Illinois Appellate Court decides issue of first impression in data breach case



By: Donald Patrick Eckler and Adelaide Bell

In a matter of first impression, the Illinois Appellate Court has decided what is sufficient to have standing to pursue a data breach lawsuit under Illinois law. In Flores v. Aon Corp., 2023 IL App (1st) 230140, the court set forth a standard that is particularly salient as the Illinois Supreme Court has granted a petition for leave to appeal in Fausett v. Walgreen concerning whether a plaintiff has standing merely by alleging a violation of statute.

The Flores case concerns a data breach that defendant Aon Corporation (“Aon”) discovered in February 2022, in which an unauthorized third party had accessed the company’s systems since December 2020, exposing the personal information of several individuals. Following the breach, Aon notified the individuals potentially impacted. Plaintiff Flores filed a class action complaint after receiving notice and later filed an amended class action complaint to add Dube, Rushing, and Williams as plaintiffs (collectively “Plaintiffs”). They stated claims for relief for negligence, negligence per se, breach of implied contract, unjust enrichment, Illinois’s Consumer Fraud Act, Florida Deceptive and Unfair Trade Practices Act (“FTPA”), and invasion of privacy. This case highlights the court’s detailed consideration of the requirements for standing to bring a claim.

Plaintiffs alleged that they suffered harm in various ways due to the data breach, including unauthorized charges, increased spam messages, emotional distress over the loss of privacy, and an imminent risk of identity theft and fraud. Under Illinois law, a plaintiff “must only demonstrate some injury in fact to a legally cognizable interest” to have standing to bring a claim. The injury claimed must be “distinct and palpable,” “fairly traceable to the defendant’s actions,” and “substantially likely to be prevented or redressed by the grant of the requested relief.” Although the claimed injury can either be actual or threatened, Illinois courts tend to be more inclined than federal courts to acknowledge standing for individuals who can demonstrate that they have indeed suffered harm or are aggrieved.  

The circuit court initially granted Aon’s motion to dismiss Plaintiffs’ class action complaint in its entirety for lack of standing, citing the only (other) Illinois case addressing standing in a data breach, Maglio v. Advocate Health & Hospitals Corp., 2015 IL App (2d) 140782, which held that the “risk of identity theft or fraud can create standing, but only if the risk of identity theft is imminent or certainly impending.” A “mere increased risk of identity theft is not enough.” Aon argued that Plaintiffs’ allegations were insufficient to establish injury-in-fact for standing purposes, contending that they had not adequately connected the data breach to the unauthorized charges experienced by some Plaintiffs.  

The appellate court disagreed with the circuit court, emphasizing that the Plaintiffs had already suffered injuries. In particular, Plaintiffs had made specific allegations that they had already experienced fraudulent charges and increased spam messages, constituting distinct and palpable injuries. The court noted that the Plaintiffs had alleged that the data breach was the cause of their injuries, as personal information stolen in data breaches can be used for illegal purposes, such as fraud. Further, the court determined that the unauthorized charges experienced by some plaintiffs were fairly traceable to the data breach, as the Plaintiffs alleged that their “benefit enrollment information” was obtained during the breach. Accordingly, the court rejected Aon’s argument that unsuccessful fraudulent charges were not actual injuries, stating that the charges still showed imminent risk of future fraudulent activity. Thus, the appellate court held that the circuit court’s dismissal for lack of standing was erroneous and that Plaintiffs had standing to pursue their claims.

Although the court acknowledged that the alleged injuries were sufficient for standing, it noted they did not amount to actual monetary damages. An implied contract between Plaintiffs and Aon was recognized by the court, yet the breach of implied contract claim was dismissed as Plaintiffs failed to allege actual monetary damages, a requisite element. Aon also prevailed on the consumer protection claims. The court ruled that the alleged injuries, such as emotional distress due to a loss of privacy, lost time dealing with data breach consequences, increased spam messages, and the risk of fraud and identity theft, did not meet the threshold of actual economic damages required by the Consumer Fraud Act. Similarly, the FTPA claim was limited to injunctive relief due to the absence of actual damages, and the unjust enrichment claim failed to demonstrate that Aon unjustly retained any benefits provided by the Plaintiffs.

Plaintiffs argued that Aon had a common law duty to protect their personal information, and the appellate court agreed. It found that the circuit court erred in dismissing the negligence claim because the Plaintiffs’ allegations of proximate cause and injury were sufficient at the pleading stage. The court considered factors like foreseeability, likelihood, burden, and consequences, asserting that Aon, as a sophisticated company, was well “aware of the risks of providing inadequate security measures for personal information … given its experience and expertise in cyber security.” However, the negligence per se claim, based on Aon’s violations of 15 U.S.C. § 45(a), was dismissed, as there was no legislative intent to impose strict liability for Federal Trade Commission Act violations.

Finally, the court held that the circuit court erred in dismissing the claim for invasion of privacy because the introduction of the term “benefit enrollment information” by Aon added a layer of uncertainty with regard to whether the Plaintiffs’ information qualified as private or personal facts. Consequently, this claim was left open for further proceedings to clarify the nature of the data breach.

This ruling highlights issues surrounding data breach cases and emphasizes the court’s analysis of standing in Illinois.

For more information, please contact Donald Patrick Eckler at or your local FMG attorney.