Olson v. Ferrara Candy Co.

2025 IL App (1st) 241126

• Court: Appellate Court of Illinois
• Decided: June 25, 2025
• Docket: 1-24-1126
• Status: Published

Opinion

2025 IL App (1st) 241126 No. 1-24-1126 Opinion filed June 25, 2025 Third Division

______________________________________________________________________________ IN THE APPELLATE COURT OF ILLINOIS FIRST DISTRICT ______________________________________________________________________________ ERVIN OLSON, and SHAWN WESSON, on Behalf of ) Appeal from the Themselves and All Others Similarly Situated, ) Circuit Court of ) Cook County. Plaintiffs-Appellants, ) ) v. ) No. 22 CH 6866 ) FERRARA CANDY COMPANY, ) Honorable ) Joel Chupack, Defendant-Appellee. ) Judge, presiding.

PRESIDING JUSTICE LAMPKIN delivered the judgment of the court, with opinion. Justices Martin and D.B. Walker concurred in the judgment and opinion.

OPINION

¶1 Plaintiffs Ervin Olson and Shawn Wesson filed a data breach class-action complaint

against their former employer, defendant Ferrara Candy Company (Ferrara). Plaintiffs alleged that

Ferrara negligently failed to use reasonable means to protect its current and former employees’

“personally identifiable information” (PII)—including Social Security numbers, driver’s license

numbers, and bank account and routing numbers—from unauthorized access by an unknown third

party, who stole the PII and committed fraud. Ferrara filed a combined motion to dismiss the No. 1-24-1126

complaint pursuant to section 2-619.1 of the Code of Civil Procedure (Code) (735 ILCS 5/2-619.1

(West 2022)), arguing that plaintiffs lacked standing and failed to plead adequate facts to support

their claims. The circuit court granted the motion to dismiss under section 2-615 of the Code (id.

§ 2-615), ruling that plaintiffs failed to adequately plead facts to support their claims.

¶2 On appeal, plaintiffs argue that the circuit court erred by dismissing their negligence claims

under the Moorman doctrine (see Moorman Manufacturing Co. v. National Tank Co., 91 Ill. 2d

69 (1982)) and by ruling that they failed to plead damages under their negligence claims.

Furthermore, plaintiff Wesson argues that the circuit court erred by ruling that he failed to plead

damages under his implied contract claim and he failed to adequately plead damages and causation

regarding his claim under the Consumer Fraud and Deceptive Business Practices Act (Consumer

Fraud Act) (815 ILCS 505/1 et seq. (West 2022)).

¶3 For the reasons that follow, we affirm in part and reverse in part the judgment of the circuit

court.

¶4 I. BACKGROUND

¶5 Defendant Ferrara is a Chicago-based manufacturer of candies and other sweets. Ferrara

posted a notice of data event to its website (website notice), which plaintiffs attached to their

operative complaint and incorporated therein. The website notice stated that from October 2, 2021,

to October 9, 2021, “an unauthorized actor accessed the Ferrara network and removed certain files

from the network.” Ferrara undertook an investigation to identify the information potentially

contained in the files at issue. Ferrara completed its review on March 30, 2022 “and determined

that certain personal information could have been impacted by this event.” Based on its

investigation, Ferrara “determined that the following types of information were present in the

potentially impacted files: certain individuals’ names, dates of birth, financial account information,

-2- No. 1-24-1126

Social Security numbers, driver’s license numbers, birth certificates, passport numbers or other

government issued identification numbers, digital/electronic signatures, mother’s maiden name,

and/or medical information.” Ferrara encouraged individuals to remain vigilant against incidents

of identity theft and fraud by reviewing their account statements and monitoring their free credit

reports for suspicious activity and to detect errors over the next 12 to 24 months. Further, Ferrara

offered credit monitoring to impacted individuals at no cost to them. In about April 2022, Ferrara

notified individuals whose personal information potentially was impacted. Plaintiffs Olson and

Wesson alleged that they received this notice from Ferrara in about May 2022.

¶6 In July 2022, Olson filed a class action complaint against Ferrara, arising out of the data

breach event. Ferrara moved to dismiss, arguing that Olson lacked standing and did not state a

claim because he did not allege an actual injury, only the risk of future injury. In response, Olson

and Wesson filed an amended complaint adding Wesson as a plaintiff and his additional allegations

of injury. Ferrara moved to dismiss again, contending that plaintiffs lacked standing and neither

plaintiff alleged sufficient facts to satisfy the elements of any of their alleged claims.

¶7 The circuit court granted Ferrara’s motion to dismiss under section 2-615 of the Code and

gave plaintiffs leave to amend their complaint. The court did not address the standing issue portion

of Ferrara’s motion to dismiss under section 2-619 of the Code (735 ILCS 5/2-619 (West 2022)).

¶8 Plaintiffs filed a second amended complaint wherein Wesson alleged that he already

experienced identity theft and fraud following the data breach because in December 2021 he

“suffered fraudulent charges on his credit union account.” Wesson alleged that he was not aware

of other data breaches aside from Ferrara’s or reasons criminals would have his credit union

checking account or debit card information.

-3- No. 1-24-1126

¶9 In its motion to dismiss, Ferrara again argued that plaintiffs lacked standing and failed to

plead sufficient facts to state a claim. Ferrara provided the supporting sworn declaration of David

Fagan, Ferrara’s director of cybersecurity. The declaration stated that

“Ferrara never maintained information on any credit union account held by Mr. Wesson.

The only information on a financial account held by Mr. Wesson that Ferrara has ever

maintained was his routing number and account number for a Chase bank account, which

Ferrara maintained for purposes of paying him by direct deposit. However, even this

information was maintained on a third-party system that was not subject to the

cybersecurity incident.”

¶ 10 After briefing, the circuit court dismissed the second amended complaint under section 2-

615 of the Code based on plaintiffs’ failure to plead legally sufficient claims. The court did not

address the standing issue portion of Ferrara’s motion to dismiss under section 2-619 of the Code.

¶ 11 Plaintiffs then filed a third amended complaint (the operative complaint), which asserted

claims on behalf of themselves and the putative class for (1) negligence, (2) negligence per se,

(3) breach of implied contract, (4) unjust enrichment, and (5) violation of the Consumer Fraud Act.

Regarding their injuries, Olson alleged that he expended effort monitoring his account, suffered

anxiety about the data breach, sustained damages to and diminution in the value of his PII, and

remained at an increased risk of fraud, identity theft, and misuse. Wesson alleged the same injuries

as Olson, plus fraudulent charges to his credit union account. Wesson also alleged that sometime

after receiving notice of the data breach, he bought a credit monitoring service, for which he paid

$24.99 monthly for several months and then $4.99 monthly for a couple of months.

-4- No. 1-24-1126

¶ 12 Plaintiffs alleged that Ferrara required its employees to disclose their PII as part of their

employment with Ferrara. On its website, Ferrara stated that it protects employees’ PII “from loss,

misuse, or unauthorized disclosure”; takes its obligations to employees seriously; and collects,

uses, and processes any PII only for legitimate business purposes and only in accordance with

Ferrara’s privacy policy. Plaintiffs alleged that, despite recognizing its duty to protect employees’

PII, Ferrara failed to implement reasonable cybersecurity safeguards or a privacy policy; failed to

train its “IT” or data security employees to prevent, detect, and stop breaches of Ferrara’s systems;

and stopped operating key cybersecurity infrastructure during evening hours in August 2021—

only two months before the data breach—running it only during Ferrara’s day shifts. Furthermore,

plaintiffs alleged that they faced a significant risk of identity theft and fraud because

cybercriminals compile the plaintiffs’ stolen PII into Fullz packages that are then sold to unsavory

parties that use the information for telemarketer operations or to commit fraud.

¶ 13 Plaintiffs’ complaint sought, inter alia, monetary damages for themselves and the other

putative class members, including compensatory damages, which included the costs of future

monitoring of their credit history for identity theft and fraud, plus attorney fees, prejudgment

interest, and costs.

¶ 14 The circuit court dismissed the case with prejudice under section 2-615 of the Code for

failure to state a claim.

¶ 15 Plaintiffs appealed.

¶ 16 II. ANALYSIS

¶ 17 A section 2-615 motion to dismiss tests the legal sufficiency of the complaint based on

defects apparent on its face. Doe-3 v. McLean County Unit District No. 5 Board of Directors, 2012

IL 112479, ¶ 15. A section 2-615 motion presents the question of whether the facts alleged in the

-5- No. 1-24-1126

complaint—viewed in the light most favorable to the plaintiff, and taking all well-pleaded facts

and all reasonable inferences that may be drawn from those facts as true—are sufficient to state a

cause of action upon which relief may be granted. Id. ¶ 16. “[A] cause of action should not be

dismissed pursuant to section 2-615 unless it is clearly apparent that no set of facts can be proved

that would entitle the plaintiff to recovery.” Marshall v. Burger King Corp., 222 Ill. 2d 422, 429

(2006). In ruling on a section 2-615 motion, the court considers only “those facts apparent from

the face of the pleadings, matters subject to judicial notice, and judicial admissions in the record.”

Gillen v. State Farm Mutual Automobile Insurance Co., 215 Ill. 2d 381, 385 (2005). A section 2-

615 motion dismissal is reviewed de novo. Doe-3, 2012 IL 112479, ¶ 15.

¶ 18 Section 2-619(a)(9) of the Code provides that a defendant may file a motion for dismissal

of the action on the grounds that “the claim asserted against defendant is barred by other

affirmative matter avoiding the legal effect of or defeating the claim.” 735 ILCS 5/2-619(a)(9)

(West 2022). Section 2-619(a)’s purpose is to provide litigants with a method of disposing of issues

of law and easily proved issues of fact—relating to the affirmative matter—early in the litigation.

Van Meter v. Darien Park District, 207 Ill. 2d 359, 367 (2003). A motion for involuntary dismissal

under section 2-619(a)(9) of the Code admits the legal sufficiency of the complaint, admits all

well-pleaded facts and all reasonable inferences therefrom, and asserts an affirmative matter

outside the complaint that bars or defeats the cause of action. Kean v. Wal-Mart Stores, Inc., 235

Ill. 2d 351, 361 (2009). When ruling on the section 2-619(a)(9) motion, the court construes the

pleadings “in the light most favorable to the nonmoving party” (Sandholm v. Kuecker, 2012 IL

111443, ¶ 55) and should grant the motion only “if the plaintiff can prove no set of facts that would

support a cause of action” (Snyder v. Heidelberger, 2011 IL 111052, ¶ 8). A section 2-619(a)(9)

motion dismissal is reviewed de novo. Kean, 235 Ill. 2d at 361.

-6- No. 1-24-1126

¶ 19 A. Standing

¶ 20 Ferrara argues that plaintiffs lack standing because they failed to allege any distinct and

palpable injury fairly traceable to Ferrara. Plaintiffs allege five categories of injuries, namely

(1) the increased risk that their information could be misused, (2) the diminished value of their PII,

(3) the lost time and effort they incurred to safeguard their data or identity, (4) their emotional

distress and worry about the status of their information and possibly compromised privacy, and

(5) as to only Wesson, fraudulent charges on his credit union account and money spent on credit

monitoring services.

¶ 21 Standing in Illinois requires only that the plaintiff demonstrate “some injury in fact to a

legally cognizable interest.” Greer v. Illinois Housing Development Authority, 122 Ill. 2d 462, 492

(1988). A legally cognizable interest exists when that injury, whether actual or threatened, is

(1) distinct and palpable, (2) fairly traceable to the defendant’s actions, and (3) substantially likely

to be prevented or redressed by the grant of the requested relief. Id. at 492-93. “The injury alleged

by the plaintiff must be concrete; a plaintiff alleging only a purely speculative future injury or

where there is no immediate danger of sustaining a direct injury lacks a sufficient interest to have

standing.” (Internal quotation marks omitted.) Petta v. Christie Business Holdings Company, P.C.,

2025 IL 130337, ¶ 18. “In a complaint seeking monetary damages, [plaintiffs’ allegation that they

faced only] an increased risk of harm is insufficient to confer standing.” Id. ¶ 21.

¶ 22 Under federal law, to establish article III standing under the United States Constitution

(U.S. Const., art. III),

“an injury must be concrete, particularized, and actual or imminent; fairly traceable to the

challenged action; and redressable by a favorable ruling. [Citations.] Although imminence

-7- No. 1-24-1126

is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which

is to ensure that the alleged injury is not too speculative for Article III purposes—that the

injury is certainly impending. [Citation.] Thus, [the Supreme Court has] repeatedly

reiterated that [the] threatened injury must be certainly impending to constitute injury in

fact, and that [a]llegations of possible future injury are not sufficient. [Citations.]”

(Emphases in original and internal quotation marks omitted.) Clapper v. Amnesty

International USA, 568 U.S. 398, 409 (2013).

¶ 23 Under federal law, “traditional tangible harms, such as physical harms and monetary

harms,” are the most obvious harms that “readily qualify as concrete injuries.” TransUnion LLC

v. Ramirez, 594 U.S. 413, 425 (2021). Intangible harms can also be concrete, including “injuries

with a close relationship to harms traditionally recognized as providing a basis for lawsuits in

American courts,” such as “reputational harms, disclosure of private information, and intrusion

upon seclusion.” Id. This “inquiry asks whether plaintiffs have identified a close historical or

common-law analogue for their asserted injury,” but “does not require an exact duplicate.” Id. at

424. “ ‘[A] material risk of future harm can [also] satisfy the concrete-harm requirement,’ but only

as to injunctive relief, not damages.” Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 372

(1st Cir. 2023) (quoting TransUnion LLC, 594 U.S. at 435). “To have standing to pursue damages

based on a risk of future harm, plaintiffs must demonstrate a separate concrete harm caused ‘by

[the] exposure to the risk [of future harm] itself.’ ” (Emphasis in original.) Webb, 72 F.4th at 372

(quoting TransUnion LLC, 594 U.S. at 437). This standing requirement of a separate concrete

harm when seeking monetary damages based on a risk of future harm was cited approvingly by

the Illinois Supreme Court in Petta, 2025 IL 130337, ¶ 21 (citing TransUnion LLC, 594 U.S. at

-8- No. 1-24-1126

436-37, Pierre v. Midland Credit Management, Inc., 29 F.4th 934, 938 (7th Cir. 2022), and

Maddox v. Bank of New York Mellon Trust Co., N.A., 19 F.4th 58, 64 (2d Cir. 2021)). Accordingly,

we apply this separate concrete harm requirement here because plaintiffs seek monetary damages

based on the risk of future harm.

¶ 24 “Illinois courts are generally more willing than federal courts to recognize standing on the

part of any person ‘who shows that he is in fact aggrieved.’ ” Flores v. Aon Corp., 2023 IL App

(1st) 230140, ¶ 13 (quoting Greer, 122 Ill. 2d at 491). To determine standing in a class action, the

court’s focus must be on the named plaintiffs themselves and not on the unidentified members of

the general class they purport to represent. Id.; I.C.S. Illinois, Inc. v. Waste Management of Illinois,

Inc., 403 Ill. App. 3d 211, 221 (2010). When a plaintiff files a class action, he must allege and

show that he was personally injured; if the named plaintiff has no injury, the plaintiff has no

standing, and no case or controversy arises. I.C.S. Illinois, Inc., 403 Ill. App. 3d at 223. Lack of

standing is an affirmative matter that is properly raised in a section 2-619(a)(9) motion to dismiss,

and our review of this issue is de novo. Petta, 2025 IL 130337, ¶ 18.

¶ 25 We begin with Wesson’s standing to pursue damages. We conclude that the operative

complaint sufficiently alleged a concrete injury in fact as to Wesson based on the allegation that

the data breach resulted in the misuse of his PII by an unauthorized third party who made charges

to his credit union account. Illinois data breach precedent supports the conclusion that actual

misuse of PII may constitute an injury in fact. In Flores, 2023 IL App (1st) 230140, ¶ 7, three of

the four named plaintiffs alleged that, after the data breach, they received increased spam and

targeted marketing. One plaintiff alleged an attempt for a fraudulent charge to a PayPal account,

and one plaintiff alleged a charge for a prescription that the plaintiff did not order. The Flores

-9- No. 1-24-1126

court held that the plaintiffs had standing because, inter alia, they clearly alleged that they faced

an imminent, a certainly impending, or a substantial risk of harm from the data breach since they

alleged that they already had experienced fraudulent charges and spam messaging. Id. ¶ 15. Cf.

Petta, 2025 IL 130337, ¶¶ 24-25 (no concrete injury or standing where a plaintiff seeking monetary

damages speculatively alleged only that she faced an increased risk that her PII had been exposed

to an unauthorized third party but did not allege that any of her PII was used for a fraudulent loan

application, which had used readily available public information); Maglio v. Advocate Health &

Hospitals Corp., 2015 IL App (2d) 140782, ¶¶ 5, 24, 27 (plaintiffs lacked standing where they did

not allege that anyone improperly accessed or used their PII from four stolen password-protected

computers, nor did they allege that they had suffered identity theft or fraud because of the

burglary).

¶ 26 Furthermore, several federal courts “consider actual misuse of a plaintiff’s PII resulting

from a data breach to itself be a concrete injury.” Webb, 72 F.4th at 374 (actual misuse of the

plaintiff’s stolen PII to file a fraudulent tax return sufficed to state a concrete injury under article

III); see In re Equifax Inc. Customer Data Security Breach Litigation, 999 F.3d 1247, 1262 (11th

Cir. 2021) (the “identity theft and damages resulting from such theft” were concrete injuries);

Attias v. CareFirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) (“Nobody doubts that identity theft,

should it befall one of these plaintiffs, would constitute a concrete and particularized injury.”).

¶ 27 Olson’s standing to pursue damages is a more difficult issue because the operative

complaint does not allege actual misuse of his PII. Nevertheless, we conclude that plaintiffs allege

a concrete injury in fact based on an imminent, a certainly impending, or a substantial risk of future

misuse of Olson’s PII and a concrete harm caused by exposure to this risk. This analysis also

- 10 - No. 1-24-1126

applies to Wesson and provides an additional basis to conclude that he sufficiently alleged

standing.

¶ 28 In determining when the risk of future misuse of PII following a data breach is imminent

and substantial, relevant considerations include, first, whether the PII was exposed as the result of

a targeted attempt to obtain that data. See Petta, 2025 IL 130337, ¶¶ 20, 24-25 (harm was not

imminent or substantial where the unauthorized third party attempted to intercept a financial

transaction, not steal the patients’ private information); Maglio, 2015 IL App (2d) 140782, ¶¶ 1-3,

5 (harm not imminent or substantial where plaintiffs did not allege that anyone had improperly

accessed or used their PII on the stolen password-protected computers). A second consideration is

whether any portion of the stolen or accessed PII has already been misused. See Flores, 2023 IL

App (1st) 230140, ¶¶ 7, 15 (imminent and substantial harm where, altogether, the four named

plaintiffs alleged that, after the data breach, they received increased spam, targeted marketing, an

attempt to process a fraudulent charge to a PayPal account, and a charge for a prescription that the

plaintiff did not order); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693-94 (7th Cir.

2015) (the actual misuse of a portion of the stolen information increased the risk that other

information will be misused in the future); Maglio, 2015 IL App (2d) 140782, ¶¶ 5, 24 (harm not

imminent or substantial where the plaintiffs did not allege that they had suffered identity theft or

fraud because of the burglary). A third consideration is whether the PII at issue is sensitive, such

that there is a high risk of identity theft or fraud. See Petta, 2025 IL 130337, ¶¶ 24-25 (harm not

imminent or substantial where the allegation that an unauthorized third party actually accessed the

plaintiff’s PII was purely speculative and conclusory and the fraudulent loan application used

readily available public information); Flores, 2023 IL App (1st) 230140, ¶¶ 4-5, 16 (imminent and

substantial harm where the stolen PII included the plaintiffs’ names, Social Security numbers,

- 11 - No. 1-24-1126

driver’s license numbers, and benefit enrollment information); see Webb, 72 F.4th at 375

(discussing these three nonexclusive factors and supporting cases).

¶ 29 We conclude that plaintiffs sufficiently allege an imminent and substantial risk of future

misuse of Olson’s and Wesson’s PII. Specifically, the complaint alleged that the data breach was

the result of an attack by thieves who accessed Ferrara’s network and stole the plaintiffs’ PII over

a seven-day period. Furthermore, it is alleged that some of the stolen PII has already been misused

to make fraudulent charges to Wesson’s credit union account. In addition, the stolen PII includes

highly sensitive information, such as plaintiffs’ names, birth dates, financial account information,

Social Security numbers, driver’s license numbers, birth certificates, passport numbers or other

government issued identification numbers, digital/electronic signatures, mother’s maiden names,

and medical information.

¶ 30 To establish standing to pursue damages, the complaint must also sufficiently allege a

separate concrete harm caused by the plaintiffs’ exposure to the alleged risk of future harm.

TransUnion, 594 U.S. at 436. Here, plaintiffs alleged the harm of lost time based on the time and

effort they spent monitoring their accounts to protect themselves from identity theft and fraud.

“The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury.”

Webb, 72 F.4th at 376 (citing TransUnion, 594 U.S. at 425); Dieffenbach v. Barnes & Noble, Inc.,

887 F.3d 826, 828 (7th Cir. 2018) (“the value of one’s own time needed to set things straight [after

a data theft] is a loss from an opportunity-cost perspective” which “can justify money damages

*** [and] support standing”)). Furthermore, “[b]ecause this alleged injury was a response to a

substantial and imminent risk of harm, this is not a case where the plaintiffs seek to ‘manufacture

standing by incurring costs in anticipation of non-imminent harm.’ ” Webb, 72 F.4th at 377

(quoting Clapper, 568 U.S. at 422). We conclude that the complaint sufficiently alleged a separate

- 12 - No. 1-24-1126

concrete harm caused by plaintiffs’ exposure to the risk of future harm based on their allegations

of their lost time spent monitoring their accounts to protect against identity theft and fraud.

¶ 31 In addition, Wesson alleged the additional concrete injury of paying money for credit

monitoring services, which serves as another basis for standing. Specifically, he paid $24.99

monthly for several months and then $4.99 monthly for a couple of months for a credit monitoring

service to protect his accounts and safeguard himself from further fraud and identity theft. See

In re Mondelez Data Breach Litigation, Nos. 23 C 3999, 23 C 4249, 2024 WL 2817489, at *2

(N.D. Ill. June 3, 2024) (explaining that mitigation expenses to minimize the risk of harm

establishes standing); Florence v. Order Express, Inc., 674 F. Supp. 3d 472, 482 (N.D. Ill. 2023)

(holding that “spent time and money on credit monitoring and identity-theft insurance” establishes

standing); Doe v. Fertility Centers of Illinois, S.C., No. 21 C 579, 2022 WL 972295, at *2 (N.D.

Ill. Mar. 31, 2022) (holding that out-of-pocket costs establish standing); Remijas, 794 F.3d at 694

(explaining that “credit-monitoring services come at a price that is more than de minimis” and

spending “$4.95 a month for the first month [of credit monitoring], and then $19.95 per month

thereafter” “easily qualifies as a concrete injury”).

¶ 32 Regarding traceability, Ferrara argues that the alleged harm of the unauthorized charges to

Wesson’s credit union account is not fairly traceable to the data breach because, as stated in the

declaration from Ferrara’s director of cybersecurity, Ferrara never had any information concerning

Wesson’s credit union account. We disagree. Drawing all reasonable inferences from the operative

complaint at the motion to dismiss stage, we conclude that plaintiffs allege a sufficient connection

between the actual misuse of Wesson’s PII and the data breach. Wesson alleged that two short

months after the data breach, he was the victim of attempted fraudulent charges to his credit union

account. Moreover, he was not aware of any other data breaches or reasons why criminals would

- 13 - No. 1-24-1126

have his credit union account information other than because of Ferrara’s data breach that exposed

certain of his PII. Plaintiffs also alleged that, as a result of Ferrara’s data breach, cybercriminals

were now able to cross reference multiple sources of plaintiffs’ PII to compile Fullz packages that

can be used for further identity theft and fraud, as experienced by Wesson. The risk of future

identity theft and fraud was evident where Ferrara warned of possible identity theft and offered

free credit monitoring services and the stolen PII—including names, dates of birth, and Social

Security numbers—would likely be sufficient to permit identity theft.

¶ 33 We find support for this conclusion in Flores, 2023 IL App (1st) 230140, ¶ 16, where the

court rejected the defendant’s argument that the unauthorized charges were not fairly traceable to

the data breach because the defendant did not collect the plaintiffs’ payment information. Unlike

the instant case, in Flores, the defendant never defined the type of information encompassed in the

plaintiffs’ stolen benefit enrollment information. Nevertheless, the court held that “when personal

information is obtained in a targeted data breach, it is reasonable to assume that the data thieves

will use the stolen data for fraudulent purposes.” Id. (citing Galaria v. Nationwide Mutual

Insurance Co., 663 F. App’x 384, 388 (6th Cir. 2016)). Even if that data breach did not provide

all the information necessary to inflict the alleged harms, the accessed data could have been enough

to aid the infliction of the alleged harms. Id.; In re Mednax Services, Inc., Customer Data Security

Breach Litigation, 603 F. Supp. 3d 1183, 1206 (S.D. Fla. 2022) (the defendants’ failure to protect

the plaintiffs’ information from a security breach, whereby unauthorized persons gained access to

the plaintiffs’ health information and PII, was sufficiently traceable to the plaintiffs’ alleged

injuries of identity theft, economic losses, lost time, and emotional distress); Sweet v. BJC Health

System, No. 3:20-CV-00947-NJR, 2021 WL 2661569, at *4 (S.D. Ill. June 29, 2021) (“while credit

- 14 - No. 1-24-1126

card information may not have been exposed, information such as dates of birth, Social Security

numbers, and addresses would likely be sufficient to permit identity theft”).

¶ 34 There is an obvious temporal connection between the attempted fraudulent charges to

Wesson’s credit union account and the data breach. Moreover, Wesson’s allegations are

substantially similar to those in Flores. Like the analysis in Flores, we conclude that it is

reasonable to infer that the data thieves will use the information stolen from Ferrara—which

included the plaintiffs’ names, dates of birth, Social Security numbers, birth certificates,

digital/electronic signatures, and mothers’ maiden names—for fraudulent purposes.

¶ 35 We conclude that the complaint’s allegations satisfy the traceability and redressability

standing requirements. The complaint alleged that Ferrara’s actions led to the exposure and actual

or potential misuse of plaintiffs’ PII, making their injuries fairly traceable to Ferrara’s conduct.

Moreover, monetary relief would compensate plaintiffs for their injuries.

¶ 36 Because we have concluded that plaintiffs have supported their causes of action for

damages with at least one injury in fact caused by Ferrara and redressable by a court order, we

decline to address plaintiffs’ additional arguments urging standing based on their alleged injuries

of the diminished value of their PII and their emotional distress and worry about the status of their

information and possibly compromised privacy. See Flores, 2023 IL App (1st) 230140, ¶ 18.

¶ 37 B. Negligence

¶ 38 To state a claim for negligence, a plaintiff must allege facts showing that (1) the defendant

owed a duty of care to the plaintiff, (2) the defendant breached that duty, and (3) the breach was

the proximate cause of the plaintiff’s injuries. Cowper v. Nyberg, 2015 IL 117811, ¶ 13. Legal

cause is “ ‘essentially a question of foreseeability.’ ” City of Chicago v. Beretta U.S.A. Corp., 213

Ill. 2d 351, 395, 406 (2004) (quoting Lee v. Chicago Transit Authority, 152 Ill. 2d 432, 456 (1992)).

- 15 - No. 1-24-1126

Where the subsequent acts of third parties constitute an intervening cause of the injury, the court

must assess whether that intervening cause “was of a type that a reasonable person would see as a

likely result of his or her conduct,’ ” or whether the intervening cause breaks the connection

between the defendant’s conduct and the ultimate injury. Id. at 407 (quoting First Springfield Bank

& Trust v. Galman, 188 Ill. 2d 252, 259 (1999)).

¶ 39 Ferrara challenges plaintiffs’ negligence claims on three bases. First, Ferrara argues that

plaintiffs did not adequately plead proximate cause because several other subsequent, independent

acts by third parties had to occur before plaintiffs ever suffered any purported injury and the lack

of factual allegations showing how the injury occurred renders plaintiffs’ allegations of causation

nothing more than speculation and conjecture. Regarding Wesson, Ferrara argues that his

allegations about fraudulent charges to his credit union account and criminals using the data from

the Ferrara data breach to assemble Fullz packages that were then used to harm him are not

sufficient to show proximate cause because (1) he never alleged that Ferrara had the relevant

financial information or that any information obtained about him from Ferrara was ever misused

in any way and (2) numerous intervening causes break the causal chain. We disagree.

¶ 40 Plaintiffs alleged that it was reasonably foreseeable that Ferrara, an employer that collected

sensitive information from thousands of its employees, would be subject to a data breach, given

its failure to use adequate cybersecurity. Wesson alleged that he was not aware of any other

incidents whereby fraudulent actors would have obtained his credit union information aside from

Ferrara’s data breach and that unauthorized charges were made to his credit union account only

two months after the data breach. Wesson also alleged that the loss from the fraudulent charges

prompted him to mitigate his chances of suffering fraud again by purchasing credit monitoring

services. Furthermore, plaintiffs alleged that they would spend considerable time and effort

- 16 - No. 1-24-1126

monitoring their accounts to protect themselves from identity theft. In addition, they alleged that,

as a result of Ferrara’s data breach, cybercriminals were now able to cross reference multiple

sources of their PII to compile Fullz packages that can be used for further identity theft and fraud,

as experienced by Wesson. We conclude that these allegations of proximate cause are sufficient at

the pleading stage. See Flores, 2023 IL App (1st) 230140, ¶ 25 (the timing of the harm suffered

following the breach was enough to plausibly plead causation where the plaintiffs alleged that they

carefully safeguarded their personal information and were targeted more frequently after the

breach by spam messages and marketing and suffered two fraudulent charges).

¶ 41 Second, Ferrara argues that plaintiffs do not state an injury sufficient to support a

negligence claim because they “may not recover solely for the defendant’s creation of an increased

risk of harm.” Berry v. City of Chicago, 2020 IL 124999, ¶ 38; see Williams v. Manchester, 228

Ill. 2d 404, 425 (2008) (“an increased risk of future harm is an element of damages that can be

recovered for a present injury—it is not the injury itself” (emphases in original)). “[A]n increased

risk of harm is not itself, an injury ***. *** The long-standing and primary purpose of tort law is

not to punish or deter the creation of this risk but rather to compensate victims when the creation

of risk tortiously manifests into harm.” Berry, 2020 IL 124999, ¶ 33 (absent manifested injury,

residents could not sue for increased lead in drinking water even though the city conceded that

lead in the water increased the risk of lead poisoning).

¶ 42 Ferrara’s argument lacks merit. Wesson alleged that he already suffered from identify theft

or fraud because some unauthorized actor made fraudulent charges to his credit union account,

which event forced him to pay out-of-pocket for credit monitoring services. As discussed above,

because Wesson’s payment for credit monitoring services was a response to a substantial and

imminent risk of harm, this is not a matter of self-inflicted harm arising from a mere subjective

- 17 - No. 1-24-1126

fear of injury. Additionally, both plaintiffs alleged that they spent time and resources to protect

themselves from fraud and identity theft after the data breach. The lost time Olson and Wesson

spent monitoring their accounts to prevent fraud or identity theft is not a self-inflicted harm arising

from a mere subjective fear of injury because the alleged fraudulent charges to Wesson’s credit

union account showed that a portion of the stolen PII has allegedly already been misused. We

conclude that both plaintiffs alleged an injury sufficient to support their negligence claims. See

Flores, 2023 IL App (1st) 230140, ¶ 25 (allegations of two fraudulent charges and being subject

to an increase of spam messages were sufficient to demonstrate injuries); Dieffenbach, 887 F.3d

at 828 (“the value of one’s own time needed to set things straight” after a data breach is an injury

and “can justify money damages”).

¶ 43 Third, Ferrara argues that the Moorman doctrine applies and forecloses plaintiffs’

negligence claims for purported economic losses. The Moorman doctrine, also known as the

economic loss doctrine, states that there can be no recovery in tort for purely economic losses.

Moorman, 91 Ill. 2d 69 at 88; see Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d

803, 812 (7th Cir. 2018) (Moorman doctrine generally bars tort liability “for purely economic

losses *** where [the parties] have already ordered their duties, rights, and remedies by contract.”).

Economic loss is defined as “damages for inadequate value, costs of repair and replacement of the

defective product, or consequent loss of profits—without any claim of personal injury or damage

to other property.” (Internal quotation marks omitted.) Moorman, 91 Ill. 2d at 82.

¶ 44 The traditional rationale for the Moorman doctrine is that courts can “trust the commercial

parties interested in a particular activity to work out an efficient allocation of risks among

themselves in their contracts” (Schnuck Markets, Inc., 887 F.3d at 812), without having to resort

to tort law, which is better reserved for “a sudden, calamitous accident as distinct from a mere

- 18 - No. 1-24-1126

failure to perform up to commercial expectations” (Rardin v. T&D Machine Handling, Inc., 890

F.2d 24, 29 (7th Cir. 1989)). See Mars, Inc. v. Heritage Builders of Effingham, Inc., 327 Ill. App.

3d 346, 351 (2002) (Moorman doctrine is founded on the theory that “parties to a contract may

allocate their risks by agreement and do not need the special protections of tort law to recover

damages caused by a breach of contract”).

¶ 45 The Moorman doctrine arose in the context of products liability, but “Illinois applies

Moorman to services as well as the sale of goods because both business contexts provide ‘[ “]the

ability to comprehensively define a relationship[” ]’ by contract.” Schnuck Markets, Inc., 887 F.3d

at 813 (quoting Fireman’s Fund Insurance Co. v. SEC Donohue, Inc., 176 Ill. 2d 160, 166 (1997),

quoting Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 159 Ill. 2d 137,

161-62 (1994)).

¶ 46 Ferrara contends that plaintiffs’ alleged damages are purely economic losses and, thus,

barred by the Moorman doctrine. Ferrara contends that plaintiffs try to allege (1) a breach of

implied contract claim for the protection of personal information, seeking economic damages for

that injury, and (2) a negligence claim for the same alleged conduct, also seeking economic

damages for that injury. Ferrara argues that plaintiffs cannot have it both ways, contending that

Moorman bars them from seeking economic damages through a tort claim while simultaneously

seeking contract damages for the same injury. Ferrara also argues that no exception to the

Moorman doctrine applies.

¶ 47 Plaintiffs respond that their common law tort claims of negligence are not barred by the

Moorman doctrine because the duty that Ferrara allegedly breached arose out of the common law

duty to safeguard personal information, there is no express contract between the parties, and

plaintiffs’ alleged injuries were not caused by a defect in any actual product of the transaction.

- 19 - No. 1-24-1126

Plaintiffs state that their alleged injuries contemplate a host of noneconomical injuries that render

the Moorman doctrine inapplicable, including anxiety, sleep disturbance, stress, fear, and

frustration. In the alternative, plaintiffs argue that if the Moorman doctrine applies, their claims

qualify for the doctrine’s exceptions because (1) Ferrara’s data breach was a sudden event that

harmed plaintiffs and caused emotional distress, and the damage was calamitous because the

breach compromised the PII of thousands of employees, and (2) plaintiffs’ damages were

proximately caused by Ferrara’s intentional, false representation that it would protect plaintiffs’

PII from loss, misuse, or unauthorized disclosure, but Ferrara never implemented the necessary

security to meet that promise.

¶ 48 There are three exceptions to Moorman: (1) “where the plaintiff sustained damage, i.e.,

personal injury or property damage, resulting from a sudden or dangerous occurrence,” (2) where

the plaintiff’s damages are proximately caused by a defendant’s “intentional, false representation,

i.e., fraud,” and (3) “where the plaintiff’s damages are proximately caused by a negligent

misrepresentation by a defendant in the business of supplying information for the guidance of

others in their business transactions.” (Emphasis omitted.) In re Chicago Flood Litigation, 176 Ill.

2d 179, 199 (1997). None of these exceptions apply here.

¶ 49 As to exception (1), plaintiffs did not suffer personal injury or property damages resulting

from a sudden or dangerous occurrence. Illinois courts have applied this exception to calamitous

events, such as sudden roof collapses, sudden floods, and fires. See Hecktman v. Pacific Indemnity

Co., 2016 IL App (1st) 151459, ¶ 18 (collecting cases). Plaintiffs make no allegation of a sudden,

calamitous occurrence; to the contrary, they allege that the data breach occurred over several days,

followed by misuse of Wesson’s data about two months after the data breach.

- 20 - No. 1-24-1126

¶ 50 As to exception (2), plaintiffs have not sufficiently alleged an intentional, false

representation by Ferrara.

“In a claim of fraudulent misrepresentation, a plaintiff must establish the following

elements: (1) a false statement of material fact (2) known or believed to be false by the

person making it, (3) an intent to induce the plaintiff to act, (4) action by the plaintiff in

justifiable reliance on the truth of the statement, and (5) damage to the plaintiff resulting

from such reliance. [Citation.] Courts have long considered an actual injury to be an

essential element of fraud, which a plaintiff must establish to a reasonable degree of

certainty.” Lewis v. Lead Industries Ass’n, 2020 IL 124107, ¶ 30.

¶ 51 Plaintiffs’ allegations that Ferrara engaged in wrongful conduct by failing to inform

plaintiffs and members of the class that it did not maintain computer software and other security

procedures and precautions fail to identify a specific actionable fraudulent statement under Illinois

law. See Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 761 (C.D. Ill. 2020); see also Schnuck

Markets, Inc., 887 F.3d at 817 (Although the plaintiffs “suggested in their complaint that [the

defendant] engaged in ‘wrongful conduct’ or ‘wrongful actions *** [and] omissions’ by not

immediately announcing the data breach [citation], these allegations fail to identify specifically an

actionable fraudulent statement under Illinois law.”).

¶ 52 As to exception (3), Ferrara is in the business of making candy. Plaintiffs do not allege that

Ferrara was in the business of supplying information for the guidance of others in their business

transactions. Cf. Flores, 2023 IL App (1st) 230140, ¶¶ 56-57 (the defendant was a professional

services company that provided a wide range of services—including cybersecurity services—to

its commercial clients, and the plaintiffs, who were the clients’ employees, alleged no express

- 21 - No. 1-24-1126

contract between the parties that would establish a duty by the defendant to safeguard the plaintiffs’

personal information).

¶ 53 Even though none of the Moorman doctrine’s three exceptions are applicable here, we

conclude that the Moorman doctrine does not bar plaintiffs’ negligence claims. In the context of

the service industry, the Illinois Supreme Court has held that the Moorman doctrine applies only

where the duty of the party performing the service is defined by a contract executed with the client.

Congregation of the Passion, Holy Cross Province, 159 Ill. 2d at 164 (Moorman doctrine did not

bar recovery in tort for accountant malpractice because the alleged negligent breach of duty arose

outside of the parties’ contract). “If the duty arises outside of a contract between the parties, then

recovery in tort for the negligent breach of that duty is not barred by the Moorman doctrine.”

Flores, 2023 IL App (1st) 230140, ¶ 56. Flores opined that, although the Congregation of the

Passion decision is not factually analogous to data breach cases, “its reasoning equally applies to

data breach cases” and that applying the economic loss doctrine to data breach cases, “would

stretch the applicability of the doctrine far beyond its products liability roots,” an extension the

court was not prepared to make. Id., ¶¶ 56-57; In re Marriott International, Inc., Customer Data

Security Breach Litigation, 440 F. Supp. 3d 447, 468-76 (D. Md. 2020) (thoroughly analyzing the

history of the Moorman doctrine and the potential applicability of the doctrine to data breach cases

under Illinois law); McGlenn v. Driveline Retail Merchandising, Inc., No. 18-cv-2097, 2021 WL

4301476, at *8-9 (C.D. Ill. Sept. 21, 2021) (noting that, in the context of a data breach at the

plaintiff’s former employer, where the plaintiff provided her PII as a legal condition of

employment, application of the Moorman doctrine would significantly stretch it further from its

product liability roots). Similarly, here, we do not extend the application of the Moorman doctrine

to this data breach case, where plaintiffs’ alleged injuries were not caused by any defect in an

- 22 - No. 1-24-1126

actual product of a transaction and their common law tort claim is based on Ferrara’s “common

law duty to safeguard personal information rather than any express contractual duty.” Flores, 2023

IL App (1st) 230140, ¶ 57; see In re Mondelez Data Breach Litigation, 2024 WL 2817489, at *5

(declining to apply the Moorman doctrine to bar a negligence claim based on a law firm’s data

breach that disclosed the PII of the client’s employees).

¶ 54 Finally, Ferrara’s “contention that plaintiffs’ injuries are economic is irrelevant since the

Moorman doctrine does not apply to plaintiffs’ claims in the first place.” See Flores, 2023 IL App

(1st) 230140, ¶ 58.

¶ 55 Because both plaintiffs Olson and Wesson adequately pled proximate cause and an injury

sufficient to support their negligence claims, and because the Moorman doctrine does not bar their

negligence claims, we conclude that the circuit court erred in dismissing their negligence claims.

¶ 56 C. Implied Contract

¶ 57 Plaintiff Olson has forfeited review of his breach of implied contract claim by not raising

this issue on appeal. Ill. S. Ct. R. 341(h)(7) (eff. Oct. 1, 2020) (points not argued in an appellant’s

brief are forfeited). Accordingly, our analysis focuses on Wesson, who argues that the parties had

an implied contract under which Ferrara had a duty to safeguard plaintiffs’ information as shown

in Ferrara’s privacy policy, which acknowledged Ferrara’s duty to “protect [employee] PII from

loss, misuse or unauthorized disclosure.” Wesson also argues that the circuit court erred by

dismissing his breach of implied contract claim for failure to allege an actual loss or measurable

damages resulting from the data breach. Wesson argues that his allegations that he incurred $24.99

and then $4.99 monthly in mitigation costs following the data breach are sufficient to allege

measurable damages in support of this contract claim.

- 23 - No. 1-24-1126

¶ 58 Ferrara argues that Wesson did not adequately plead that an implied contract was ever

formed and, even if one was formed, Wesson did not adequately plead contract damages.

¶ 59 To sustain a complaint for breach of implied contract, a plaintiff must allege that (1) a

contract existed, (2) the plaintiff performed his obligations under that contract, (3) the defendant

breached the contract, and (4) the plaintiff suffered damages as a result of that breach. In re Estate

of Khan, 2021 IL App (1st) 200278, ¶ 28. An implied contract can be created as a result of the

parties’ actions, even if there is no express contract between them. Trapani Construction Co. v.

The Elliot Group, Inc., 2016 IL App (1st) 143734, ¶ 41. Under Illinois law, a contract in fact can

be implied from the facts and circumstances that demonstrate the parties’ intent to be bound.

Heavey v. Ehret, 166 Ill. App. 3d 347, 354 (1988). Unlike an express contract, in which the parties

arrive at an agreement using words, an agreement in an implied-in-fact contract is created through

the actions and conduct of the parties. Trapani Construction Co., 2016 IL App (1st) 143734, ¶ 41.

¶ 60 Wesson has alleged sufficient facts to show that an implied contract existed with Ferrara.

He alleged that plaintiffs were required to provide their PII while employed and that they provided

their information in reliance on the promises Ferrara made in its privacy policy. Ferrara made

representations in its privacy policy that it would safeguard plaintiffs’ personal information using

reasonable security measures. In addition to Ferrara’s representations in its privacy policy, it is

implied from the relationship between the parties that Ferrara would take reasonable steps to

ensure that plaintiffs’ personal information would be protected from unauthorized disclosure. See

Flores, 2023 IL App (1st) 230140, ¶ 33; Doe, 2022 WL 972295, at *4 (“ ‘[i]t can be implied from

the parties’ relationship that [the defendant] would take some steps to ensure that plaintiffs’

sensitive information would be shielded in some manner to prevent unauthorized disclosure of that

information.’ ” (quoting Lozada v. Advocate Health & Hospitals Corp., 2018 IL App (1st) 180320-

- 24 - No. 1-24-1126

U, ¶ 27)); Castillo v. Seagate Technology, LLC, No. 16-cv-01958, 2016 WL 9280242, at *9 (N.D.

Cal. Sept. 14, 2016) (while the defendant may not have explicitly promised to protect personal

information from hackers in plaintiffs’ employment contracts, “it is difficult to imagine how, in

our day and age of data and identity theft, the mandatory receipt of Social Security numbers or

other sensitive personal information would not imply the recipient’s assent to protect the

information sufficiently”).

¶ 61 Ferrara cites Archey v. Osmose Utilities Services, Inc., No. 20-cv-05247, 2022 WL

3543469, at *1 (N.D. Ill. Aug. 18, 2022), where a former employee alleged a breach of contract

claim against his former employer after a cyberattack on the company exposed the plaintiff’s PII

to an unauthorized third party. The plaintiff alleged that by providing his PII to his employer, he

entered into an implied-in-fact contract with the employer whereby it was obligated to take

reasonable steps to secure and safeguard his PII and to take reasonable steps following

unauthorized disclosures of such information. Id. at *3. The court found that the plaintiff’s

subjective inference that a contract was formed was not sufficient to allege the element of mutual

assent because the plaintiff was required to allege that his employer showed an intention to be

bound. Id.

¶ 62 Archey is distinguishable. In Archey, the pleadings lacked the two crucial allegations that

(1) the employer required the plaintiff to provide his personal information and (2) the plaintiff

relied on the employer’s privacy policy. Id. at *2-3. Here, both of these crucial allegations are

present.

¶ 63 To successfully make a breach of implied contract claim, a plaintiff must allege actual

monetary damages. Avery v. State Farm Mutual Automobile Insurance Co., 216 Ill. 2d 100, 149

(2005); In re Illinois Bell Telephone Link-Up II & Late Charge Litigation, 2013 IL App (1st)

- 25 - No. 1-24-1126

113349, ¶ 19. Ferrara argues that Wesson’s payment for credit monitoring is too attenuated from

the alleged contract and, thus, is unrecoverable as consequential damages. In support of this

argument, Ferrara cites 1472 N. Milwaukee, Ltd. v. Feinerman, 2013 IL App (1st) 121191, ¶ 31,

for the proposition that consequential damages are recoverable from a breach of contract only

when the damages were within the contemplation of the parties at the time they entered into the

contract. Ferrara’s argument lacks merit. Paying for credit monitoring is not “attenuated” from the

implied contract in which Ferrara promised to protect plaintiffs’ PII with adequate data security

measures. We also reject Ferrara’s argument that Wesson’s credit monitoring expenses “are non-

cognizable damages because they are ‘self-inflicted’ and flow from the response to a threat that is

speculative, at most.” As discussed above in our analysis of the standing issue (supra ¶¶ 28-30),

unlike the facts in Maglio and Petta, the threat of identity theft and fraud here was not merely

speculative but, rather, was imminent and substantial.

¶ 64 Wesson has alleged adequate damages for a breach of implied contract claim. We reverse

the circuit court’s dismissal of Wesson’s breach of implied contract claim but affirm the circuit

court’s dismissal of Olson’s breach of implied contract claim on the basis of forfeiture.

¶ 65 D. Consumer Fraud Act

¶ 66 Plaintiff Olson has forfeited review of his Consumer Fraud Act claim by not raising this

issue on appeal. Ill. S. Ct. R. 341(h)(7) (eff. Oct. 1, 2020) (points not argued in an appellant’s brief

are forfeited). Accordingly, we focus our analysis of this claim on Wesson, who alleged that

Ferrara violated the Personal Information Protection Act (815 ILCS 530/1 et seq. (West 2022)) by

failing to maintain reasonable security measures to protect plaintiffs’ PII and failing to provide

timely notice of the data breach and that a violation of the Personal Information Protection Act

constitutes an unlawful practice under the Consumer Fraud Act. See id. §§ 20, 45.

- 26 - No. 1-24-1126

¶ 67 To plead a private cause of action for a violation of the Consumer Fraud Act, a plaintiff

must allege “(1) a deceptive act or practice by the defendant, (2) the defendant’s intent that the

plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct

involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the

deception.” Oliveira v. Amoco Oil Co., 201 Ill. 2d 134, 149 (2002). The Consumer Fraud Act

provides remedies for purely economic injuries. Morris v. Harvey Cycle & Camper, Inc., 392 Ill.

App. 3d 399, 402 (2009). “Actual damages must be calculable and ‘measured by the plaintiff’s

loss.’ ” Id. (quoting City of Chicago v. Michigan Beach Housing Cooperative, 297 Ill. App. 3d

317, 326 (1998)). The failure to allege specific economic damages precludes a claim brought under

the Consumer Fraud Act. Id.; White v. DaimlerChrysler Corp., 368 Ill. App. 3d 278, 287 (2006).

However, if the plaintiff has suffered an economic loss, noneconomic injuries are compensable.

Dieffenbach, 887 F.3d at 830 (citing Morris, 392 Ill. App. 3d at 402-03); Ainsworth v. Jidd

Enterprises, LLC, 2024 IL App (1st) 230938-U, ¶ 28 (“Illinois law provides that if the plaintiff has

suffered an economic loss, noneconomic injuries such as emotional distress, inconvenience, and

aggravation are compensable under the [Consumer Fraud Act]”).

¶ 68 Ferrara argues that Wesson has not alleged an actual economic injury under the Consumer

Fraud Act. Regarding the fraudulent charges to Wesson’s credit union account, Ferrara notes that

Wesson has not pled that those charges went unreimbursed by his credit union.

¶ 69 In the data breach context, the Flores court held that claims for emotional distress due to

loss of privacy, lost time dealing with the consequences of the data breach, increased spam

messages, and an imminent risk of fraud and identity theft were not “the specific economic

damages required for a claim under the Consumer Fraud Act.” Flores, 2023 IL App (1st) 230140,

¶ 42. Here, however, Wesson alleged that he incurred the costs of $24.99 and $4.99 monthly for

- 27 - No. 1-24-1126

credit monitoring and courts have found that this type of loss constitutes the specific economic

damages required for a claim under the Consumer Fraud Act. See Dieffenbach, 887 F.3d at 829-

30 (plaintiff spent $17 per month on a credit-monitoring service); Worix v. MedAssets, Inc., 869

F. Supp. 2d 893, 901 (N.D. Ill. 2012) (plaintiff alleged lost wages and money spent on credit

monitoring).

¶ 70 Ferrara also argues that Wesson did not adequately plead causation sufficient to support

his Consumer Fraud Act claim. We disagree. Our analysis of this issue is materially the same as

our analysis for plaintiffs’ negligence claims (supra ¶ 40), wherein we concluded that plaintiffs

adequately pled proximate cause.

¶ 71 Because Wesson has sufficiently alleged a specific economic injury and proximate cause,

we reverse the circuit court’s dismissal of his claim under the Consumer Fraud Act. We affirm the

circuit court’s dismissal of Olson’s Consumer Fraud Act claim on the basis of forfeiture.

¶ 72 III. CONCLUSION

¶ 73 We conclude that plaintiffs have standing to pursue their claims. The circuit court’s

dismissal of Olson’s negligence claim for failure to state a claim is reversed. The circuit court’s

dismissal of Olson’s breach of implied contract and Consumer Fraud Act claims for failure to state

a claim is affirmed. The circuit court’s dismissal of Wesson’s negligence, breach of implied

contract, and Consumer Fraud Act claims for failure to state a claim is reversed. The matter is

remanded for further proceedings.

¶ 74 Affirmed in part and reversed in part.

¶ 75 Cause remanded.

- 28 - No. 1-24-1126

Olson v. Ferrara Candy Co., 2025 IL App (1st) 241126

Decision Under Review: Appeal from the Circuit Court of Cook County, No. 22-CH- 6866; the Hon. Joel Chupack, Judge, presiding.

Attorneys Alex Phillips and Cassandra Miller, of Strauss Borrelli PLLC, for of Chicago, for appellants. Appellant:

Attorneys Matthew C. Wolfe, of Shook, Hardy & Bacon L.L.P., of for Chicago, and Shane B. Kolding, of Shook, Hardy & Bacon Appellee: L.L.P., of San Francisco, California, for appellee.

- 29 -