In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.
In 2016, a group of Scottrade customers, including Matthew Kuhns, filed a consolidated class action complaint against Scottrade, the St. Louis-based securities brokerage firm. The complaint alleged that between September 2013 and February 2014, hackers accessed Scottrade’s databases and acquired personal identifying information for approximately 4.6 million customers. The hackers used this information to operate a stock manipulation scheme, engage in illegal online gambling, and develop a Bitcoin exchange. The plaintiffs alleged that Scottrade provided inadequate cybersecurity in violation of its contractual obligations to protect customers’ personal and financial information. According to the complaint, the plaintiffs faced imminent and increased risk of identity theft and fraud.
The district court dismissed the action finding that the plaintiffs lacked standing to assert their claims. On appeal, the Eighth Circuit considered whether Kuhns— the only plaintiff who appealed—“suffered an injury in fact, that is, ‘an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.’” Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542, at 5 (8th Cir. Aug. 21 2017) (quoting Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016)). The court found that Kuhns had standing to assert the contract-related claims on the basis of the allegation that he did not receive the full benefit of the contract with Scottrade.
“Kuhns alleged that he bargained for and expected protection of his PII [personally identifiable information], that Scottrade breached the contract when it failed to provide promised reasonable safeguards, and that Kuhns suffered actual injury, the diminished value of his bargain,” wrote the court. “Whatever the merits of Kuhn’s contract claim . . . he has Article III standing to assert them.”
But the court also found that Kuhn’s complaint did not plausibly allege a breach of contract. “The implied premise that because the data was hacked Scottrade’s protections must have been inadequate is a ‘naked assertion devoid of further factual enhancement’ that cannot survive a motion to dismiss.” Specifically, none of the 4.6 million customers affected by the breach suffered identity theft or fraud that resulted in financial loss, a fact that Kuhns did not dispute. In passing, the Circuit stated that “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.”
The Eighth Circuit’s standing determination in Kuhns comes only days after the Ninth Circuit’s second look at the Spokeo case. On remand from the United States Supreme Court, the Ninth Circuit was instructed to determine whether an alleged violation of the Fair Credit Reporting Act (“FCRA”) constituted a concrete harm sufficient to satisfy the Article III injury in fact requirement. Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. Aug. 15 2017). Plaintiff-appellant Thomas Robins alleged that defendant-appellee Spokeo, Inc. published his consumer report containing inaccurate information and harmed his employment prospects at a time when he was unemployed. The Ninth Circuit ruled that Robins’ alleged injuries were sufficiently concrete for the purposes of Article III standing because the FCRA was established to protect consumers from the transmission of inaccurate information and Spokeo’s alleged violations were substantially likely to harm those concrete interests.