LAW.coLAW.co

Dougherty v. Bojangles Rests., Inc.

2026-06-29

Authorities cited

Opinion

majority opinion

Dougherty v. Bojangles Rests., Inc., 2026 NCBC 60.

STATE OF NORTH CAROLINA IN THE GENERAL COURT OF JUSTICE

SUPERIOR COURT DIVISION

WAKE COUNTY 25CV046572-910

ALEXIS DOUGHERTY; DENNIS

CALABRESE; LILY NICOLE

PORTEE; JESSIE RUIZJACOBS; PETER BUNGERT;

CHRISTIE STARNES;

KASSANDRA BLANKENSHIP;

JAMES HIGGINS; and

LEONARDO YON, on behalf of ORDER AND OPINION

themselves and others similarly

situated, ON DEFENDANT’S MOTION TO

DISMISS

Plaintiffs,

v.

BOJANGLES RESTAURANTS,

INC.,

Bojangles.

1. This action arises from a data breach that occurred between 19 February

and 12 March 2024 at Bojangles Restaurants, Inc. (Bojangles). The data breach

allegedly included the personal identifying information and protected health

information (PII/PHI) of current and former Bojangles employees, including

information belonging to Plaintiffs. The case is before the Court on Defendant’s

Motion to Dismiss Plaintiffs’ Class Action Complaint (the Motion), (ECF No. 11).

2. The Court, having considered the Motion, the related briefing, other

relevant matters of record, and the arguments of counsel at a hearing on the Motion

held 3 June 2026, concludes for the reasons stated below that the Motion should be

GRANTED in part and DENIED in part.

Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, for Plaintiffs

Alexis Dougherty, Dennis Calabrese, Jessie Ruiz-Jacobs, Peter Bungert,

Christie Starnes, Kassandra Blankenship, and James Higgins.

Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, and Milberg

Coleman Bryson Phillips Grossman, PLLC, by David K. Lietz, and

Strauss Borrelli PLLC, by Sarah Soleiman, for Plaintiff Lily Nicole

Portee.

Bryson Harris Suciu & DeMay, PLLC, by Scott C. Harris, and Stranch,

Jennings, & Garvey, PLLC, by Robert Bruce Grayson Kent Wells, for

Plaintiff Leonardo Yon.

Robinson, Bradshaw & Hinson P.A., by Charles E. Johnson and

Caroline Reinwald and Mullen Coughlin LLC, by Richard M. Haggerty

and Kayleigh Watson, for Defendant Bojangles Restaurants, Inc.

Earp, Judge.

I. FACTUAL BACKGROUND

3. The Court does not make findings of fact when deciding a motion to dismiss

pursuant to Rule 12(b)(6) of the North Carolina Rules of Civil Procedure. It recites

below factual allegations from the complaint that are relevant to its determination of

the Motion. See, e.g., White v. White, 296 N.C. 661, 667 (1979) (the purpose of “a

motion to dismiss is to test the law of a claim, not the facts which support it” (citation

omitted)).

4. Bojangles is a fast-food chain incorporated in Delaware that maintains a

principal place of business in North Carolina. It has approximately 800 locations

across 17 states. (Compl. ¶¶ 2, 18, 20, ECF No. 3.)

5. Plaintiffs Alexis Dougherty (Dougherty), Dennis Calabrese (Calabrese),

Jessie Ruiz-Jacobs (Ruiz-Jacobs), Christie Starnes (Starnes), James Higgins

(Higgins), and Leonardo Yon (Yon) are citizens of North Carolina. (Compl. ¶¶ 9–10,

12, 14, 16–17.) Plaintiff Lily Nicole Portee (Portee) is a citizen of South Carolina. (Compl. ¶ 11.) Plaintiff Peter Bungert (Bungert) is a citizen of Texas. (Compl. ¶ 13.)

Plaintiff Kassandra Blankenship (Blankenship) is a citizen of Tennessee. (Compl. ¶

15.)

6. Plaintiffs are all former employees of Bojangles. (Compl. ¶¶ 45, 63, 75, 93,

107, 116, 134, 154, 160.)

7. As a condition of their employment, Bojangles required Plaintiffs to provide

their PII/PHI, which Bojangles used for payroll and other employment-related

purposes. (Compl. ¶¶ 48, 64, 78, 94, 119, 137, 154.)

8. Bojangles’ privacy policy states: “Bojangles has security policies and

practices in place designed to protect your Personal Information against

unauthorized access or disclosure, theft, misuse, and loss.” It promises that Bojangles

will “make commercially reasonable efforts for secure handling of this information[.]”

(Compl. ¶ 26.)

9. Plaintiffs allege that Bojangles agreed to safeguard their data in accordance

with its internal policies, state law, and federal law. (Compl. ¶ 24.) Plaintiffs

Dougherty, Calabrese, Portee, Ruiz-Jacobs, Starnes, and Blankenship specifically

allege that they provided their personal information to Bojangles trusting that the

company would use reasonable measures to protect it according to Bojangles’ internal

policies, as well as state and federal law. (Compl. ¶¶ 49, 71, 79, 101, 120, 138.)

Plaintiffs Calabrese and Ruiz-Jacobs state that they would not have provided their

PII to Bojangles had they known that Bojangles “would not utilize standard measures

to reasonably secure” it. (Compl. ¶¶ 68, 98.)

10. Plaintiffs allege that they “reasonably understood that a portion of the

funds derived from their labor would be used to pay for adequate cybersecurity

measures.” (Compl. ¶¶ 50, 80, 121, 139, 249.)

11. From 19 February 2024 to 12 March 2024, the security of Bojangles’

computer systems was breached (the Data Breach). (Compl. ¶ 27.)

12. Plaintiffs contend that over one hundred current or former employees’

names, addresses, Social Security numbers, driver’s license numbers, governmentissued ID numbers, passport numbers, state ID numbers, financial information,

financial account numbers, credit card numbers, debit card numbers, health

insurance information, and medical information were compromised in the Data

Breach. (Compl. ¶¶ 29–30.)

13. Plaintiffs allege that the Data Breach appears to have been the work of

Hunters International (Hunters), an “infamous Russian Ransomware-as-a-Service”

entity. (Compl. ¶¶ 38–39.) On 15 March 2024, Bojangles was listed on Hunters’

dedicated “leak site” on the dark web. (Compl. ¶ 40.) Hunters posted that it had

exfiltrated 294.8 GB of data from Bojangles. (Compl. ¶ 41.) Plaintiffs allege that the

data included their PII/ PHI. (Compl. ¶¶ 42, 52, 82, 109, 123, 141, 153, 163.)

14. Plaintiffs allege that Hunters’ modus operandi includes giving its affiliates

access to its storage server containing stolen files, which can then be downloaded and

stored by the affiliate. Because the stolen data is often stored on the affiliate’s

infrastructure and there are hundreds of affiliates who contract with Hunters, it is

often difficult to track stolen data and to prove whether it has been deleted. (Compl. ¶ 39.) Consequently, Plaintiffs claim that the Data Breach made Plaintiffs’ and the

purported class members’ PII/PHI “available for other cybercriminals to download

and use at their discretion.” (Compl. ¶ 4.)

15. Plaintiffs also complain that Bojangles “kept [them] in the dark” until 19

November 2024, when it began notifying them of the Data Breach. (Compl. ¶¶ 31–

32, 51, 65, 81, 95, 108, 122, 140, 152, 160.)

16. In the Notice Bojangles sent Plaintiffs, it recognized that Plaintiffs were at

a “present, continuing, and significant risk” of identity theft and recommended that

Plaintiffs “remain vigilant against incidents of identity theft by reviewing account

statements and credit reports for unusual activity and to detect errors.” (Compl.

¶ 33a.) Bojangles recommended that “[c]onsumers . . . further educate themselves

regarding identity theft, fraud alerts, credit freezes, and the steps consumers can take

to protect personal information by contacting the consumer reporting bureaus, the

Federal Trade Commission [FTC], or their state attorney general.” (Compl. ¶ 33c.)

17. Plaintiffs allege that Bojangles was negligent as evidenced by its failure to

prevent the Data Breach. (Compl. ¶ 34.) Plaintiffs further allege that Bojangles

acted with a “knowing state of mind” by failing to implement adequate and reasonable

cybersecurity measures. (Compl. ¶¶ 270–71.) They allege that Bojangles’ failure to

promptly and properly notify them of the Data Breach exacerbated their injuries by

depriving them of the earliest ability to take appropriate measures to protect their

PII/PHI and mitigate their damages. (Compl. ¶ 179.)

18. While Plaintiffs recognize that “[s]ince the breach, [Bojangles] claims to

have ‘reviewed [its] existing policies and procedures’ and ‘enhanced certain

administrative and technical controls[,]’ ” (Compl. ¶ 35), they allege that Bojangles’

cybersecurity measures continue to be “inadequate and unreasonable.” (Compl.

¶ 300.)

19. As far as remedies, Plaintiffs acknowledge that Bojangles has “offered some

victims credit monitoring and identity-related services[,]” but they complain that the

services provided are “wholly insufficient” to compensate Plaintiffs for their alleged

injuries. (Compl. ¶ 36.) Plaintiffs allege that their actual damages include the lost

value of their PII/PHI, lost time and money to mitigate and remediate the effects of

the Data Breach, and lost “benefit of the bargain.” (Compl. ¶¶ 71, 171, 234.) In

addition to monetary damages, Plaintiffs allege that they suffer from an increased

risk of future harm, embarrassment, humiliation, frustration and emotional distress.

(Compl. ¶¶ 57, 87, 128, 146, 171, 232.)

20. Since February 2024, Plaintiffs Dougherty, Portee, Starnes, and

Blankenship have experienced a spike in spam and scam phone calls. (Compl. ¶¶ 55,

85, 126, 144.) While telephone numbers were not included in the PII/PHI allegedly

stolen, Plaintiffs claim that the information that was stolen could be used to create

dossiers called “Fullz” packages by cross-referencing and combining it with

information about Plaintiffs found generally on the internet (like telephone

numbers). (Compl. ¶¶ 175–77.)

21. In February 2024, Plaintiff Ruiz-Jacobs’ debit card was fraudulently used

for an $80 purchase. Ruiz-Jacobs believes that this incident was caused by the Data

Breach. (Compl. ¶102.) Although the other Plaintiffs do not allege that they have

experienced any unauthorized use of their information, Plaintiffs believe that injury

to them in the form of fraud and identity theft is imminent because the Data Breach

placed their PII/PHI in the hands of “cybercriminals.” (Compl. ¶¶ 4, 42, 178.)

22. Plaintiffs allege that their PII/PHI continues to be at risk of theft and that

Bojangles has a continuing legal duty to protect it from unauthorized access and

disclosure. (Compl. ¶¶ 49, 79, 120, 138.) They allege that there has been a

“substantial increase in cyberattacks and/or data breaches in recent years[,]” (Compl.

¶ 180), and that the risk of attacks “was widely known to the public and to anyone in

[Bojangles’] industry, including [Bojangles].” (Compl. ¶ 183.)

23. The FTC has established guidelines for the data security practices

businesses must use, including: (a) protecting personal customer information that

they keep, (b) properly disposing of personal information that is no longer needed, (c)

encrypting information stored on computer networks, (d) understanding their

network’s vulnerabilities, and (e) implementing policies to correct security problems.

(Compl. ¶ 185.) The guidelines caution “not [to] maintain information longer than is

needed to authorize a transaction[.]” (Compl.¶ 187a.)

24. Plaintiffs allege that Bojangles’ failure to use reasonable and appropriate

measures to protect against the unauthorized access of its current and former

employees’ personal information constitutes an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 45. (Compl.

¶ 189.)

25. Plaintiffs further allege that Bojangles failed to follow industry best

practices, such as educating all employees, using strong passwords, implementing

multi-layer security (including firewalls, anti-virus, and anti-malware software),

using encryption, implementing multi-factor authentication, backing up data, and

limiting employees’ access to sensitive data. (Compl. ¶ 190.)

26. In addition, Plaintiffs maintain that Bojangles failed to implement industry

standard cybersecurity measures, including both the NIST Cybersecurity Framework

Version 2.0 and the Center for Internet Security’s Critical Security Controls. (Compl.

¶ 192.) Plaintiffs argue that by failing to comply with these accepted standards,

Bojangles’ stored PII/PHI was vulnerable to the Data Breach. (Compl. ¶ 193.)

27. Plaintiffs also allege the Data Breach resulted from Bojangles’ failure to

safeguard PHI in compliance with the Health Insurance Portability and

Accountability Act’s (HIPAA) mandated security standards. (Compl. ¶ 196.)

Specifically, Plaintiffs allege that Bojangles failed to: (a) implement policies and

procedures to prevent, detect, contain, and correct security violations; (b) identify and

respond to suspected or known security incidents; (c) mitigate harmful effects of

known security incidents; and (d) train all staff members on policies and procedures

related to PHI. (Compl. ¶ 196f–h.)

28. As a result of the Data Breach, Plaintiffs allege that they have spent, and

will continue to spend, significant time and effort monitoring their accounts to protect themselves from identity theft. (Compl. ¶¶ 54, 70, 84, 100, 110, 125, 143, 156.)

Plaintiff Higgins alleges that he has spent “multiple hours” taking steps to avoid

identity theft, including closely tracking his credit monitoring service, freezing and

closing his accounts, and carefully reviewing his accounts. (Compl. ¶ 156.) Plaintiff

Bungert claims to have spent over ten days (over fifty hours) “dealing with the

consequences of the Data Breach, which includes . . . self-monitoring his accounts.”

(Compl. ¶110.) All Plaintiffs anticipate continuing to spend considerable amounts of

time and money to try to mitigate future consequences of the Data Breach. (Compl.

¶¶ 61, 73, 91, 104, 132, 150, 158, 169.)

29. Stolen PII/PHI is a valuable commodity that reportedly can be worth up to

$1,000.00 depending on the type of information obtained. (Compl. ¶ 172.)

II. PROCEDURAL BACKGROUND

30. Plaintiffs filed this action on 23 December 2025 in Wake County Superior

Court, asserting causes of action for (1) negligence; (2) negligence per se; (3) breach of

implied contract; (4) invasion of privacy; (5) unjust enrichment; (6) violation of the

North Carolina Unfair and Deceptive Trade Practices Act (UDTPA); and (7)

declaratory judgment against Bojangles. (See generally Compl.)

31. On 5 February 2026, the case was designated to the Business Court and

assigned to the undersigned. (ECF Nos. 1–2.)

32. On 9 March 2026, Bojangles filed the Motion. (ECF No. 11.) Plaintiffs filed

their response on 30 March 2026. (ECF No. 15.) Bojangles replied on 9 April 2026.

(ECF No. 17.)

33. The Court held a hearing on the Motion on 3 June 2026. All parties were

present through counsel and had an opportunity to be heard. The Motion is now ripe

for disposition.

III. LEGAL STANDARD

34. As an initial matter, the Court must decide which state’s law to apply. Both

Plaintiffs and Bojangles argue that North Carolina law applies. (Def.’s Br. 7; Pls.’

Mem. L. Opp’n Def. Bojangles Restaurants, Inc.’s Mot. Dismiss [Pls.’ Opp’n] 6 n.1,

ECF No. 15.) Because Plaintiffs allege that “a substantial part of the events and

omissions giving rise to this action” occurred in North Carolina, (Compl. ¶ 20), the

Court agrees for purposes of the Motion. 1

35. “A motion to dismiss under Rule 12(b)(6) ‘tests the legal sufficiency of the

complaint.’ ” Design Gaps, Inc. v. Hall, 2024 NCBC LEXIS 64, at *6 (N.C. Super. Ct.

May 1, 2024) (quoting Isenhour v. Hutto, 350 N.C. 601, 604 (1999)). Dismissal of a

cause of action is proper if “(1) the complaint on its face reveals that no law supports

the plaintiff’s claim; (2) the complaint on its face reveals the absence of facts sufficient

to make a good claim; or (3) the complaint discloses some fact that necessarily defeats

the plaintiff’s claim.” Corwin v. Brit. Am. Tobacco, PLC, 371 N.C. 605, 615 (2018)

(citations omitted); see Sutton v. Duke, 277 N.C. 94, 103 (1970) (“[A] complaint should

not be dismissed for insufficiency unless it appears to a certainty that plaintiff is

entitled to no relief under any state of facts which could be proved in support of the

claim.” (citation and emphasis omitted)).

1 The Court may revisit this issue, if warranted, on a more developed record.

36. When deciding a motion to dismiss, the Court views the allegations in the

“light most favorable to the non-moving party.” Sykes v. Health Network Sols., Inc.,

372 N.C. 326, 332 (2019) (citation omitted). The issue for the Court “is not whether

[the] plaintiff will ultimately prevail but whether the plaintiff is entitled to offer

evidence to support the claim.” Brown v. Lumbermens Mut. Cas. Co., 90 N.C. App.

464, 471 (1988), aff’d, 326 N.C. 387 (1990).

37. North Carolina is a notice pleading state. See, e.g., Cadieu Tree Experts,

Inc. v. Wiedner, 2026 NCBC LEXIS 86, at *10 (N.C. Super. Ct. Apr. 15, 2026) (“North

Carolina remains a notice-pleading state, meaning a pleading filed in this state must

contain a short and plain statement of the claim sufficiently particular to give the

court and the parties notice of the transactions, occurrences intended to be proved

showing that the pleader is entitled to relief.” (citation modified)); PJC Mgmt. Grp.,

LLC v. Maaco Franchisor SPV LLC, 2026 NCBC LEXIS 92, at *8 (N.C. Super. Ct.

Apr. 22, 2026) (“North Carolina remains a notice pleading jurisdiction[.]”). With the

exception of specific causes of action such as fraud, which requires the pleading to be

particular in its facts, notice pleading affords “a sufficiently liberal construction of

complaints so that few fail to survive a motion to dismiss.” Jones v. J. Kim Hatcher

Ins. Agencies, Inc., 387 N.C. 489, 496 (2025) (citations omitted).

38. Nevertheless, the Court is not required “to accept as true allegations that

are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.”

Good Hope Hosp., Inc. v. N.C. HHS, Div. of Facility Servs., 174 N.C. App. 266, 274

(2005) (citation and internal quotation marks omitted); see also PJC Mgmt. Grp., LLC, 2026 NCBC LEXIS 92, at *9 (distinguishing causes of action that are pled

sufficiently from those that are not and holding that “threadbare allegations are

insufficient even under a simple notice-pleading standard”).

IV. ANALYSIS

39. Bojangles requests dismissal of all causes of action alleged against it. The

Court addresses each one below.

A. Negligence Per Se

40. Since the Motion was filed, Plaintiffs abandoned their claim for negligence

per se, (see Pls.’ Opp’n 14); accordingly, the Motion with respect to that claim is

uncontested. See BCR 7.6.

41. Plaintiffs allege that Bojangles committed negligence per se by “violat[ing]

its duty under Section 5 of the FTC[A]” and “its duty under HIPAA[.]” (Compl.

¶¶ 239, 244–45.) This Court previously determined that neither the FTCA nor

HIPAA is a public safety law and therefore neither can form the basis of a negligence

per se claim. See Weddle v. WakeMed Health, 2023 NCBC LEXIS 162, at *6–7 (N.C.

Super. Ct. Dec. 4, 2023) (“The negligence per se claim is untenable because neither

the FTC[A] . . . nor the HIPAA regulations are public safety laws. . . . Because

Plaintiffs have not alleged a violation of a public safety statute, they have failed to

state a claim for negligence per se.”).

42. Accordingly, the negligence per se claim shall be DISMISSED with

prejudice. 2

2 “The decision to dismiss an action with or without prejudice is in the discretion of the trial

court[.]” First Fed. Bank v. Aldridge, 230 N.C. App. 187, 191 (2013).

B. Negligence

43. Bojangles contends that Plaintiffs’ negligence claim fails for three reasons:

(1) Plaintiffs have not pled a legally recognized duty of care; (2) Plaintiffs have not

alleged facts to support conclusory allegations of causation; and (3) Plaintiffs have

not alleged any actual damages but instead have engaged in speculation about what

might occur in the future. (Def.’s Br. 7–12.)

44. On the latter point, Bojangles highlights the speculative nature of the

damages, given that the Data Breach occurred more than two years ago, and only one

Plaintiff, Ruiz-Jacobs, has experienced a loss (an $80 charge to his debit card). With

respect to that loss, Bojangles contends the complaint is devoid of facts to support

causation. (Def.’s Br. 10–12.)

45. With respect to the increase in spam and scam calls that some Plaintiffs

claim to have experienced, Bojangles argues that Plaintiffs have not alleged that

telephone numbers were included in the list of PII/PHI involved in the Data Breach.

It concludes, therefore, that any increase in spamming or scamming that Plaintiffs

experienced could not have been caused by the Data Breach. (Def.’s Br. 10.)

46. Bojangles further argues that no North Carolina court has ever recognized

the time and expense of credit monitoring or the diminished value of PII/PHI as

sufficient injuries to support a negligence claim. (Def.’s Br. 11.) It contends that

Plaintiffs’ allegations of emotional harm are also insufficient under North Carolina

law. (Def.’s Br. 12.)

47. Plaintiffs respond that they have met their responsibility to allege breach

of a legal duty by alleging, among other things, that it was foreseeable that Bojangles’

failure to exercise due care in handling their PII/PHI could result in a data breach

that would expose their information to criminals and cause Plaintiffs harm. (Compl.

¶¶ 216–22.) They add that Bojangles’ duty extended to ensuring that Plaintiffs were

notified of the Data Breach within a reasonable timeframe. (Compl. ¶ 219d.)

According to Plaintiffs, courts applying North Carolina law have consistently found

these allegations sufficient to allege a duty of care at the motion to dismiss stage.

(Pls.’ Opp’n 8–10.)

48. Plaintiffs likewise argue that they have sufficiently alleged causation by

stating both that “[a]s a direct and traceable result” of Bojangles’ negligence, they

have suffered damages, and that Bojangles’ breach of its duty to exercise reasonable

care “actually and proximately caused” Plaintiffs damages. (Compl. ¶¶ 232, 234.)

The rest, they contend, is a question of fact to be decided by a jury. (Pls.’ Opp’n 11

n.5.)

49. Specifically referencing Ruiz-Jacobs’ $80 loss, Plaintiffs argue that

causation is adequately pled because the loss happened close in time to the Data

Breach, and a temporal relationship is enough to plead causation. (Compl. ¶ 102.) In

response to Bojangles’ assertion that Ruiz-Jacobs complains only about the theft of

his Social Security number and not his debit card number, Plaintiffs point to

paragraph 29 of the Complaint, which includes debit card numbers among the types

of PII/PHI that were compromised in the Data Breach.

50. As for the increase in spam and scam calls that some Plaintiffs allegedly

experienced, Plaintiffs contend that cybercriminals in possession of the other PII/PHI

compromised in the Data Breach – particularly Plaintiffs’ Social Security numbers –

could pair that information with other information available on the internet, such as

telephone numbers, and then sell dossiers (“Fullz” packages) to mass marketers.

Consequently, they attribute the increase in spam and scam activity to the likelihood

that the stolen PII/PHI was used in this manner. (Pls.’ Opp’n 11–12 n.5; Compl. ¶¶

175–77.)

51. Moving to damages, Plaintiffs respond that they have more than satisfied

their pleading obligation. In addition to Ruiz-Jacobs’ $80 loss, Plaintiffs point to their

allegations that their PII/PHI was posted on the dark web, making it readily

accessible to criminals and diminishing its value; that after the incident some of them

experienced an increase in spam and scam calls; that they have spent time and money

on mitigation efforts to protect their PII/PHI; and that they have suffered emotional

injury in the form of fear, anxiety, sleep disruption, stress, and frustration. (Pls.’

Opp’n 12–14; Compl. ¶¶ 171, 234.)

52. Negligence is defined as the “failure to exercise proper care in the

performance of some legal duty which the defendant owed the plaintiff, under the

circumstances in which they were placed.” Wood v. Guilford Cnty., 355 N.C. 161, 166

(2002) (citation modified). “To state a common law negligence claim, plaintiff must

show (1) a legal duty; (2) a breach thereof; and (3) injury proximately caused by the

breach.” Bridges v. Parrish, 366 N.C. 539, 541 (2013) (citation modified).

53. “The law imposes upon every person who enters upon an active course of

conduct the positive duty to exercise ordinary care to protect others from harm, and

[it] calls a violation of that duty negligence.” Fussell v. N.C. Farm Bureau Mut. Ins.

Co., 364 N.C. 222, 226 (2010) (quoting Council v. Dickerson’s Inc., 233 N.C. 472, 474

(1951)). “It is sufficient if by the exercise of reasonable care the defendant might have

foreseen that some injury would result from his conduct or that consequences of a

generally injurious nature might have been expected. Usually the question of

foreseeability is one for the jury.” Id. (citation modified) (quoting Slaughter v.

Slaughter, 264 N.C. 732, 735 (1965)).

54. In this case, Plaintiffs adequately allege that Bojangles had a legal duty to

protect their data. They allege that it was foreseeable that cybercriminals like

Hunters would attempt a data breach and that they would be successful given

Bojangles’ inadequate security measures. (Compl. ¶¶ 180–83, 216, 218, 222, 224–25.)

They further allege that Bojangles had a duty to notify them of the Data Breach

within a reasonable timeframe. (Compl. ¶ 219d.)

55. Courts applying North Carolina law in data breach cases have found that

one in possession of another’s PII/PHI has a duty of care to safeguard and protect

that information. See Curry v. Schletter Inc., No. 1:17-cv-0001-MR-DLH, 2018 U.S.

Dist. LEXIS 49442, at *9–10 (W.D.N.C. Mar. 26, 2018) (declining to dismiss a

negligence claim in an employer-employee data breach case when the plaintiffs

alleged that “Defendant had a duty to exercise reasonable care to protect [plaintiffs’]

confidential information”); see also Weddle, 2023 NCBC LEXIS 162, at *8–9 (finding a duty of care in a data breach case when a hospital allegedly mishandled patients’

confidential information); Rodriguez v. FastMed Urgent Care, Inc., 2025 NCBC

LEXIS 33, at *8–11 (N.C. Super. Ct. Mar. 25, 2025) (same); Williams v. DukeHealth,

No. L22-CV-727, 2024 U.S. Dist. LEXIS 58377, at *31 (M.D.N.C. Mar. 1, 2024)

(finding “Defendant had a duty of care to protect Plaintiff’s privacy in her medical

records and that HIPAA, among other statutes, informed that standard of care”). 3

This Court also concludes that Plaintiffs have adequately alleged a duty on the part

of Bojangles to exercise reasonable care to protect their PII/PHI and to inform them

of the Data Breach in a reasonable time period after its occurrence.

56. As for causation, Plaintiffs have again satisfied their pleading obligation.

They allege that Bojangles’ breach of its duty to them resulted in the Data Breach

that harmed them. (Compl. ¶¶ 229, 234.) Plaintiffs further allege that by failing to

provide timely notice of the Data Breach, Bojangles exacerbated that harm. (Compl.

¶ 230.) Plaintiffs add that they have or will suffer damages “[a]s a direct and

traceable result of [Bojangles’] negligence[.]” (Compl. ¶ 232.) Nothing more is

required at this stage. Demarco v. Charlotte-Mecklenburg Hosp. Auth., 268 N.C. App.

334, 341 (2019) (“Because the complaint adequately recites the element of causation,

an issue of fact for the jury to decide, plaintiff has made a sufficient pleading of

causation under Rule 12(b)(6).”); Acosta v. Byrum, 180 N.C. App. 562, 568–69 (2006)

3 Contra Cedarbrook Residential Ctr., Inc. v. N.C. HHS, 383 N.C. 31, 61, 63 (2022) ( “Plaintiffs

. . . failed to allege any facts or to cite any legal authority in support of their contention that the department owed them a legally recognized duty of care.” Specifically, “the relevant duty of care runs to the person or persons whom the agency’s regulatory actions were intended to protect rather than to the entity being regulated.” (emphasis added)).

(“Questions of proximate cause and foreseeability are questions of fact to be decided

by the jury.” (citations omitted)).

57. Lastly, Plaintiffs are required to allege damages in order to plead a claim

for negligence. See Comm. to Elect Forest v. Employees PAC, 376 N.C. 558, 596 (2021)

(“[T]he proper disposition for failure to allege actual injury or damages

is . . . dismissal for failure to state a claim upon which relief can be granted.” (citing

Hansley v. Jamesville & W.R. Co., 115 N.C. 602, 613 (1894) (“Neither negligence

without damage nor damage without negligence will constitute any cause of

action.”))). 4

58. In Rodriguez, a case involving technology that collected and transmitted

the plaintiff’s confidential information to a third party without her consent, the

plaintiff brought a negligence claim and alleged emotional damages similar to those

alleged here. In rejecting the defendant’s contention that the plaintiff’s description

of her damages as “embarrassment, humiliation, emotional harm, and distress” was

insufficient at the pleading stage, this Court held that the plaintiff’s allegations

cleared the “low bar” of notice pleading. Rodriguez, 2025 NCBC LEXIS 33, at *12–

13 (citing Royster v. McNamara, 218 N.C. App. 520, 530–33 (2012) (determining

allegation that plaintiff “[was] forced to undergo humiliation and emotional damage”

were sufficient in connection with a negligence claim)).

4 Bojangles argues that this Court should follow the lead of the United States District Court

for the Western District of North Carolina, which previously dismissed this action for lack of standing. See Dougherty v. Bojangles’ Rests., Inc., No. 3:25-CV-00065-KDB-DCK, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sep. 30, 2025). While this Court takes note of the federal court’s reasoning, it does not hold Plaintiffs to the standard for standing applied in the federal court when pleading damages in this Court. See Comm. to Elect Forest, 376 N.C. at 607–08.

59. Unlike tort claims for infliction of emotional distress, which require a

plaintiff to plead a disabling mental condition, Plaintiffs here assert that they

suffered damages of a “pain and suffering” nature caused by Bojangles’ alleged

negligence. Our Court of Appeals addressed this distinction:

Defendant also argues that plaintiff cannot recover general damages for

pain and suffering without proof of “severe emotional distress.” This

argument confuses the “severe emotional distress” that is an

essential element of a claim for negligent or intentional infliction of

emotional distress, with the emotional suffering that may be part of a

claim seeking damages for general “pain and suffering.” Defendant cites

no cases in support of the proposition that the psychological component

of damages for “pain and suffering” must meet the same standard as

the element of “severe emotional distress” that is part of claims for

infliction of emotional distress, and we find none. Accordingly, we reject

defendant’s argument.

Iadanza v. Harper, 169 N.C. App. 776, 780 (2005).

60. Plaintiffs also allege economic damages in the form of diminished value of

their PII/PHI, the costs they have incurred and will continue to incur to monitor for

fraud and mitigate its effects, and the lost “benefit of the bargain.” (Compl. ¶¶ 71,

171, 234.) Contrary to Bojangles’ argument that these are damages that Plaintiffs

might incur in the future and are, therefore, too speculative to state a claim, Plaintiffs

allege that these damages currently exist.

61. In Capiau v. Ascendum Mach., Inc., No. 3:24-cv-00142-MOC-SCR, 2024

U.S. Dist. LEXIS 142393 (W.D.N.C. Aug. 8, 2024), the United States District Court

for the Western District of North Carolina held that allegations of damages stemming

from “([1]) actual mis-use of [plaintiff’s] PII; (2) an intangible harm fairly analogous

to common law invasion of privacy; (3) the substantial risk that Plaintiff’s PII will continue to be mis-used in the future; and (4) opportunity and other costs imposed by

reasonable mitigation efforts intended to address the substantial risk of PII mis-use”

were sufficient to survive a motion to dismiss. Id. at *26. So too, here. See In re

Marriott Int’l, Inc., 440 F. Supp. 3d 447, 494 (D. Md. 2020) (time and money spent

mitigating harm and loss of value of personal information recognized as damages in

negligence action); see also Holmes v. Elephant Ins. Co., 156 F.4th 413, 425–26 (4th

Cir. 2025) (holding that two plaintiffs who alleged that they had their driver’s license

numbers listed on the dark web against their wishes suffered a concrete injury

sufficient to give them Article III standing to seek damages). 5

62. In sum, Plaintiffs have adequately alleged that Bojangles breached a duty

it owed them and that the breach caused them damage. Accordingly, Bojangles’

Motion with respect to Plaintiffs’ negligence claim shall be DENIED.

C. Breach of Implied Contract

63. Bojangles contends that Plaintiffs have not stated a claim for breach of

implied contract because there are no allegations of mutual assent or meeting of the

minds and because, as with the negligence claim, Plaintiffs have failed to allege any

damages. (Def.’s Br. 14–16.) Specifically, Bojangles argues that Plaintiffs’ reliance

on Bojangles’ privacy policy fails because (a) Bojangles did not promise to be

contractually bound to any privacy standards, 6 and (b) Plaintiffs do not allege that

5 In addition, Plaintiff Ruiz-Jacobs has alleged an actual injury in the form of $80 in fraudulent charges to his debit card which, he alleges upon information and belief, was caused by the Data Breach. (Compl. ¶ 102.)

6 In fact, as Bojangles argues, the privacy policy states “[w]e make commercially reasonable

efforts for secure handling of this information, but we cannot guarantee our security they read or were even aware of the privacy policy when they gave Bojangles their

PII/PHI. (Def.’s Br. 15.)

64. Plaintiffs respond that implied contracts do not require an express

agreement, and whether there was a meeting of the minds is one for the trier of fact.

(Pls.’ Opp’n 15.) Plaintiffs further contend that federal courts applying North

Carolina law have recognized that the promise to safeguard private information is

inherent in any transaction in which one is required to entrust their confidential

information, especially when the relationship is that of employer and employee. (Pls.’

Opp’n 16–18.) Finally, Plaintiffs argue that their allegation that Bojangles’ privacy

policy imposes a commitment on Bojangles to safeguard its employees’ PII/PHI is

sufficient to state a claim. (Pls.’ Opp’n 18–19.)

65. “The elements of a claim for breach of contract are (1) existence of a valid

contract and (2) breach of the terms of that contract.” Johnson v. Colonial Life &

Accident Ins. Co., 173 N.C. App. 365, 369 (2005) (quoting Poor v. Hill, 138 N.C. App.

19, 26 (2000)). “[A] valid contract requires (1) assent; (2) mutuality of obligation; and

(3) definite terms.” Charlotte Motor Speedway, LLC v. Cnty. of Cabarrus, 230 N.C.

App. 1, 7 (2013) (citing Schlieper v. Johnson, 195 N.C. App. 257, 265 (2009)).

66. “[A] contract implied in fact arises where the intent of the parties is not

expressed, but an agreement in fact, creating an obligation, is implied or presumed

from their acts.” Creech v. Melnik, 347 N.C. 520, 526 (1998) (citing Snyder v.

Freeman, 300 N.C. 204, 217 (1980)). “An implied contract is as valid and enforceable

measures.” Privacy Policy, BOJANGLES, https://www.bojangles.com/privacy-policy/ (last visited June 23, 2026) (emphasis added).

as an express contract, but mutual assent is determined from the parties’ actions,

rather than an express agreement.” Edwards v. PFA Architects, P.A., 2017 NCBC

LEXIS 56, at *10 (N.C. Super. Ct. June 29, 2017) (citation omitted); see Synder, 300

N.C. at 218 (“With regard to a contract implied in fact, one looks not to some express

agreement, but to the actions of the parties showing an implied offer and

acceptance.”). “Whether mutual assent is established and whether a contract was

intended between parties are questions for the trier of fact.” Id. at 217 (citing Storey

v. Stokes, 178 N.C. 409, 411 (1919)).

67. The Capiau decision from the Western District of North Carolina and the

recent decision in Midkiff v. Shoe Show, Inc., No. 1:24-cv-858, 2026 U.S. Dist. LEXIS

66944 (M.D.N.C. Mar. 30, 2026), both applying North Carolina law, are instructive.

Both cases involved plaintiffs who were required to provide their personal

confidential information to their employers. Both courts held that in such a scenario,

the employer has an implicit obligation to adequately safeguard the information it

receives. See Capiau, 2024 U.S. Dist. LEXIS 142393, at *30 (“As a condition of

Plaintiff’s employment, Defendant required Plaintiff to provide to Defendant his PII.

The requirement that Plaintiff provide Defendant his PII vested in Defendant an

implicit obligation to adequately safeguard Plaintiff’s PII.” (citation omitted));

Midkiff, 2026 U.S. Dist. LEXIS 66944, at *40 (“Plaintiffs have alleged an employment

relationship between [plaintiff] and Defendant, a condition of which was [plaintiff]’s

provision of her PII to Defendant. . . . Such a factual allegation creates the reasonable

inference that an implied contract to protect that PII exists.” (citation omitted)).

68. Likewise, Plaintiffs in this case allege that “[a]s a condition of [their]

employment with [Bojangles]” they were required to provide their PII/PHI. (Compl.

¶¶ 48, 64, 78, 94, 119, 137, 154.) Plaintiffs allege that they “trusted [Bojangles] would

use reasonable measures to protect it according to [Bojangles’] internal polices, as

well as state and federal law.” (Compl. ¶¶ 49, 79, 120, 138.) Bojangles’ policy

promised (but did not guarantee) that Bojangles would protect the information

against theft and that Bojangles would make “commercially reasonable efforts” for

the secure handling of the information. (Compl. ¶ 26b.) These allegations are

sufficient to plead the existence of an implied contract. 7

69. Bojangles’ argument that Plaintiffs have failed to allege damages is also

not persuasive. “In a suit for damages for breach of contract, proof of the breach

would entitle[] the plaintiff to nominal damages at least.” Bryan Builders Supply v.

Midyette, 274 N.C. 264, 271 (1968) (quoting Bowen v. Fid. Bank, 209 N.C. 140, 144

(1936)).

70. Accordingly, Plaintiffs’ claim for breach of implied contract survives.

Bojangles’ Motion with respect to this claim shall be DENIED.

D. Invasion of Privacy

71. Bojangles contends that Plaintiffs’ invasion of privacy claim fails because

(1) North Carolina does not recognize a cause of action for public disclosure of private

7 Bojangles’ argument that Plaintiffs have not alleged the terms of the implied agreement is

also unavailing. “[I]t will be for the trier of fact to determine on what terms there was a meeting of the minds and thus what terms are included in the alleged contract on which Plaintiffs will ultimately need to demonstrate breach to prevail.” Weddle, 2023 NCBC LEXIS 162, at *13–14 (quoting Lannan v. Bd. of Governors of the Univ. of N.C., 285 N.C. App. 574, 598 (2022)).

facts; and (2) a claim based on the theory of intrusion into seclusion does not exist

because Plaintiffs willingly shared their information with Bojangles. (Def.’s Br. 16–

18.)

72. Plaintiffs respond that they have sufficiently alleged a claim for intrusion

into seclusion. (Pls.’ Opp’n 19.) Citing Toomer v. Garrett, 155 N.C. App. 462 (2002),

they contend that the North Carolina Court of Appeals allowed a claim for intrusion

into seclusion in a similar factual situation. (Pls.’ Opp’n 20–21.)

73. The Supreme Court of North Carolina has held that “claims for invasions

of privacy by publication of true but ‘private’ facts are not cognizable at law in this

State.” Hall v. Post, 323 N.C. 259, 265 (1988) (emphasis in original). Accordingly, to

the extent Plaintiffs attempt that claim, the Motion shall be GRANTED.

74. However, “[t]he tort of invasion of privacy by intrusion into seclusion has

been recognized in North Carolina and is defined as the intentional intrusion

‘physically or otherwise, upon the solitude or seclusion of another or his private

affairs or concerns . . . [where] the intrusion would be highly offensive to a reasonable

person.’ ” Toomer, 155 N.C. App. at 479 (quoting Miller v. Brooks, 123 N.C. App. 20,

26–27 (1996)). “Generally, there must be a physical or sensory intrusion or an

unauthorized prying into confidential personal records to support a claim for invasion

of privacy by intrusion.” Broughton v. McClatchy Newspapers, Inc., 161 N.C. App.

20, 29 (2003) (citations omitted). “The kinds of intrusions that have been recognized

under this tort include ‘physically invading a person’s home or other private place,

eavesdropping by wiretapping or microphones, peering through windows, persistent telephoning, unauthorized prying into a bank account, and opening personal mail of

another.’ ” Toomer, 155 N.C. App. at 479–80 (quoting Hall v. Post, 85 N.C. App. 610,

615 (1987), rev’d on other grounds, 323 N.C. 259 (1988)).

75. Invasion of privacy by intrusion into seclusion is an intentional tort. See

Capiau, 2024 U.S. Dist. LEXIS 142393, at *33 (“Defendant’s intent is . . . an essential

element of Plaintiff’s invasion of privacy claim.”). In this case, Plaintiffs allege that

Bojangles acted with “a knowing state of mind when it permitted the Data Breach

because it knew its information security practices were inadequate” and also when it

failed to give Plaintiffs timely notice of the Data Breach. (Compl. ¶¶ 270–71.)

Nowhere, however, do Plaintiffs allege that Bojangles intentionally intruded into

their affairs. To the contrary, they allege that they willingly provided their PII/PHI

to Bojangles. See, e.g., Weddle, 2023 NCBC LEXIS 162, at *10–11 (granting a motion

to dismiss on an invasion of privacy claim when plaintiffs alleged “that they

voluntarily shared sensitive information with [defendant] and that [defendant] then

gave Meta unauthorized access to that information”); Fisher v. Commc’n. Workers of

Am., 2008 NCBC LEXIS 19, at *16 (N.C. Super. Ct. Oct. 30, 2008) (finding no claim

for invasion of privacy when the defendants properly received the plaintiffs’ Social

Security numbers and then posted them on a public bulletin board); Alexander v. City

of Greensboro, 762 F. Supp. 2d 764, 816 (M.D.N.C. 2011) (“Because [Defendant]

properly received this information, her disclosure of it did not constitute intrusion

into seclusion, so Plaintiffs cannot rely upon this disclosure for their invasion of

privacy claim.”); Sabrowski v. Albani-Bayeux, Inc., No. 1:02CV00728, 2003 U.S. Dist. LEXIS 23242, at *38 (M.D.N.C. Dec. 19, 2003) (holding that “wrongful dissemination

of Plaintiff’s confidential information would not be recognized as the tort of

intrusion”).

76. In contrast, the court in Toomer allowed a claim for intrusion into seclusion

to proceed past the motion to dismiss stage because the plaintiff alleged that the

defendant undertook the “unauthorized examination of the contents of one’s

personnel file[.]” 155 N.C. App. at 480. Missing here are allegations of that

unauthorized examination on Bojangles’ part. See Weddle, 2023 NCBC LEXIS 162,

at *11–12 (collecting cases distinguishing Toomer on this point).

77. Because Plaintiffs have not alleged a claim against Bojangles for invasion

of privacy based on a theory of intrusion into seclusion, Bojangles’ Motion with

respect to this claim shall be GRANTED.

E. Unjust Enrichment

78. Bojangles argues that this claim fails because Plaintiffs received

compensation in exchange for their employment and have not pled that they expected

Bojangles to provide any other benefit. (Def.’s Br. 19.) Plaintiffs respond that unjust

enrichment claims are routinely permitted in data breach cases where the allegations

are that the defendant accepted the benefit of the plaintiff’s confidential information

but did not implement proper safety measures to protect that information. (Pls.’

Opp’n 21–23.)

79. “[W]here services are rendered and expenditures made by one party to or

for the benefit of another, without an express contract to pay, the law will imply a promise to pay a fair compensation therefor.” Atl. Coast Line R.R. Co. v. State

Highway Com., 268 N.C. 92, 95–96 (1966) (citing Beacon Homes, Inc. v. Holt, 266 N.C.

467, 472 (1966)). To state a claim for unjust enrichment, Plaintiffs must allege that:

(1) they conferred a benefit on another party; (2) the other party consciously accepted

the benefit; and (3) the benefit was not conferred gratuitously or by an interference

in the affairs of the other party. See Booe v. Shadrick, 322 N.C. 567, 570 (1988).

80. Bojangles relies on Weddle for the proposition that when plaintiffs do not

expect to receive a benefit that is specific to the provision of their personal

information, an unjust enrichment claim fails. 2023 NCBC LEXIS 162, at *14

(plaintiffs “do not allege that they expected to receive any other compensation or

benefit, apart from medical services, in return for their personal information”). In

this case, however, Plaintiffs do allege that they expected to receive a benefit.

Plaintiffs allege that they reasonably understood that, in exchange for receiving their

PII/PHI, Bojangles “would use adequate cybersecurity measures to protect the

PII/PHI[.]” (Compl. ¶ 282.) They further allege that Bojangles avoided “its data

security obligations at the expense of Plaintiffs . . . by utilizing cheaper, ineffective

security measures.” (Compl. ¶ 284.) These allegations are sufficient to survive a

motion to dismiss. See, e.g., Capiau, 2024 U.S. Dist. LEXIS 142393, at *35 (unjust

enrichment adequately pled where “Defendant allegedly accepted the benefits

accompanying Plaintiff’s data without implementing adequate safeguards to protect

Plaintiff’s PII”); Midkiff, 2026 U.S. Dist. LEXIS 66944, at *42 (“In the data breach

context, courts have held that an unjust enrichment claim can lie even where the benefit conferred is not monetary and that a defendant cannot be heard to argue that

defendant was indifferent to plaintiff’s provision of PII, since such provision was a

condition of plaintiff’s employment.” (citation modified)).

81. Plaintiffs’ allegations are sufficient to plead a claim for unjust enrichment.

Accordingly, Bojangles’ Motion with respect to this claim shall be DENIED.

F. Unfair and Deceptive Trade Practices

82. To establish a claim under the UDTPA, a complaint must allege that “(1)

defendant committed an unfair or deceptive act or practice, (2) the action in question

was in or affecting commerce, and (3) the act proximately caused injury to the

plaintiff.” Value Health Sols., Inc. v. Pharm. Rsch. Assocs., Inc., 385 N.C. 250, 277

(2023) (quoting SciGrip, Inc. v. Osae, 373 N.C. 409, 426 (2020)); see also N.C.G.S.

§ 75-1.1.

83. “A practice is unfair when it offends established public policy as well as

when the practice is immoral, unethical, oppressive, unscrupulous, or substantially

injurious to consumers[.]” Bumpers v. Cmty. Bank of N. Va., 367 N.C. 81, 91 (2013)

(quoting Walker v. Fleetwood Homes of N.C., Inc., 362 N.C. 63, 72 (2007)). “A practice

is deceptive if it has the capacity or tendency to deceive.” Id. (citation modified)

(quoting Walker, 362 N.C. at 72).

84. Alleging that the defendant merely breached a contract is not enough.

Birtha v. Stonemor, N.C., LLC, 220 N.C. App. 286, 298 (2012) (“It is well recognized

that . . . a mere breach of contract, even if intentional, is not sufficiently unfair or

deceptive to sustain an action under [the UDTPA].” (citation modified)). Instead, “a plaintiff must show substantial aggravating circumstances attending the breach to

recover under [the UDTPA.]” Branch Banking & Tr. Co. v. Thompson, 107 N.C. App.

53, 62 (1992) (citation modified).

85. A UDTPA plaintiff also must show that he or she suffered actual harm.

Jackson v. Home Depot U.S.A., Inc., 388 N.C. 109, 120 (2025). “[S]peculative

allegations of possible harm in the future are simply insufficient to establish the

actual injury necessary to support a claim under the UDTPA.” Precision Links Inc.

v. USA Prods. Grp., No. 3:08cv576, 2009 U.S. Dist. LEXIS 23926, at *7–8 (W.D.N.C.

Mar. 25, 2009) (collecting cases).

86. Bojangles first argues that, to the extent Plaintiffs try to frame their

UDTPA allegations as fraudulent omissions, the allegations must meet Rule 9(b)’s

particularity requirements. (Def.’s Br. 22–23.) Plaintiffs respond that their

allegations are premised on unfair conduct, not fraud, so they do not need to be

alleged with particularity. (Pls.’ Opp’n 24.)

87. Bojangles is correct that when a UDTPA claim is premised on fraudulent

conduct, Rule 9(b) requires that it be pled with particularity. See Botanisol Holdings

II, LLC v. Propheter, 2021 NCBC LEXIS 94, at *24–25 (N.C. Super. Ct. Oct. 18, 2021)

(“With respect to the Rule 9(b) standard, because the Chapter 75 claim is premised

on deceptive conduct, the heightened pleading standard of Rule 9(b) applies.”); see

also Topshelf Mgmt., Inc. v. Campbell-Ewald Co., 117 F. Supp. 3d 722, 731 (M.D.N.C.

2015) (“Rule 9(b) applies to [UDTPA] claims alleging detrimental reliance on false or

deceptive representations.”). However, “Rule 9(b) does not apply to [UDTPA] claims that do not sound in fraud.” Capiau, 2024 U.S. Dist. LEXIS 142393, at *36–37

(collecting cases).

88. In this case, some of the allegations underlying Plaintiffs’ UDTPA claim

sound in fraud. For example, Plaintiffs specifically allege that Bojangles violated the

UDTPA by “omitting, suppressing, and concealing the material fact that it did not

reasonably or adequately secure Plaintiffs’ . . . PII/PHI[.]” (Compl. ¶ 290d.)

However, at the hearing on the Motion, Plaintiffs’ counsel conceded that Plaintiffs

were not pursuing a claim for deceptive conduct; rather, Plaintiffs’ counsel argued,

Plaintiffs’ claim is limited to Bojangles’ alleged unfair conduct. Given this concession,

the Court does not analyze the claim as one for deception. That does not end the

inquiry, however.

89. A recent decision from the United States District Court for the Western

District of North Carolina, applying North Carolina law, held that failure to

implement and maintain reasonable data security measures may be unfair conduct

that amounts to a violation of the North Carolina UDTPA. The court allowed a claim

with similar facts to this one to survive a motion to dismiss. See Capiau, 2024 U.S.

Dist. LEXIS 142393, at *37 (“To the extent that Plaintiff’s [UDTPA] claim pertains

to Defendant’s allegedly unfair business practices–i.e., Defendant’s failure to

implement and maintain adequate cybersecurity measures and to warn Plaintiff of

the breach–Defendant’s motion will be denied.”); cf. Midkiff, 2026 U.S. Dist. LEXIS

66944, at *46 (deferring resolution of the UDTPA claim until further discovery

because “the factual record is relatively sparse as to Defendant’s practices in collecting, storing, and using Plaintiffs’ PII and Defendant’s actions in response to

the data breach”).

90. In the instant case, Plaintiffs likewise allege that Bojangles failed to

“implement and maintain reasonable security and privacy measures[,]” and that it

“fail[ed] to comply with common law and statutory duties pertaining to the security

and privacy of Plaintiffs’ . . . PII/PHI[.]” (Compl. ¶ 290a, c.) These allegations satisfy

the notice pleading standard. Accordingly, the Motion shall be DENIED. 8 See Hilco

Transp., Inc. v. Atkins, 2016 NCBC LEXIS 5, at *24 n.5 (N.C. Super. Ct. Jan. 15,

2016) (concluding that a UDTPA claim based on unfair practices was sufficiently pled

even though “[m]ore-detailed allegations may be required for a [UDTPA] claim to

survive dismissal under Rule 12(b)(6) when the claim is predicated on allegations of

deceptive conduct.” (citations omitted)).

G. Declaratory Judgment and Injunctive Relief

91. Plaintiffs allege upon information and belief that Bojangles’ security

procedures were “and still are” inadequate. (Compl. ¶ 300.) They request that the

Court enter a judgment declaring that: (1) Bojangles owed, and continues to owe, a

legal duty to use reasonable data security measures to secure data entrusted to it; (2)

Bojangles has a duty to notify impacted individuals of the Data Breach; (3) Bojangles

breached, and continues to breach, its duties by failing to use reasonable measures to

8 The parties have not presented a case, and the Court has not unearthed one, stating that a

violation of the FTCA is a per se violation of the UDTPA. See Ken-Mar Finance v. Harvey, 90 N.C. App. 362, 367 (1988) (“We also note that had the FTC regulation been in effect, violation of its provisions would not, as defendant contends, constitute a per se violation of [the UDTPA]. The regulation would serve only as guidance in construing this statute.”). the data entrusted to it; and (4) Bojangles’ breaches of its duties caused, and continue

to cause, injuries to Plaintiffs. (Compl. ¶ 301.) They further request that the Court

issue an injunction requiring Bojangles to implement “adequate security consistent

with industry standards” to protect their PII/PHI. (Compl. ¶ 302.) Plaintiffs allege

that if an injunction is not issued, and if Bojangles experiences a second data breach,

they will suffer “irreparable injury.” (Compl. ¶ 303.)

92. Bojangles responds that there is no actual controversy in this case because

Plaintiffs have suffered no loss even though more than two years have passed since

the Data Breach. It contends that Plaintiffs’ alleged harms are hypothetical and

cannot be the basis for a declaratory judgment. (Def.’s Br. 24.) As for Plaintiffs’

request for injunctive relief, Bojangles contends that their allegations of imminent

harm are unwarranted based on the facts. (Def.’s Br. 24.)

93. The Declaratory Judgment Act provides:

Any person interested under a deed, will, written contract or other

writings constituting a contract, or whose rights, status or other legal

relations are affected by a statute, municipal ordinance, contract or

franchise, may have determined any question of construction or validity

arising under the instrument, statute, ordinance, contract, or franchise,

and obtain a declaration of rights, status, or other legal relations

thereunder. A contract may be construed either before or after there has

been a breach thereof.

N.C.G.S. § 1-254.

94. Here, Plaintiffs allege that an actual controversy exists because Bojangles

maintains possession of their PII/PHI and, they believe, continues to fail to

implement appropriate and adequate security measures. (Compl. ¶¶ 71, 101, 300.)

These allegations are enough to state a claim for declaratory judgment. See, e.g., In re Moveit Customer Data Sec. Breach Litig., No. 23-md-3083-ADB-PGL, 2025 U.S.

Dist. LEXIS 147106, at *151 (D. Mass. July 31, 2025) (“An allegation of continued

inadequacy of a defendant’s security measures substantiates a claim for declaratory

judgment in a data breach case.” (citation modified)); In re Cap. One Consumer Data

Sec. Breach Litig., 488 F. Supp. 3d 374, 414 (E.D. Va. 2020) (declining to dismiss a

declaratory judgment claim when plaintiffs alleged “that there remains a dispute over

the security of plaintiffs’ PII, which continues to be stored on [defendant]’s servers

and remain subjected to a heightened risk of access and misuse by hackers”); In re

Home Depot, Inc., No. 1:14-md-2583-TWT, 2016 U.S. Dist. LEXIS 65111, at *32 (N.D.

Ga. May 17, 2016) (“The plaintiffs have pleaded that the defendant’s security

measures continue to be inadequate and that they will suffer substantial harm. The

plaintiffs have pleaded sufficient facts to survive a motion to dismiss regarding a

future breach.”).

95. Accordingly, Bojangles’ Motion with respect to Plaintiffs’ claim for

declaratory judgment shall be DENIED. 9

V. CONCLUSION

96. WHEREFORE, the Court ORDERS as follows:

a. With respect to the First Cause of Action (Negligence), the Third

Cause of Action (Breach of Implied Contract), the Fifth Cause of

Action (Unjust Enrichment), the Sixth Cause of Action (Violation of

North Carolina Unfair and Deceptive Trade Practices Act), and the

9 A more complete record is necessary to address Plaintiffs’ request for injunctive relief.

Seventh Cause of Action (Declaratory Judgment), the Motion is

DENIED.

b. With respect to the Second Cause of Action (Negligence per se) and

the Fourth Cause of Action (Invasion of Privacy), the Motion is

GRANTED, and those claims are DISMISSED WITH

PREJUDICE.

SO ORDERED, this the 29th day of June, 2026.

/s/ Julianna T. Earp

Julianna T. Earp

Special Superior Court Judge

for Complex Business Cases