Kuhns v. Scottrade: Eighth Circuit Court of Appeals Weighs in on Standing for Data Breach Class Acti Kuhns v. Scottrade: Eighth Circuit Court of Appeals Weighs in on Standing for Data Breach Class Acti

Kuhns v. Scottrade: Eighth Circuit Court of Appeals Weighs in on Standing for Data Breach Class Actions

Last week, the Eighth Circuit Court of Appeals became the latest circuit court to weigh in on the developing circuit split regarding whether, in a data breach action, a plaintiff’s risk of future injury is enough to establish standing under Article III.

Kuhns v. Scottrade, Inc., No. 16-3426, No. 16-3542 (8th Cir. Aug. 21, 2017), stems from a 2013 data breach of Scottrade, a St. Louis, Mo.-based securities brokerage firm. In the breach, hackers acquired the personal identifying information (“PII”) of over 4.6 million Scottrade customers and later used the information to operate a stock price manipulation scheme, illegal gambling websites, and a Bitcoin exchange. Id., slip op. at 2. Kuhns and others affected by the breach brought putative federal class actions against Scottrade, which were consolidated in the Eastern District of Missouri, asserting claims of breach of contract, breach of implied contract, unjust enrichment, declaratory judgment, and violation of Missouri’s consumer protection laws. Id. The district court dismissed the Consolidated Complaint for lack of jurisdiction, pursuant to Fed. R. Civ. P. 12(b)(1), concluding that because they failed to suffer an injury in fact, plaintiffs lacked Article III standing. Id.; see Duqum, et al. v. Scottrade, Inc., No. 4:15-CV-1537-SPM, 2016 WL 3683001 (E.D. Mo. July 12, 2016).
 
Kuhns appealed the district court’s dismissal, and Scottrade cross-appealed, arguing that even if plaintiffs have Article III standing, the district court’s dismissal should still be affirmed pursuant to Fed. R. Civ. P. 12(b)(6), as plaintiffs failed to state a claim under which relief can be granted. Kuhns, slip op. at 2. On appeal, the Eighth Circuit determined that “[w]hatever the merits of Kuhns’s contract claim, and his related claims for breach of implied contract and unjust enrichment, he has Article III standing to assert them.” Id. at 6-7. However, the court determined the Consolidated Complaint failed to “plausibly allege the actual damage that is an element of a breach of contract claim.” Id. at 8-9. Pointing to the fact Kuhns did not dispute “Scottrade’s assertion that no customer affected by the 2013 data breach suffered fraud or identity theft that resulted in financial loss from the use of their stolen PII in the more than two years that passed between the data breach and the filing of the Consolidated Complaint,” the court concluded plaintiffs had not plausibly alleged they had been damaged. Id. at 9. In what will surely be an oft-cited portion of the opinion, the court found that “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.” Id. The court similarly concluded Kuhns’s remaining claims failed to establish plausible claims for relief, and therefore, affirmed the district court’s dismissal of the Consolidated Complaint. Id. at 9-11.
 
While the Eighth Circuit found Kuhns had Article III standing to bring his claims, aligning itself with those circuits courts which have opined actual harm is not required to establish Article III standing, see Attias v. CareFirst, Inc., et al., No. 16-7108 (D.C. Cir. Aug. 1, 2017); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 386 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Nieman Marcus Group, LLC 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), this decision highlights that defendants still have pathways to dismissal at an early stage. This decision also emphasizes the importance of privacy policies and/or security statements and how these statements can be used against companies in data breach lawsuits. See also In re VTech Data Breach Litig., 2017 WL 2880102 (N.D. Ill. July 5, 2017); Dolmage v. Combined Ins. Co. of Am., 2016 WL 754731 (N.D. Ill. Feb. 23, 2016); www.icemiller.com/ice-on-fire-insights/publications/your-privacy-policy-needs-updating-the-california/.
 
For guidance on responding to data breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Stephen Reynolds or Jenny Buchheit. Jenny Buchheit is a partner in Ice Miller’s Litigation and Intellectual Property Group who represents clients at both the trial and appellate levels and focuses much of her work on defending companies in both state and national putative class actions. Stephen Reynolds, a former computer programmer and IT analyst, is a partner in Ice Miller’s Litigation and Intellectual Property Group and co-chair of Ice Miller’s Data Security and Privacy Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 

View Full Site View Mobile Optimized