Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Dolmage v. Combined Insurance Co. of America

United States District Court, N.D. Illinois, Eastern Division

May 3, 2017

ANNE DOLMAGE, individually and on behalf of all others similarly situated, Plaintiff,


          Ruben Castillo United States District Court

         Anne Dolmage ("Plaintiff) filed this action against Combined Insurance Company of America ("Defendant") alleging breach of contract for failing to keep her personally identifiable information ("PII") private. Presently before the Court is Plaintiffs motion for class certification pursuant to Federal Rule of Civil Procedure 23. (R. 111, Mot.) For the reasons stated below, the motion is denied.


         In April 2011, Plaintiff applied for a life insurance policy underwritten by Defendant. (R. 119-1, Policy Docs, at 1-42.) At the time, Plaintiff was an Iowa resident and an employee of the department store Dillard's. (Id. at 24-25.) Defendant offered a variety of insurance products to Dillard's employees, including group and individual supplemental insurance policies underwritten by Defendant, group products underwritten by ACE American Insurance Company ("ACE"), and vaiious medical, vision, and dental products underwritten by third parties. (R. 111, Mot. at 2.)

         Plaintiff applied for her insurance policy by phone. (R. 119-1, Policy Docs, at 24-25.) After the phone application process was completed. Defendant mailed a package of fulfillment materials to Plaintiff (Id. at 1, 24-25.) These documents included the insurance policy, explanations of benefits, sales materials, and a document labeled, "Our Privacy Pledge to You" (herein "Privacy Pledge"). (Id. at 5-40.) The Privacy Pledge details some of the safeguards Defendant has in place to secure private information, including restricting access to a limited number of people and ensuring that any third party given access to the information abides by the same strict privacy standards. (Id. at 38.) The Privacy Pledge is not specifically mentioned in the Insurance Policy Table of Contents; however, the fulfillment documents mailed to Plaintiff stated that "[a] copy of the application and any rider and endorsement follow page 17." (Id. at 5.) The Privacy Pledge is one of the documents following page 17. (See Id. at 18-38.) The Privacy Pledge is generally sent out with fulfillment materials issued by Combined Insurance, (R. 119-2, Barg Dep. Tr. at 43; R. 111-7, Whalen Dep. Tr, at 8), and it was included in the materials sent to all Dillard's employees who purchased a Combined Insurance policy. (R. 111-20, Def's Resp, to Interrogs. ¶ 20.)

         Defendant hired Robert Diorio, the principal operator of EnroUtek, to provide support services in connection with the insurance policies offered to Dillard's employees. (R. 111-1, Answer ¶¶ 12-13; R. 111-2, Barth Dep. Tr. at 42.) As part of this process, Defendant provided Diorio with the PII of Dillard's employees and their dependents. (R. 111-2, Barth Dep. Tr. at 42.) Diorio had some limited training on how to handle and secure private data, but the training was not provided by Defendant, nor did it include any formal certification. (R. 111-3, Diorio Dep. Tr, at 34-36.) Defendant was aware that Diorio would save the PII of newly enrolled members so that he could process the information. (Id. at 173-74.) Around February or March 2012, Diorio accessed the PIT of certain insureds and their dependents, including Plaintiff. (R. 111-1, Answer ¶ 17.) Diorio then posted the information on the Enrolltek website. (Id.) Diorio also sent an email to employees of Defendant with hyperlinks for all the files contained on the website. (R. 111-5, Email.)

         Unfortunately, EnroUtek's website was not adequately secured, meaning that the PII of Plaintiff and thousands of other Dillard's employees was readily available online from March 2012 to My 2013. (R. 111-10, Whalen Dep. Tr. at 11-12.) On July 8, 2013, a Dillard's employee happened to notice that his social security number and other personal information could be obtained through a basic internet search, (Id. at 63; R. 111 -18, Email.) After learning of the issue, Defendant took steps to remove the information from the Enrolltek website and from several common internet search engines. (R. 111-10, Whalen Dep. Tr. at 8-14.) In a July 2013 letter, Defendant offered credit-monitoring services to Plaintiff and other insureds, (R. 111-1, Answer ¶ 23; R, 111-12, Letter.) Individuals were also offered free credit reports and identity theft insurance. (R. 111-12, Letter at 1-2.)

         In 2013, Plaintiff and approximately 30 other Dillard employees had their tax refunds delayed, diverted, or stolen by identity thieves. (R. 119-11, Worley Dep. Tr. at 22.) After an internal investigation, Defendant sent out another letter to insureds in 2014 alerting them to the tax-fraud scheme and again offering them credit-monitoring services. (R. 111 -13, Letter.) As of the time of briefing of the motion for class certification, Dillard's had received approximately 185 reports of false tax filings or attempted filings from its employees. (R. 119, Resp. at 14.)


         In May 2014, Plaintiff filed this action on behalf of herself and a class of similarly situated individuals alleging a host of federal and state law claims stemming from the data breach. (R. 1, Compl.) After two rounds of motions to dismiss, various amended pleadings, and two substantive opinions from this Court, what remains of the case is a breach of contract claim premised on Defendant's alleged breach of the Privacy Policy. See Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2016 WL 754731 (N.D. Ill. Feb. 23, 2016); Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947 (N.D. Ill. Jan, 21, 2015). The crux of Plaintiffs claim is that Defendant breached the Privacy Pledge when it failed to ensure that EnroUtek securely maintained the personal information of potential class members. Dolmage, 2016 WL 754731 Id. at *4-6. Plaintiff claims that the Privacy Pledge was incorporated into the terms of the parties' insui'ance agreement, and that it is thus legally enforceable. Id. Defendant disagrees that the Privacy Pledge is part of the parties' agreement and believes that Plaintiffs claim also fails for lack of damages and other reasons. Id. at *4-10.

         After the Court permitted the breach of contract claim to proceed. Defendant answered the complaint and asserted several affirmative defenses. (R. 60, Ans.) After several rounds of motions and amendments to the answer, the Court on May 24, 2016, struck three of Defendant's seven affirmative defenses. (R. 64-73.) On July 8, 2016, Defendant filed a motion seeking to amend its answer in order to assert an entirely new affirmative defense. (R, 76, Mot. to Suppl.) Specifically, Defendant alleged that Plaintiff had provided misinformation on her original insurance policy application, and therefore sought to raise the defense of fraud in the inducement, entitling it to rescind her policy. (Id.) The Court denied the motion as untimely and precluded Defendants' from raising fraud in the inducement as an affirmative defense. (R. 95, Order.) Following the close of discovery, Plaintiff filed her motion for class certification. (R. 111 Mot.) After voluminous briefing, the motion is now fully briefed. (R. 119, Resp.; R. 123, Reply; R. 127, Surreply; R. 132, Resp. to Surreply.)


         To obtain class certification under Rule 23, a plaintiff must satisfy each requirement of Rule 23(a)-numerosity, commonality, typicality, and adequacy of representation-and at least one subsection of Rule 23(b). See Bell v. PNC Bank, Nat'l Ass'n, 800 F, 3d 360, 373 (7th Ch. 2015); Harper v. Sheriff of Cook Cty., 581 F.3d 511, 513 (7th Cir. 2009). Under Rule 23(b), a class may be certified if one of three circumstances is met: (1) prosecuting separate actions by individual class members would "create a risk of inconsistent judgments"; (2) "the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole"; or (3) "the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Fed. R, Civ. P. 23(b). Satisfaction of the Rule 23(a) and 23(b) requirements categorically entitles a plaintiff to pursue her claim as a class action. See Shady Grove Orthopedic Assocs., P.A. v. Allstate Ins., 559 U.S. 393, 398-99 (2009). District courts have broad discretion in determining whether certification is appropriate. Ervin v. OS Rest. Servs., Inc., 632 F.3d 971, 976 (7th Ch. 2011).

         In considering a motion for class certification, the Court "may not simply assume the truth of the matters as asserted by the plaintiff." Messner v. Northshore Univ. HealthSystem, 669 F.3d 802, 811 (7th Cir. 2012). If there are material facts in dispute, "the court must 'receive evidence ... and resolve the disputes before deciding whether to certify the class.'" Id. (citation omitted). In order to grant class certification under Rule 23, the Court must be "satisfied, after a rigorous analysis" that the Rule's requirements are met. Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350-51 (2011) (citation omitted). In conducting this analysis, "[m]erits questions may be considered to the extent-but only to the extent-that they are relevant to determining whether the Rule 23 prerequisites for class certification are satisfied." Amgen Inc. v. Conn. Ret. Plans & Tr. Funds, 133 S.Ct, 1184, 1195 (2013). "The party seeking certification bears the burden of proving that certification is proper by a preponderance of the evidence." Bell, 800 F.3d at 373.


         Plaintiff seeks to certify the following class:

All current and former Dillard's, Inc., employees as well as their dependents who were covered at any time between March 2010 through March 2012, under a hospital indemnity or accident insurance policy underwritten by ACE American Insurance Company, and were covered by insurance underwritten by Combined Insurance at any point in time between April 2000 and August 2013,

(R. 111, Mot. at 7.) Plaintiff argues that the proposed class satisfies all of the Rule 23(a) requirements as well as the requirements of Rule 23(b)(3). (Id. at 13.)

         I. Rule 23(a) requirements

         As stated, to obtain class certification under Rule 23, a plaintiff must satisfy each requirement of Rule 23(a)-numerosity, commonality, typicality, and adequacy of representation. See Bell, ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.