IN THE UNITED STATES DISTRICT COURT June 29, 2026 FOR THE SOUTHERN DISTRICT OF TEXAS Nathan Ochsner, Clerk HOUSTON DIVISION
§ § § IN RE GULSHAN MANAGEMENT § SERVICES DATA BREACH § CIVIL ACTION NO. H-26-200 LITIGATION § § § §
MEMORANDUM AND OPINION This dispute arises out of a September 2025 breach of personally identifiable information that Gulshan Management Services, Inc. had collected from more than 377,000 customers and employees. A consolidated putative class-action complaint alleges that Gulshan failed to use reasonable security measures to protect against unauthorized access to the class members’ sensitive personal and financial information. Gulshan moved to dismiss the complaint, (Docket Entry No. 35), the plaintiffs have responded, (Docket Entry No. 36), and Gulshan replied, (Docket Entry No. 38). Based on the pleadings, the motion, the record, and the applicable law, the court grants in part and denies in part the motion to dismiss. The reasons for this ruling are set out below. I. Background Gulshan Management Services, Inc. “owns and operates gas stations and restaurant franchises around the country.” (Docket Entry No. 30 ¶ 35). It also operates a “business services company that primarily manages IT, point-of-sale systems, and other operations for convenience stores chains across the country.” (Id.). The complaint alleges that Gulshan collects its customers’ and employees’ personally identifiable information, including Social Security numbers, driver’s license numbers, financial account information, credit and debit card information, government- issued ID numbers (such as passport numbers), contact information, medical information, and health insurance information. (Id. ¶¶ 35–42). The complaint does not explain why or how Gulshan collects this information. In September 2025, Gulshan “discovered that an unauthorized third party had gained access
to its information systems.” (Id. ¶ 44). “Subsequent investigation determined this unauthorized access came from a successful phishing attack . . . .” (Id.). These hackers accessed servers that hosted “personal data” and deployed “malicious software that encrypted portions of” Gulshan’s systems. (Id.). The plaintiffs allege that the hackers accessed and stole sensitive personal information tied to more than 377,000 customers and employees. (Id. ¶¶ 9, 48, 54, 64). The plaintiffs allege that Gulshan failed to implement “basic and industry standard measures,” leading to the data breach. (Id. ¶ 63). The plaintiffs allege that “[d]ata breaches are preventable” and that, “[i]n almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security
solutions.” (Id. ¶ 65 (quoting Lucy L. Thomson, Despite the Alarming Trends, Data Breaches Are Preventable, in DATA BREACH AND ENCRYPTION HANDBOOK (Lucy Thompson ed. 2012))). The complaint allegations list security measures that Gulshan could have, but allegedly did not, use, including: properly encrypting their equipment and computer files; implementing an awareness and training program on phishing attacks; enabling strong spam filters to prevent phishing emails from reaching end users; scanning incoming and outgoing emails to detect threats and filter executable files from reaching end users; and setting anti-virus and anti-malware programs to conduct regular and automatic scans. (See id. ¶ 66, 68). The plaintiffs allege that, had Gulshan properly encrypted its data or otherwise secured the servers where Gulshan kept the plaintiffs’
2 sensitive information, the hackers would not have been able to steal their information. (Id. ¶¶ 76, 135). The plaintiffs allege that, as a result of this breach, cybercriminals obtained information necessary to commit identity theft and wreak havoc on their financial and personal lives. (Id. ¶¶ 109, 121, 153–56). The plaintiffs allege that their personal information has already been misused,
as evidenced by the facts that: it has been posted to the dark web; cybercriminals have attempted to access their financial accounts; and they have experienced an increase in spam calls and texts. (Id. ¶¶ 180, 210, 265). They allege that they have had to take steps to mitigate the harms of identity theft; they have experienced emotional distress and diminution in the value of their private information; and they remain at substantial risk of future harm. (Id. ¶¶ 145–310). The complaint asserts claims of (i) negligence; (ii) breach of implied contract; (iii) unjust enrichment; and (vi) a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. (Id. ¶¶ 328–405). The plaintiffs seek damages and a permanent injunction. (See id. at 87– 90). Gulshan has moved to dismiss the plaintiffs’ claims. (Docket Entry No. 35). The motion is
ready for ruling. II. The Legal Standard Rule 12(b)(6) allows dismissal if a plaintiff fails “to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). Rule 12(b)(6) must be read in conjunction with Rule 8(a), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). “[A] complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
3 Rule 8 “does not require ‘detailed factual allegations,’ but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id. (quoting Twombly, 550 U.S. at 555). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer
possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556). “Conversely, when the allegations in a complaint, however true, could not raise a claim of entitlement to relief, this basic deficiency should be exposed at the point of minimum expenditure of time and money by the parties and the court.” Eli Lilly & Co. v. Revive Rx, LLC, 812 F. Supp. 3d 708, 723 (S.D. Tex. Dec. 15, 2025) (quoting Cuvillier v. Taylor, 503 F.3d 397, 401 (5th Cir. 2007)). III. Analysis Gulshan moves to dismiss each of the plaintiffs’ claims, the plaintiffs’ prayer for emotional-distress damages, and the plaintiffs’ prayer for injunctive relief. (Docket Entry No. 35).1
1 Gulshan argues that the plaintiffs’ 92-page complaint is not a short and plain statement under Rule 8. (Docket Entry No. 35 at 4–5). The plaintiffs’ complaint is not short. But based on this court’s experience with similar data-breach cases, the complaint’s length does not violate Rule 8. Motions to dismiss claims based on data breaches vary widely. See, e.g., In re New Era Enters. Inc. Data Incident Litig., No. CV H- 25-732, 2026 WL 303547, at *1–15 (S.D. Tex. Feb. 4, 2026) (addressing various standing and merits arguments that are not repeated here). The plaintiffs’ attorneys have learned from this experience and have attempted to preempt arguments for dismissal by pleading facts that might defeat them in a single complaint. There are benefits and drawbacks to this approach. On the one hand, the complaint may include many factual allegations that are not relevant to the first round of motion practice. On the other hand, attempts to substantially shorten the complaint may omit information material to opposing a defendant’s potential motion to dismiss, requiring rounds of complaint amendments and motion practice. The court cannot say that, in this context, the complaint violates Rule 8. 4 A. Negligence “Under Texas law, the elements of a negligence cause of action are that the defendant owed the plaintiff a legal duty, breached that duty, and that the plaintiff sustained damages as a result of that breach.” Level 3 Commc’ns, LLC v. Grayco Commc’ns, L.P., No. CV H-21-2826, 2022 WL 5250293, at *2 (S.D. Tex. Oct. 6, 2022) (citing Nabors Drilling, U.S.A., Inc. v. Escoto, 288 S.W.3d
401, 404 (Tex. 2009)). Gulshan moves to dismiss based on the first three elements: (1) duty; (2) breach; and (3) causation. (See Docket Entry No. 35 at 5–12).2 1. Duty “The threshold inquiry in a negligence case is duty.” Greater Hous. Transp. Co. v. Phillips, 801 S.W.2d 523, 525 (Tex. 1990). “This inquiry encompasses several questions of law: the existence, scope, and elements of a duty.” Elephant Ins. Co., LLC v. Kenyon, 644 S.W.3d 137, 144 (Tex. 2022). The “existence of duty is a question of law for the court to decide from the facts surrounding the occurrence in question.” Phillips, 801 S.W.2d at 525. “When a duty has not [already] been recognized in particular circumstances, the question is whether one should be.”
Pagayon v. Exxon Mobil Corp., 536 S.W.3d 499, 503 (Tex. 2017). Gulshan argues that there is “no general common-law duty to safeguard” personal and sensitive information from a data breach. (Docket Entry No. 35 at 6–7). Gulshan’s argument is in part incorrect and in part incomplete. Gulshan’s argument is unpersuasive to the extent that it argues that no duty exists. Texas, in line with the Restatement (Third) of Torts, has recognized tort duties on the part of those “who,
2 Gulshan argues in passing that the plaintiffs’ requested damages for the “diminished value of their Private Information, the loss of the benefit-of-the-bargain, lost time, and risk of future harm” are not recoverable. (Docket Entry No. 35 at 10–11). The court does not need to address arguments raised in passing, see In re Container Store Grp., Inc., 676 B.R. 356, 388 (S.D. Tex. 2026), and the court has held that many of these harms can be cognizable, see New Era, 2026 WL 303547, at *7–10. 5 by ‘lack of reasonable care . . . foreseeably . . . permit[] the improper conduct of . . . a third party.’” New Era, 2026 WL 303547, at *7 (alterations in original) (quoting RESTATEMENT (THIRD) OF TORTS: PHYS. & EMOT. HARM § 19 (Am. L. Inst. 2010)). “A party may be held responsible for a negligent omission which involves an unreasonable risk of harm to another through the foreseeable action of a third person.” Bicknell v. Lloyd, 635 S.W.2d 150, 152 (Tex. App.—
Houston [1st Dist.] 1982) (citing RESTATEMENT (SECOND) OF TORTS § 302 cmt. j (Am. L. Inst. 1965)). That rule applies to anyone who does an affirmative act. See RESTATEMENT (SECOND) OF TORTS § 302 cmt. a (“[A]nyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.”). Texas tort law may hold Gulshan responsible even though the “criminal” acts of third parties harmed the plaintiffs, id. § 302B, because Gulshan affirmatively collected and maintained the plaintiffs’ personal information and allegedly failed to take reasonable steps to secure it, see Dittman v. UPMC, 196 A.3d 1036, 1046–47 (Pa. 2018); Weisenberger v. Ameritas Mut. Holding Co., 597 F. Supp. 3d 1351, 1361 (D. Neb. 2022).
Gulshan’s argument is incomplete because it does not address the scope of its duty. The Texas tort-law requirement that an actor use reasonable care to prevent the foreseeable improper conduct of third parties generally extends only to conduct that causes personal, physical, and emotional harm. The economic-loss rule “generally prevents recovery in tort for purely economic damage unaccompanied by injury to persons or property.” Golden Spread Elec. Coop., Inc. v. Emerson Process Mgmt. Power & Water Sols., Inc., 954 F.3d 804, 808 (5th Cir. 2020) (citing LAN/STV v. Martin K. Eby Const. Co., 435 S.W.3d 234, 235 (Tex. 2014)). If the plaintiffs’ economic injuries in this case are properly characterized as accompanying injury to their person or property, then Gulshan could be liable under traditional tort principles. Cf. New Era, 2026 WL
6 303547, at *7–11 (suggesting that data-breach plaintiffs can prove damages under traditional tort principles but not addressing whether the defendants can be liable for purely economic harms). If the plaintiffs’ injuries are purely economic, then Gulshan’s argument is incomplete because it does not sufficiently address whether the plaintiffs can recover purely economic losses from data breaches.
Two tests might apply to determine whether the defendants are liable in negligence for purely economic loss. Under the first test, the court could analyze the issue under the Phillips factors, which Texas courts use to decide whether to impose a new negligence duty. See Kenyon, 644 S.W.3d at 149. Courts do not use the Phillips test when at least one pre-existing “duty” rule “applies to the factual circumstances” of the case. HNMC, Inc. v. Chan, 683 S.W.3d 373, 381 (Tex. 2024). Under Phillips, Texas courts weigh “the risk, foreseeability, and likelihood of injury against the social utility of the actor’s conduct, the magnitude of the burden of guarding against the injury, and the consequences of placing the burden on the defendant.” Humble Sand & Gravel, Inc. v. Gomez, 146 S.W.3d 170, 182 (Tex. 2004) (quoting Praesel v. Johnson, 967 S.W.2d 391,
397–398 (Tex. 1998)). Courts also consider “whether one party would generally have superior knowledge of the risk or a right to control the actor who caused the harm.” Praesel, 967 S.W.2d at 397–98. Although foreseeability alone is insufficient to create a new duty, SmithKline Beecham Corp. v. Doe, 903 S.W.2d 347, 353 (Tex. 1995), it is the most important factor to consider in establishing one, United Rentals N. Am., Inc. v. Evans, 668 S.W.3d 627, 639 (Tex. 2023). The second test is under the economic-loss rule. See generally Catherine M. Sharkey, Can Data Breach Claims Survive the Economic Loss Rule?, 66 DEPAUL L. REV. 339 (2017). Texas adopted the Restatement (Third) of Tort’s approach to economic harms. Under this approach, although “there is ‘no general duty to avoid the unintentional infliction of economic loss,’ the duty
7 may exist when the rationales just stated for limiting recovery are ‘weak or absent.’” LAN/STV, 435 S.W.3d at 241 (quoting RESTATEMENT (THIRD) OF TORTS: LIAB. FOR ECON. HARM § 1 & cmt. d (Am. L. Inst. 2020)). Courts decide whether to apply the rule based “on an analysis of its rationales in a particular situation.” Golden Spread, 954 F.3d at 808 (quoting LAN/STV, 435 S.W.3d at 245–46).
The rule is based on two rationales. First, “[p]urely economic harms proliferate widely and are not self-limiting in the way that physical damage is, possibly leading to indeterminate liability and pressure to avoid economic activity altogether.” Id. (citing LAN/STV, 435 S.W.3d at 240–41); see Lone Star Nat. Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421, 426 (5th Cir. 2013) (holding, at the motion-to-dismiss stage, that data-breach claims by a set of banks would not expose defendants to boundless liability but “rather to the reasonable amount of loss from a limited number of entities”). Second, “the risks of economic harms are better suited to allocation by contract because (a) the parties usually have a full opportunity to consider their positions and manage risks ahead of time, and (b) pecuniary remedies are fungible.” Golden Spread, 954 F.3d
at 808 (citing LAN/STV, 435 S.W.3d at 240–41). The rule enforces the boundary “between tort and contract, encouraging parties to contract ahead of time how to allocate risks, and to ensure that those allocations will not be undone later by the application of tort law.” Id. (citing LAN/STV, 435 S.W.3d at 240). State courts have taken both approaches to negligence liability in data-breach cases. Illinois courts have taken the former approach, concluding that Phillips-like factors favored tort liability: a failure to maintain reasonable security managers would foreseeably cause a data breach and injury; the defendant was a sophisticated company that was aware of cyber risks and how to mitigate them; and the burden of providing reasonable security measures for such a sophisticated
8 defendant was minimal. Flores v. Aon Corp., 242 N.E.3d 340, 354 (Ill. App. 2023); see also In re Kemper Sports Mgmt. Data Breach Litig., No. 24-CV-8503, 2026 WL 25820, at *6 (N.D. Ill. Jan. 5, 2026). But see Doe v. Genesis Health Sys., No. 4:23-CV-04209-JEH, 2025 WL 1000192, at *4 (C.D. Ill. Mar. 18, 2025). The Supreme Court of Pennsylvania took the latter approach. It held that employees whose
personal information was compromised in a data breach was a case involving an “application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty.” Dittman, 196 A.3d at 1046. The court reasoned that the employer’s “affirmative conduct” of requiring “certain personal and financial information” “as a condition of employment” “created the risk of the data breach,” imposing on the employer the “duty to exercise reasonable care to protect [employees] against an unreasonable risk of harm arising out of that act.” Id. at 1047. The court then held that the economic-loss doctrine did not bar the claim. See id. at 1056. Still other courts have taken this approach but have found that the economic-loss rule applies. See S. Indep. Bank v. Fred’s, Inc., No. 2:15-CV-799-WKW, 2019 WL 1179396, at *16 (M.D. Ala. Mar. 13,
2019) (collecting cases). The parties have not sufficiently addressed how this court should assess the existence and scope of Gulshan’s duty. A final consideration is that the Texas legislature has imposed on entities like Gulshan a duty to protect sensitive information that it collects or maintains in conducting its business. The legislature has required entities such as Gulshan to “implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” TEX. BUS. & COM. CODE § 521.052(a). This provision can be viewed in different ways. First, it could be viewed as imposing a duty to take reasonable care to protect data.
9 See Louisiana-Pac. Corp. v. Knighten, 976 S.W.2d 674, 675 (Tex. 1998) (per curiam) (“[A] statute that requires a driver proceed safely imposes on the driver a duty of reasonable care . . . .”); see also Johnson v. Bearfoot Companies, LLC, No. 02-23-00366-CV, 2024 WL 2202033, at *4 (Tex. App.—Fort Worth May 16, 2024) (mem. op.) (“A legal duty can arise either by statute or by common law.”). The statute could be viewed as suggesting no common-law negligence action
exists because there is a “comprehensive statutory and regulatory scheme” that affords the plaintiffs “significant protection” from data breaches, Mission Petroleum Carriers, Inc. v. Solomon, 106 S.W.3d 705, 715 (Tex. 2003); Houston Area Safety Council, Inc. v. Mendez, 671 S.W.3d 580, 586 (Tex. 2023); see Eli Lilly & Co. v. Revive Rx, LLC, 812 F. Supp. 3d 708, 723–29 (S.D. Tex. 2025), or that deliberately did not include a private right of action, see, e.g., Patton v. Experian Data Corp., No. SACV1701559JVSDFMX, 2018 WL 6190349, at *9 (C.D. Cal. Jan. 23, 2018) (declining to recognize a private right of action under § 521.053). Or the statute may be seen as irrelevant because common-law negligence is independent from, and is not displaced by, a single statutory provision. See Waffle House, Inc. v. Williams, 313 S.W.3d 796, 802 (Tex. 2010)
(“We have recognized that the legislative creation of a statutory remedy is not presumed to displace common-law remedies. To the contrary, abrogation of common-law claims is disfavored.”); cf. Doe, 2025 WL 1000192, at *4–5. The parties have briefed some of these issues. The court denies Gulshan’s motion on this basis, without prejudice, with leave to reurge it with a more detailed analysis of the duty test that the court should use (Phillips or the economic-loss rule); whether and what duty exists under that test; and how the court should consider § 521.052(a).3
3 Gulshan moves to dismiss the plaintiffs’ negligence-per-se claim. (Docket Entry No. 35 at 7–8). The plaintiffs concede that negligence per se is not a standalone claim. (Docket Entry No. 36 at 7–8). They
10 2. Breach “Whether or not a breach has occurred is determined by comparison to the applicable standard of care.” Harris v. Ebby Halliday Real Estate, Inc., 345 S.W.3d 756, 759 (Tex. App.— El Paso 2011, no pet.). To allege a breach of a duty to protect personally identifiable sensitive information, plaintiffs generally must identify “specific measures that” the defendant should have
but “didn’t take” and explain how those measures relate to “the manner in which their systems were breached.” In re Waste Mgmt. Data Breach Litig., No. 21CV6147 (DLC), 2022 WL 561734, at *4 (S.D.N.Y. Feb. 24, 2022); see Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 748 (S.D.N.Y. 2017) (allegations that the defendant failed to erect a firewall and encrypt data were sufficient). The complaint allegations meet this standard. The plaintiffs allege specific security measures that Gulshan “could and should have implemented,” such as those recommended by the “United States Government” and “the Microsoft Threat Protection Intelligence Team.” (Docket Entry No. 30 ¶¶ 68–70). The complaint allegations also address certain measures of particular
importance to the data breach Gulshan experienced. For example, the plaintiffs allege that Gulshan “did not encrypt [its] systems or the information contained within them.” (Id. ¶¶ 61, 99). Encryption “make[s] data unreadable without a key,” preventing the type of data copying that cyberhackers used to obtain the Gulshan data. (Id. ¶¶ 44, 51–54, 61–62 135). These allegations are sufficient to state a claim that Gulshan departed from the relevant standard of care for protecting sensitive data.4
rely on statutes “to provide evidence of the relevant standard of care.” (Id. at 8 (citing New Era, 2026 WL 303547, at *12)). The plaintiffs are correct under Texas law.
4 The parties also dispute in passing whether the notice letter was sufficient. The plaintiffs adequately allege the breach of the duty to provide an adequate notice letter, assuming such a duty exists. The plaintiffs
11 Gulshan argues that the plaintiffs reverse-engineered a claim from the fact that a data breach occurred and that their allegations are conclusory. (Docket Entry No. 35 at 9). But the plaintiffs’ allegations point to specific protective measures that they describe as the industry standard and that Gulshan did not use. The plaintiffs do not in generic terms allege that the defendants deviated from the industry standard, cf. Waste Mgmt. Data Breach Litig., 2022 WL
561734, at *4, by, for example, merely reciting the elements of the claim. See Twombly, 550 U.S. at 555 n.3. The allegations that certain data-protection techniques are recommended by industry leaders and that Gulshan did not implement them are not legal conclusions but well-pleaded factual allegations that the court must accept as true on a motion to dismiss. See Del Valle v. Trivago GMBH, No. 23-12966, 2025 WL 1443951, at *5 (11th Cir. May 20, 2025) (per curiam) (explaining that courts must “accept different facts as true” based on the legal claim or element at issue). Given those facts, and the “reasonable inference[s]” from them, Ashcroft, 556 U.S. at 678, the court concludes that the plaintiffs sufficiently pleaded that Gulshan breached its duty of care. 3. Causation and Injury
“The two elements of proximate cause are cause in fact and foreseeability.” Travis v. City of Mesquite, 830 S.W.2d 94, 98 (Tex. 1992). Cause in fact is present if the act or omission was a substantial factor in bringing about the injury. Id. There may be more than one proximate cause. See id. Gulshan argues that the plaintiffs did not adequately allege causation, for two reasons: (1) the intervening acts of cybercriminals broke the chain of causation; and (2) data breaches are so prevalent that it is impossible to establish that this data breach caused the plaintiffs’ alleged
allege that credit-card and financial information was stolen but that Gulshan did not include that fact in the notice letter. (Docket Entry No. 30 ¶¶ 44–45). 12 injuries. (Docket Entry No. 35 at 10–12). The court does not find either argument persuasive at this stage of the litigation. First, the plaintiffs adequately alleged that the cybercriminals’ acts were foreseeable. “A new and independent cause of an occurrence is the act or omission of a separate and independent agent, not reasonably foreseeable, that destroys the causal connection, if any, between the act or
omission inquired about and the occurrence in question.” Columbia Rio Grande Healthcare, L.P. v. Hawley, 284 S.W.3d 851, 856 (Tex. 2009). Whether a separate and independent act or omission destroys the causal connection depends on “whether the intervening cause and its probable consequences were such as could reasonably have been anticipated by the original wrongdoer.” Dew v. Crown Derrick Erectors, Inc., 208 S.W.3d 448, 452 (Tex. 2006) (quoting Bell v. Campbell, 434 S.W.2d 117, 120 (Tex. 1968)); see also RESTATEMENT (SECOND) OF TORTS § 447. “Under the Restatement, ‘the fact that an intervening act of a third person is negligent in itself . . . does not make it a superseding cause of harm to another which the actor’s negligent conduct is a substantial factor in bringing about’ if the actor, or a reasonable man in his situation, should have realized that
a third person might act or if the intervening act is a normal consequence of the actor’s conduct.” Dunn v. Admiralty Marine & Structural Eng’g, Inc., No. CIV.A. H-12-3643, 2014 WL 3749774, at *6 (S.D. Tex. July 29, 2014) (alterations in original) (quoting RESTATEMENT (SECOND) OF TORTS § 447). “When the intervening illegal negligent act is foreseeable, it does not negate the continuing proximate causation and consequent liability of the initial actor.” Travis, 830 S.W.2d at 98; see also Nixon v. Mr. Prop. Mgmt. Co., 690 S.W.2d 546, 550 (Tex. 1985). The plaintiffs adequately alleged that the cyberhackers’ conduct was foreseeable. The complaint alleges that cyberattacks are increasing in frequency in recent years. (Docket Entry No. 30 ¶¶ 84–105, 351). The complaint alleges that Gulshan was, and knew it was, a likely target
13 because “cybercriminals were targeting entities such as Defendant that stored large volumes of PII.” (Id. ¶ 96). The plaintiffs’ allegations that Gulshan did not implement industry-standard security measures permit the reasonable inference that the resulting vulnerabilities made Gulshan aware that it was a likely target for hackers, because hackers are more likely to target vulnerable companies. (See id. ¶¶ 44, 51–54, 61–62, 68–70, 96, 134–35). In short, the complaint adequately
alleges that the hacking was itself the foreseeable result of Gulshan’s negligence, keeping the chain of causation intact. See Bicknell, 635 S.W.2d at 152. Gulshan argues that the hack was not foreseeable because “the risk of crime must be specific to the defendant, not generalized” and that “industry-wide risks” are not sufficiently foreseeable. (Docket Entry No. 35 at 11). The case law that Gulshan cites does not go so far. In Barton v. Whataburger, Inc., the court found that “general evidence of crime rates and of robberies in other locales” was insufficient to make the crime that occurred near the employee’s restaurant foreseeable. 276 S.W.3d 456, 462 (Tex. App.—Houston [1st Dist.] 2008, pet. denied). This decision was based on premises-liability rules that require evidence of specific previous crimes
near the premises to establish foreseeability. Timberwalk Apartments, Partners, Inc. v. Cain, 972 S.W.2d 749, 756 (Tex. 1998). Evidence of past criminal acts can support an inference that criminal acts are foreseeable if similar acts occurred recently and consistently targeting similar defendants. See id. at 756–58. Assuming these factors—proximity, recency, frequency, similarity, and publicity—are controlling, the complaint allegations establish foreseeability. Foreseeability is established with proof of “criminal activity within the specific area at issue”; consistent crime rates within a defined period; previous crimes “sufficiently similar to the crime in question as to place” the defendant “on notice of the specific danger”; and “publicity surrounding the previous crimes.” Id. The
14 plaintiffs allege that cyberhackers have targeted companies that, like Gulshan, “store[] large volumes of PII.” (Docket Entry No. 30 ¶ 96). The complaint allegations include year-over-year crime statistics showing that data breaches are a consistent problem. (Id. ¶¶ 84–95). The plaintiffs’ allegations concern the same type of crime—cyberattacks, including phishing and ransom attacks—at issue here. (See id. ¶¶ 44, 62). Finally, the allegations describe how cyberattacks are
highly publicized. (See id. ¶ 80). On these allegations, Gulshan “knew or should have known that, because of its” failure to implement adequate data-security measures, a cyberhack “(or one like it) might occur.” Barton, 276 S.W.3d at 462. Second, the plaintiffs adequately allege, at this stage, that their injuries are traceable to the Gulshan data breach. This court has recently rejected a heightened traceability or causation analysis at the motion to dismiss stage. See New Era, 2026 WL 303547, at *4. The plaintiffs allege that they are careful about sharing their private information; that they do not knowingly transmit it online over unsecured and unencrypted channels; and that they received messages that their data was posted on the dark web shortly after the Gulshan data breach. (Docket Entry No.
30 ¶¶ 203, 210, 221, 239, 257, 275, 283, 294). “At this stage, the court must draw the reasonable inference that the data incident, not some other hack, is the reason their personal data was shortly thereafter available on the dark web; the plaintiffs do not need to anticipate and negate other potential causes of their injuries at the outset of litigation.” New Era, 2026 WL 303547, at *4 (citing Texas v. Mayorkas, No. 2:22-CV-094-Z, 2024 WL 455337, at *3 (N.D. Tex. Feb. 6, 2024)). * * * For these reasons, the court denies Gulshan’s motion to dismiss the plaintiffs’ negligence claims.
15 B. The Breach-of-Contract Claim The plaintiffs allege a breach of an implied contract. (Docket Entry No. 30 ¶¶ 367–69). A breach of an implied-contract claim requires that the plaintiff show an enforceable contract, including: (1) an offer, (2) an acceptance, (3) a meeting of the minds, (4) mutual consent, and (5) execution and delivery. Plotkin v. Joekel, 304 S.W.3d 455, 476 (Tex. App.—Houston [1st Dist.]
2009, pet. denied). The difference between express contracts and implied contracts is the evidence used to prove the meeting of minds to form a legal agreement. Id. at 476–77; see Southwell v. Univ. of the Incarnate Word, 974 S.W.2d 351, 354–55 (Tex. App.—San Antonio 1998, pet. denied). The parties’ objective actions, not their subjective states of mind, control the analysis. Lindsey Constr., Inc. v. AutoNation Fin. Servs., LLC, 541 S.W.3d 355, 363 (Tex. App.—Houston [14th Dist.] 2017, no pet.). On these principles, the plaintiffs’ implied-contract claim fails. See New Era, 2026 WL 303547, at *13–14. The plaintiffs allege that they were customers or employees of Gulshan and had purchased policies (or had employment contracts) with them. (Docket Entry No. 30 ¶¶ 10, 41, 72, 78, 371).
In other words, the plaintiffs have or had an express contract with Gulshan. Under Texas law, “there can be no implied contract where the subject matter is covered by a valid express contract.” Morales v. Dalworth Oil Co., 698 S.W.2d 772, 774 (Tex. App.—Forth Worth 1985, writ ref’d n.r.e.); see 1 WILLISTON ON CONTRACTS § 4:21 (4th ed. 2025) (“There can be no implied in fact if there is an express contract covering the subject matter involved.”). To facilitate Gulshan’s performance under the parties’ contracts, the plaintiffs provided Gulshan with sensitive personal and confidential information. (Docket Entry No. 30 ¶¶ 41, 78). Arguing that an implied-in-fact contract exists between these parties is an attempt “to change the parties’ express agreement.” Iiitec Ltd. v. Weatherford Tech. Holdings, LLC, No. CV H-19-3386, 2021 WL 2635380, at *13
16 (S.D. Tex. June 25, 2021). The mere provision of sensitive data in exchange for services or employment is insufficient to create an implied-in-fact contract when the plaintiffs provided that data under an express contract that does not include the term that they hope to imply. Cf. Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1221 (S.D. Fla. 2022) (declining to imply a contract based on allegations that the plaintiffs merely “provided their
personal information as required to receive healthcare services from Defendants”). The plaintiffs have not stated a breach of express or implied contract claim against Gulshan. The court grants Gulshan’s motion to dismiss this claim, with prejudice, because amendment would be futile. C. The Unjust-Enrichment Claim The plaintiffs allege that Gulshan was unjustly enriched by receiving, retaining, and using their data. (Docket Entry No. 30 ¶¶ 5–6, 39–40, 72–73, 381–84). Under Texas law, unjust enrichment “is an equitable concept that arises in situations in which another person has ‘wrongfully secured a benefit or has passively received one which it would be unconscionable to
retain.’” Houle v. Casillas, 594 S.W.3d 524, 554 (Tex. App.—El Paso 2019, no pet.) (quoting Eun Bok Lee v. Ho Chang Lee, 411 S.W.3d 95, 111–12 (Tex. App.—Houston [1st Dist.] 2013, no pet.)). Gulshan moves to dismiss the claim because the plaintiffs provided their sensitive personal information to Gulshan for “commercial and/or employment-related reasons.” (Docket Entry No. 35 at 16–18). The court agrees. Quasi-contractual claims of quantum-meruit and unjust enrichment are unavailable when a contract governs the services performed. Vortt Exploration Co., Inc. v. Chevron U.S.A., Inc., 787 S.W.2d 942, 944 (1990); Universal MRI & Diagnostics, Inc. v. Med. Lien Mgmt. Inc., 497 S.W.3d 653, 663 (Tex. App.—Houston [14th Dist.] 2016, no pet.); see Shih v. Blue Cross and Blue
17 Shield of Tex., No. CV H-25-2274, 2026 WL 1691601, at *3 (S.D. Tex. June 10, 2026) (explaining that the equitable principles governing implied contract, quasi-contract, and money-had-and- received claims are similar). As with the implied contract claim, the plaintiffs provided their information to Gulshan under a contract for goods, services, or employment. (Docket Entry No. 30 ¶¶ 41, 78). The contract supersedes the quasi-contractual claims.
The unjust enrichment claim is dismissed, with prejudice, because amendment would be futile. D. The ICFA Claim The plaintiffs allege that Gulshan violated the Illinois Personal Information Protection Act, which is actionable under the Illinois Consumer Fraud and Deceptive Business Practices Act. Flores, 242 N.E.3d at 357; Miller v. NextGen Healthcare, Inc., 742 F. Supp. 3d 1304, 1327 (N.D. Ga. 2024). Gulshan moves to dismiss this claim because the plaintiffs do not allege a substantial nexus to Illinois; because the complaint does not satisfy Rule 9(b); and because the plaintiffs have otherwise failed to allege necessary elements of an ICFA claim. (Docket Entry No. at 18–23).
Gulshan’s arguments are persuasive. First, the plaintiffs have not adequately alleged a sufficient nexus to Illinois. The ICFA does not apply extraterritorially, so “the circumstances that relate to the disputed transaction [must] occur primarily and substantially in Illinois.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 854 (Ill. 2005). The fact that a plaintiff resides in Illinois is insufficient. “[E]ven an Illinois resident must show that the disputed transaction occurred ‘primarily and substantially in Illinois.’” Archey v. Osmose Utilities Servs., Inc., No. 20-CV-05247, 2022 WL 3543469, at *5 (N.D. Ill. Aug. 18, 2022) (citing Perdue v. Hy-Vee, Inc., 455 F. Supp. 749 (C.D. Ill. 2020)). Courts have dismissed claims by Illinois plaintiffs under the ICFA when the complaint fails to include
18 allegations “that the data breach occurred primarily and substantially in Illinois.” Id. The plaintiffs’ complaint suffers this defect. Like the complaint in Archey, it does not include allegations that the “cyberattack occurred in Illinois or that [Gulshan] stored [the plaintiffs’] information in Illinois.” Id. Nor do the plaintiffs allege that Gulshan “asked for, or that [they] provided [their] personal information to [Gulshan] in Illinois.” Id. Because the complaint “is
devoid of any allegations connecting the data breach to Illinois,” the plaintiffs have “failed to state an ICFA claim.” Id. Second, Rule 9(b) applies to some, but not most, of the plaintiffs’ ICFA claim. Rule 9(b) provides: “In alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” FED. R. CIV. P. 9(b). Rule 9(b) requires particularized pleading for claims that “sound in fraud.” Lone Star Ladies Inv. Club v. Schlotzsky’s Inc., 238 F.3d 363, 369 (5th Cir. 2001). “[A]n unfair practices claim is not subject to Rule 9(b)’s heightened pleading requirements.” Santiago v. Tesla, Inc., 757 F. Supp. 3d 831, 844 (N.D. Ill. 2024) (citing Pirelli Armstrong Tire Corp. Retiree Med. Benefits Tr. v. Walgreen Co., 631 F.3d 436, 446 (7th Cir.
2011)). A practice is unfair if it “(1) offends public policy; (2) is immoral, unethical, oppressive, or unscrupulous; or (3) causes substantial injury to consumers.” Batson v. Live Nation Ent., Inc., 746 F.3d 827, 830 (7th Cir. 2014); see Robinson v. Toyota Motor Credit Corp., 775 N.E.2d 951, 961 (2002). Fraud is not a necessary condition of these factors. Rule 9(b) applies, however, if the plaintiff attempts to disguise claim that sounds in fraud through under an unfair practices label. See Pop v. LuliFama.com LLC, 145 F.4th 1285, 1296 n.10 (11th Cir. 2025). Most of the plaintiffs’ ICFA claim depends on allegations that do not sound in fraud. The plaintiffs allege that Gulshan violated the ICFA because it did not “implement and maintain reasonable security and privacy measures”; did not “identify foreseeable security and privacy risks
19 and remediate identified security and privacy risks”; and did not “comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs and Illinois Subclass Members’ PII.” (Docket Entry No. 30 ¶ 397.a–.c). These are allegations about statutorily created duties, violations of which are contrary to public policy established by the Illinois legislature. See Flores, 242 N.E.3d at 357; Miller, 742 F. Supp. 3d at 1327. Such allegations do not sound in fraud and
do not require particularized pleading. But the plaintiffs also allege that Gulshan omitted, suppressed, and concealed the material fact that they did not reasonably or adequately secure the plaintiffs’ information and that they did not comply with their common-law and statutory duties. (See Docket Entry No. 30 ¶ 397.d–.e). Allegations about material omissions sound in fraud. See Pop, 145 F.4th at 1295 (“At bottom, the ‘basic conduct’ that common law fraud targets is ‘misrepresenting or concealing material facts.’” (quoting SEC v. Jarkesy, 603 U.S. 109, 125 (2024))). Rule 9(b) requires particularity pleading. The complaint does not allege with particularity where, when, and how Gulshan omitted or concealed material facts about its data-security practices.
Third, the plaintiffs do not adequately allege an injury under the ICFA. Illinois courts have held that “emotional distress due to [the plaintiffs’] loss of privacy, [their] lost time dealing with the consequences of the data breach, the increase in spam messages [they have] received,” “diminution of the value of [their] personal information,” and the “imminent risk of fraud and identity theft” are not viable claims under the statute. Flores, 242 N.E.3d at 357; see also Petta v. Christie Bus. Holding Co., P.C., 230 N.E.3d 162, 167–72 (Ill. App. 2023) (reaching similar conclusions on standing grounds), aff’d, 267 N.E.3d 904 (2025). Only one plaintiff, Ana Ceja, allegedly suffered “actual economic losses” based on having to order “a credit-monitoring service,” Flores, 242 N.E.3d at 357, in response to the data breach,
20 (Docket Entry No. 30 ¶ 211). Gulshan argues that a credit-monitoring service is a self-inflicted cost that is not recoverable under Illinois law. (Docket Entry No. 38 at 15). Petta held that the plaintiffs did not have standing to recover the costs of a credit-monitoring service because the complaint allegations showed only a speculative risk of harm from the data breach. See Petta, 230 N.E.3d at 169. Standing under Illinois law is different from actual damage under the Consumer
Fraud Act. See Flores, 242 N.E.3d at 357 (citing Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 829-30 (7th Cir. 2018)). But even under Petta’s own terms, Ceja’s allegations are sufficient because she alleges “that her information has been improperly used.” Petta, 230 N.E.3d at 169; New Era, 2026 WL 303547, at *4–5; (see Docket Entry No. 30 ¶ 210 (alleging that her personal information is on the dark web and that third parties have attempted to access her financial accounts)). The plaintiffs’ ICFA claims are dismissed, without prejudice, because amendment may not be futile. E. The Prayers for Relief
1. Emotional Distress “Without intent or malice on the defendant’s part, serious bodily injury to the plaintiff, or a special relationship between the two parties,” Texas courts “permit recovery for mental anguish in only a few types of cases involving injuries of such a shocking and disturbing nature that mental anguish is a highly foreseeable result,” such as in “suits for wrongful death and actions by bystanders for a close family member’s serious injury.” City of Tyler v. Likes, 962 S.W.2d 489, 496 (Tex. 1997) (internal citations omitted); see Motor Exp., Inc. v. Rodriguez, 925 S.W.2d 638, 639 (Tex. 1996) (listing examples of cases in which “a claimant who is not physically injured by the defendant’s breach of a duty may recover mental anguish damages”). Even when plaintiffs
21 may recover for mental anguish, “it is necessary to offer proof of more than mere worry, anxiety, vexation or anger.” Grp. Hosp. Servs., Inc. v. Daniel, 704 S.W.2d 870, 878 (Tex. App.—Corpus Christi-Edinburg 1985, no pet.). Mental anguish “implies a relatively high degree of mental pain and distress,” such as “mental sensation of pain resulting from such painful emotions as grief, severe disappointment, indignation, wounded pride, shame, despair and/or public humiliation.”
Id. (quoting Trevino v. Southwestern Bell Telephone Co., 582 S.W.2d 582 (Tex. Civ. App.— Corpus Christi 1979, writ ref’d n.r.e.)). The plaintiffs allege “stress, anxiety, and concern due to the loss of [their] privacy and concern over the impact of cybercriminals accessing and misusing” their private information. (Docket Entry No. 30 ¶¶ 212, 230, 248, 266, 285, 303). These allegations are insufficient to state a claim for emotional distress under Texas law. Nor does it appear that the alleged torts, which sound in simple negligence and contract, provide a remedy for mental anguish. The plaintiffs’ prayer for damages based on emotional distress is dismissed, without prejudice. See New Era, 2026 WL 303547, at *10. The plaintiffs have one more opportunity to
plead, consistent with Rule 11, that they have suffered emotional damages for which Texas law would permit recovery. 2. Injunctive Relief A court can enter injunctive relief only to abate an imminent or ongoing harm. “The purpose of the requirement that the injury be ‘imminent’ is ‘to ensure that the alleged injury is not too speculative for Article III purposes.’” Stringer v. Whitley, 942 F.3d 715, 721 (5th Cir. 2019). (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013)). “For a threatened future injury to satisfy the imminence requirement, there must be at least a ‘substantial risk’ that the injury will occur.” Id. (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)). Standing
22 “does not follow from the conclusion that the injunctive relief sought by a plaintiff would prevent the plaintiff from suffering the same injury in the future, which is always true when a plaintiff seeks an injunction prohibiting a defendant from repeating an action that injured the plaintiff in the past.” Id. Rather, plaintiffs “must also show that there is a substantial risk that they will suffer the potential future injury absent their requested relief.” Id. “Past wrongs are relevant to ‘whether
there is a real and immediate threat of repeated injury,’ but alone they may be insufficient to establish standing for prospective relief.” Attala County, Mississippi Branch of NAACP v. Evans, 37 F.4th 1038, 1042 (5th Cir. 2022) (quoting O’Shea v. Littleton, 414 U.S. 488, 4996 (1974)). Nothing in the complaint supports an inference that a second cyberattack against Gulshan is imminent. The court must draw inferences based on the fact that Gulshan was attacked and has not corrected its vulnerabilities. The court cannot draw from those facts a reasonable inference that another attack is likely to occur in the near future. “A hacker must first discover the same vulnerability as the previous hacker. If the vulnerability has been patched, the hacker must discover an entirely new vulnerability, adding another layer of speculation to the likelihood of the
injury.” In re ESO Sols., Inc. Breach Litig., No. 1:23-CV-1557-RP, 2024 WL 4456703, at *8 (W.D. Tex. July 30, 2024). There is also reason to doubt that another hacker will have the motive to attack Gulshan again. Accepting the plaintiffs’ allegations about the severity and consequences of the Gulshan data breach as true, the next hacker will gain little information that is not already available on the dark web for purchase. Although “a subsequent data breach remains possible, it is a far stretch to describe it as ‘certainly impending.’ Id. (quoting Logan v. Market Group, Inc., No. 4:22-CV-174, 2024 WL 3489208, at *7–8 (S.D. Tex. July 18, 2024)).
23 IV. Conclusion For these reasons, the motion to dismiss, (Docket Entry No. 35), is granted in part and denied in part. The plaintiffs must amend their complaint by July 17, 2026.
SIGNED on June 29, 2026, at Houston, Texas.
LW CreWe— Lee H. Rosenthal Senior United States District Judge