Articles Tagged with data breach litigation

Every data incident in 2026 produces the same playbook. A plaintiffs’ firm files a class action. The complaint pleads breach of contract. It pleads invasion of privacy. It pleads a federal statutory claim. And, almost always, it pleads negligence.

The negligence count usually says some version of the same thing. The defendant owed a duty to safeguard the plaintiff’s personal information, the defendant breached that duty by allowing the data to be exposed or transmitted, and the plaintiff suffered damages including diminished data value, anxiety, lost time, and lost benefit of the bargain.

Illinois law has a problem with this count. Two problems, actually.

The first problem is that there is no freestanding common law duty in Illinois to safeguard another person’s data. The second problem is that even if there were such a duty, Illinois’s economic loss doctrine, known as the Moorman doctrine, would bar recovery for the kinds of damages plaintiffs typically plead.

Both problems are dispositive at the motion to dismiss stage when the defense is built carefully.

The duty problem is settled by the Seventh Circuit. In Community Bank of Trenton v. Schnuck Markets, Inc., the court held that the Illinois Supreme Court has not recognized an independent common law duty to safeguard personal information. The court applied that holding to a data breach class action and dismissed the negligence claim. The Illinois Appellate Court reached the same conclusion in Cooney v. Chicago Public Schools, where the court rejected an attempt to use HIPAA, the federal medical privacy statute, as the source of a state law duty to safeguard data.

These holdings are not technicalities. They are reflections of how the duty element works in Illinois negligence law. A duty does not arise from a vague feeling that information should be protected. A duty arises from a relationship recognized by law, a statute that creates a private cause of action, or a common law rule the Illinois Supreme Court has actually adopted. When none of those exists, there is no duty, and there is no negligence.

Plaintiffs sometimes argue that the physician patient relationship, the merchant customer relationship, or the employer employee relationship is enough. Federal courts in Illinois have rejected those arguments in the data context. In Doe v. Genesis Health System, decided in 2025, the Central District of Illinois applied Community Bank and Cooney directly to a healthcare website tracking case and dismissed the negligence count. The court explained that the relationship based theory does not change the rule. If the Illinois Supreme Court has not recognized the duty, a federal court sitting in diversity will not invent it.

The second problem is the Moorman doctrine.

Moorman Manufacturing Co. v. National Tank Co. is one of the most cited cases in Illinois law. The Illinois Supreme Court held in 1982 that a plaintiff cannot recover in negligence for purely economic loss. Economic loss means losses that are not personal injury and are not damage to other property. Diminished data value is economic loss. Lost benefit of the bargain is economic loss. Lost time is economic loss. Anxiety and emotional distress are not personal injuries in this context. Each of those theories runs into the Moorman bar.

The reason this matters is that data class action complaints almost always allege economic loss as the principal damage theory. Without economic loss damages, the negligence count loses most of its monetary value. Without an actual breach of contract or a separate statutory cause of action, the case shrinks dramatically.

Three points are worth highlighting for any Illinois business defending a data related lawsuit.

A new wave of class action lawsuits is sweeping into the Northern District of Illinois. The defendants are not telecom companies. They are healthcare practices, retailers, fintech companies, telehealth platforms, employers running candidate portals, and any business with a website that uses analytics or advertising tools.

The legal theory is the same in almost every case. The plaintiff alleges that a tracking pixel, often the Meta pixel, the TikTok pixel, or the Google tag, captured information the user typed into the defendant’s website and quietly transmitted that information to a third party advertising platform. The plaintiff then alleges that this transmission violated the federal Electronic Communications Privacy Act, also known as the Wiretap Act, 18 U.S.C. section 2511.

The financial pressure of these cases is enormous. The Wiretap Act allows statutory damages of the greater of $100 per day or $10,000 per plaintiff, plus attorney fees. Multiplied across a putative class of website visitors, the demand letter is designed to force a settlement. That math is the plaintiffs’ bar’s business model.

There is a powerful defense to most of these cases. It is called the party exception, and Illinois federal courts are increasingly willing to enforce it.

The party exception is not buried in a regulatory annex. It is in the statute itself. 18 U.S.C. section 2511(2)(d) provides that the prohibition on intercepting electronic communications does not apply where one of the parties to the communication has consented, or where the defendant is itself a party to the communication. When a customer or patient fills out a form on your website, the customer’s communication is being directed at you. You are not eavesdropping on someone else. You are the recipient.

That sounds obvious. It is also dispositive in most pixel cases when the defense is properly pleaded.

The Northern District of Illinois has issued a series of decisions applying this exact logic. In Kurowski v. Rush System for Health, the court held that Rush, not Facebook or Google or a downstream ad platform, was the intended recipient of the patient communications submitted through Rush’s website and patient portal. Sloan v. Anker Innovations Ltd. went further, holding that even where a defendant later uploads information to a third party server, the defendant remains a party to the original communication, not a non party interceptor. The Zak v. Bose Corp. line of cases rejected the plaintiffs’ bar’s relabeling tactic of recasting the website operator as a redirector of someone else’s data flow. And in Doe v. Genesis Health System, the court explained the principle in plain language. The communications could not have occurred without the plaintiff communicating with the defendant as the intended recipient and party.

What this means in practice is that when a plaintiff sues your business for embedding analytics on your own website that collected information the plaintiff voluntarily submitted to your business, you have a real defense at the motion to dismiss stage. The defense does not require discovery. It does not require expert testimony. It requires careful pleading and an early motion that frames the issue correctly.

If you operate a healthcare practice, a telehealth platform, a behavioral health clinic, a fertility center, an addiction treatment facility, a dental or optometry chain, or any consumer facing business that handles sensitive information online, you have probably heard about the new generation of class action lawsuits over tracking pixels.

The lawsuits target businesses that embed third party tools like the Meta pixel, the TikTok pixel, or Google Analytics on their websites. The complaints allege that the tools captured information about a user’s interactions and transmitted that information to advertising platforms without consent.

In most of these cases, the defendant has a strong defense built into the federal Wiretap Act itself. When a user submits information to your website, you are a party to the communication, and 18 U.S.C. section 2511(2)(d) excludes parties from liability under the statute.

Plaintiffs know about that defense, so they have a workaround. They invoke the same subsection’s other clause, the so called crime tort exception. It provides that the party exception does not apply if the communication was intercepted for the purpose of committing any criminal or tortious act. Plaintiffs typically plead a HIPAA violation, an invasion of privacy claim, or both, as the predicate.

The question is whether this workaround survives.

That question is now actively splitting the federal courts in Illinois. The split is real, current, and important enough that one judge has already certified it for interlocutory appeal.

In the defense friendly camp, Doe v. Genesis Health System, decided by the United States District Court for the Central District of Illinois in 2025, held the answer is no. The court read the statute carefully and concluded that the defendant must have intercepted the communication for the purpose of committing a crime or a tort. Marketing and advertising purposes, the court held, do not satisfy that standard, because lawful commercial activity, even when it ultimately runs afoul of HIPAA’s regulatory scheme, is not the same as acting in order to commit a crime or tort. The Seventh Circuit articulated a similar principle years earlier in Thomas v. Pearl and again in Desnick v. American Broadcasting Cos. The recorder must intend to break the law or commit a tort. That intent is the heart of the carve out.

Doe 1 v. Chestnut Health Systems, Inc., decided in 2025, took the same path and dismissed a complaint that recited criminal or tortious purpose in conclusory terms. The court held that a conclusory recital will not do.

In the plaintiff friendly camp, Stein v. Edward-Elmhurst Health, decided in 2025, went the other way. The court held that a HIPAA violating disclosure can satisfy the carve out even when the defendant’s overall purpose was lawful commercial advertising. The same court later denied reconsideration but explicitly certified the question for interlocutory appeal, finding substantial ground for difference of opinion. That certification is itself a tell. When a federal trial court is comfortable enough with the strength of the opposing view to permit an immediate appeal, the law is genuinely unsettled.

What does this mean for Illinois businesses? Three things.
