The U.S. Court of Appeals for the Eighth Circuit recently affirmed the dismissal of a putative class action complaint alleging various causes of action relating to the cybertheft of personally identifiable information, based in part on the plaintiffs’ failure to adequately allege any damages caused by the data breach or how the defendant breached the terms of its agreement.
A copy of the opinion is available at: Link to Opinion.
The defendant securities brokerage firm suffered an attack in which hackers successfully accessed the firm’s customer database, extracting personally identifiable information (“PII”) for potentially millions of customers, including their names, addresses, social security numbers, telephone numbers, employer information and work history.
Upon discovery of the attack, the firm alerted the appropriate authorities and, following the investigation by law enforcement, provided notice of the attack to all of its customers. The firm also provided free identity repair, protection, credit monitoring and theft insurance for one year for its affected customers.
The named plaintiff’s case was one of three independently filed class actions that were consolidated. The consolidated complaint alleged causes of action against the firm for breach of contract, breach of implied contract, unjust enrichment, declaratory judgment and a violation of the Missouri Merchandising Practices Act (MMPA), Mo. Rev. Stat. 407.025.
The firm moved to dismiss the consolidated complaint for failure to state a cause of action and for lack of subject matter jurisdiction, arguing that the plaintiffs lacked standing under Article III. The lower court granted the firm’s motion to dismiss for lack of subject matter jurisdiction because it concluded that the plaintiffs did not suffer an injury in fact.
The named plaintiff appealed (but notably, the other consolidated plaintiffs did not), and the firm filed its own cross-appeal urging the Eighth Circuit to dismiss the claims for failure to state a claim.
On review, the Eighth Circuit rejected the lower court’s finding that the plaintiffs lacked standing, but nevertheless affirmed the dismissal on the grounds that the plaintiffs failed to state claims upon which relief can be granted.
As an aside, the plaintiff attempted to dismiss its appeal after the briefing had concluded in an attempt to join its other class plaintiffs (who did not join in the appeal) in a newly filed class complaint in California state court. The Eighth Circuit denied plaintiff’s motion as untimely.
The complaint alleged that the firm breached its contractual obligations in the agreement by providing deficient cybersecurity. For his damages, the plaintiff alleged that a portion of the fees he paid to the firm was for “data management and security” and that, as a result of the deficient cybersecurity, he received diminished services that he paid for under the agreement.
The plaintiff further alleged various damages resulting from the release and dissemination of the PII, including increased risk of identity theft, financial costs for credit monitoring, decline in the value of his PII, and invasion of privacy.
In rejecting the determination that the plaintiff lacked Article III standing, the Eighth Circuit concluded that the plaintiff did have standing to pursue a breach of contract claim based upon the allegation that he did not receive the full benefit of the bargain with the firm due to the diminished services paid for data management and security.
The Court noted that prior Eighth Circuit precedent made clear that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.” Carlson v. Gamestop, 833 F.3d 903, 908 (8th Cir. 2016). Further, the Court stated that it was crucial “not to conflate Article III’s requirement of injury in fact with a plaintiff’s potential causes of action.” Id. at 909. Accordingly, the Court followed its precedent and determined that the plaintiff had sufficiently alleged a concrete and particularized breach of contract and actual injury.
Nonetheless, the Eighth Circuit found that these allegations had no merit and dismissal for failure to state a claim was appropriate. The Court noted that because the firm had filed its cross-appeal on the issue, it was appropriate for it to review the complaint on these grounds despite the lower court’s refusal to address the issue.
The Eighth Circuit found numerous defects in the complaint in determining that it failed to plausibly state a claim.
Initially, the Court noted that the representations of the firm in the agreement concerning the maintenance of security to protect PII were merely in the nature of recitals. Even assuming that these terms were enforceable obligations undertaken by the firm, the Court found that the complaint failed to identify any specific “applicable law of regulation” that the firm breached.
Importantly, the Eighth Circuit commented that the agreement does not affirmatively promise that the firm would not be hacked.
Accordingly, the Court found that the implied premise in the complaint that because the data was hacked the firm’s protections must have been inadequate was a “naked assertion devoid of further factual enhancement” that could not survive a motion to dismiss. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
Moreover, the Eighth Circuit determined that the complaint failed to plausibly allege actual damages as required for a breach of contract claim. There was no allegation in the complaint concerning specific actual damage resulting from the hack, and it was undisputed that since the data breach no customer had suffered fraud or identity theft that resulted in a financial loss in the more than two years between the hack and the filing of the complaint. As the Court prudently stated: “Massive class action litigation should be based on more than allegations of worry and inconvenience.”
Further, the Court rejected the plaintiff’s argument that the fees paid were in part for data security as the express terms of the agreement were for the purchase and sale of brokerage services “on a per order basis.”
Moving on to the other alleged claims, the Eighth Circuit found that the claims for unjust enrichment and implied contract also failed. Similar to the inadequately alleged breach of contract claim, the Court found that the complaint did not articulate how the firm failed to take industry-leading security measures.
For unjust enrichment, the plaintiff could not recover under this equitable theory when an express agreement covers the same subject matter. The unjust enrichment claim also failed because it did not allege which specific portion of the brokerage fees went toward data protection.
The Eighth Circuit quickly rejected the plaintiff’s declaratory judgment claim as it was “virtually unintelligible” because it simply requested relief in the form of a declaration that the firm “stop its illegal practices” and comply with the terms of the agreement. The Court determined this was insufficient to meet the pleading standards under Iqbal and raised considerations under Article III.
Finally, the Court rejected the MMPA claims in the complaint. As you may recall, the MMPA is the Missouri state consumer protection statute which provides a private right of action for any person who sustains an ascertainable loss in connection with the purchase or lease of merchandise as a result of deceptive and fraudulent practices. Mo. Rev. Stat. 407.025(1). As with the other claims, the Court found this claim wanting for many reasons.
First, the complaint failed to plead its MMPA claim with the particularity required for claims sounding in fraud. Second, the Court determined that the firm did not sell the plaintiff data security services, and as a result, any loss as a result of the data breach did not arise from the sale of the firm’s brokerage services to the plaintiff. Instead, the data security measures recited in the agreement were in place to induce customers to provide their PII in order to obtain the brokerage services. Third, the Court determined that the complaint did not plausibly state how the failure to discover the data breach was an unfair or deceptive act.
For all of these reasons, the Eighth Circuit affirmed the lower court’s dismissal of the consolidated complaint.