Eighth Circuit Rejects Implied Premise that a Hack Is Tantamount to Inadequate Information Security, Ruling Such “ ‘Naked Assertions’ … Cannot Survive a Motion to Dismiss.”
The Eighth Circuit held on August 21 that, in the absence of actual injury in a data breach case, “massive class action litigation should be based on more than allegations of worry and inconvenience.” The Court found that no customers of the defendant securities brokerage firm had suffered fraud or identity theft resulting in financial loss from a 2013 data security incident.* Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).
In a decision that is replete with great holdings and quotable language for defendants in data breach litigation, the Eighth Circuit demonstrated that even where constitutional standing is found, plaintiffs will not likely succeed if they can allege no real injury even years after the hack occurred.
The case was based on a data security incident in which hackers acquired personal identifying information (“PII”) of over 4.6 million customers and exploited the information to operate a stock price manipulation scheme, illegal gambling websites, and a Bitcoin exchange. The complaint was based on a contract theory, alleging that a portion of the fees paid in connection with the plaintiff’s securities accounts “were used for data management and security.” The plaintiff alleged that as a result of the incident, the purported class of affected customers faced an immediate and continuing increased risk of identity theft and identity fraud; incurred financial costs for monitoring their credit and financial accounts to mitigate against that risk; overpaid for brokerage services with a diminished value; suffered economic damage from the decline in value of their PII; and suffered invasion of privacy and breach of confidentiality.
Standing Found Based on “Overpayment” Theory
Reversing the district court, the Eighth Circuit found that the “overpayment theory” was sufficient to grant standing to sue on a breach of contract theory. The appellate opinion states that:
“[W]e conclude he has standing regarding his breach of contract and contract-related claims based on allegations that he did not receive the full benefit of his bargain with Scottrade. Kuhns alleges that a portion of the fees paid in connection with his Scottrade account were used to meet Scottrade’s contractual obligations to provide data management and security to protect his PII. When Scottrade breached those obligations, Kuhns received brokerage services of lesser value. He asserts that the difference between the amount he paid and the value of the services received is an actual economic injury that establishes injury in fact for his contract-related claims.
“We have previously explained that ‘a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.’ Gamestop, 833 F.3d at 909 (quotation omitted).”
Breach of Brokerage Services Contract Not Plausibly Alleged Based on Asserted Data Security Failures
More importantly, however, the Court found the complaint’s assertions that the firm “did not comply with applicable laws and regulations,” or did not maintain sufficient security measures and procedures to prevent unauthorized access, did not plausibly allege a breach of contract. “First, representations of conditions Scottrade will maintain are in the nature of contract recitals. If Scottrade misrepresented those conditions, Kuhns might have a claim for fraud in the inducement of the contract. But no such claim was asserted. Indeed, there was no alleged misrepresentation, just bare assertions that Scottrade’s efforts failed to protect customer PII.” (Emphasis added.) Moreover, the Court highlighted that plaintiff failed to allege a specific breach of an express contract or identify a single “applicable law and regulation” that the company allegedly breached regarding its data security practices. Further, the Court noted that the plaintiff did not allege any affirmative promise that customer data would not be hacked, “and such a promise may not be plausibly implied.”
Implied Premise that a Hack Is Tantamount to Protections Being Inadequate “Is a ‘Naked Assertion’ … that Cannot Survive a Motion to Dismiss” and “Massive Class Action Litigation Should Be Based on More than Allegations of Worry and Inconvenience”
Significantly, the Court held that “[t]he implied premise that because data was hacked Scottrade’s protections must have been inadequate is a ‘naked assertion devoid of further factual enhancement’ that cannot survive a motion to dismiss. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotations omitted).” Given that the plaintiff could not contest that no customer had suffered fraud or identity theft from use of their stolen PII in the more than two years that passed between the data breach and the filing of the complaint, “massive class action litigation should be based on more than allegations of worry and inconvenience.”
Alleged Failure of Security Measures Was Not a Plausible Breach of Contract Based Solely on “Overpayment” Theory
As to the allegation that the plaintiff overpaid because a portion of the brokerage services fees were for data management and security, the Court noted that given the express terms of the contract, the allegation that the failure of security measures was a breach of contract that diminished the benefit of plaintiff’s bargain is not plausible. Plaintiff’s claims for breach of implied contract and unjust enrichment were dismissed for the same failure to allege plausible claims. The claim for declaratory relief was found “virtually unintelligible,” and focused on past conduct—the 2013 data breach—and not on the firm’s current practices. Also, the plaintiff “cite[d] no precedent for the notion that the Declaratory Judgment Act provides federal courts with authority to order a party to ‘obey your contract.’”
State Consumer Protection Claims Dismissed Because Plaintiff Did Not Buy Data Security Services, and Because Fraud Not Pleaded with Particularity
The state consumer protection act count was dismissed because a claim for “fraudulent and deceptive acts” sounds in fraud and was not pleaded with the particularity required by Rule 9(b) of the Federal Rules of Civil Procedure. Also, to be actionable under the state’s statute, “an ascertainable pecuniary loss must occur in relation to the plaintiff’s purchase or lease of that merchandise.” And while “intangible services may qualify as merchandise,” the firm “did not sell data security services.” Finally, the Court held that the complaint “fail[ed] to plausibly allege how failing to discover and notify customers of the data breach qualifies as an unfair or deceptive trade practice under the statute.”
*Sidley represented Scottrade in connection with its incident response.