Illinois Has No Common Law “Duty to Safeguard Data,” and the Moorman Doctrine Closes the Door on Most Negligence Damages

|

Every data incident in 2026 produces the same playbook. A plaintiffs’ firm files a class action. The complaint pleads breach of contract. It pleads invasion of privacy. It pleads a federal statutory claim. And, almost always, it pleads negligence.

The negligence count usually says some version of the same thing. The defendant owed a duty to safeguard the plaintiff’s personal information, the defendant breached that duty by allowing the data to be exposed or transmitted, and the plaintiff suffered damages including diminished data value, anxiety, lost time, and lost benefit of the bargain.

Illinois law has a problem with this count. Two problems, actually.

The first problem is that there is no freestanding common law duty in Illinois to safeguard another person’s data. The second problem is that even if there were such a duty, Illinois’s economic loss doctrine, known as the Moorman doctrine, would bar recovery for the kinds of damages plaintiffs typically plead.

Both problems are dispositive at the motion to dismiss stage when the defense is built carefully.

The duty problem is settled by the Seventh Circuit. In Community Bank of Trenton v. Schnuck Markets, Inc., the court held that the Illinois Supreme Court has not recognized an independent common law duty to safeguard personal information. The court applied that holding to a data breach class action and dismissed the negligence claim. The Illinois Appellate Court reached the same conclusion in Cooney v. Chicago Public Schools, where the court rejected an attempt to use HIPAA, the federal medical privacy statute, as the source of a state law duty to safeguard data.

These holdings are not technicalities. They are reflections of how the duty element works in Illinois negligence law. A duty does not arise from a vague feeling that information should be protected. A duty arises from a relationship recognized by law, a statute that creates a private cause of action, or a common law rule the Illinois Supreme Court has actually adopted. When none of those exists, there is no duty, and there is no negligence.

Plaintiffs sometimes argue that the physician patient relationship, the merchant customer relationship, or the employer employee relationship is enough. Federal courts in Illinois have rejected those arguments in the data context. In Doe v. Genesis Health System, decided in 2025, the Central District of Illinois applied Community Bank and Cooney directly to a healthcare website tracking case and dismissed the negligence count. The court explained that the relationship based theory does not change the rule. If the Illinois Supreme Court has not recognized the duty, a federal court sitting in diversity will not invent it.

The second problem is the Moorman doctrine.

Moorman Manufacturing Co. v. National Tank Co. is one of the most cited cases in Illinois law. The Illinois Supreme Court held in 1982 that a plaintiff cannot recover in negligence for purely economic loss. Economic loss means losses that are not personal injury and are not damage to other property. Diminished data value is economic loss. Lost benefit of the bargain is economic loss. Lost time is economic loss. Anxiety and emotional distress are not personal injuries in this context. Each of those theories runs into the Moorman bar.

The reason this matters is that data class action complaints almost always allege economic loss as the principal damage theory. Without economic loss damages, the negligence count loses most of its monetary value. Without an actual breach of contract or a separate statutory cause of action, the case shrinks dramatically.

Three points are worth highlighting for any Illinois business defending a data related lawsuit.

The first point is that HIPAA is not a backdoor. Federal courts have held repeatedly that HIPAA does not create a private right of action. Plaintiffs cannot use HIPAA to manufacture a state law duty in Illinois. Doe v. Board of Trustees of the University of Illinois confirmed this, and Cooney followed the same logic. Healthcare defendants need to be ready to defeat the HIPAA based duty argument cleanly.

The second point is that the negligence dismissal can come early. The duty inquiry is a question of law. The Moorman doctrine is also a question of law as applied to the damages pleaded. Both can be resolved on a motion to dismiss without discovery, and a well drafted motion can take the negligence count off the case before document review begins.

The third point is that the negligence count is often the lynchpin of class certification. Without a viable common law theory, plaintiffs lose the centerpiece of a class settlement narrative. The federal statutory claims, where they survive, often have individualized consent and standing issues that make class treatment harder. Eliminating the negligence count narrows the case and changes its settlement value.

There are exceptions, and a careful defense lawyer respects them. The Illinois Personal Information Protection Act, the Illinois Biometric Information Privacy Act, and certain federal statutes do create specific duties and remedies. The argument here is not that no data related claim can ever proceed in Illinois. The argument is that the bare common law negligence count, untethered to a statute that creates the duty, does not survive in Illinois under current law.

Defense lawyers see the same litigation pattern repeatedly. The plaintiffs’ firm files a complaint with five counts. The complaint reads like a checklist. The negligence count assumes a duty exists. The damages section recites diminished data value and anxiety. The defense is then forced to choose between a slow, expensive war and a nuisance settlement.

That choice is a false choice when the dismissal motion is built right. Community Bank, Cooney, Genesis, and Moorman are not obscure precedents. They are controlling Illinois law on the common law duty and economic loss issues, and they are designed to be used at the motion stage.

If you are an Illinois business defending a class action, a single plaintiff data lawsuit, a pixel tracking complaint, or any matter where a negligence count alleges a duty to safeguard data, DiTommaso Lubin, P.C. handles the defense end of these cases. Call 630-333-0333 for a free consultation or contact us online. This post is for general information and is not legal advice.

Contact Information
Chicago Office
19 S LaSalle St #702
Chicago, IL 60603
Phone: 630-333-0333
Mailing Address
17W220 22nd St #410
Oakbrook Terrace, IL 60181
Phone: 630-333-0333 Please direct all mail correspondence to our Oakbrook Terrace address office.
Highland Park Office
189 Whistler Rd
Highland Park, IL 60035
Phone: 630-710-4990
We accept the following credit cards
Credit Cards Accepted
We accept payment via Venmo at: @L-A-LAW
Phone: 603-333-0333
Visit our site: chicagobusinesslawfirm.com

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2026, DiTommaso Lubin, PC
JUSTIA Law Firm Blog Design