Between September 2013 and February 2014, hackers successfully accessed the customer databases of securities brokerage firm Scottrade and extracted the personal identifying information for 4.6 million customers. These hackers used the stolen PII to operate a stock price manipulation scheme, illegal internet gambling services and a Bitcoin exchange.
Kuhns and three others affected by the data breach brought putative class actions against Scottrade alleging claims for breach of contract, breach of implied contract, unjust enrichment, declaratory judgment and violations of the Missouri Merchandising Practices Act, a state consumer protection statute. The consolidated class action complaint in district court asserted that a portion of the brokerage fees paid to Scottrade was used for data management and security and that Scottrade breached its contractual obligations by failing to have adequate security measures. The complaint also asserted that, as a result of the data breach, the plaintiffs faced an increased risk of identity theft and incurred financial costs of monitoring their financial accounts and the value of their brokerage services and PII was diminished in value. The district court dismissed the consolidated class action complaint with prejudice, concluding that the plaintiffs lacked Article III standing because they had not alleged an injury in fact.
Turning to Kuhns’ breach of contract claims, the Eighth Circuit found that “bare allegations that Scottrade’s efforts failed to protect customer PII” were not sufficiently specific. The court observed that Kuhns had not identified a single applicable law and regulation that
Scottrade had allegedly breached regarding its data security practices. Nor had Kuhns identified any actual financial loss suffered by the affected Scottrade customers as a result of the data breach. The Eighth Circuit noted that “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.” In addition, the court found that, because the brokerage agreement expressly provided that brokerage services were paid “on a per order basis,” Kuhns’ “allegation that the failure of Scottrade’s security measures was a breach of contract that diminished the benefit of Kuhns’ bargain is not plausible.”
Similarly, the Eighth Circuit found that Kuhns’ claims for breach of implied contract, unjust enrichment and declaratory judgment lacked sufficient detail. The court held that Kuhns had not identified how Scottrade had failed to take “industry leading” security measures, what “specific portion of [Kuhns’ brokerage service fees] went to data protection,” or which of Scottrade’s current security practices were allegedly “illegal.”
Finally, the Eighth Circuit addressed Kuhns’ claim under the Missouri Merchandising Practices Act. Finding that Kuhns’ claim sounded in fraud, the court found that Kuhns had not pled his claim with the particularity required by Rule 9(b) of the Federal Rules of Civil Procedure. Moreover, the court also found that the Missouri Merchandising Practices Act requires an alleged unlawful act to occur in relation to a sale of merchandise and an ascertainable loss must result from that transaction and that Scottrade sold brokerage services, not data security services, making the Missouri statute inapplicable.
The Scottrade decision offers something significant for both data breach plaintiffs and defendants. It provides an avenue for satisfying Article III’s injury in fact requirement where the plaintiff is able to allege he relied on a specific statement by the defendant about its security practices when entering a contract with the defendant. For example, following a data breach, plaintiffs (at least in the Eighth Circuit) need only allege a breach of the ubiquitous language in privacy policies concerning maintaining the security of customer PII in their class action complaint to establish a concrete injury and survive a motion to dismiss for lack of standing. However, data breach plaintiffs will also have to plead their contract and contract-related claims with much greater specificity to survive a motion to dismiss for failure to state a claim. Plaintiffs will be unable to rely on general allegations that defendants’ security measures were inadequate, that a data breach resulted from these inadequate measures and that they suffered undefined damages from the breach. Plaintiffs will now have to identify the applicable law, regulation or industry standard with which defendants failed to comply; the particular security measure or practice they are challenging as insufficient; and the financial loss that they have suffered as a result of the data breach.