United States District Court, N.D. Illinois, Eastern Division
ANNE DOLMAGE, individually and on behalf of all others similarly situated, Plaintiff,
COMBINED INSURANCE COMPANY OF AMERICA, Defendant.
MEMORANDUM OPINION & ORDER
Castillo United States District Court
Dolmage ("Plaintiff) filed this action against Combined
Insurance Company of America ("Defendant") alleging
breach of contract for failing to keep her personally
identifiable information ("PII") private. Presently
before the Court is Plaintiffs motion for class certification
pursuant to Federal Rule of Civil Procedure 23. (R. 111,
Mot.) For the reasons stated below, the motion is denied.
April 2011, Plaintiff applied for a life insurance policy
underwritten by Defendant. (R. 119-1, Policy Docs, at 1-42.)
At the time, Plaintiff was an Iowa resident and an employee
of the department store Dillard's. (Id. at
24-25.) Defendant offered a variety of insurance products to
Dillard's employees, including group and individual
supplemental insurance policies underwritten by Defendant,
group products underwritten by ACE American Insurance Company
("ACE"), and vaiious medical, vision, and dental
products underwritten by third parties. (R. 111, Mot. at 2.)
applied for her insurance policy by phone. (R. 119-1, Policy
Docs, at 24-25.) After the phone application process was
completed. Defendant mailed a package of fulfillment
materials to Plaintiff (Id. at 1, 24-25.) These
documents included the insurance policy, explanations of
benefits, sales materials, and a document labeled, "Our
Privacy Pledge to You" (herein "Privacy
Pledge"). (Id. at 5-40.) The Privacy Pledge
details some of the safeguards Defendant has in place to
secure private information, including restricting access to a
limited number of people and ensuring that any third party
given access to the information abides by the same strict
privacy standards. (Id. at 38.) The Privacy Pledge
is not specifically mentioned in the Insurance Policy Table
of Contents; however, the fulfillment documents mailed to
Plaintiff stated that "[a] copy of the application and
any rider and endorsement follow page 17." (Id.
at 5.) The Privacy Pledge is one of the documents following
page 17. (See Id. at 18-38.) The Privacy Pledge is
generally sent out with fulfillment materials issued by
Combined Insurance, (R. 119-2, Barg Dep. Tr. at 43; R. 111-7,
Whalen Dep. Tr, at 8), and it was included in the materials
sent to all Dillard's employees who purchased a Combined
Insurance policy. (R. 111-20, Def's Resp, to Interrogs.
hired Robert Diorio, the principal operator of EnroUtek, to
provide support services in connection with the insurance
policies offered to Dillard's employees. (R. 111-1,
Answer ¶¶ 12-13; R. 111-2, Barth Dep. Tr. at 42.)
As part of this process, Defendant provided Diorio with the
PII of Dillard's employees and their dependents. (R.
111-2, Barth Dep. Tr. at 42.) Diorio had some limited
training on how to handle and secure private data, but the
training was not provided by Defendant, nor did it include
any formal certification. (R. 111-3, Diorio Dep. Tr, at
34-36.) Defendant was aware that Diorio would save the PII of
newly enrolled members so that he could process the
information. (Id. at 173-74.) Around February or
March 2012, Diorio accessed the PIT of certain insureds and
their dependents, including Plaintiff. (R. 111-1, Answer
¶ 17.) Diorio then posted the information on the
Enrolltek website. (Id.) Diorio also sent an email
to employees of Defendant with hyperlinks for all the files
contained on the website. (R. 111-5, Email.)
EnroUtek's website was not adequately secured, meaning
that the PII of Plaintiff and thousands of other
Dillard's employees was readily available online from
March 2012 to My 2013. (R. 111-10, Whalen Dep. Tr. at 11-12.)
On July 8, 2013, a Dillard's employee happened to notice
that his social security number and other personal
information could be obtained through a basic internet
search, (Id. at 63; R. 111 -18, Email.) After
learning of the issue, Defendant took steps to remove the
information from the Enrolltek website and from several
common internet search engines. (R. 111-10, Whalen Dep. Tr.
at 8-14.) In a July 2013 letter, Defendant offered
credit-monitoring services to Plaintiff and other insureds,
(R. 111-1, Answer ¶ 23; R, 111-12, Letter.) Individuals
were also offered free credit reports and identity theft
insurance. (R. 111-12, Letter at 1-2.)
2013, Plaintiff and approximately 30 other Dillard employees
had their tax refunds delayed, diverted, or stolen by
identity thieves. (R. 119-11, Worley Dep. Tr. at 22.) After
an internal investigation, Defendant sent out another letter
to insureds in 2014 alerting them to the tax-fraud scheme and
again offering them credit-monitoring services. (R. 111 -13,
Letter.) As of the time of briefing of the motion for class
certification, Dillard's had received approximately 185
reports of false tax filings or attempted filings from its
employees. (R. 119, Resp. at 14.)
2014, Plaintiff filed this action on behalf of herself and a
class of similarly situated individuals alleging a host of
federal and state law claims stemming from the data breach.
(R. 1, Compl.) After two rounds of motions to dismiss,
various amended pleadings, and two substantive opinions from
this Court, what remains of the case is a breach of contract
claim premised on Defendant's alleged breach of the
Am., No. 14 C 3809, 2016 WL 754731 (N.D. Ill.
Feb. 23, 2016); Dolmage v. Combined Ins. Co. of Am.,
No. 14 C 3809, 2015 WL 292947 (N.D. Ill. Jan, 21, 2015).
The crux of Plaintiffs claim is that Defendant breached the
Privacy Pledge when it failed to ensure that EnroUtek
securely maintained the personal information of potential
class members. Dolmage, 2016 WL 754731 Id.
at *4-6. Plaintiff claims that the Privacy Pledge was
incorporated into the terms of the parties'
insui'ance agreement, and that it is thus legally
enforceable. Id. Defendant disagrees that the
Privacy Pledge is part of the parties' agreement and
believes that Plaintiffs claim also fails for lack of damages
and other reasons. Id. at *4-10.
the Court permitted the breach of contract claim to proceed.
Defendant answered the complaint and asserted several
affirmative defenses. (R. 60, Ans.) After several rounds of
motions and amendments to the answer, the Court on May 24,
2016, struck three of Defendant's seven affirmative
defenses. (R. 64-73.) On July 8, 2016, Defendant filed a
motion seeking to amend its answer in order to assert an
entirely new affirmative defense. (R, 76, Mot. to Suppl.)
Specifically, Defendant alleged that Plaintiff had provided
misinformation on her original insurance policy application,
and therefore sought to raise the defense of fraud in the
inducement, entitling it to rescind her policy.
(Id.) The Court denied the motion as untimely and
precluded Defendants' from raising fraud in the
inducement as an affirmative defense. (R. 95, Order.)
Following the close of discovery, Plaintiff filed her motion
for class certification. (R. 111 Mot.) After voluminous
briefing, the motion is now fully briefed. (R. 119, Resp.; R.
123, Reply; R. 127, Surreply; R. 132, Resp. to Surreply.)
obtain class certification under Rule 23, a plaintiff must
satisfy each requirement of Rule 23(a)-numerosity,
commonality, typicality, and adequacy of representation-and
at least one subsection of Rule 23(b). See Bell v. PNC
Bank, Nat'l Ass'n, 800 F, 3d 360, 373 (7th Ch.
2015); Harper v. Sheriff of Cook Cty., 581 F.3d 511,
513 (7th Cir. 2009). Under Rule 23(b), a class may be
certified if one of three circumstances is met: (1)
prosecuting separate actions by individual class members
would "create a risk of inconsistent judgments";
(2) "the party opposing the class has acted or refused
to act on grounds that apply generally to the class, so that
final injunctive relief or corresponding declaratory relief
is appropriate respecting the class as a whole"; or (3)
"the court finds that the questions of law or fact
common to class members predominate over any questions
affecting only individual members, and that a class action is
superior to other available methods for fairly and
efficiently adjudicating the controversy." Fed. R, Civ.
P. 23(b). Satisfaction of the Rule 23(a) and 23(b)
requirements categorically entitles a plaintiff to pursue her
claim as a class action. See Shady Grove Orthopedic
Assocs., P.A. v. Allstate Ins., 559 U.S. 393, 398-99
(2009). District courts have broad discretion in determining
whether certification is appropriate. Ervin v. OS Rest.
Servs., Inc., 632 F.3d 971, 976 (7th Ch. 2011).
considering a motion for class certification, the Court
"may not simply assume the truth of the matters as
asserted by the plaintiff." Messner v. Northshore
Univ. HealthSystem, 669 F.3d 802, 811 (7th Cir. 2012).
If there are material facts in dispute, "the court must
'receive evidence ... and resolve the disputes before
deciding whether to certify the class.'"
Id. (citation omitted). In order to grant class
certification under Rule 23, the Court must be
"satisfied, after a rigorous analysis" that the
Rule's requirements are met. Wal-Mart Stores, Inc. v.
Dukes, 564 U.S. 338, 350-51 (2011) (citation omitted).
In conducting this analysis, "[m]erits questions may be
considered to the extent-but only to the extent-that they are
relevant to determining whether the Rule 23 prerequisites for
class certification are satisfied." Amgen Inc. v.
Conn. Ret. Plans & Tr. Funds, 133 S.Ct,
1184, 1195 (2013). "The party seeking certification
bears the burden of proving that certification is proper by a
preponderance of the evidence." Bell, 800 F.3d
seeks to certify the following class:
All current and former Dillard's, Inc., employees as well
as their dependents who were covered at any time between
March 2010 through March 2012, under a hospital indemnity or
accident insurance policy underwritten by ACE American
Insurance Company, and were covered by insurance underwritten
by Combined Insurance at any point in time between April 2000
and August 2013,
(R. 111, Mot. at 7.) Plaintiff argues that the proposed class
satisfies all of the Rule 23(a) requirements as well as the
requirements of Rule 23(b)(3). (Id. at 13.)
Rule 23(a) requirements
stated, to obtain class certification under Rule 23, a
plaintiff must satisfy each requirement of Rule
23(a)-numerosity, commonality, typicality, and adequacy of
representation. See Bell, ...