Eighth Circuit Finds Standing in Data Breach Case for Privacy Policy Violation, Dismisses for Lack of Specificity

The U.S. Court of Appeals for the Eighth Circuit has held that allegations that the security provisions of a privacy policy were violated are sufficient for standing in a data breach case, but that plaintiffs’ contractual claims needed to be pled with specificity. The August 21 ruling, Kuhns v. Scottrade, makes it easier for data breach plaintiffs to establish standing to bring their contractual claims even as it raises the level of detail that must be present in those claims to survive a motion to dismiss.

Background

Between September 2013 and February 2014, hackers successfully accessed the customer databases of securities brokerage firm Scottrade and extracted the personal identifying information for 4.6 million customers. These hackers used the stolen PII to operate a stock price manipulation scheme, illegal internet gambling services and a Bitcoin exchange.

Matthew Kuhns, one of the affected Scottrade customers, opened his account in 2005, signing a brokerage agreement and providing Scottrade with his name, address, social security number, tax identification number, telephone number, employer information and work history. The brokerage agreement provided that Kuhns would pay Scottrade on a per order basis and included as an addendum Scottrade’s privacy policy and security statement. According to the privacy policy and statement, the firm collected the its customers’ PII but “maintain[ed] physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information,” and “offers a secure server and password-protected environment... protected by Secure Socket Layer (SSL) encryption.”

Scottrade’s online privacy policy purportedly also stated: “We comply with applicable laws and regulations regarding personal information.... We use industry leading security technologies, including layered security and access controls over personal information.” A document on the firm’s website also stated: “We keep all customer information confidential and maintain strict physical, electronic and procedural safeguards to protect against unauthorized access to your information.”

Kuhns and three others affected by the data breach brought putative class actions against Scottrade alleging claims for breach of contract, breach of implied contract, unjust enrichment, declaratory judgment and violations of the Missouri Merchandising Practices Act, a state consumer protection statute. The consolidated class action complaint in district court asserted that a portion of the brokerage fees paid to Scottrade was used for data management and security and that Scottrade breached its contractual obligations by failing to have adequate security measures. The complaint also asserted that, as a result of the data breach, the plaintiffs faced an increased risk of identity theft and incurred financial costs of monitoring their financial accounts and the value of their brokerage services and PII was diminished in value. The district court dismissed the consolidated class action complaint with prejudice, concluding that the plaintiffs lacked Article III standing because they had not alleged an injury in fact.

Eighth Circuit Decision

The Eighth Circuit affirmed the district court’s dismissal, not for lack of standing but for failing to state a claim. Relying on its prior precedent of Carlsen v. Gamestop, the court concluded that Kuhns had “standing regarding his breach of contract and contract-related claims based on allegations that he did not receive the full benefit of his bargain with Scottrade.” Specifically, the Eighth Circuit held that Kuhns’ allegations that “he bargained for and expected protection of his PII, that Scottrade breached the contract when it failed to provide reasonable safeguards, and that Kuhns suffered actual injury, the diminished value of his bargain,” established an injury in fact. In Gamestop, the Eighth Circuit found that allegations that subscriptions to a website were devalued because the website shared the personal information of its customer in violation of its privacy policy established an actual injury that conferred Article III standing. In light of Gamestop, the court noted: “Whatever the merits of Kuhns’ contract claim and his related claims..., he has Article III standing to assert them.”

Turning to Kuhns’ breach of contract claims, the Eighth Circuit found that “bare allegations that Scottrade’s efforts failed to protect customer PII” were not sufficiently specific. The court observed that Kuhns had not identified a single applicable law and regulation that

Scottrade had allegedly breached regarding its data security practices. Nor had Kuhns identified any actual financial loss suffered by the affected Scottrade customers as a result of the data breach. The Eighth Circuit noted that “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.” In addition, the court found that, because the brokerage agreement expressly provided that brokerage services were paid “on a per order basis,” Kuhns’ “allegation that the failure of Scottrade’s security measures was a breach of contract that diminished the benefit of Kuhns’ bargain is not plausible.”

Similarly, the Eighth Circuit found that Kuhns’ claims for breach of implied contract, unjust enrichment and declaratory judgment lacked sufficient detail. The court held that Kuhns had not identified how Scottrade had failed to take “industry leading” security measures, what “specific portion of [Kuhns’ brokerage service fees] went to data protection,” or which of Scottrade’s current security practices were allegedly “illegal.”

Finally, the Eighth Circuit addressed Kuhns’ claim under the Missouri Merchandising Practices Act. Finding that Kuhns’ claim sounded in fraud, the court found that Kuhns had not pled his claim with the particularity required by Rule 9(b) of the Federal Rules of Civil Procedure. Moreover, the court also found that the Missouri Merchandising Practices Act requires an alleged unlawful act to occur in relation to a sale of merchandise and an ascertainable loss must result from that transaction and that Scottrade sold brokerage services, not data security services, making the Missouri statute inapplicable.

Takeaways

The Scottrade decision offers something significant for both data breach plaintiffs and defendants. It provides an avenue for satisfying Article III’s injury in fact requirement where the plaintiff is able to allege he relied on a specific statement by the defendant about its security practices when entering a contract with the defendant. For example, following a data breach, plaintiffs (at least in the Eighth Circuit) need only allege a breach of the ubiquitous language in privacy policies concerning maintaining the security of customer PII in their class action complaint to establish a concrete injury and survive a motion to dismiss for lack of standing. However, data breach plaintiffs will also have to plead their contract and contract-related claims with much greater specificity to survive a motion to dismiss for failure to state a claim. Plaintiffs will be unable to rely on general allegations that defendants’ security measures were inadequate, that a data breach resulted from these inadequate measures and that they suffered undefined damages from the breach. Plaintiffs will now have to identify the applicable law, regulation or industry standard with which defendants failed to comply; the particular security measure or practice they are challenging as insufficient; and the financial loss that they have suffered as a result of the data breach.