The first question asked by many companies after a data breach is – What is our potential liability? On July 12, 2016 a Missouri Federal Court issued a ruling that companies should be aware of when defending customers’ claims post-breach. Class action lawsuits after a breach are on the rise, and a company with a national presence may be faced with class action lawsuits filed in multiple jurisdictions.
For instance, Scottrade, Inc. was met with putative class actions filed in Florida, California, and Missouri, all stemming from the same data breach.(1) Ultimately, these actions were consolidated in Missouri.
Scottrade, which provides brokerage, banking, and retirement planning services to individuals and businesses, required its customers to complete brokerage agreements which disclosed personal identifying information. The brokerage agreements incorporated Scottrade’s privacy statement that indicated the company collected personal information. The company also had an online privacy policy which indicated that it took steps to protect the security of customer information.
Between September 2013 and February 2014, hackers accessed the company’s confidential databases, allegedly involving approximately 4.6 million customers. The hackers used the information to operate a stock price manipulation scheme.
Based upon the data breach, Scottrade’s customers brought several causes of action against the company including breach of contract, breach of implied contract, negligence, unjust enrichment/assumpsit, declaratory relief, and violations of various state consumer protection statutes. Scottrade responded by moving to dismiss Plaintiffs’ consolidated putative class action.
Ultimately, the Court dismissed Plaintiffs’ action finding that Plaintiffs did not have standing to sue. The Court reasoned that an (1) increased risk of identity theft and fraud did not establish standing; (2) the cost of monitoring for the risk of identity theft and fraud did not establish standing; (3) Plaintiffs did not receive services from Scottrade that were less valuable than those they bargained for; (4) Plaintiffs did not demonstrate that their private information became less valuable as a result of the data breach; and, (5) Plaintiffs did not demonstrate that they suffered any injury due to a loss of privacy or breach of confidentiality.(2)
The facts and circumstances of every data breach are different. If Plaintiffs demonstrated that the hackers used the breached data to obtain fraudulent credit to Plaintiffs’ detriment, the Court may have denied the company’s motion to dismiss. Likewise, if Plaintiffs and Scottrade both understood a portion of Plaintiffs’ fees were to be used by Scottrade for data management and security, then the Court may have denied the company’s motion.
A well drafted privacy policy, with disclaimers stating that no portion of the payment received is used to protect client information, may provide a defense if your company is ever faced with a class action lawsuit by customers after a data breach.
____________________
(1) See Hine v. Scottrade, Inc., No. 4:15-CV-01954-CEJ, Duqum v. Scottrade, Inc., No. 4:15-CV-01537-SPM, Kuhns v. Scottrade, Inc., No. 4:15-CV-01812-SPM, Angela Martin v. Scottrade, Inc., No. 4:16-CV-00124-RWS.
(2) See Duqum v. Scottrade, Inc., 2016, U.S. Dist. Lexis 89992 (E.D. Mo. July 12, 2016).
