiffs “do not allege that they expected to receive any other compensation or
benefit, apart from medical services, in return for their personal information”). In
this case, however, Plaintiffs do allege that they expected to receive a benefit.
Plaintiffs allege that they reasonably understood that, in exchange for receiving their
PII/PHI, Bojangles “would use adequate cybersecurity measures to protect the
PII/PHI[.]” (Compl. ¶ 282.) They further allege that Bojangles avoided “its data
security obligations at the expense of Plaintiffs . . . by utilizing cheaper, ineffective
security measures.” (Compl. ¶ 284.) These allegations are sufficient to survive a
motion to dismiss. See, e.g., Capiau, 2024 U.S. Dist. LEXIS 142393, at *35 (unjust
enrichment adequately pled where “Defendant allegedly accepted the benefits
accompanying Plaintiff’s data without implementing adequate safeguards to protect
Plaintiff’s PII”); Midkiff, 2026 U.S. Dist. LEXIS 66944, at *42 (“In the data breach
context, courts have held that an unjust enrichment claim can lie even where the benefit conferred is not monetary and that a defendant cannot be heard to argue that
defendant was indifferent to plaintiff’s provision of PII, since such provision was a
condition of plaintiff’s employment.” (citation modified)).
81. Plaintiffs’ allegations are sufficient to plead a claim for unjust enrichment.
Accordingly, Bojangles’ Motion with respect to this claim shall be DENIED.
F. Unfair and Deceptive Trade Practices
82. To establish a claim under the UDTPA, a complaint must allege that “(1)
defendant committed an unfair or deceptive act or practice, (2) the action in question
was in or affecting commerce, and (3) the act proximately caused injury to the
plaintiff.” Value Health Sols., Inc. v. Pharm. Rsch. Assocs., Inc., 385 N.C. 250, 277
(2023) (quoting SciGrip, Inc. v. Osae, 373 N.C. 409, 426 (2020)); see also N.C.G.S.
§ 75-1.1.
83. “A practice is unfair when it offends established public policy as well as
when the practice is immoral, unethical, oppressive, unscrupulous, or substantially
injurious to consumers[.]” Bumpers v. Cmty. Bank of N. Va., 367 N.C. 81, 91 (2013)
(quoting Walker v. Fleetwood Homes of N.C., Inc., 362 N.C. 63, 72 (2007)). “A practice
is deceptive if it has the capacity or tendency to deceive.” Id. (citation modified)
(quoting Walker, 362 N.C. at 72).
84. Alleging that the defendant merely breached a contract is not enough.
Birtha v. Stonemor, N.C., LLC, 220 N.C. App. 286, 298 (2012) (“It is well recognized
that . . . a mere breach of contract, even if intentional, is not sufficiently unfair or
deceptive to sustain an action under [the UDTPA].” (citation modified)). Instead, “a plaintiff must show substantial aggravating circumstances attending the breach to
recover under [the UDTPA.]” Branch Banking & Tr. Co. v. Thompson, 107 N.C. App.
53, 62 (1992) (citation modified).
85. A UDTPA plaintiff also must show that he or she suffered actual harm.
Jackson v. Home Depot U.S.A., Inc., 388 N.C. 109, 120 (2025). “[S]peculative
allegations of possible harm in the future are simply insufficient to establish the
actual injury necessary to support a claim under the UDTPA.” Precision Links Inc.
v. USA Prods. Grp., No. 3:08cv576, 2009 U.S. Dist. LEXIS 23926, at *7–8 (W.D.N.C.
Mar. 25, 2009) (collecting cases).
86. Bojangles first argues that, to the extent Plaintiffs try to frame their
UDTPA allegations as fraudulent omissions, the allegations must meet Rule 9(b)’s
particularity requirements. (Def.’s Br. 22–23.) Plaintiffs respond that their
allegations are premised on unfair conduct, not fraud, so they do not need to be
alleged with particularity. (Pls.’ Opp’n 24.)
87. Bojangles is correct that when a UDTPA claim is premised on fraudulent
conduct, Rule 9(b) requires that it be pled with particularity. See Botanisol Holdings
II, LLC v. Propheter, 2021 NCBC LEXIS 94, at *24–25 (N.C. Super. Ct. Oct. 18, 2021)
(“With respect to the Rule 9(b) standard, because the Chapter 75 claim is premised
on deceptive conduct, the heightened pleading standard of Rule 9(b) applies.”); see
also Topshelf Mgmt., Inc. v. Campbell-Ewald Co., 117 F. Supp. 3d 722, 731 (M.D.N.C.
2015) (“Rule 9(b) applies to [UDTPA] claims alleging detrimental reliance on false or
deceptive representations.”). However, “Rule 9(b) does not apply to [UDTPA] claims that do not sound in fraud.” Capiau, 2024 U.S. Dist. LEXIS 142393, at *36–37
(collecting cases).
88. In this case, some of the allegations underlying Plaintiffs’ UDTPA claim
sound in fraud. For example, Plaintiffs specifically allege that Bojangles violated the
UDTPA by “omitting, suppressing, and concealing the material fact that it did not
reasonably or adequately secure Plaintiffs’ . . . PII/PHI[.]” (Compl. ¶ 290d.)
However, at the hearing on the Motion, Plaintiffs’ counsel conceded that Plaintiffs
were not pursuing a claim for deceptive conduct; rather, Plaintiffs’ counsel argued,
Plaintiffs’ claim is limited to Bojangles’ alleged unfair conduct. Given this concession,
the Court does not analyze the claim as one for deception. That does not end the
inquiry, however.
89. A recent decision from the United States District Court for the Western
District of North Carolina, applying North Carolina law, held that failure to
implement and maintain reasonable data security measures may be unfair conduct
that amounts to a violation of the North Carolina UDTPA. The court allowed a claim
with similar facts to this one to survive a motion to dismiss. See Capiau, 2024 U.S.
Dist. LEXIS 142393, at *37 (“To the extent that Plaintiff’s [UDTPA] claim pertains
to Defendant’s allegedly unfair business practices–i.e., Defendant’s failure to
implement and maintain adequate cybersecurity measures and to warn Plaintiff of
the breach–Defendant’s motion will be denied.”); cf. Midkiff, 2026 U.S. Dist. LEXIS
66944, at *46 (deferring resolution of the UDTPA claim until further discovery
because “the factual record is relatively sparse as to Defendant’s practices in collecting, storing, and using Plaintiffs’ PII and Defendant’s actions in response to
the data breach”).
90. In the instant case, Plaintiffs likewise allege that Bojangles failed to
“implement and maintain reasonable security and privacy measures[,]” and that it
“fail[ed] to comply with common law and statutory duties pertaining to the security
and privacy of Plaintiffs’ . . . PII/PHI[.]” (Compl. ¶ 290a, c.) These allegations satisfy
the notice pleading standard. Accordingly, the Motion shall be DENIED. 8 See Hilco
Transp., Inc. v. Atkins, 2016 NCBC LEXIS 5, at *24 n.5 (N.C. Super. Ct. Jan. 15,
2016) (concluding that a UDTPA claim based on unfair practices was sufficiently pled
even though “[m]ore-detailed allegations may be required for a [UDTPA] claim to
survive dismissal under Rule 12(b)(6) when the claim is predicated on allegations of
deceptive conduct.” (citations omitted)).
G. Declaratory Judgment and Injunctive Relief
91. Plaintiffs allege upon information and belief that Bojangles’ security
procedures were “and still are” inadequate. (Compl. ¶ 300.) They request that the
Court enter a judgment declaring that: (1) Bojangles owed, and continues to owe, a
legal duty to use reasonable data security measures to secure data entrusted to it; (2)
Bojangles has a duty to notify impacted individuals of the Data Breach; (3) Bojangles
breached, and continues to breach, its duties by failing to use reasonable measures to
8 The parties have not presented a case, and the Court has not unearthed one, stating that a
violation of the FTCA is a per se violation of the UDTPA. See Ken-Mar Finance v. Harvey, 90 N.C. App. 362, 367 (1988) (“We also note that had the FTC regulation been in effect, violation of its provisions would not, as defendant contends, constitute a per se violation of [the UDTPA]. The regulation would serve only as guidance in construing this statute.”). the data entrusted to it; and (4) Bojangles’ breaches of its duties caused, and continue
to cause, injuries to Plaintiffs. (Compl. ¶ 301.) They further request that the Court
issue an injunction requiring Bojangles to implement “adequate security consistent
with industry standards” to protect their PII/PHI. (Compl. ¶ 302.) Plaintiffs allege
that if an injunction is not issued, and if Bojangles experiences a second data breach,
they will suffer “irreparable injury.” (Compl. ¶ 303.)
92. Bojangles responds that there is no actual controversy in this case because
Plaintiffs have suffered no loss even though more than two years have passed since
the Data Breach. It contends that Plaintiffs’ alleged harms are hypothetical and
cannot be the basis for a declaratory judgment. (Def.’s Br. 24.) As for Plaintiffs’
request for injunctive relief, Bojangles contends that their allegations of imminent
harm are unwarranted based on the facts. (Def.’s Br. 24.)
93. The Declaratory Judgment Act provides:
Any person interested under a deed, will, written contract or other writings constituting a contract, or whose rights, status or other legal relations are affected by a statute, municipal ordinance, contract or franchise, may have determined any question of construction or validity arising under the instrument, statute, ordinance, contract, or franchise, and obtain a declaration of rights, status, or other legal relations thereunder. A contract may be construed either before or after there has been a breach thereof.
N.C.G.S. § 1-254.
94. Here, Plaintiffs allege that an actual controversy exists because Bojangles
maintains possession of their PII/PHI and, they believe, continues to fail to
implement appropriate and adequate security measures. (Compl. ¶¶ 71, 101, 300.)
These allegations are enough to state a claim for declaratory judgment. See, e.g., In re Moveit Customer Data Sec. Breach Litig., No. 23-md-3083-ADB-PGL, 2025 U.S.
Dist. LEXIS 147106, at *151 (D. Mass. July 31, 2025) (“An allegation of continued
inadequacy of a defendant’s security measures substantiates a claim for declaratory
judgment in a data breach case.” (citation modified)); In re Cap. One Consumer Data
Sec. Breach Litig., 488 F. Supp. 3d 374, 414 (E.D. Va. 2020) (declining to dismiss a
declaratory judgment claim when plaintiffs alleged “that there remains a dispute over
the security of plaintiffs’ PII, which continues to be stored on [defendant]’s servers
and remain subjected to a heightened risk of access and misuse by hackers”); In re
Home Depot, Inc., No. 1:14-md-2583-TWT, 2016 U.S. Dist. LEXIS 65111, at *32 (N.D.
Ga. May 17, 2016) (“The plaintiffs have pleaded that the defendant’s security
measures continue to be inadequate and that they will suffer substantial harm. The
plaintiffs have pleaded sufficient facts to survive a motion to dismiss regarding a
future breach.”).
95. Accordingly, Bojangles’ Motion with respect to Plaintiffs’ claim for
declaratory judgment shall be DENIED. 9
V. CONCLUSION
96. WHEREFORE, the Court ORDERS as follows:
a. With respect to the First Cause of Action (Negligence), the Third
Cause of Action (Breach of Implied Contract), the Fifth Cause of
Action (Unjust Enrichment), the Sixth Cause of Action (Violation of
North Carolina Unfair and Deceptive Trade Practices Act), and the
9 A more complete record is necessary to address Plaintiffs’ request for injunctive relief. Seventh Cause of Action (Declaratory Judgment), the Motion is
DENIED.
b. With respect to the Second Cause of Action (Negligence per se) and
the Fourth Cause of Action (Invasion of Privacy), the Motion is
GRANTED, and those claims are DISMISSED WITH
PREJUDICE.
SO ORDERED, this the 29th day of June, 2026.
/s/ Julianna T. Earp Julianna T. Earp Special Superior Court Judge for Complex Business Cases