We’ve previously discussed the “overpayment” theory of injury in data-breach litigation. This theory rests on the premise that the price of a product or service includes a payment for data security measures. When a data breach happens, buyers allege they have overpaid for the product or service because the seller failed to provide the agreed-upon measures.
Data-breach plaintiffs have successfully used this theory to overcome standing challenges brought by defendants under Rule 12(b)(1).
Today’s post examines a recent federal appellate decision that shows how data-breach lawsuits premised on overpayment theories—which often assert claims sounding in contract—still face an uphill battle under Rule 12(b)(6).
In that decision—a boon for data-breach defendants—the Eighth Circuit employed a demanding test for the pleading of facts that give rise to an overpayment claim.
Promises Made to Be Broken?
Kuhns v. Scottrade arose after hackers accessed the internal customer database of Scottrade, a securities brokerage firm. The hackers acquired sensitive personal information of over 4.6 million customers. They then used that personal information to operate a stock price manipulation scheme, illegal gambling websites, and a bitcoin exchange.
The plaintiffs—Scottrade customers whose personal information was accessed by the hackers—sued Scottrade in federal court in Missouri. Their complaint asserted claims for breach of express and implied contract.
According to the plaintiffs, a portion of the fees they paid to Scottrade for brokerage services was to be used for data management and security. To that end, the plaintiffs pointed to representations that Scottrade made as part of their brokerage agreements.
Those agreements included a “Privacy and Security Statement” in which Scottrade represented that it would:
- “maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information;” and
- “offer[ ] a secure server and password-protected environment . . . protected by Secure Socket Layer (SSL) encryption.”
The plaintiffs alleged that the hack occurred because Scottrade didn’t live up to these promises.
For damages, the plaintiffs sought “the monetary difference between the amount paid for services as promised…and the services actually provided.”
The district court dismissed the complaint for lack of standing. It concluded that the plaintiffs’ “conclusory” allegations that they had been deprived of the benefit of the data management and security services they paid for when they opened their accounts did not constitute a sufficiently concrete injury.
Overpayment = Concrete Injury
On appeal, the Eighth Circuit rejected that analysis. The Eighth Circuit pointed to an earlier data-privacy decision involving claims premised on an overpayment theory. In that case, the court held that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.”
The Scottrade plaintiffs satisfied that test. Their complaint alleged that they bargained for and expected protection of their personal information, and suffered a diminished value of that bargain when Scottrade failed to prevent the data breach. Thus, the Eighth Circuit concluded, the plaintiffs had standing to assert the breach of contract claims, “whatever the merits” might be of those claims.
Show Me the Breach
As to the merits, Scottrade argued that even if the plaintiffs had standing, their contract claims that relied on the overpayment theory should still be dismissed under Rule 12(b)(6).
Scottrade argued that the plaintiffs did not allege any specific facts to establish that Scottrade breached its promises regarding data security. To that end, Scottrade observed, the plaintiffs hadn’t alleged any specific security measures that Scottrade had promised but failed to implement. Nor had they specified any particular laws with which Scottrade’s data security practices failed to comply.
Data Breach ≠ Contract Breach (necessarily)
The Eighth Circuit agreed with Scottrade.
It concluded that the plaintiffs had failed to allege any specific breach of the security representations in the brokerage agreement. To that end, the court observed that:
- the plaintiffs did not identify any specific law or regulation that Scottrade’s data security practices violated; and
- Scottrade never affirmatively promised that its customers’ data would not be hacked.
Acknowledging that the complaint presented the “possibility” of misconduct, the court nonetheless held that more was required: “It is possible that Scottrade breached the Brokerage Agreement, but we have no idea how.”
Critically, the court concluded that the mere fact that a data breach occurred could not supply the requisite factual basis for the breach of contract claims. It explained that “the implied premise that because data was hacked Scottrade’s protections must have been inadequate” amounted to a “naked assertion devoid of further factual enhancement” that could not survive a motion to dismiss under the Supreme Court’s ruling in Ashcroft v. Iqbal.
The court thus affirmed the district court’s dismissal of the action, albeit under Rule 12(b)(6) rather than Rule 12(b)(1).
Lessons for Litigants
The holding in Scottrade will be a welcome addition to data-breach defendants’ Rule 12(b)(6) arsenal.
It suggests that data-breach plaintiffs who rely on an “overpayment” theory must allege specific facts not only about the data security promises for which they paid, but also about the specific ways in which a defendant’s practices failed to live up to those promises.
And just as importantly, the decision makes clear that neither conclusory allegations of broken security promises nor the mere fact of a data breach is sufficient to satisfy that burden.