IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION ) ) ) IN RE KEMPER SPORTS ) Case No. 24-CV-8503 MANAGEMENT DATA BREACH ) LITIGATION ) Honorable Joan B. Gottschall ) ) ) ) MEMORANDUM OPINION AND ORDER On April 1, 2024, hostile actors compromised and accessed defendant Kemper Sports Management, LLC’s, network. See Am. Compl. ¶¶ 1–3, Dkt. No. 39. Kemper notified current and former employees of this data breach on September 9, 2024. Id. ¶ 4; see also id. Ex. 1 (sample notice of data breach). This litigation followed. By agreement of all parties, these five cases were consolidated, and the plaintiffs filed an amended consolidated class action complaint, referred to for simplicity here as the “amended complaint.” Am. Compl.; Order dated Nov. 22, 2024, Dkt. No. 20 (consolidating cases). Federal jurisdiction is based on the Class Action Fairness Act (CAFA), 28 U.S.C. § 1332(d)(2). Kemper moves to dismiss the amended complaint for lack of Article III standing and failure to state a claim upon which relief can be granted. Mot. to Dismiss, Dkt. No. 25; Mem. Supp. Mot. to Dismiss, Dkt. No. 26. For the reasons explained below, the court determines that plaintiffs have pleaded concrete and particularized injuries sufficient to show that they have standing. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). On the merits, the complaint states plausible claims for negligence, breach of contract, and unjust enrichment. The court dismisses plaintiffs’ intrusion upon seclusion claims because, although the actors who penetrated Kemper’s security engaged in intentional conduct, plaintiffs alleged no such intentional tortious conduct attributable to Kemper. I. Background1 Kemper is a hospitality management services company with $410 million in annual revenue. Am. Compl. ¶¶ 1, 28. It maintains a national portfolio of more than 140 resorts, golf courses, private clubs, and sports venues. Am. Compl. ¶ 1. Each of the six named plaintiffs— Rachel Getzinger, Kelli Seals, Edwin Scheide, Kendra Davila, William Campe, Corey Bergamo, and Tracy Kading—is a current or former Kemper employee whose personally identifiable information (“PII”) was exposed in the April 1, 2024, data breach. Am. Compl. ¶ 11. Kemper required its current and former employees to provide their PII, e.g., social security numbers, as a condition of employment, and it used that information to facilitate paying employees. See Am. Compl. ¶ 34. According to Kemper, the data breach exposed approximately 62,815 individuals’ PII. Am. Compl. ¶ 39 (citation omitted). The potentially exposed information includes individuals’ “full names, addresses, Social Security numbers, financial information, medical information, and health insurance information.” Am. Compl. ¶ 40. Plaintiffs further allege, on information and belief, that Kemper did not encrypt their PII. Am. Compl. ¶ 35. The amended complaint asserts that Kemper “did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information it was maintaining for Plaintiffs and Class Members, causing the exposure of PII for Plaintiffs and Class Members.” Am. Compl. ¶ 45. Plaintiffs plead: “Given the type of targeted attack in this case, the type of PII accessed, and the fact that such information was successfully exfiltrated by cybercriminals, there is a strong probability that the unencrypted PII of Plaintiffs and Class Members have [sic] been placed, or will be placed, on the black market/Dark Web for sale and purchase by criminals ———————————————————— 1 To decide Kemper’s motion to dismiss, the court accepts the amended complaint’s well‐pleaded factual allegations as true and draws all reasonable inferences in plaintiffs’ favor. See Bilek v. Fed. Ins. Co., 8 F.4th 581, 584 (7th Cir. 2021) (citing Taha v. Int'l Bhd. of Teamsters, Loc. 781, 947 F.3d 464, 469 (7th Cir. 2020)) (Rule 12(b)(6) failure to state a claim); Bultasa Buddhist Temple of Chi. v. Nielsen, 878 F.3d 570, 573 (7th Cir. 2017) (citing Ezekiel v. Michel, 66 F.3d 894, 897 (7th Cir. 1995)) (Rule 12(b)(1) motion testing subject matter jurisdiction). The court recites the facts alleged in the amended complaint in conformity with this standard. intending to utilize the PII for identity theft crimes.” Am. Compl. ¶ 44. Kemper advised those potentially affected by the breach “to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity.” Am. Compl. ¶ 49 (quoting Notice of Security Incident, Am. Compl., Ex. 1); see also Am. Compl. ¶¶ 188–91 (describing alleged industry best practices). Kemper has provided plaintiffs a year of complimentary credit monitoring, but plaintiffs allege that credit monitoring “does not adequately address the lifelong harm that victims will face from the Data Breach.” Am. Compl. ¶ 51; see also Am. Compl. ¶¶ 51–72. Each named plaintiff’s experience has been pleaded. See Am. Compl. ¶¶ 73–170. In summary, each plaintiff alleges that he or she suffered an invasion of privacy; has experienced anxiety and stress in the past; will continue to experience anxiety and stress in the future; has been exposed to an increased risk of identity theft and fraud; (as to some plaintiffs) has experienced an increased number of spam texts, calls, and/or emails since the data breach; and has expended time researching the data breach and taking steps to monitor and mitigate it, such as changing passwords and monitoring financial account statements. See Am. Compl. ¶¶ 73–170 (some allegations made on information and belief). In addition, plaintiff Scheide alleges that someone posted an unauthorized $200 transaction to his bank account in June 2024. Am. Compl. ¶ 108. He “was then forced to spend time on the phone with his financial institution’s fraud department reporting this fraudulent transaction in order to be reimbursed. Further, Plaintiff Scheide was forced to spend time canceling his debit card and ordering a new debit card.” Am. Compl. ¶ 108. The amended complaint charges, “[u]pon information and belief,” that the data breach precipitated this incident, which occurred approximately two months after the breach. Am. Compl. ¶ 109. Plaintiffs seek to represent a class consisting of “[a]ll individuals residing in the United States whose PII was compromised in the Data Breach discovered by Defendant in April 2024, including all those who received notice of the Data Breach.” Am. Compl. ¶ 192; see also Am. Compl. ¶¶ 193–94 (exclusions and reservation of right to amend proposed class definition). The amended complaint has four counts: negligence, breach of implied contract, unjust enrichment, and invasion of privacy. Am. Compl. ¶¶ 197–258. Plaintiffs seek declaratory and injunctive relief, monetary damages, and attorneys’ fees and costs. See Am. Compl. p. 46 (prayer for relief). II. Standing A Rule 12(b)(1) motion to dismiss for lack of subject matter jurisdiction raises either a facial or factual challenge to subject matter jurisdiction. Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015) (citing Apex Digit., Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009)). Significant differences exist between the standards that apply to facial and factual challenges. See Boim v. Am. Muslims for Palestine, 9 F.4th 545, 557–58 (7th Cir. 2021). A facial challenge claims that the complaint’s, or another pleading’s, allegations are insufficient, while “[a] factual challenge contends that ‘there is in fact no subject matter jurisdiction,’ even if the pleadings are formally sufficient.” Silha, 807 F.3d at 173 (emphasis omitted) (quoting Apex Digit., 572 F.3d at 444). Kemper raises a facial attack here, for it does not dispute the facts alleged in the amended complaint or rely on extrinsic facts. See Mem. Supp. Mot. to Dismiss 3– 10, Dkt. No. 26; See also Boim, 9 F.4th at 557–58; Bazile v. Fin. Sys. of Green Bay, Inc., 983 F.3d 274, 279 (7th Cir. 2020). To survive a facial attack, a “plaintiff may demonstrate standing by clearly pleading allegations [in her complaint] that ‘plausibly suggest’ each element of standing when all reasonable inferences are drawn in the plaintiff's favor.” Spuhler v. State Collection Serv., Inc., 983 F.3d 282, 285 (7th Cir. 2020) (quoting Silha, 807 F.3d at 173–74; other citations omitted). The court “must accept as true all material allegations of the complaint, drawing all reasonable inferences therefrom in the plaintiff’s favor.” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 691 (7th Cir. 2015) (quoting Reid L. v. Ill. State Bd. of Educ., 358 F.3d 511, 515 (7th Cir. 2004)); see also Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992). Putting these standards together, this court’s task is to determine whether the amended complaint includes well‐pleaded allegations that plausibly suggest each element of Article III standing when all reasonable inferences are drawn in the named plaintiffs’ favor.
Article III of the Constitution limits the judicial power of federal courts to resolving “cases” and “controversies.” U.S. Const. art. III, § 2, cl. 1. For “a lawsuit to constitute a case within the meaning of Article III, the plaintiff must have standing to sue.” Diamond Alt. Energy, LLC v. EPA, 606 U.S. 100, 110 (2025); see also id. at 110–11. Supreme Court decisions establish that “the irreducible constitutional minimum of standing contains three elements: injury in fact, causation, and redressability.” Id. at 111 (citation modified) (citing Lujan, 504 U.S. at 560). The parties focus primarily on the injury in fact requirement. Like the other standing elements, the injury in fact requirement ensures that plaintiffs “possess a personal stake in the dispute and are not mere bystanders . . . Standing doctrine also tends to assure that the legal questions presented to the court will be resolved, not in the rarified atmosphere of a debating society, but in a concrete factual context conducive to a realistic appreciation of the consequences of judicial action.” Diamond Alt. Energy, 606 U.S. at 110–11 (citation modified); see also FDA v. All. for Hippocratic Med., 602 U.S. 367, 381 (2024). “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’ ” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (quoting Lujan, 504 U.S. at 560). Concreteness and particularization are “independent requirements[s].” Id.; see id. at 335, 338–42. Concreteness “examines the substance of a plaintiff’s asserted injury, [and] the imminence requirement measures its likelihood.” Dinerstein v. Google, LLC, 73 F.4th 502, 511 (7th Cir. 2023) (quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)). To be particularized, an alleged “injury must affect ‘the plaintiff in a personal and individual way’ and not be a generalized grievance.” All. for Hippocratic Med., 602 U.S. at 381 (quoting Lujan, 504 U.S. at 560). An injury must actually exist, that is it must be “real and not abstract,” to be concrete. Id. (quoting Spokeo, 578 U.S. at 340). The Supreme Court has been clear that tangible harms, such as physical and monetary harms, as well as intangible harms may be sufficiently concrete to confer standing. See TransUnion LLC v. Ramirez, 594 U.S. 413, 424 (2021). As examples of concrete intangible harms, the Supreme Court has cited “injuries with a close relationship to harms traditionally recognized as providing a basis for a lawsuit in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. (citations omitted); see Spokeo, 578 U.S. at 340–42.
Beginning with Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the Seventh Circuit has issued three opinions applying the injury in fact requirement in what is commonly referred to as data breach litigation. Remijas grew out of a 2013 data breach in which bad actors stole department store customers’ credit card numbers. See id. at 690. The department store offered potentially affected customers a year of free credit monitoring. Id. Class-action litigation followed. See id. The Seventh Circuit analyzed each form of harm the plaintiffs alleged. See id. at 692–93. It found plaintiffs’ arguments that the loss of their private information was itself an adequately concrete injury, as well as defendant’s delay in notifying the plaintiffs of the data breach, “problematic.” See id. at 694–95. But the Remijas court disagreed with the district court’s reading of Clapper v. Amnesty International USA, 568 U.S.398 (2013), as foreclosing “any use whatsoever of future injuries to support Article III standing.” Remijas, 794 F.3d at 693. Rather, the Seventh Circuit stated, if the plaintiffs can show a “ ‘substantial risk’ that the harm will occur, and they are forced to reasonably incur costs to mitigate or avoid that harm,” id. at 693 (quoting Clapper, 568 U.S. at 409), they may be able to establish standing. In Clapper, the harm of which the plaintiffs complained was that their future communications with foreign surveillance targets might be intercepted, a harm which had not yet occurred and might never occur. But in Remijas, in contrast, plaintiffs’ information had already been stolen, putting it at immediate risk for misuse: “Why else would hackers break into a store's database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” 794 F.3d at 693. In these circumstances, where it is clear that the plaintiffs’ PII had been targeted and stolen, a substantial risk of its misuse can easily be inferred. Id. And where a breach has already occurred, and an affected customer has already been notified that his or her credit card information has been compromised, a reasonable customer “might think it necessary to subscribe to a service that offers monthly credit monitoring.” Id. at 694. The fact that defendant “offered one year of credit monitoring and identity-theft protection” to affected customers demonstrates that the defendant did not view the risk as “ephemeral.” Such a risk “easily qualifies as a concrete injury.” Id. Remijas has been applied in two subsequent data breach cases in the Seventh Circuit. See Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018); see also Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 623–27 (7th Cir. 2020). Kemper contends that TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), calls into question the reasoning of Remijas, Lewert, and Dieffenbach. This court disagrees. The facts in TransUnion easily distinguish the circumstances present there from the Seventh Circuit’s data breach cases, as well as the circumstances present in the instant case. In TransUnion, 8,185 class members complained that TransUnion, a credit reporting agency, had failed to ensure the accuracy of information in their credit files. In the case of 1,853 of those class members, TransUnion had provided the inaccurate credit reports to third‐party businesses. See 594 U.S. at 432. Those 1,853 class members, the Supreme Court held, had demonstrated “concrete reputational harm,” and adequately made out Article III standing. Id. at 432-33. But as for the 6,332 class members whose allegedly faulty credit files had not been provided to third‐party businesses, those class members had failed to demonstrate concrete harm and accordingly lacked standing. Id. at 434. The Seventh Circuit has not addressed the effect of TransUnion on its standing jurisprudence in a data breach case, but it has cited the Remijas line of cases, post‐TransUnion, for the proposition that “people injured by leaked or hacked data can have standing.” Baysal v. Midvale Indem. Co., 78 F.4th 976, 977 (7th Cir. 2023). And, as far as this court is aware, every federal court of appeals to have considered the effect of TransUnion on data breach litigation has embraced, contrary to Kemper’s position, an approach similar to Remijas. See Webb v. Inj. Workers Pharm., LLC, 72 F.4th 365, 371–72 (1st Cir. 2023) (surveying decisions). All of this authority militates against the conclusion that TransUnion has altered or will alter the law as articulated in Remijas applicable to data breach cases.
The plaintiffs in these consolidated cases identify four types of harms they contend establish their standing. See Am. Compl. ¶¶ 197–258. Only one of these theories must be reached to find standing: plaintiffs’ allegations that, in view of the fact that their PPI was targeted and stolen, they have expended and will expend time and money protecting themselves from identity theft. The amended complaint details the steps plaintiffs took, such as monitoring their credit reports and financial accounts for suspicious activity. See, e.g., Am. Compl. ¶¶ 80, 124, 164, 168. Kemper points out that more than a year has passed since the data breach, and plaintiffs have identified only one alleged incident of identity theft potentially related to it. But as the Seventh Circuit took pains to point out in Remijas, the length of time that a plaintiff whose sensitive data has been stolen is truly at risk has not been conclusively established and imminence cannot be ruled out. 794 F.3d at 694. The fact that criminals considered plaintiffs’ PII valuable enough to steal suffices, in view of the sensitive nature of the information stolen, to plead a plausible injury in fact.2 See id. at 694.
———————————————————— 2 Social security numbers and employment-related financial information are highly sensitive, so much so that the Federal Rules of Civil Procedure protect them from public disclosure in court filings. See Fed. R. Civ. P. 5.2(a); see also Florence v. Ord. Exp., Inc., 674 F. Supp. 3d 472, 480–81 (N.D. Ill. 2023) (citations omitted). Kemper also moves under Federal Rule of Civil Procedure 12(b)(6) to dismiss the amended complaint for failure to state a claim. Kemper argues primarily that it owed plaintiffs no duty to protect their personally identifiable information under Illinois negligence law and that they have failed to allege a claim for breach of implied contract.
A Rule 12(b)(6) motion tests the sufficiency of a complaint rather than the case's merits or the merits of any affirmative defense. See Richards v. Mitcheff, 696 F.3d 635, 637–38 (7th Cir. 2012). Rule 8(a)(2) requires every complaint, and every other pleading that states a claim for relief, to contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” To withstand a Rule 12(b)(6) motion, a complaint must “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim satisfies this standard when its factual allegations “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555–56. When testing a complaint's sufficiency, the court accepts the complaint's well-pleaded facts as true and draws reasonable inferences from those facts in the plaintiff's favor, but conclusory allegations that merely recite the elements of a claim do not enjoy a presumption of truth. Virnich v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011). To state a negligence claim under Illinois law, plaintiffs must plausibly allege “the existence of a duty owed by the defendant to the plaintiff, a breach of that duty, and injury proximately resulting from the breach.” Cruz v. Costco Wholesale Corp., 134 F.4th 984, 987 (7th Cir. 2025) (quoting Heider v. DJG Pizza, Inc., 138 N.E.3d 934, 939 (Ill. App. Ct. 1st. Dist. 2019). Relying on Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. 2018), and Cooney v. Chicago Public Schools, 943 N.E.2d 23 (Ill. App. Ct. 1st Dist. 2010), Kemper maintains that it owed plaintiffs no duty to protect their personal information. Based on a prior version of the Illinois Personal Information Protection Act, the Cooney court held that the statute as then in effect “reflect[ed] legislative intent to limit defendants’ duty to providing notice” of a data breach but does not create a duty to safeguard information. Cooney, 943 N.E.2d at 28 (citation omitted). The Seventh Circuit applied Cooney’s reasoning in Schnuck Markets to affirm the dismissal of a negligence claim, “in the absence of some other reason why the Illinois Supreme Court would likely disagree with the Cooney analysis.” 887 F.3d at 816. But see Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 830 (7th Cir. 2018). As other courts have recognized, the Illinois legislature provided such a reason when it amended the Illinois Personal Information Protection Act in 2017. See, e.g., In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 590 (N.D. Ill. 2022); In re Mondelez Data Breach Litig., 2024 WL 2817489, at *4 (N.D. Ill. June 3, 2024). The amendment added, inter alia, the following language: “A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 Ill. Comp. Stat. 530/45(a). As Illinois and federal courts have explained, the addition of this language undermines Cooney. Consistent with the 2017 amendment, the amended complaint here states a plausible claim that Kemper owed plaintiffs a duty to protect their personal information. See Flores v. AON Corp., 2023 IL App (1st) 230140, ¶ 23; Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d at 590; Mondelez Data Breach Litig., 2024 WL 2817489, at *4. Kemper also argues that Illinois’ economic loss doctrine bars plaintiffs’ negligence claims. The economic loss doctrine generally “bars tort recovery for purely economic losses based on failure to perform contractual obligations.” Catalan v. GMAC Mortg. Corp., 629 F.3d 676, 693 (7th Cir. 2011) (citing Moorman Mfg. Co. v. Nat’l Tank Co., 435 N.E.2d 443, 448–49 (Ill. 1982)). The doctrine’s rationale is that in the case of “purely economic losses inflicted by one business on another where those businesses have already ordered their duties, rights, and remedies by contract[,] liability for purely economic loss is more appropriately determined by commercial rather than tort law,” i.e., by the system of rights and remedies created by the parties themselves. Schnuck Markets, 887 F.3d at 812 (citation modified). After explaining the rationale of the economic loss rule, the Illinois appellate court recently held, “Applying the Moorman [economic loss] doctrine to . . . data breach case[s] would stretch the applicability of the doctrine far beyond its products liability roots, given that there is no express contract between the parties and the injuries allegedly suffered by plaintiffs were not caused by any defect in the actual product of the transaction.” Flores, 2023 IL App (1st) 230140 ¶ 57 (citing In re Marriott Int’l, Inc., Customer Data Security Breach Litig., 440 F. Supp. 3d 447, 468–76 (D. Md. 2020)). The Illinois appellate court followed Flores in Olson v. Ferrara Candy Co., 2025 IL App (1st) 241126, ¶¶ 44–45, holding that the economic loss doctrine did not bar a negligence claim in data breach litigation. Federal courts have accordingly denied motions to dismiss negligence claims in data breach litigation, based on Flores and Olson. See Nazzaro v. Tecta Am. Corp., 2025 WL 2604790, at *4–5 (N.D. Ill. Sept. 9, 2025); Wittmeyer v. Heartland All. for Hum. Needs & Rts., 2024 WL 182211, at *3 (N.D. Ill. Jan. 17, 2024); Mondelez Data Breach Litig., 2024 WL 2817489, at *5. Kemper cites no contrary case applying Illinois law. This court therefore applies Flores and Olson to conclude that the economic loss doctrine does not bar plaintiffs’ negligence claim as pleaded in their amended complaint. See, e.g., Nazzaro, 2025 WL 2604790, at *5.
Plaintiffs plead that Kemper breached an implied contract, meaning a contract implied by the factual circumstances of their relationship with Kemper. That is, they allege the existence and breach of a contract implied in fact. See Marcatante v. City of Chicago, 657 F.3d 433, 440 (7th Cir. 2011) (discussing Illinois law concerning contracts implied in fact and contracts implied in law). “To sustain a complaint for breach of implied contract, a plaintiff must allege that (1) a contract existed, (2) the plaintiff performed his obligations under that contract, (3) the defendant breached the contract, and (4) the plaintiff suffered damages as a result of that breach.” Olson, 2025 IL App (1st) 241126, ¶ 59 (citing In re Estate of Khan, 191 N.E.3d 98, 105 (Ill. App. Ct. 1st Dist. 2021)). “A contract implied in fact is one in which a contractual duty is imposed by a promissory expression which may be inferred from the facts and circumstances and the expressions on the part of the promisor which show an intention to be bound.” Marcatante, 657 F.3d at 440 (alterations omitted) (quoting Estate of Jesmer v. Rohlev, 609 N.E.2d 816, 820 (Ill. 1993)). Kemper relies on Archey v. Osmose Utilities Services., Inc., 2022 WL 3543469, at *2 (N.D. Ill. Aug. 18, 2022), to argue that the amended complaint does not adequately allege the existence of an implied in fact contract. Like the present suit, Archey arose out of a data breach in which employees’ personally identifiable information was compromised. See id. at *1. The Archey court dismissed a breach of implied contract claim because the complaint did not plausibly plead a meeting of the minds between employer and employee. See id. at *2–3 (citing, among other cases, Midland Hotel Corp. v. Reuben H. Donnelley Corp., 515 N.E.2d 61, 65 (Ill. 1987)). A plaintiff’s “subjective inference that a contract was formed does not suffice to show the existence of an implied-in-fact contract,” the Archey court explained. Id. at *3 (citing Miksis v. Evanston Twp. High Sch. Dist., 235 F. Supp. 3d 960, 996 (N.D. Ill. 2017)). The Archey court drew a distinction that matters here. See id. at *3 (distinguishing In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 531 (N.D. Ill. 2011)). The Archey plaintiff argued that he “was required to provide [his employer] his personal information as a condition of employment[.]” But, the Archey court explained, “that is not what the [second amended complaint] allege[d].” Id. at *3. In contrast, the plaintiffs in these consolidated cases plead that Kemper required them to provide their PII as a condition of employment. Where an employer requires employees to provide PII as a condition of employment, courts have declined to dismiss claims for breach of implied contract in data breach cases. See Nazzaro, 2025 WL 2604790, at *6 (collecting citations). The rationale is simple: “As a matter of common sense, the employer-employee relationship generally encompasses the implicit mutual understanding that PII should be kept private and not be subject to public disclosure.” Id. (alteration omitted) (quoting Duffy v. Lewis Bros. Bakeries, Inc., 760 F. Supp. 3d 704, 724 (S.D. Ind. 2024)). As the Illinois appellate court stated in a data breach case, “[I]t is implied from the relationship between the parties that [the defendant‐employer] would take reasonable steps to ensure that plaintiffs’ personal information would be protected from unauthorized disclosure.” Olson, 2025 IL App (1st) 241126, ¶ 60 (citing Flores, 2023 IL App (1st) 230140, ¶ 33); see id. ¶¶ 62–63 (distinguishing Archey). Under this authority, the amended complaint adequately alleges the existence of a contract implied in fact. Illinois law also requires plaintiffs to “allege actual monetary damages.” Id. (quoting Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801 (Ill. 2005)) (other citation omitted). Kemper cites data breach cases rejecting as insufficient various theories of actual monetary damages. But the Illinois appellate court held in its 2025 decision in Olson that the plaintiff’s out of pocket payments for credit monitoring services stated a claim for breach of contract. Id. The Olson court reasoned: “Paying for credit monitoring is not ‘attenuated’ from the implied contract in which [the defendant-employer] promised to protect plaintiffs’ PII with adequate data security measures.” Id. Since the Illinois Supreme Court has not spoken to this issue, Olson provides helpful guidance for the task at hand, which is predicting how the state’s highest court would rule. See Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 811 (7th Cir. 2018). The amended complaint here includes allegations that plaintiffs incurred “[o]ut-of-pocket costs associated with the prevention, detection, recovery, and remediation from [sic] identity theft or fraud,” and “[l]ost opportunity costs and lost wages associated with the time and effort expended addressing and attempting to mitigate the actual and future consequences of the Data Breach.” Am. Compl. ¶ 172. Under Olson, these costs constitute economic damages recoverable on plaintiffs’ breach of contract claim. See also Dieffenbach, 887 F.3d at 830. The amended complaint states a plausible breach of implied contract claim. “In Illinois, ‘to state a cause of action based on a theory of unjust enrichment, a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.’ ” Cleary v. Philip Morris Inc., 656 F.3d 511, 516 (7th Cir. 2011) (citation modified) (quoting HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989)). Kemper makes a series of arguments here that parallel its arguments for dismissal of plaintiffs’ negligence and breach of contract claims. For reasons similar to its arguments that plaintiffs experienced no cognizable contract damages and breached no duty of care owed to plaintiffs, Kemper maintains that the amended complaint does not plausibly allege that it retained any benefit to plaintiffs’ detriment. See Mem. Supp. Mot. to Dismiss 18–19, Dkt. No. 26. “If an unjust enrichment claim rests on the same improper conduct alleged in another claim, then the unjust enrichment claim will be tied to this related claim—and, of course, unjust enrichment will stand or fall with the related claim.” Cleary, 656 F.3d at 517 (citing Ass'n Benefit Servs. v. Caremark Rx, Inc., 493 F.3d 841, 855 (7th Cir. 2007)). The foregoing analysis of plaintiffs’ breach of contract and negligence claims also explains why the amended complaint states a claim for unjust enrichment premised on the same underlying conduct. See id. at 517– 18; Sloan v. Anker Innovations Ltd., 711 F. Supp. 3d 946, 966 (N.D. Ill. 2024). In addition, as plaintiffs point out, they plead specifically that they would not have worked for Kemper, or would have demanded to be paid more, had they known the details of Kemper’s data security practices. See Am. Compl. ¶ 242. These allegations distinguish the amended complaint from the complaints in cases such as Irwin v. Jimmy John's Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016). Contrast also In re Lurie Children's Hosp. Data Sec. Litig., 2025 WL 2754760, at *11 (N.D. Ill. Sept. 27, 2025). Kemper’s motion to dismiss the unjust enrichment claim pleaded in the amended complaint is denied. Plaintiffs clarify in their response memorandum that Count IV of the amended complaint asserts a tort claim for intrusion upon seclusion. Dkt. No. 35 at 20–21. In Illinois, an intrusion upon seclusion claim has four elements: “(1) an unauthorized intrusion or prying into a plaintiff's seclusion; (2) the intrusion would be highly offensive or objectionable to a reasonable person; (3) the matters upon which the intrusion occurred were private; and (4) the intrusion caused anguish and suffering.” Ramirez v. LexisNexis Risk Sols., 729 F. Supp. 3d 838, 850 (N.D. Ill. 2024) (quoting Bonilla v. Ancestry.com Ops. Inc., 574 F. Supp. 3d 595, 596 (N.D. Ill. 2021)); see Dinerstein v. Google, LLC, 73 F.4th 502, 511 (7th Cir. 2023). As Kemper argues, plaintiffs allege an intentional act on the part of the thieves who penetrated Kemper’s digital security, but they do not allege an intentional invasion by Kemper of their privacy and seclusion. As in White v. Citywide Title Corp., 2018 WL 5013571, at *3 (N.D. Ill. Oct. 16, 2018), “Nothing in [the amended] complaint allows the court to reasonably infer that [Kemper] intentionally shared [plaintiffs’] information with third parties.” In response, plaintiffs cite Cooney, supra, for the proposition that “reckless conduct” satisfies the intentional invasion element. Resp. to Mot. to Dismiss 28, Dkt. No. 35. Cooney does not so hold. Rather, the Illinois appellate court affirmed the dismissal of the complaint’s intrusion upon seclusion claim. See Cooney, 943 N.E.2d at 32. Because third parties carried out the intentional conduct described in the amended complaint, it fails to state a claim against Kemper for the intentional tort of intrusion upon seclusion. See White, 2018 WL 5013571, at *3; Kurowski v. Rush Sys. for Health, 683 F. Supp. 3d 836, 849 (N.D. Ill. 2023); see also Lawlor v. N. Am. Corp. of Ill., 983 N.E.2d 414, 424 (Ill. 2012).
For the reasons stated, Kemper’s motion to dismiss the amended complaint is granted in part and denied in part. Kemper’s motion to dismiss for lack of Article III standing is denied. The court also denies Kemper’s motion to dismiss plaintiffs’ negligence, breach of contract, and unjust enrichment claims. The intrusion upon seclusion claim in Count IV is dismissed for failure to state a claim upon which relief may be granted. If they wish to attempt to cure the deficiencies in Count IV, plaintiffs may file a second amended complaint within twenty‐one days, that is, on or before January 26, 2026.
Date: January 5, 2026 /s/ Joan B. Gottschall United States District Judge