Privacy & Information Security Law Blog

On August 21, 2017, the United States Court of Appeals for the Eighth Circuit affirmed the dismissal of a putative class action arising from the Scottrade data breach. Notably, however, the Eighth Circuit did not agree with the trial court’s ruling that the plaintiff lacked Article III standing, instead dismissing the case with prejudice for failure to state a claim. 

The plaintiff sued Scottrade after an internal database was breached in late 2013 and early 2014. The plaintiff’s putative class action asserted claims for breach of express and implied contracts, unjust enrichment, declaratory judgment and violation of the Missouri Merchandising Practices Act. He claimed damages based on, among other things, the increased risk of identity fraud, the costs of mitigating that risk and the decline in value of his personal identifying information (“PII”), as well as overpayment to Scottrade for brokerage services. The trial court dismissed the case due to lack of Article III standing. The Eighth Circuit disagreed with the standing ruling, but nevertheless affirmed on different grounds raised on Scottrade’s cross-appeal.

Article III Standing for Contract Claims. The appellate court found standing only for the breach of contract and contract-related claims based on allegations that the plaintiff did not receive the full benefit of his bargain. When the plaintiff opened his Scottrade account, he signed a Brokerage Agreement and provided Scottrade with certain PII. He claimed that a portion of the fees paid in connection with the Scottrade account were used to meet Scottrade’s contractual obligations to provide data management and security to protect his PII.

When Scottrade breached those data-security related obligations, the plaintiff argued that he received services of a lesser value, and the difference between the amount he paid and the value of the actual services rendered was an actual economic injury sufficient to establish constitutional standing. The court agreed that he had satisfied Article III standing for the contract and contract-related claims, but ultimately found the allegations were insufficient to state a claim.

Failure to State a Claim. The appellate court found that “representations of [information security] conditions Scottrade will maintain are in the nature of contract recitals, and there was no alleged misrepresentation.” The court also faulted the plaintiff for not identifying any step Scottrade might have taken to protect his PII, or any applicable law or regulation to which Scottrade did not adhere. The plaintiff’s “implied premise that because data was hacked Scottrade’s protections must have been inadequate” was a naked assertion “that cannot survive a motion to dismiss.” The court stated, “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.”

The court further found the plaintiff failed to plausibly allege actual damages. Because the Brokerage Agreement provided for charges based “on a per order basis,” any alleged information security failure that supposedly diminished the benefit of the plaintiff’s bargain was not plausible. The court identified additional reasons to affirm dismissal of the remainder of the claims.