Gales v. Ohio Lottery Comm.

2025 Ohio 5189

• Court: Ohio Court of Claims
• Decided: October 31, 2025
• Docket: 2024-00434JD
• Status: Published

Opinion

[Cite as Gales v. Ohio Lottery Comm., 2025-Ohio-5189.]

IN THE COURT OF CLAIMS OF OHIO

TERRI GALES, et al. Case No. 2024-00434JD

Plaintiffs Judge David E. Cain

v. DECISION

OHIO LOTTERY COMMISSION

Defendant

{¶1} Before the court and ripe for consideration is defendant’s motion to dismiss plaintiffs’ consolidated amended complaint. For the reasons stated below, the court GRANTS the motion.

Relevant Background {¶2} This proposed class action arises from defendant, Ohio Lottery Commission (OLC), informing plaintiffs on May 8, 2024, that an unauthorized cybersecurity incident (data breach) was detected on December 24, 2023, which potentially exposed plaintiffs’ non-public personal identifying information (PII). See Consolidated Amended Class Action Complaint, ¶ 12-109. The consolidated amended complaint alleges that OLC is liable to plaintiffs and all those similarly situated in tort, contract, and equity for injuries resulting from identity theft because OLC failed to reasonably secure their PII with adequate cybersecurity and, thereafter, failed to timely detect the data breach and inform plaintiffs of the same. Id. {¶3} Specifically, plaintiffs allege that they were required to provide their PII to participate in or receive payment for winning lottery prizes from OLC’s online digital games. Id. at ¶ 14. According to the consolidated amended complaint, plaintiffs felt secure providing the necessary PII because OLC maintains a privacy policy “in furtherance of Revised Code Chapter 1347” and ensures that it “will follow Ohio state laws that require the establishment of reasonable precautions to prevent personal Case No. 2024-00434JD -2- DECISION

information from unauthorized modification, destruction, use, or disclosure.” Id. at ¶ 16- 17. Through its privacy policy, OLC represents the following: We take very seriously the integrity of the information and systems that we maintain. Therefore, we have instituted security measures for information systems under our control. These security measures are designed to identify attempts to tamper with this Web site. Information collected through these security measures may be used in connection with a criminal prosecution or other legal proceedings. Id. at ¶ 17. Moreover, OLC’s privacy policy indicates that it “uses the industry-standard Secure Socket Layers (SSL) protocol which provides data encryption, message integrity, and server authentication . . . .” Id. Notwithstanding, plaintiffs allege their “PII was targeted because of the ability of the hackers to attempt to steal and/or steal [their] entitlement to benefits to be paid” by OLC. Id. at ¶ 34. Moreover, plaintiffs conclude that “[t]he occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more [reasonable security measures] to prevent cyberattacks, resulting in the Data Breach.” Id. at ¶ 62. {¶4} As a result, plaintiffs assert claims for breach of implied contract, unjust enrichment, negligence, negligence per se, breach of fiduciary duty, and invasion of privacy. In its motion to dismiss these claims, OLC argues that (1) it is entitled to sovereign immunity, (2) plaintiffs lack standing because they fail to allege any concrete and traceable injury; and (3) plaintiffs fail to state any claim upon which relief can be granted. In response, plaintiffs argue they have standing because the consolidated amended complaint alleges eight harms—five of which apply to all plaintiffs and three of which are unique to only certain plaintiffs—that are traceable to OLC’s lax network security. Additionally, plaintiffs argue that they have stated cognizable claims because a duty to protect PII as well as a contractual obligation to do so can be inferred from the surrounding circumstances, state and federal statutory laws, industry standard, and OLC’s privacy policies. In reply, OLC reiterates its position that plaintiffs fail to state any claims otherwise cognizable in the Court of Claims.

Standard of Review Case No. 2024-00434JD -3- DECISION

{¶5} When deciding a motion to dismiss based on lack of subject-matter jurisdiction, a court must determine “whether any cause of action cognizable by the forum has been raised in the complaint.” State ex rel. Bush v. Spurlock, 42 Ohio St.3d 77, 80 (1989). To determine whether a complaint raises a cognizable cause of action, “the court must look beyond the language used in the complaint and examine the underlying nature of the claims.” Guillory v. Ohio Dept. of Rehab. & Corr., 2008-Ohio-2299, ¶ 11 (10th Dist.). Moreover, “[t]he mere fact that claims in a complaint are couched in certain legal terms is insufficient to confer jurisdiction upon a court.” Id. {¶6} When a court has subject-matter jurisdiction and must determine whether dismissal is appropriate under Civ.R. 12(B)(6), a court must “presume that all factual allegations of the complaint are true and make all reasonable inferences in favor of the non-moving party.” Mitchell v. Lawson Milk Co., 40 Ohio St.3d 190, 192 (1988). Before a court may dismiss a complaint, it must appear beyond doubt that “plaintiff can prove no set of facts entitling him to recovery.” O’Brien v. Univ. Community Tenants Union, Inc., 42 Ohio St.2d 242, 242 (1975). {¶7} However, the court is “not bound to accept as true a legal conclusion couched as a factual allegation.” (Cleaned up.) Stainbrook v. Ohio Secretary of State, 2017-Ohio- 1526, ¶ 11 (10th Dist.). Indeed, “[o]nly claims supported by factual allegations can avoid dismissal.” Id., citing Haas v. Vill. of Stryker, 2013-Ohio-2476, ¶ 10 (6th Dist.). To that end, it is well settled that a “motion to dismiss for failure to state a claim upon which relief can be granted is procedural and tests the sufficiency of the complaint.” Short v. Ohio Dept. of Job & Family Servs., 2025-Ohio-2604, ¶ 16 (10th Dist.).

Law and Analysis {¶8} As a threshold jurisdictional issue, the court initially finds the consolidated amended complaint alleges facts sufficient to demonstrate that plaintiffs have standing to pursue their claims against OLC. See, e.g., id. at ¶ 32, 56-57 (the court held standing existed when “the core injury at issue in the present case concerned the acquisition and exposure of the class members’ personal information by cybercriminals.”). Notwithstanding, the court finds that it lacks subject-matter jurisdiction over plaintiffs’ tort claims. Case No. 2024-00434JD -4- DECISION

{¶9} Indeed, it is well-settled that “the Court of Claims has exclusive, original jurisdiction over civil actions filed against the state for money damages sounding in law.” Cullinan v. Ohio Dept. of Job & Family Servs., 2012-Ohio-4836, ¶ 6 (10th Dist.). Indeed, “suits against the state are inherently limited by the type of action asserted against it; if the cause of action is not cognizable as between private parties, then there can likewise be no state liability.” Wallace v. Ohio Dept. of Commerce, 2002-Ohio-4210, ¶ 37. Furthermore, “[i]f no statutory authority for a lawsuit against the state exists, the suit is barred because the court lacks subject matter jurisdiction over the controversy.” Bungard v. Dept. of Job & Family Servs., 2007-Ohio-6280, ¶ 6 (10th Dist.). {¶10} With respect to plaintiffs’ claim that OLC violated the Federal Trade Commission Act (FTCA), “[c]ourts have uniformly held that a private right of action does not exist under § 5 of the FTCA.” Morales v. Walker Motor Sales, Inc., 162 F.Supp.2d 786, 790 (S.D.Ohio 2000) (collecting cases); see also Wells Fargo Bank, N.A. v. Sessley, 2010-Ohio-2902, ¶ 25 (10th Dist.) (“Indeed, the decision as to whether actions amount to unfair or deceptive practices under FTCA must be left to the Federal Trade Commission, rather than the courts.”). Therefore, the Court of Claims lacks jurisdiction over any such allegations. {¶11} With respect to plaintiffs’ claim that OLC violated Ohio’s Privacy Act, the statutory scheme provided by R.C. 1347, et seq. only protects an individual’s privacy interests “insofar as it guards against excessive governmental recordkeeping.” State ex rel. Renfro v. Cuyahoga County Dept. of Human Servs., 54 Ohio St.3d 25, 27, fn. 2 (1990) (the protection against excessive governmental record keeping “is manifested by provisions like R.C. 1347.08(A)(2), which require, rather than prevent, disclosure of personal information in certain situations.” Emphasis added.). Instead, it is well established that R.C. 1347, et seq. being “commonly referred to as the ‘Privacy Act’” merely sparked a “popular misconception” that the chapter “grants an encompassing individual right of privacy in records kept by governmental agencies.” (Cleaned up.) Id.; see also Henneman v. Toledo, 35 Ohio St.3d 241, 245 (1988); see also Anthony v. Wonnell, 1992 Ohio App.LEXIS 1950, *22, fn. 4 (10th Dist.1992). Furthermore, the statutory scheme does not provide for a private right of action for money damages. See generally Clark v. State Teachers Ret. Sys., 2018-Ohio-4680, ¶ 17 (10th Dist.) (a court Case No. 2024-00434JD -5- DECISION

must apply the statutory language as written and give effect to the plain words used when a statute is clear and unambiguous). {¶12} Importantly, “R.C. 1347.10 provides the principal grounds for recourse to the courts so far as the Ohio Privacy Act is concerned.” See Petrie v. Forest Hills School Dist. Bd. of Ed., 5 Ohio App.3d 115, 118 (1st Dist.1982). R.C. 1347.10(B) states: Any person who, or any state or local agency that, violates or proposes to violate any provision of this chapter may be enjoined by any court of competent jurisdiction. The court may issue an order or enter a judgment that is necessary to ensure compliance with the applicable provisions of this chapter or to prevent the use of any practice that violates this chapter. An action for an injunction may be prosecuted by the person who is the subject of the violation, by the attorney general, or by any prosecuting attorney. The court finds the statute expressly limits remedies for wrongful disclosure of personal information to those that sound in equity. It is well settled that the Court of Claims has subject matter jurisdiction over actions seeking declaratory or injunctive relief only when such actions are ancillary to a claim for monetary relief. Wood v. Div. of Oil & Gas Res. Mgmt., 2018-Ohio-4968, ¶ 16-18. {¶13} Inasmuch as other sections throughout R.C. 1347, et seq. provide for additional remedies, they are similarly limited to those over which this court does not have jurisdiction. Particularly, R.C. 1347.12(G) specifically authorizes the attorney general— not a private party—to “conduct an investigation and bring a civil action upon an alleged failure by a state agency . . . to comply with the requirements of [R.C. 1347.12]” which requires a state agency to timely disclose certain security breaches of its personal information systems. Separately, R.C. 1347.99 authorizes criminal penalties for certain purposeful or intentional violations of this statutory scheme. However, the Court of Claims does not have jurisdiction over criminal matters. See generally Evans v. Ohio Dept. of Rehab. & Corr., 2020-Ohio-1521, ¶ 11 (10th Dist.) (“We have previously held that the Court of Claims does not have jurisdiction to determine whether the State (or an agent or agency thereof) has committed a crime to serve as a predicate for establishing liability in a civil action brought pursuant to R.C. 2307.60.”). Case No. 2024-00434JD -6- DECISION

{¶14} Plaintiffs specifically point the court to R.C. 1347.15(B), which requires state agencies to adopt rules regulating access to the confidential personal information the agency keeps. However, the court finds that the General Assembly did not intend for this statute to authorize a private right of action for the type of allegations plaintiffs pleaded in their consolidated amended complaint given the plain language of R.C. 1347.15(G). See generally Meyers v. Hadsell Chem. Processing, LLC, 2019-Ohio-2982, ¶ 32 (10th Dist.), quoting Dodds v. Croskey, 2015-Ohio-2362, ¶ 24 (“When construing the language of a statute, a court must ‘ascertain and give effect to the intention of the General Assembly.’”). {¶15} With respect to violations of R.C. 1347.15(B), R.C. 1347.15(G) provides: “A person who is harmed by a violation of a rule of a state agency described in [R.C. 1347.15(B)] may bring an action in the court of claims, as described in [R.C. 2743.02(F)], against any person who directly and proximately caused the harm.” R.C. 2743.02(F) provides, in pertinent part: A civil action against an officer or employee, as defined in [R.C. 109.36], that alleges that the officer’s or employee’s conduct was manifestly outside the scope of the officer’s or employee’s employment or official responsibilities, or that the officer or employee acted with malicious purpose, in bad faith, or in a wanton or reckless manner shall first be filed against the state in the court of claims that has exclusive, original jurisdiction to determine, initially, whether the officer or employee is entitled to personal immunity under [R.C. 9.86] and whether the courts of common pleas have jurisdiction over the civil action. The officer or employee may participate in the immunity determination proceeding before the court of claims to determine whether the officer or employee is entitled to personal immunity under [R.C. 9.86]. While the court acknowledges that the statute including a reference to the Court of Claims arguably causes some ambiguity, the intended application of R.C. 1347.15(G) is unambiguous when using noscitur a sociis. See generally Bungard v. Dept. of Job & Family Servs., 2007-Ohio-6280, ¶ 12 (10th Dist.) (“Noscitur a sociis, which means ‘it is known from its associates,’ is a canon of statutory construction providing that the meaning Case No. 2024-00434JD -7- DECISION

of an ambiguous statutory word or phrase be determined by the terms or phrases surrounding it.”). {¶16} Specifically, R.C. 1347.15(H)(1)-(2) provides that “[n]o person shall knowingly access confidential personal information in violation of a rule of a state agency” and “[n]o person shall knowingly use or disclose confidential personal information in a manner prohibited by law.” Whoever violates R.C. 1347.15(H)(1)-(2) is “guilty of a misdemeanor of the first degree.” R.C. 1347.99(B). Furthermore, “[n]o state agency shall employ a person who has been convicted of or pleaded guilty to a violation of [R.C. 1347.15(H)(1)-(2)].” R.C. 1347.15(H)(3). {¶17} Upon reading R.C. 1347.15(G)-(H) in pari materia with R.C. 1347.15(B) and R.C. 2743.02(F), the court finds the General Assembly did not intend for “any person” to be construed to include state agencies under this statutory scheme. See generally In re Duke Energy Ohio, Inc., 2017-Ohio-5536, ¶ 27 (Under the in pari materia rule of statutory construction, “a court must read all statutes relating to the same general subject matter together to give proper force and effect to each one.”). Importantly, the reference to the Court of Claims is limited to the court’s jurisdiction to determine whether a state employee is immune from personal liability for their alleged conduct. Additionally, the terms “any person” and “state agency” are both explicitly used in separate contexts throughout R.C. 1347, et seq. Compare R.C. 1347.15(H)(3) (“No state agency shall . . . .”) with R.C. 1347.15(H)(1)-(2) (“No person shall . . . .”); see, e.g., R.C. 1347.10(B) (“Any person who, or any state . . . agency that, violates or propose to violate . . . .” Emphasis added.); see also R.C. 1347.15(G) (“. . . a rule of a state agency . . . against any person who directly and proximately caused the harm.” Emphasis added.). Put simply, there is no statutory language from which the court could reasonably infer that these terms were intended to be used interchangeably. {¶18} Assuming arguendo that R.C. 1347.15(G) authorizes tort liability, plaintiffs do not allege that OLC “directly” caused their harm. At most, plaintiffs allege OLC indirectly caused their harm by having subpar cybersecurity. However, the court generally lacks jurisdiction over such agency-wide technology decisions. See generally Wolfe v. Ohio Dept. of Rehab. & Corr., 2025-Ohio-4560, ¶ 10 (10th Dist.) (the court upheld the finding that the court of claims lacks subject matter jurisdiction over challenges to the Case No. 2024-00434JD -8- DECISION

state’s decision to change the brand of tablets available to inmates); see also R.C. 1347.06 (“A state . . . agency that . . . complies in good faith with a rule applicable to the agency is not subject to criminal prosecution or civil liability under this chapter.”). {¶19} Furthermore, the court specifically rejects plaintiff’s argument that a duty concerning these cybersecurity decisions can be otherwise inferred from R.C. 1354.02(D)(1) providing “an affirmative defense to any cause of action sounding in tort . . . that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information” because R.C. 1354.04 explicitly states: “Sections 1354.01 to 1354.05 of the Revised Code shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.” While the consolidated amended complaint details in length the type of cybersecurity OLC “could and should have” had, there is simply no statutory language that suggests the General Assembly intended for a state agency to be liable for any such alleged wrongdoing. Consequently, plaintiffs’ tort claims must be dismissed pursuant to Civ.R. 12(B)(1). {¶20} While the Court of Claims generally has jurisdiction over contract claims against OLC, plaintiffs have failed to plead the existence of a contract. Specifically, plaintiffs “must demonstrate: (1) the existence of a contract, whether express or implied; (2) plaintiff’s performance; (3) defendant’s breach; and (4) plaintiff’s damage or loss.” Cashlink, LLC v. Mosin, Inc., 2012-Ohio-5906, ¶ 19 (10th Dist.). Here, plaintiffs did not attach a contract to their complaint. Instead, the consolidated amended complaint identifies the privacy policy on OLC’s website as the implied contract at issue because it allegedly promises to take reasonable measures to protect PII. However, these publicly available policies cannot amount to an enforceable contract. See Alexander v. Columbus State Cmty. Coll., 2015-Ohio-2170, ¶ 20 (10th Dist.) (“Without mutual assent of the parties, a policy manual is merely a unilateral statement of rules and policies which creates no rights or obligations.”). {¶21} Even accepting the allegations detailing OLC’s privacy policy as fact, a contract must be “definite and certain” and the parties must have had “a meeting of the minds as to the essential terms of the contract” to be actionable upon breach. (Cleaned up.) Rayess v. Educ. Commn. for Foreign Med. Graduates, 2012-Ohio-5676, ¶ 19 (“A Case No. 2024-00434JD -9- DECISION

contract is generally defined as a promise, or a set of promises, actionable upon breach.”). While the court acknowledges that plaintiffs’ relationship with OLC may be contractual in nature with regard to paying to participate in the lottery games, the relationship between the parties concerning the requirement to provide their PII to receive lottery winnings in accordance with state law is purely statutory in nature pursuant to R.C. 3770, et seq. See generally Bungard at ¶ 24 (“Statutes are laws and regulations, they are not contracts.”). {¶22} Additionally, the consolidated amended complaint specifically alleges that OLC’s policy was established in furtherance of R.C. 1347, et seq. However, these general and aspirational policies regarding general concern for the security of PII are not sufficient to establish the existence of an enforceable contract. See Ullmo ex rel. Ullmo v. Gilmour Academy, 273 F.3d 671, 676-77 (6th Cir. 2001), citing Rulli v. Fan Co., 79 Ohio St.3d 374, 376 (1997) (“Indefinite and aspirational language does not constitute an enforceable promise under Ohio law.”). Consequently, the consolidated amended complaint fails to allege sufficient facts upon which the court could reasonably infer a contractual relationship between the parties under the circumstances. Therefore, plaintiffs’ contract claim must be dismissed pursuant to Civ.R. 12(B)(6). {¶23} Regarding plaintiffs’ alternative equitable action, unjust enrichment “occurs when [a person] has and retains money or benefits which in justice and equity belong to another.” Hummel v. Hummel, 133 Ohio St. 520, 528 (1938). Because a claim for unjust enrichment arises from a contract implied in law or quasi-contract, OLC’s “civil liability arises out of the obligation cast by law upon [the party] in receipt of benefits which [it] is not justly entitled to retain without compensating the individual[s] who conferred the benefits.” Longmire v. Danaci, 2020-Ohio-3704, ¶ 32 (10th Dist.) (internal citations and quotation marks omitted). To this end, it is well-settled that “a party cannot recover under a claim for unjust enrichment when the subject matter of that claim is covered by an express contract or an implied-in-fact contract.” McDermott v. Ohio State Univ., 2025- Ohio-396, ¶ 22 (10th Dist.). {¶24} To prevail, Plaintiffs must establish that: “(1) the plaintiff conferred a benefit on the defendant; (2) the defendant knew of the benefit; and (3) it would be unjust to permit the defendant to retain the benefit without payment.” Meyer v. Chieffo, 2011-Ohio- 1670, ¶ 37 (10th Dist.). To succeed, “it is not sufficient for the plaintiffs to show that they Case No. 2024-00434JD -10- DECISION

have conferred a benefit upon the defendants. Plaintiffs must go further and show that under the circumstances they have a superior equity so that as against them it would be unconscionable for the defendant to retain the benefit.” (Cleaned up.) Longmire at ¶ 32. To this end, “[i]n the absence of fraud or bad faith, a person is not entitled to compensation on the ground of unjust enrichment if he received from the other that which it was agreed between them the other should give in return.” Ullman v. May, 147 Ohio St. 468 (1947), paragraph four of the syllabus. {¶25} Initially, the court notes that no other legal claim remains by which ancillary jurisdiction over plaintiffs’ equitable claim exists. Insofar as the Court of Claims has jurisdiction, however, the court finds that plaintiffs have failed to state a claim upon which relief can be granted. While the consolidated amended complaint alleges that plaintiffs paid OLC, plaintiffs do not allege that OLC failed to provide them with the service(s) for which they conferred the payment. Similarly, plaintiffs allege neither that OLC acted in bad faith or committed fraud when it collected this payment nor that OLC has superior equity for retaining the payment for services rendered. Even making all reasonable inferences in favor of plaintiffs, the court finds it is beyond doubt that plaintiffs can prove no set of facts that OLC was unjustly enriched as a consequence of the acts committed by third-party cybercriminals. Therefore, plaintiffs’ equitable claim must be dismissed pursuant to Civ.R. 12(B)(6).

Conclusion {¶26} For the reasons stated above, the court GRANTS defendant’s motion to dismiss plaintiffs’ consolidated amended complaint. Plaintiffs’ tort claims are DISMISSED pursuant to Civ.R. 12(B)(1). Plaintiffs’ claims for breach of implied contract and unjust enrichment are DISMISSED pursuant to Civ.R. 12(B)(6). Court costs are assessed against plaintiffs. The clerk shall serve upon all parties notice of this judgment and its date of entry upon the journal.

DAVID E. CAIN Case No. 2024-00434JD -11- DECISION

Judge [Cite as Gales v. Ohio Lottery Comm., 2025-Ohio-5189.]

v. JUDGMENT ENTRY

{¶27} For the reasons set forth in the decision filed concurrently herewith, the court GRANTS defendant’s motion to dismiss plaintiffs’ consolidated amended complaint. Plaintiffs’ tort claims are DISMISSED pursuant to Civ.R. 12(B)(1). Plaintiffs’ claims for breach of implied contract and unjust enrichment are DISMISSED pursuant to Civ.R. 12(B)(6). Court costs are assessed against plaintiffs. The clerk shall serve upon all parties notice of this judgment and its date of entry upon the journal.

DAVID E. CAIN Judge

Filed October 31, 2025 Sent to S.C. Reporter 11/17/25