CONTRIBUTOR

ARTICLE

United States: Eighth Circuit Rejects Implied Premise That A Hack Is Tantamount To Inadequate Information Security, Ruling Such " ‘Naked Assertions' … Cannot Survive A Motion To Dismiss."

31 August 2017

by Alan Charles Raul

Sidley Austin LLP

To print this article, all you need is to be registered or login on Mondaq.com.

The Eighth Circuit held on August 21 that, in the absence of actual injury in a data breach case, "massive class action litigation should be based on more than allegations of worry and inconvenience." The Court found that no customers of the defendant securities brokerage firm had suffered fraud or identity theft resulting in financial loss from a 2013 data security incident.* Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).

In a decision that is replete with great holdings and quotable language for defendants in data breach litigation, the Eighth Circuit demonstrated that even where constitutional standing is found, plaintiffs will not likely succeed if they can allege no real injury even years after the hack occurred.

The case was based on a data security incident in which hackers acquired personal identifying information ("PII") of over 4.6 million customers and exploited the information to operate a stock price manipulation scheme, illegal gambling websites, and a Bitcoin exchange. The complaint was based on a contract theory, alleging that a portion of the fees paid in connection with the plaintiff's securities accounts "were used for data management and security." The plaintiff alleged that as a result of the incident, the purported class of affected customers faced an immediate and continuing increased risk of identity theft and identity fraud; incurred financial costs for monitoring their credit and financial accounts to mitigate against that risk; overpaid for brokerage services with a diminished value; suffered economic damage from the decline in value of their PII; and suffered invasion of privacy and breach of confidentiality.

Standing Found Based on "Overpayment" Theory

Reversing the district court, the Eighth Circuit found that the "overpayment theory" was sufficient to grant standing to sue on a breach of contract theory. The appellate opinion states that:

"[W]e conclude he has standing regarding his breach of contract and contract-related claims based on allegations that he did not receive the full benefit of his bargain with Scottrade. Kuhns alleges that a portion of the fees paid in connection with his Scottrade account were used to meet Scottrade's contractual obligations to provide data management and security to protect his PII. When Scottrade breached those obligations, Kuhns received brokerage services of lesser value. He asserts that the difference between the amount he paid and the value of the services received is an actual economic injury that establishes injury in fact for his contract-related claims.

"We have previously explained that "a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged." Gamestop, 833 F.3d at 909 (quotation omitted)."

Breach of Brokerage Services Contract Not Plausibly Alleged Based on Asserted Data Security Failures

More importantly, however, the Court found the complaint's assertions that the firm "did not comply with applicable laws and regulations," or did not maintain sufficient security measures and procedures to prevent unauthorized access, did not plausibly allege a breach of contract. "First, representations of conditions Scottrade will maintain are in the nature of contract recitals. If Scottrade misrepresented those conditions, Kuhns might have a claim for fraud in the inducement of the contract. But no such claim was asserted. Indeed, there was no alleged misrepresentation, just bare assertions that Scottrade's efforts failed to protect customer PII." (Emphasis added.) Moreover, the Court highlighted that plaintiff failed to allege a specific breach of an express contract or identify a single "applicable law and regulation" that the company allegedly breached regarding its data security practices. Further, the Court noted that the plaintiff did not allege any affirmative promise that customer data would not be hacked, "and such a promise may not be plausibly implied."

Implied Premise that a Hack Is Tantamount to Protections Being Inadequate "Is a 'Naked Assertion[]' ... that Cannot Survive a Motion to Dismiss" and "Massive Class Action Litigation Should Be Based on More than Allegations of Worry and Inconvenience"

Significantly, the Court held that "[t]he implied premise that because data was hacked Scottrade's protections must have been inadequate is a 'naked assertion[] devoid of further factual enhancement' that cannot survive a motion to dismiss. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotations omitted)." Given that the plaintiff could not contest that no customer had suffered fraud or identity theft from use of their stolen PII in the more than two years that passed between the data breach and the filing of the complaint, "massive class action litigation should be based on more than allegations of worry and inconvenience."

Alleged Failure of Security Measures Was Not a Plausible Breach of Contract Based Solely on "Overpayment" Theory

As to the allegation that the plaintiff overpaid because a portion of the brokerage services fees were for data management and security, the Court noted that given the express terms of the contract, the allegation that the failure of security measures was a breach of contract that diminished the benefit of plaintiff's bargain is not plausible. Plaintiff's claims for breach of implied contract and unjust enrichment were dismissed for the same failure to allege plausible claims. The claim for declaratory relief was found "virtually unintelligible," and focused on past conduct—the 2013 data breach—and not on the firm's current practices. Also, the plaintiff "cite[d] no precedent for the notion that the Declaratory Judgment Act provides federal courts with authority to order a party to 'obey your contract.'"

State Consumer Protection Claims Dismissed Because Plaintiff Did Buy Data Security Services, and Because Fraud Not Pleaded with Particularity

The state consumer protection act count was dismissed because a claim for "fraudulent and deceptive acts" sounds in fraud and was not pleaded with the particularity required by Rule 9(b) of the Federal Rules of Civil Procedure. Also, to be actionable under the state's statute, "an ascertainable pecuniary loss must occur in relation to the plaintiff's purchase or lease of that merchandise. And while "intangible services may qualify as merchandise," the firm "did not sell data security services." Finally, the Court held that the complaint "fail[ed] to plausibly allege how failing to discover and notify customers of the data breach qualifies as an unfair or deceptive trade practice under the statute."

*Sidley represented Scottrade in connection with its incident response.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

AUTHOR(S)

Alan Charles Raul

Sidley Austin LLP

ARTICLE TAGS

United States Litigation, Mediation & Arbitration Class Actions Privacy Data Protection Technology Security

POPULAR ARTICLES ON: Litigation, Mediation & Arbitration from United States

RELATED CONTENT

FREE News Alerts

Sign Up for our free News Alerts - All the latest articles on your chosen topics condensed into a free bi-weekly email.

Article Tags

United States Litigation, Mediation & Arbitration Class Actions Privacy Data Protection

More Tags

Related Articles

Ninth Circuit Holds Warehouse Worker Qualifies As Transportation Worker Under FAA Exemption Jackson Lewis

Supreme Court Rules That The FAA's Arbitration Exemption Is Not Limited To Transportation Industry Ford & Harrison LLP

Michigan Mayor's Term-Limit Challenge Illustrates Need To Draft Charter Provisions Carefully McDonald Hopkins

Chlormequat Contamination In Food Products Draws Attention K&L Gates

Countdown To Business Courts And Other Key Changes Affecting Business Litigation In Texas Butler Snow LLP

Mondaq Webinars

APR24

Mastering Mediation & Arbitration: Strategies for Navigating the Rising Tide of Privacy Class Action Lawsuits

APR25

Canadian Employment Law: Updates and Emerging Trends in Employment

McCarthy Tétrault LLP

Comparative Guides

Anti-Corruption & Bribery

Artificial Intelligence

Aviation Finance

Aviation Regulation

Banking Regulation

Mondaq Advice Centres

United States

Advertising and Marketing

United States

Telemarketing

United States

COVID-19

Global

Trademarks in SAARC Countries

United States

International Trade Law & Customs

Curated Content

Honoring Women's History Month: JAMS Neutrals Reflect On Their Careers And Provide Words Of Wisdom For Future Generations (Podcast)
JAMS

The Use Of AI In ADR: Balancing Potential And Pitfalls
JAMS

[PODCAST] JAMS Neutrals Discuss Evolution Of ADR For Resolving Construction Disputes
JAMS

Neutral Analysis: An Overlooked Tool For Understanding And Handling Disputes
JAMS

Top Considerations For Selecting International Arbitration Seats And The Rise Of The U.S. As An International ADR Hub (Podcast)
JAMS

Upcoming Events

MAY02

Seyfarth & ACC Northeast Present Elevate & Evolve: Transforming Your Legal Ops Approach

Seyfarth Shaw LLP

Webinar Chicago United States

MAY09

Privacy + Security Forum Spring Academy 2024

Forum Washington, DC United States

More filters

Mondaq Social Media

Upcoming Webinar: Mastering Mediation & Arbitration: Strategies for Navigating the Rising Tid (...) Register Now

© Mondaq® Ltd 1994 - 2024. All Rights Reserved.

Please to Mondaq or for unlimited free access and a complimentary news alert

|

|

|

|