In two recent decisions, the Eighth Circuit addressed the hotly litigated issue of when consumer plaintiffs have standing to pursue claims arising out of a data breach. The decisions stake out the Eighth Circuit’s positions on a current circuit split and also address the viability of certain types of injuries often alleged in data breach class actions. Notably, the Eighth Circuit revealed its skepticism that an increased risk of future injury alone can support Article III standing in a data breach class action.

In Kuhns v. Scottrade, Inc., [1] the Eighth Circuit expressed approval of a fairly recent and unique standing argument. In Kuhns, the plaintiff alleged that hackers stole his personal identifying information (“PII”) from the defendant’s securities-brokerage system. [2] In assessing plaintiff’s standing, the Eighth Circuit focused on his allegation that “a portion of the fees paid in connection with his … account were used to meet [the defendant]’s contractual obligations to provide data management and security to protect his PII.” [3] Kuhns found this allegation was sufficient to create standing because the plaintiff had alleged that he had “bargained for and expected protection of his PII, that [the defendant] breached the contract when it failed to provide promised reasonable safeguards, and that [the plaintiff] suffered actual injury, the diminished value of his bargain.” [4] The court’s conclusion that the plaintiffs’ benefit-of-the-bargain theory was sufficient to establish standing is contrary to decisions by other courts. [5] The Eighth Circuit reasoned that the standing inquiry is distinct from the inquiry into the viability of a plaintiff’s claims, such that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.” [6]

At the same time, the Eighth Circuit roundly rejected the same allegation as sufficient to state a breach of contract claim under Rule 12(b)(6). [7] First, the relevant provisions in the defendant’s privacy statement were not binding promises but rather “in the nature of contract recitals,” which are insufficient to support a breach of contract claim. [8] Second, the language in the privacy statement said that the defendant would “use security measures that comply with federal law,” but the plaintiff had not pleaded any federal authority breached by the defendant. [9] Third, the plaintiff had failed to allege any actual damage flowing from the purported breach because he had not claimed that he (or anyone else) had “suffered fraud or identity theft that resulted in financial loss.” [10]

Two weeks later, in In re SuperValu, Inc., [11] the Eighth Circuit stepped into the waters on an issue currently dividing the federal circuit courts of appeals—namely whether pleading an increased risk of future injury is sufficient to establish Article III standing in a data breach suit. [12] In SuperValu, the plaintiffs alleged that hackers had stolen their credit and debit card information from the defendant’s systems. [13] The vast majority of the plaintiffs alleged only future injury, in the form of an increased risk of identity theft. [14]

The Eighth Circuit did not attempt to reconcile the conflicting circuit court decisions on data breach standing “because the cases ultimately turned on the substance of the allegations before each court.” [15] Rather, although recognizing that a “substantial risk of identity theft” may give rise to standing, the court held that the plaintiffs’ allegations were insufficient to plead such a risk. [16] First, the SuperValu Court rejected as insufficient plaintiffs’ allegation that their data was being sold on “illicit websites,” because that did not plead any actual harm “to the plaintiffs.” [17] Second, the court noted that the information allegedly stolen—credit and debit card information—generally could not be used to open unauthorized accounts in the plaintiffs’ names, “which is ‘the type of identity theft generally considered to have a more harmful direct effect on consumers.’” [18] Third, the plaintiffs had relied upon a report from the U.S. Government Accountability Office (“GAO”), [19] but the court held the report did not support plaintiffs’ allegations of future injury as it concluded that “most [data] breaches have not resulted in detected incidents of identity theft.” [20] Accordingly, the SuperValu Court affirmed dismissal of all of the named plaintiffs who had pleaded only an increased risk of future injury. [21]

The Kuhns and SuperValu decisions further advance the landscape of authority regarding standing in data breach class actions but also increase the growing divergence between circuits. We will continue to monitor and report on developments in data breach standing law as they occur.