John Wagner, Gwenda Coburn-Bowman, James Robertson III, Daniel Saniga, Jr., John W. Miles, and Iris R. Mitchell, individually and on behalf of all others similarly situated v. Andy Frain Services, Inc.

CourtDistrict Court, N.D. Illinois
DecidedJuly 2, 2026
Docket1:25-cv-05252
StatusUnknown

This text of John Wagner, Gwenda Coburn-Bowman, James Robertson III, Daniel Saniga, Jr., John W. Miles, and Iris R. Mitchell, individually and on behalf of all others similarly situated v. Andy Frain Services, Inc. (John Wagner, Gwenda Coburn-Bowman, James Robertson III, Daniel Saniga, Jr., John W. Miles, and Iris R. Mitchell, individually and on behalf of all others similarly situated v. Andy Frain Services, Inc.) is published on Counsel Stack Legal Research, covering District Court, N.D. Illinois primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
John Wagner, Gwenda Coburn-Bowman, James Robertson III, Daniel Saniga, Jr., John W. Miles, and Iris R. Mitchell, individually and on behalf of all others similarly situated v. Andy Frain Services, Inc., (N.D. Ill. 2026).

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

John Wagner, Gwenda Coburn- ) No. 25 cv 5252 Bowman, James Robertson III, ) No. 25 cv 5274 Daniel Saniga, Jr., John W. ) No. 25 cv 5505 Miles, and Iris R. Mitchell, ) No. 25 cv 5306 individually and on behalf of ) No. 25 cv 5333 all others similarly ) No. 25 cv 5402 situated, ) No. 25 cv 5616 ) No. 25 cv 5649 Plaintiffs, ) No. 25 cv 5706 ) ) v. ) ) ) Andy Frain Services, Inc., ) ) Defendant. )

Memorandum Opinion and Order Plaintiffs in these consolidated cases allege on behalf of themselves and a putative class that when they applied for jobs with the security company Andy Frain Services, Inc., (“Andy Frain” or “the company”), they were required to provide the company with their personal identifying information (“PII”), including their names and social security numbers. Thereafter, on or around October 23, 2024, unauthorized third parties gained access to Andy Frain’s network systems and obtained files containing plaintiffs’ PII. Months after discovering this data breach, Andy Frain notified plaintiffs and the putative class that their PII had fallen into the hands of cybercriminals. Plaintiffs allege that the data breach was the result of the company’s inadequate security measures to secure, protect, and safeguard their PII. They allege further that the company’s delay in notifying them about the data breach “virtually ensured that the unauthorized third parties who exploited those security lapses could monetize, misuse, or disseminate that PII before Plaintiffs and Class members could take affirmative steps to protect their sensitive information.” CC Am. Compl., ECF 32 at ¶ 79. Plaintiffs claim that Andy Frain is liable for negligence and for breach of implied contract. As an alternative to their implied contract theory, they

claim that Andy Frain was unjustly enriched because of its misconduct. Plaintiffs seek injunctive relief as well as damages and/or equitable relief. Andy Frain moves to dismiss the complaint on various grounds: First, that all but one named plaintiff signed a binding arbitration agreement that covers the claims they assert, while the remaining plaintiff signed a different agreement in which he waived his right to a jury trial; second, that plaintiffs lack standing because they suffered no injury-in-fact; and third, that they fail to state an actionable claim. The motion is denied for the following reasons. Standing

Although defendant does not lead with the argument that plaintiffs lack standing, I begin with this issue because if defendant is correct, my analysis ends there. See Mack v. Resurgent Cap. Servs., L.P., 70 F.4th 395, 402 (7th Cir. 2023) (“[i]f the plaintiff lacks Article III standing to sue, the court has no jurisdiction to hear the matter.”) (citing Spokeo, Inc. v. Robins, 578 U.S. 330, 337–38 (2016)). For the reasons explained below, however, I am satisfied that my jurisdiction is secure. Three elements comprise the “irreducible constitutional minimum” of standing. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). A “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable

judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). Defendant argues that plaintiffs’ allegations do not reasonably suggest the first two elements. Two named plaintiffs—Robertson and Mitchell—allege that shortly after the data breach, they discovered unauthorized activity on their accounts: Robertson’s bank notified him about fraudulent charges on his account, and Mitchell experienced both unauthorized charges and the unauthorized opening of a Verizon account in her name. CC Am. Compl. at ¶¶ 33, 65. After the company notified him of the data breach, Robertson purchased a $70 monthly subscription to Norton LifeLock to protect himself from identity theft. Id. at ¶ 32.

In addition, all named plaintiff allege an “uptick in spam text messages, calls and emails” that they attribute to the breach; that they spent time on “reasonable efforts to mitigate the impact of the Data Breach”; and that they will forever spend valuable time monitoring accounts for actual or attempted fraud and feeling fearful and anxious about the loss of privacy and the risk identity theft and fraud. CC Am. Compl. at ¶¶ 12-13, 22-23, 34-35, 44-45, 54-55, 64-65 (describing uptick in spam and mitigation steps); ¶¶ ¶¶ 13- 14, 23-24, 35-36, 45-46, 55-56, 65-66 (describing opportunity costs and emotional impact). Based on their personal experiences, plaintiffs allege that the putative class members have suffered these types of injuries and damages: (i) a substantially increased and imminent risk of identity theft; (ii) the compromise, publication, and theft of their PII; (iii) out of-pocket expenses associated with the prevention, detection, and recovery from unauthorized use of their PII; (iv) lost opportunity costs associated with efforts attempting to mitigate the actual and future consequences of the Data Breach; (v) the continued risk to their PII which remains in Defendant’s possession; and (vi) future costs in terms of time, effort, and money that will be required to prevent, detect, and repair the impact of the PII compromised as a result of the Data Breach.

CC Am. Compl. at 91.

Andy Frain argues that the injuries plaintiffs allege are both too speculative and too remote from the company’s conduct to satisfy the first and second elements of the standing inquiry: injury-in- fact and fair traceability. But this argument fails to confront the fraudulent activity Robertson and Mitchell already discovered on their accounts as well as the costs Robertson incurred to protect himself from additional fraud. Monetary losses such as Robertson’s are among the “traditional tangible harms” that “readily qualify as concrete injuries under Article III.” TransUnion LLC v. Ramirez, 594 U.S. 413, 425 (2021)). So Robertson obviously has standing to assert claims to recover those costs, and Mitchell—who “spent time and effort resolving” fraudulent charges, even if they “did not result in injury to [her] wallet”—does too. Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016). In fact, Lewert and its predecessor, Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), held that even data breach victims who had not suffered fraudulent charges had standing to recover “mitigation expenses” to protect against future injuries.

819 F.3d. at 967. In Remijas, the Seventh Circuit considered the claims of customers whose credit card information was stolen from a department store’s computer systems. The court held that the victims who had already incurred fraudulent charges suffered concrete and particularized harms in the form of “the aggravation and loss of value of the time needed to set things straight,” and that even the victims who had not suffered those harms had standing based on “two imminent injuries: an increased risk of future fraudulent charges and greater susceptibility to identity theft.” Id. at 692. The court reasoned that the latter harms were “certainly impending,” and that “customers should not have to wait until hackers commit identity

Free access — add to your briefcase to read the full text and ask questions with AI

Related

Lujan v. Defenders of Wildlife
504 U.S. 555 (Supreme Court, 1992)
Howsam v. Dean Witter Reynolds, Inc.
537 U.S. 79 (Supreme Court, 2002)
Christopher L. Gore v. Alltel Commu
666 F.3d 1027 (Seventh Circuit, 2012)
Kiefer Specialty Flooring, Inc. v. Tarkett, Inc.
174 F.3d 907 (Seventh Circuit, 1999)
Dan Richards v. Michael Mitcheff
696 F.3d 635 (Seventh Circuit, 2012)
Clapper v. Amnesty International USA
133 S. Ct. 1138 (Supreme Court, 2013)
Hilary Remijas v. Neiman Marcus Group, LLC
794 F.3d 688 (Seventh Circuit, 2015)
John Lewert v. P.F. Chang's China Bistro, Inc
819 F.3d 963 (Seventh Circuit, 2016)
Spokeo, Inc. v. Robins
578 U.S. 330 (Supreme Court, 2016)
Shiyang Huang v. Equifax Inc.
999 F.3d 1247 (Eleventh Circuit, 2021)
TransUnion LLC v. Ramirez
594 U.S. 413 (Supreme Court, 2021)
BBL, Inc. v. City of Angola
809 F.3d 317 (Seventh Circuit, 2015)
Yvonne Mack v. Resurgent Capital Services, L.
70 F.4th 395 (Seventh Circuit, 2023)
Matt Dinerstein v. Google, LLC
73 F.4th 502 (Seventh Circuit, 2023)

Cite This Page — Counsel Stack

Bluebook (online)
John Wagner, Gwenda Coburn-Bowman, James Robertson III, Daniel Saniga, Jr., John W. Miles, and Iris R. Mitchell, individually and on behalf of all others similarly situated v. Andy Frain Services, Inc., Counsel Stack Legal Research, https://law.counselstack.com/opinion/john-wagner-gwenda-coburn-bowman-james-robertson-iii-daniel-saniga-jr-ilnd-2026.