IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF IOWA EASTERN DIVISION
PATRICK STOKES, individually and on behalf of all others similarly situated,
Plaintiff, No. C26-1002-LTS-MAR vs. MEMORANDUM A.Y. MCDONALD INDUSTRIES, OPINION AND ORDER INC.,
Defendant.
I. INTRODUCTION This matter is before me on a motion (Doc. 18) to dismiss for failure to state a claim filed by defendant A.Y. McDonald Industries (AYM). Plaintiff Patrick Stokes has filed a resistance (Doc. 19) and AYM has filed a reply (Doc. 20). Oral argument is not necessary. See LR 7(c).
II. PROCEDURAL HISTORY Stokes filed his class action complaint (Doc. 4) in the Iowa District Court for Dubuque County on November 10, 2025. He alleges that his personally identifiable information (PII) was exposed after AYM suffered a data breach on or about January 12, 2025, and asserts three causes of action: negligence, breach of an implied contract and unjust enrichment. Id. He further proposes a putative class of “[a]ll persons whose Private Information was actually or potentially accessed or acquired during the January 2025 Data Breach.” Id. at ¶ 145. The complaint was served on AYM on December 16, 2025. Doc. 1-3 at ¶ 7. AYM filed a timely notice (Doc. 1) of removal to this court on January 13, 2026, invoking the Class Action Fairness Act of 2005 (CAFA), 28 U.S.C. § 1332(d), as grounds for removal. Stokes has not yet filed a motion for class certification.1
III. FACTUAL ALLEGATIONS2 AYM is an Iowa-based and multi-state operated manufacturing company that specializes in water works products, plumbing supplies, pump systems and natural gas solutions. Doc. 4 at ¶ 22; see also Doc. 1-3 at ¶ 5. As a condition of employment, AYM’s employees must provide the company with PII, such as names, birth dates, social security numbers and bank account numbers. Doc. 4 at ¶¶ 24, 29, 45, 116. AYM stored this information on its local computer network system. Id. at ¶ 25. The company retained the PII of both current and former employees. Id. at ¶¶ 23, 27, 42, 44. In January 2025, an unauthorized third-party accessed AYM’s computer network system. Id. at ¶¶ 3, 112–14. Months later, on October 29, 2025, AYM mailed thousands of notices of the data breach, providing in part:
What happened? We experienced a security incident on or about January 12, 2025, that impacted our network.
What Information was Involved? The potentially impacted files contained your name and date of birth, Social Security Number, bank account number, routing number.
1 An action need not have been certified as a class action for CAFA to apply, as class allegations are sufficient and are present here. 28 U.S.C. § 1332(d)(8). 2 On a motion to dismiss, the court accepts as true all well-pleaded facts and draws all reasonable inferences in the plaintiffs’ favor. Glick v. W. Power Sports, Inc., 944 F.3d 714, 717 (8th Cir. 2019). This recitation of alleged facts follows that standard and do not constitute factual findings on any matter. Doc. 4 at ¶ 29. It is unclear how the third-party accessed AYM’s system, although Stokes alleges that proper diligence would have prevented the breach. Id. at ¶¶ 37–43. Stokes is a citizen of Iowa and one of AYM’s former employees who received notice of his PII being potentially compromised. Id. at ¶¶ 115, 120. As a result, he has expended time and energy seeking to mitigate or prevent damage from identity fraud. Stokes claims to have suffered injury through the diminution of value in his PII, as well as suffering the exacerbated risk of fraud, identity theft and PII misuse. Id. at ¶¶ 125– 26. He seeks to institute a class action for those similarly situated. Id. at ¶¶ 144–56.
IV. APPLICABLE STANDARDS The Federal Rules of Civil Procedure authorize a pre-answer motion to dismiss a complaint for “fail[ing] to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). The Supreme Court has provided the following guidance in considering whether a pleading properly states a claim: Under Federal Rule of Civil Procedure 8(a)(2), a pleading must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” As the Court held in [Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007)], the pleading standard Rule 8 announces does not require “detailed factual allegations,” but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation. A pleading that offers “labels and conclusions” or “a formulaic recitation of the elements of a cause of action will not do.” Nor does a complaint suffice if it tenders “naked assertion[s]” devoid of “further factual enhancement.”
To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to “state a claim to relief that is plausible on its face.” A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a “probability requirement,” but it asks for more than a sheer possibility that a defendant has acted unlawfully. Where a complaint pleads facts that are “merely consistent with” a defendant's liability, it “stops short of the line between possibility and plausibility of ‘entitlement to relief.’” Ashcroft v. Iqbal, 556 U.S. 662, 677–78 (2009) (second alteration in original) (citations omitted). Courts assess “plausibility” by “draw[ing] on [their own] judicial experience and common sense.” Whitney v. Guys, Inc., 700 F.3d 1118, 1128 (8th Cir. 2012) (first alteration in original) (quoting Iqbal, 556 U.S. at 679). Also, courts “review the plausibility of the plaintiff’s claim as a whole, not the plausibility of each individual allegation.” Zoltek Corp. v. Structural Polymer Grp., 592 F.3d 893, 896 n.4 (8th Cir. 2010). “The well-pleaded facts alleged in the complaint, not the legal theories of recovery or legal conclusions identified therein, must be viewed to determine whether the pleading party provided the necessary notice and thereby stated a claim in the manner contemplated by the federal rules.” Topichian v. JPMorgan Chase Bank, N.A., 760 F.3d 843, 848 (8th Cir. 2014) (quoting Parkhill v. Minn. Mut. Life Ins., 286 F.3d 1051, 1057– 58 (8th Cir. 2002)). Still, federal courts may dismiss a claim that lacks a cognizable legal theory. See, e.g., Couzen v. Donohue, 854 F.3d 508, 517 (8th Cir. 2017) (affirming dismissal when there was no legal basis to support claim).
V. ANALYSIS Stokes asserts three state-law claims on behalf of himself and the putative class: negligence, breach of implied contract and unjust enrichment. Iowa substantive law controls. See Audler v. CBC Innovis Inc., 519 F.3d 239, 248 (5th Cir. 2008). When Iowa law is not settled, I must predict how the Iowa Supreme Court would decide the issue and in doing so, “may consider relevant state precedent, analogous decisions, considered dicta . . . and other reliable data.” Olmsted Med. Ctr. v. Cont’l Cas. Co., 65 F.4th 1005, 1008 (8th Cir. 2023). I will address each claim separately.
A. Count I – Negligence To establish negligence under Iowa law, the plaintiff must show (1) the defendant had a duty to conform to a standard of conduct to protect others, (2) the defendant breached that duty, (3) the breach was a proximate cause of the plaintiff’s injury and (4) damages resulted. Marcus v. Young, 538 N.W.2d 285, 288 (Iowa 1995). AYM does not challenge Stokes’ pleading of these elements but invokes Iowa’s economic loss rule. That rule maintains the distinction between contract and tort, and their respective remedies. Determan v. Johnson, 613 N.W.2d 259, 262 (Iowa 2000) (quoting Nelson v. Todd’s Ltd., 426 N.W.2d 120, 123 (Iowa 1988)). Under the economic loss rule, a plaintiff is precluded from recovering in tort for the purely economic losses recoverable (though not necessarily sought) through contract claims. Neb. Innkeepers, Inc. v. Pittsburgh-Des Moines Corp., 345 N.W.2d 124, 126 (Iowa 1984). As “[p]urely economic losses usually result from the breach of a contract,” such injuries “should ordinarily be compensable in contract actions, not tort actions.” Van Sickle Constr. Co. v. Wachovia Com. Mortg., Inc., 783 N.W.2d 684, 693 (Iowa 2010) (alteration in original) (quoting Richards v. Midland Brick Sales Co., 551 N.W.2d 649, 650 (Iowa Ct. App. 1996)). The parties need not be in direct contractual privity for the economic loss rule to apply. Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 504 (Iowa 2011). While the Iowa Supreme Court has not yet defined “the precise contours of the economic loss rule in Iowa,” id., courts must examine the characteristics of the claim to determine whether the loss is contractual or tortious in nature. Van Sickle, 783 N.W.2d at 693; see also Annett Holdings, 801 N.W.2d at 506 (factors worth analyzing are “the nature of the defect, the type of risk, and the manner in which the injury arose” (quoting Determan, 613 N.W.2d at 263)). The Iowa Supreme Court has not yet addressed the proper avenue for pursuing a data breach claim. Some courts have applied traditional tort law and rejected the applicability of the economic loss rule to this context. See, e.g., Reetz v. Advoc. Aurora Health, Inc., 983 N.W.2d 669, 677–79 (Wis. 2022); Collins v. Athens Orthopedic Clinic, P.A., 837 S.E.2d 310, 316 n.7 (Ga. 2019); Negron v. Ascension Health, No. 24-cv-669, 2025 WL 2710014, at *8–9 (E.D. Mo. Sept. 23, 2025); Allen v. Wenco Mgmt., LLC, 696 F. Supp. 3d 432, 439 (N.D. Ohio 2023). Of course, those decisions interpreted the substantive laws of different states. I have previously predicted that the Iowa Supreme Court would apply the economic loss rule to bar negligence claims in data breach cases. See Mohsen v. Veridian Credit Union, 733 F. Supp. 3d 754, 764–67 (N.D. Iowa 2024). Other courts have reached the same, or similar, conclusions as to Iowa law. See In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1174 (D. Minn. 2014); Fox v. Iowa Health Sys., 399 F. Supp. 3d 780, 795 (W.D. Wis. 2019); see also Harris v. Mercy Health Network, Inc., No. 23-cv-195, 2024 WL 5055556, at *16–18 (S.D. Iowa June 26, 2024) (agreeing that the economic loss rule applies in data breach cases but declining to dismiss certain forms of alleged loss that the defendant failed to address in its motion to dismiss). I again conclude the Iowa Supreme Court would apply the economic loss rule in cases involving the theft of personal data. “There was no risk of physical harm, no ‘defect’” and the injury is a pecuniary one. Annett Holdings, 801 N.W.2d at 506.3 Stokes seeks to avoid this conclusion by arguing the putative class suffered more than purely economic injuries. He alleges: As a direct and proximate result of Defendant’s negligence, Plaintiff and the Class have suffered and will suffer injury, including but not limited to: (i) actual identity theft; (ii) the loss of the opportunity of how their Private Information is used; (iii) the compromise, publication, and/or theft of their Private Information; (iv) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their Private Information; (v) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the present and continuing consequences of the Data Breach, including, but not limited to, efforts spent researching how to prevent, detect, contest, and recover from tax fraud and identity theft;
3 To the extent AYM argues that Stokes recognizes the data breach claim as a contractual issue because he later pleads the existence of an implied contract, Doc. 20 at 1, AYM is wrong. A plaintiff “may state as many separate claims or defenses as [he] has, regardless of consistency,” and that Stokes alternatively pleaded a contractual claim that has no bearing on the merits of his tort claim. Fed. R. Civ. P. 8(d). (vi) costs associated with placing freezes on credit reports; (vii) the continued risk to their Private Information, which remain in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the Private Information of Plaintiff and the Class; and (viii) present and continuing costs in terms of time, effort, and money that has been and will be expended to prevent, detect, contest, and repair the effect of the Private Information compromised because of the Data Breach for the rest of the lives of Plaintiff and the Class.
As a direct and proximate result of Defendant’[s] negligence, Plaintiff and the Class have suffered and will continue to suffer other forms of injury and/or harm, including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses.
Additionally, as a direct and proximate result of Defendant’s negligence, Plaintiff and the Class have suffered and will suffer the continued risks of exposure of their Private Information, which remain in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the Private Information in its continued possession.
Doc. 4 at ¶¶ 188–90. Stokes has generally lumped these into four categories of non-economic injury: (1) physical harm manifested through anxiety and emotional distress, (2) lost time responding to the data breach, (3) loss of privacy and (4) the diminution in his PII’s value. Doc. 19 at 10–11. According to AYM, however, these are all economic injuries under a different label. In Mohsen, I rejected the argument that the diminution in the value of PII or emotional distress allows a plaintiff to plead around the economic loss rule. 733 F. Supp. 3d at 764–67. I reject it again here. The diminution in value of one’s PII is, by its terms, a pecuniary loss. See, e.g., Fox, 399 F. Supp. 3d at 795 (W.D. Wis. 2019). In addition, Iowa law generally does not permit recovery for emotional distress or mental anguish in negligence cases without either an accompanying physical injury or the injury being intentionally inflicted. Niblo v. Parr Mfg., Inc., 445 N.W.2d 351, 354 (Iowa 1989); Clark v. Estate of Rice ex rel. Rice, 653 N.W.2d 166, 169 (Iowa 2002). The non-descript, conclusory “physical harm” that Stokes alleges in his resistance (but not in his complaint), supposedly manifesting through “anxiety and emotional distress,” Doc. 19 at 10, does not take him outside of the rule. There are no allegations claiming AYM intended to inflict emotional harm on Stokes. Nor are Iowa’s recognized exceptions to the emotional distress rule germane. Those exceptions are (1) injuries resulting from purely emotional harm can be recoverable when the plaintiff can claim bystander liability and (2) the parties’ relationship deals with such emotionally-charged issues that it would impose “a duty of care on the defendant to avoid causing emotional harm to the plaintiff.” Clark, 653 N.W.2d at 170–71. Stokes is indisputably not a bystander and his relationship with AYM was not so intrinsically emotional that AYM had a duty to avoid causing emotional harm to him or others in the putative class. I do not expect that the Iowa Supreme Court would recognize the diminution in value of PII, or alleged emotional distress injuries, as taking Stokes’ claim outside the economic loss rule. The same is true with regard to Stokes’ lost time argument. Some federal district courts have predicted that other states’ versions of the economic loss rule would not foreclose lost time claims brought in data breach scenarios. See, e.g., Stasi v. Immediata Health Grp., 501 F. Supp. 3d 898, 913 (S.D. Cal. 2020) (under California law, “time spent responding to a data breach is a non-economic injury, that when alleged to support a negligence claim, defeats an economic loss doctrine argument”); Johnson v. Nice Pak Prods., Inc., 736 F. Supp. 3d 639, 648 (S.D. Ind. 2024) (applying Indiana law and noting that “at least some of the harms experienced by the Plaintiffs are not solely economic, such as lost time and worry”); Smallman v. MGM Resorts Int’l, 638 F. Supp. 3d 1175, 1188 (D. Nev. 2022) (data breach harms not purely economic under Nevada law because “the dissemination of an individual’s PII . . . necessarily diminish[es] their control over their digital and physical identity”). But Iowa’s economic loss rule is more robust. In Anderson Plasterers v. Meinecke, 543 N.W.2d 612, 613 (Iowa 1996), the plaintiff asserted tort claims against a negligent third party who injured two of its workers, claiming in part that the company was injured through the loss of its workers’ time. The Iowa Supreme Court rejected the claim. Id. The Court’s subsequent rulings have recognized Anderson as applying the economic loss rule to bar a time-loss claim. See Annett Holdings, 801 N.W.2d at 504. Thus, under Iowa law lost time is categorized as an economic injury that requires more before it can be actionable in negligence. Stokes’ loss of privacy claim fails for similar reasons as his emotional distress theory. Iowa law recognizes a standalone tort for invasion of privacy. Critically, a plaintiff must prove “an intentional intrusion into a matter the plaintiff has a right to expect privacy,” Koeppel v. Speirs, 808 N.W.2d 177, 181 (Iowa 2011) (emphasis added). Permitting Stokes to assert damages for loss of privacy under a negligence theory would constitute an end run around this intent element. Cf. Prestby v. A & A Servs., LLC, No. 24-cv-204, 2026 WL 26128, at *30 (D. Neb. Jan. 5, 2026) (reaching same conclusion under Nebraska and Pennsylvania law). Finally, Stokes argues that applying the economic loss rule to bar his negligence claim expands that rule beyond its original purpose of preventing the “tortification of contract law” and encouraging parties enter contracts. Annett Holdings, 801 N.W.2d at 503–04. Perhaps the Iowa Supreme Court will agree at some point and hold that data breach cases provide an exception to the economic loss rule. At this time, however, the Iowa Supreme Court decisions discussed above cause me to conclude that the Court would reject Stokes’ negligence claim in its entirety. As such, Count I will be dismissed.
B. Count II – Implied Contract Stokes asserts a breach of an implied contract claim, contending that when he and putative class members provided AYM with their PII, they entered an implied contract that AYM would reasonably protect such information. Doc. 4 at ¶¶ 193–203. To maintain a breach of contract claim, Stokes must plausibly plead (1) that a contract existed, (2) the terms and conditions of the contract, (3) that he and the putative class performed under the contract, (4) that AYM had breached the contract and (5) the plaintiffs suffered damages resulting from the breach. Royal Indem. Co. v. Factory Mut. Ins., 786 N.W.2d 839, 846 (Iowa 2010). AYM challenges whether a contract existed and, if so, whether it breached the contract’s terms.
1. Contract Formation Every contract consists of an offer, acceptance and consideration. Margeson v. Artis, 776 N.W.2d 652, 655 (Iowa 2009). An offer is a party’s “manifestation of willingness to enter into a bargain” with another. Anderson v. Douglas & Lomason Co., 540 N.W.2d 277, 285 (Iowa 1995). Acceptance happens when the offeree assents to the terms of the offer, “in a manner invited or required by the offer.” Heartland Express, Inc. v. Terry, 631 N.W.2d 260, 270 (Iowa 2001). Together, offer and acceptance combine to create mutual assent. Id. at 268. Finally, “consideration exists if the promise, in exchange for a promise by the promisor, does or promises to do something the promise has no legal obligation to do.” Margeson, 776 N.W.2d at 656. A contract may be express or implied. Rucker v. Taylor, 828 N.W.2d 595, 601 (Iowa 2013). The distinction has no legal effect; rather, the terms distinguish how parties manifest their assent to a contract. Id. An express contract exists when the parties reach an agreement by words, an implied contract is manifested through the conduct of the parties. Legg v. W. Bank, 873 N.W.2d 763, 771 (Iowa 2016). AYM disputes the existence of both mutual assent and consideration.
a. Mutual Assent To form an implied contract, the parties must show through their conduct a shared agreement to bind themselves to agreed-upon terms. These terms “must be sufficiently definite for the court to determine the duty of each party and the conditions of performance.” Konchar v. Pins, 989 N.W.2d 150, 158 (Iowa 2023) (quoting Royal Indem., 786 N.W.2d at 846). Stokes argues that when AYM required Stokes to provide his PII to the company as a condition of employment, AYM agreed to safeguard that information by “compl[ying] with relevant laws and regulations . . . and adher[ing] to industry standards.” Doc. 4 at ¶ 195. Many courts have accepted this theory, one court noting that “[i]t is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of [PII] would not imply the recipient’s assent to protect the information sufficiently.” Castillo v. Seagate Tech., LLC, No. 16-cv-1958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016); accord McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 821 (E.D. Ky. 2019); In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1176 (D. Minn. 2014). At minimum, the factual nature of determining whether an implied contract exists, Niday v. Roehl Transp., Inc., 934 N.W.2d 29, 34 n.4 (Iowa Ct. App. 2019), counsels that it is premature to rule on the issue at the motion to dismiss stage. It is at least plausible, based on Stokes’ allegations, that AYM assented to an obligation to safeguard its employees’ PII when it required those employees to provide that information.
b. Consideration Consideration “ensures the promise sought to be enforced was bargained for and given in exchange for a reciprocal promise or an act.” Margeson, 776 N.W.2d at 655. Thus, “[a] promise to do that which one is already obligated to do will not suffice as consideration.” Ins. Agents, Inc. v. Abel, 338 N.W.2d 531, 534 (Iowa Ct. App. 1983) (citing Lovlie v. Plumb, 250 N.W.2d 56, 57–58 (Iowa 1977)). Stokes contends that providing his PII to AYM as a condition of his employment constituted consideration. AYM counters that the decision was incidental to, and contemplated by, his employment contract with the company. See, e.g., Polkowski v. Jack Doheny Cos., No. 25-cv-10516, 2025 WL 3079358, at *10 (E.D. Mich. Nov. 4, 2025) (“Any purported implied contract would be duplicative of the parties' express employment relationship and unsupported by independent consideration.”). In other words, the parties had an express employment contract and Stokes provided his PII as part of that contract. AYM points out that employers have a legal duty to obtain certain employee information, so Stokes shared his PII pursuant to his employment contract. Like with the question of mutual assent, it is premature for me to resolve the proper framing of the parties’ contractual relationship. Accepting Stokes’ theory that AYM’s demand for his PII created a separate, implied agreement, his allegations are sufficient at this stage to satisfy the consideration requirement. Stokes had no pre-existing duty to share his PII with AYM and did so only at AYM’s request, as a condition of employment. By requesting and receiving the information, AYM could be understood as agreeing to safeguard it. AYM contends that its preexisting legal duty to safeguard PII in its possession means that a promise to comply with an existing obligation does not constitute consideration. However, Stokes alleges that the terms of the implied contract went beyond following legal requirements and included an implied promise to comply with industry standards. Doc. 4 at ¶¶ 67–71, 195. At the pleading stage, I cannot discern the extent to which AYM’s legal obligations may have overlapped with industry standards. See, e.g., Rudolph v. Hudson’s Bay Co., No. 18-cv-8472, 2019 WL 2023713, at *11 (S.D.N.Y. May 7, 2019). For that reason, I find that Stokes has plausibly alleged the elements necessary for the formation of an implied contract.
2. Breach of the Contract AYM contends that even if an implied contract existed, Stokes has not sufficiently alleged a breach. It asserts that the mere fact that a data breach occurred does not establish that AYM breached its alleged promise to safeguard its employees PII according to applicable legal and industry standards. AYM first challenges the scope of the purported contract. In Carlsen v. Gamestop, Inc., 833 F.3d 903 (8th Cir. 2016), the court affirmed dismissal of a breach of contract claim under Minnesota law when the contract “unambiguously d[id] not include” the specific pieces of private information among the contract’s protected PII. Id. at 911. In other words, the private information that was disclosed was not within the scope of information the parties contracted to safeguard. Thus, there was no breach of the contract. Id. at 912. The unambiguity of the contract terms in Carlsen is precisely why that case is distinguishable. Here, there is a dispute as to not only the scope of AYM’s obligation to protect PII, but also as to whether an implied contract even existed. Accepting all well-pleaded facts in the complaint as true, as I must at this stage, Stokes has adequately pleaded that the implied contract covers the same information that was later a part of the data breach. AYM next challenges whether Stokes adequately alleges how the company failed to comply with its obligations under the purported contract. Applying Missouri and Florida law in Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017), the Eighth Circuit affirmed the dismissal of a complaint when the allegations of wrongdoing left the court to “guess how [the defendant] failed to take ‘industry leading’ security measures.” Id. at 719. This holding has been taken as requiring that the plaintiff in a data breach case “identify the actions (e.g., security measures or procedures) the defendant could have employed to prevent the breach.” Harris, 2024 WL 5055556, at *11; Berry v. Crescent Cmty. Health Ctr., No. 24-cv-1036, 2025 WL 1287909, at *9 (N.D. Iowa May 2, 2025). In other words, the data breach itself is not proof that a defendant failed to comply with applicable legal and industry standards. Instead, the allegations must specify how the defendant failed to live up to its obligations. Although the complaint frequently accuses AYM of general misfeasance in protecting its employees’ PII, its allegations go beyond the generic accusations like those in Kuhns. For example, Stokes alleges that encrypting PII is industry standard and that AYM failed to utilize encryption techniques when storing its employees’ PII. Doc. 4 at ¶¶ 37–38, 68, 168–69. In addition, Stokes contends that AYM should have deleted its former employees’ PII after the information was no longer needed. Id. at ¶¶ 37, 120, 179. These allegations are sufficient at this stage to support Stokes’ assertion that AYM breached the alleged, implied contract. AYM’s motion to dismiss Count II will be denied.
C. Count III – Unjust Enrichment Stokes asserts an unjust enrichment claim that is pleaded in the alternative to the breach of implied contract claim. Doc. 4 at ¶ 205. A well-pleaded claim of unjust enrichment consists of three elements: “(1) defendant was enriched by the receipt of a benefit; (2) the enrichment was at the expense of the plaintiff; and (3) it is unjust to allow the defendant to retain the benefit under the circumstances.” State ex rel. Palmer v. Unisys Corp., 637 N.W.2d 142, 154–55 (Iowa 2001). “Unjust enrichment is rooted in the principle that one party should not be unjustly enriched at the expense of another party.” Endress v. Iowa Dep’t of Hum. Servs., 944 N.W.2d 71, 80 (Iowa 2020). It is recognized as “a broad principle with few limitations.” Id. As Stokes formulates the claim, AYM funds its data security measures through the revenue it generates. Doc. 4 at ¶ 206. As an employee, Stokes generated revenue for the company through his labor, which he could provide only after giving his PII to AYM. Id. at ¶¶ 208–09, 215–17. However, instead of allocating the necessary revenue from Stokes’ work to data security, AYM chose to maximize its profits by foregoing investment in security measures to the detriment of its employees. Id. at ¶¶ 210–11, 216–17. As such, it would be unjust to allow AYM to retain the profits it should have applied to data security measures and AYM should be required to disgorge those funds. Id. at ¶¶ 208, 211, 221. In other words, the elements are met because: (1) AYM received the benefits of labor made possible only through Stokes’ sharing of his PII; (2) AYM was enriched at Stokes’ expense when it kept revenue meant for data security measures to instead maximize its profits; and (3) it would be unjust to allow AYM to retain the money it saved by shirking data-security for profit. See, e.g., Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 751 (S.D.N.Y. 2017); Tjahjono v. Westinghouse Air Brake Techs. Corp., No., 23-cv-531, 2024 WL 1287085, at *7 (W.D. Pa. Mar. 26, 2024). AYM resists this conclusion by challenging the adequacy of the first and third element. As to the benefit AYM allegedly conferred, the company contends that Stokes falsely equates his labor with his sharing PII with the company and that Stokes did not confer a benefit on AYM by providing the company with his personal information. See Gaddy v. Long & Foster Cos., No. 21-cv-2396, 2022 WL 22894854, at *13 (D.N.J. Mar. 16, 2022). Considering the equitable nature of the doctrine, however, it is reasonable to say that AYM accepted the benefits accompanying Stokes’ data (i.e., his labor) when the company made the sharing of PII a mandatory condition of employment. See Gordon v. Zeroed-In Tech., LLC, No. 23-cv-3284, 2025 WL 936415, at *16 (D. Md. Mar. 26, 2025); Midkiff v. Shoe Show, Inc., No. 24-cv-858, 2026 WL 880210, at *13 (M.D.N.C. Mar. 30, 2026); Hays v. Frost & Sullivan, Inc., No. 23-cv-1490, 2024 WL 4052741, at *13 (W.D. Tex. Aug. 16, 2024). AYM further argues that because Stokes was fairly compensated for his labor through his wages, allowing an unjust enrichment claim to proceed under Stokes’ theory would effectively restructure the parties’ employment agreement. See, e.g., Johnson v. Nice Pak Prods., 736 F. Supp. 3d 639, 652 (S.D. Ind. 2024); Hall v. Centerspace, LP, No. 22-cv-2028, 2023 WL 3435100, at *7 (D. Minn. May 12, 2023); Flores v. Aon Corp., 242 N.E.3d 340, 357 (Ill. App. Ct. 2023); James v. Countrywide Fin. Corp., 849 F. Supp. 2d 296, 322–23 (E.D.N.Y. 2012). This argument has merit and may ultimately prevail. At this stage, however, Stokes’ allegations are sufficient to plausibly contend that it would be unjust to allow AYM to retain funds that it arguably should have applied to data security. See Midkiff, 2026 WL 880210, at *13. AYM’s motion to dismiss Count III will be denied. VI. CONCLUSION For the reasons set forth herein, the motion (Doc. 18) to dismiss filed by defendant A.Y. McDonald Industries is granted in part and denied in part. It is granted as to plaintiff Patrick Stokes’ negligence claim (Count I), which is hereby dismissed. It is denied as to Stokes’ claims for breach of implied contract (Count II) and unjust enrichment (Count III). Those two claims will proceed.
IT IS SO ORDERED this 8th day of June, 2026. AY Leonard T. Strand United States District Judge