The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013. The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers.
The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing. The Complaint alleged a number of injuries in fact, including “that plaintiffs faced an immediate and continuing increased risk of identity theft and identity fraud; incurred financial costs of monitoring their credit and financial accounts to mitigate against that risk; received Brokerage Agreement services diminished in value and therefore overpaid Scottrade for those services; suffered economic damage from the decline in value of their PII; and suffered invasion of privacy and breach of confidentiality.” Kuhns v. Scottrade, Inc., No. 16-3426, — F.3d —, 2017 WL 3584046, at *2 (8th Cir. Aug. 21, 2017). The Court found that these allegations were sufficient to confer Article III standing because the only named plaintiff that had appealed the district court’s ruling “alleged that he bargained for and expected protection of his PII, that Scottrade breached the contract when it failed to provide promised reasonable safeguards, and that Kuhns suffered actual injury, the diminished value of his bargain.” Id. at *3.
The Court then considered whether the Complaint stated a plausible claim to relief. All of the plaintiffs’ claims were based on the core allegation that the appealing named plaintiff “paid for data security services that Scottrade did not provide.” Id. The Court held that this allegation does not “plausibly allege a breach of contract” because the Complaint “does not allege that Scottrade affirmatively promised that its customer data would not be hacked, and such a promise may not be plausibly implied.” Id. at *4. Moreover, “[t]he implied premise that because data was hacked Scottrade’s protections must have been inadequate is a ‘naked assertion[] devoid of further factual enhancement’ that cannot survive a motion to dismiss.” Id. (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). The Court also concluded that the Complaint “failed to plausibly allege the actual damage that is an element of a breach of contract claim” because it was based solely on “allegations of worry and inconvenience” and because the Complaint did not allege that Plaintiffs had “suffered fraud or identity theft that resulted in financial loss from use of PII.” Id. The Court then concluded that the Complaint’s breach of implied contract and unjust enrichment claims failed for similar reasons, and that the claims for declaratory relief and for a violation of a state consumer protection statute also should be dimsissed. Id. at *4-5.
The Court’s holding on the breach of contract claims is potentially significant, as it suggests that consumers in the Eighth Circuit cannot simply rely on the fact that a company’s systems were breached to support a claim that the company’s data security practices were inadequate. The opinion suggests that, to state a plausible claim to relief in the data breach context, consumers must allege specific facts to support their allegation that their PII was not adequately protected. See id. at *4 (concluding that contract-based claims were implausible because the court was “left to guess how Scottrade failed to take ‘industry leading’ security measures”).