Eighth Circuit Finds Standing, but Ultimately Rejects Claims, in Data-Breach Suit

Cruz-Alvarez_F

Featured Expert Contributor—Civil Justice/Class Actions

Frank Cruz-Alvarez, Shook, Hardy & Bacon L.L.P., with Rachel Forman, Shook, Hardy & Bacon L.L.P.

On August 21, 2017, the U.S. Court of Appeals for the Eighth Circuit, in Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017), affirmed the district court’s dismissal of a consolidated class action complaint.  The Eighth Circuit disagreed with the district court and held that the plaintiff had Article III standing for the contract-related claims, but nonetheless affirmed the dismissal of the complaint because it failed to state a claim upon which relief could be granted.

The putative class-action plaintiffs were individuals whose claims arose when their personal identifying information (PII) was stolen by hackers from the internal database of Scottrade, a securities brokerage firm, and was “exploited … to operate a stock price manipulation scheme, illegal gambling websites, and a Bitcoin exchange.”  Id. at 713–14.  One of the plaintiffs, Kuhns, had provided his PII to Scottrade when he entered into a brokerage agreement with the firm under which he agreed to pay fees and commissions for purchases and sales of securities “on a per order basis.”  Id. at 714.

An addendum to the brokerage agreement described in detail the procedures and infrastructure Scottrade had in place to safeguard its customers’ personal and financial information.  In addition, Scottrade’s online privacy statement and another document on its website provided guarantees that Scottrade keeps all customer information confidential and uses “leading security technologies” that comply with “applicable laws and regulations.”

As a result of the data breach, the plaintiffs filed their separate class actions against Scottrade in the United States District Court for the Eastern District of Missouri, and after those class actions were consolidated, they filed a consolidated class-action complaint asserting claims for (1) breach of contract, (2) breach of implied contract, (3) unjust enrichment, (4) declaratory judgment, and (5) a violation of the Missouri Merchandising Practices Act (MMPA).  The basic factual premise of the claims was that Scottrade failed to provide sufficient cybersecurity in violation of its “contractual and other obligations,” and that part of the fees customers paid pursuant to the brokerage agreement was used for “data management and security.”  Id. at 714.

The complaint alleged that the plaintiffs faced “an immediate and continuing increased risk of identity theft and identity fraud” and “received Brokerage Agreement services diminished in value and therefore overpaid Scottrade for those services” among other allegations of purported damages.  Id.

Scottrade moved to dismiss for lack of subject matter jurisdiction and failure to state a claim.  The district court found that the plaintiffs did not have Article III standing because no injury in fact had occurred and dismissed the complaint with prejudice on that ground.  Only plaintiff Kuhns appealed the district court’s ruling and Scottrade cross-appealed because the district court failed to address its failure-to-state-a-claim argument.  On appeal, the Eighth Circuit was tasked with addressing both Article III standing—whether Kuhns suffered an injury in fact—and whether Kuhns stated a plausible claim.

Turning first to the issue of Article III standing, the Court opined that Kuhns had standing regarding his contract-related claims “based on his allegations that he did not receive the full benefit of his bargain with Scottrade.”  According to the Eighth Circuit, Kuhns successfully alleged Scottrade used a portion of his fees to “meet Scottrade’s contractual obligations to provide data management and security to protect [Kuhns’] PII.”  Id. at 716.  The Court stated that the “difference between the amount [Kuhns] paid and the value of the services received is an actual economic injury that establishes injury in fact for [Kuhns’] contract related claims”—the overpayment theory.  Id.

Then, relying on its decision in Carlsen v. Gamestop, Inc., Judge Loken wrote that Kuhns had a “judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged,” and that it is crucial not to “conflate Article III’s requirement of injury in fact with a plaintiff’s potential causes of action.”  Id.

The court went on to address whether Kuhns failed to state a claim upon which relief could be granted.  It first found that Kuhns did not assert plausible breach of contract claims for three reasons.

First, it found that Kuhns’ bare assertions that Scottrade did not comply with laws or regulations or maintain sufficient security measures and procedures as it represented it would in the brokerage agreement, did not state a claim for relief.  Id.  It noted that Scottrade represented conditions, and did not make promises, in the recitals of its brokerage agreement, and Plaintiff failed to claim that Scottrade misrepresented those conditions.  Id.

Second, even if Scottrade had made promises, Kuhns failed to allege that Scottrade violated a single “applicable law and regulation,” or that Scottrade promised that its customer data would never be hacked.”  Id.

Third, the complaint failed to allege any actual damage, and Kuhns did not contest that his or any other customers’ stolen PII was actually utilized in the two years between the data breach and the filing of the complaint.  Id. at 718.

And, given that Kuhns paid his fees “on a per order basis,” the allegation that Scottrade’s failure “was a breach of contract that diminished Kuhns’ bargain was not plausible.”  Id.  The Court found that the claims for implied contract and unjust enrichment had to be dismissed for the same reasons.

As to Kuhns’ claim for declaratory relief, the Court dismissed it because the allegations focused on past conduct and not Scottrade’s current practices.  Finally, as to Kuhns’ claim under the MMPA, the court found that it was implausible because Kuhns failed to plead any purported fraudulent conduct with particularity, the alleged unlawful act did not occur in relation to the sale of merchandise, and the complaint failed to allege an unfair or deceptive trade practice.  The Eighth Circuit followed the same approach as did the Ninth Circuit in its Robins v. Spokeo (“Spokeo II”) decision and found an injury in fact, but just as the Eighth Circuit did in Gamestop, the court dismissed the claims pursuant to 12(b)(6).

Article III standing and injury in fact have been a focal point in data-breach litigation.  Kuhns is indicative of a possible growing trend in the Eighth and Ninth Circuits to take a more liberal approach to injury in fact and the overpayment theory in data-breach cases post-Spokeo.  But whether Kuhns provides a roadmap to potential plaintiffs to successfully bring these putative class actions remains unclear.  Given the right allegations, a case such as Kuhns could survive a motion to dismiss, but whether it could survive discovery and summary judgment is unknown.  What is certain is that businesses have entered an era where data-security breaches are more common and present new legal and regulatory obligations.

Given this climate, attorneys should advise their corporate clients to remain on the forefront of data security and legal compliance, and ensure that their consumer agreements contain carefully drafted representations about data security so as to not make promises that cannot be kept.  If a certain level of data security is guaranteed in a consumer agreement, courts may be inclined to hold companies to their word.

[Ed. Note: To learn more about the Ninth Circuit’s Robins v. Spokeo ruling, see and August 28, 2017 WLF Legal Pulse post and an October 20, 2017 WLF Legal Backgrounder.]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s