Eighth Circuit Finds Standing in Data Breach Case for Privacy Policy Violation, Dismisses for Lack of Specificity

by Fenwick & West LLP

Fenwick & West LLP

The U.S. Court of Appeals for the Eighth Circuit has held that allegations that the security provisions of a privacy policy were violated are sufficient for standing in a data breach case, but that plaintiffs’ contractual claims needed to be pled with specificity. The August 21 ruling, Kuhns v. Scottrade, makes it easier for data breach plaintiffs to establish standing to bring their contractual claims even as it raises the level of detail that must be present in those claims to survive a motion to dismiss.


Between September 2013 and February 2014, hackers successfully accessed the customer databases of securities brokerage firm Scottrade and extracted the personal identifying information for 4.6 million customers. These hackers used the stolen PII to operate a stock price manipulation scheme, illegal internet gambling services and a Bitcoin exchange.

Matthew Kuhns, one of the affected Scottrade customers, opened his account in 2005, signing a brokerage agreement and providing Scottrade with his name, address, social security number, tax identification number, telephone number, employer information and work history. The brokerage agreement provided that Kuhns would pay Scottrade on a per order basis and included as an addendum Scottrade’s privacy policy and security statement. According to the privacy policy and statement, the firm collected the its customers’ PII but “maintain[ed] physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information,” and “offers a secure server and password-protected environment . . . protected by Secure Socket Layer (SSL) encryption.”

Scottrade’s online privacy policy purportedly also stated: “We comply with applicable laws and regulations regarding personal information. . . . We use industry leading security technologies, including layered security and access controls over personal information.” A document on the firm’s website also stated: “We keep all customer information confidential and maintain strict physical, electronic and procedural safeguards to protect against unauthorized access to your information.”

Kuhns and three others affected by the data breach brought putative class actions against Scottrade alleging claims for breach of contract, breach of implied contract, unjust enrichment, declaratory judgment and violations of the Missouri Merchandising Practices Act, a state consumer protection statute. The consolidated class action complaint in district court asserted that a portion of the brokerage fees paid to Scottrade was used for data management and security and that Scottrade breached its contractual obligations by failing to have adequate security measures. The complaint also asserted that, as a result of the data breach, the plaintiffs faced an increased risk of identity theft and incurred financial costs of monitoring their financial accounts and the value of their brokerage services and PII was diminished in value. The district court dismissed the consolidated class action complaint with prejudice, concluding that the plaintiffs lacked Article III standing because they had not alleged an injury in fact.

Eighth Circuit Decision

The Eighth Circuit affirmed the district court’s dismissal, not for lack of standing but for failing to state a claim. Relying on its prior precedent of Carlsen v. Gamestop, the court concluded that Kuhns had “standing regarding his breach of contract and contract-related claims based on allegations that he did not receive the full benefit of his bargain with Scottrade.” Specifically, the Eighth Circuit held that Kuhns’ allegations that “he bargained for and expected protection of his PII, that Scottrade breached the contract when it failed to provide reasonable safeguards, and that Kuhns suffered actual injury, the diminished value of his bargain,” established an injury in fact. In Gamestop, the Eighth Circuit found that allegations that subscriptions to a website were devalued because the website shared the personal information of its customer in violation of its privacy policy established an actual injury that conferred Article III standing. In light of Gamestop, the court noted: “Whatever the merits of Kuhns’ contract claim and his related claims . . . , he has Article III standing to assert them.”

Turning to Kuhns’ breach of contract claims, the Eighth Circuit found that “bare allegations that Scottrade’s efforts failed to protect customer PII” were not sufficiently specific. The court observed that Kuhns had not identified a single applicable law and regulation that

Scottrade had allegedly breached regarding its data security practices. Nor had Kuhns identified any actual financial loss suffered by the affected Scottrade customers as a result of the data breach. The Eighth Circuit noted that “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.” In addition, the court found that, because the brokerage agreement expressly provided that brokerage services were paid “on a per order basis,” Kuhns’ “allegation that the failure of Scottrade’s security measures was a breach of contract that diminished the benefit of Kuhns’ bargain is not plausible.”

Similarly, the Eighth Circuit found that Kuhns’ claims for breach of implied contract, unjust enrichment and declaratory judgment lacked sufficient detail. The court held that Kuhns had not identified how Scottrade had failed to take “industry leading” security measures, what “specific portion of [Kuhns’ brokerage service fees] went to data protection,” or which of Scottrade’s current security practices were allegedly “illegal.”

Finally, the Eighth Circuit addressed Kuhns’ claim under the Missouri Merchandising Practices Act. Finding that Kuhns’ claim sounded in fraud, the court found that Kuhns had not pled his claim with the particularity required by Rule 9(b) of the Federal Rules of Civil Procedure. Moreover, the court also found that the Missouri Merchandising Practices Act requires an alleged unlawful act to occur in relation to a sale of merchandise and an ascertainable loss must result from that transaction and that Scottrade sold brokerage services, not data security services, making the Missouri statute inapplicable.


The Scottrade decision offers something significant for both data breach plaintiffs and defendants. It provides an avenue for satisfying Article III’s injury in fact requirement where the plaintiff is able to allege he relied on a specific statement by the defendant about its security practices when entering a contract with the defendant. For example, following a data breach, plaintiffs (at least in the Eighth Circuit) need only allege a breach of the ubiquitous language in privacy policies concerning maintaining the security of customer PII in their class action complaint to establish a concrete injury and survive a motion to dismiss for lack of standing. However, data breach plaintiffs will also have to plead their contract and contract-related claims with much greater specificity to survive a motion to dismiss for failure to state a claim. Plaintiffs will be unable to rely on general allegations that defendants’ security measures were inadequate, that a data breach resulted from these inadequate measures and that they suffered undefined damages from the breach. Plaintiffs will now have to identify the applicable law, regulation or industry standard with which defendants failed to comply; the particular security measure or practice they are challenging as insufficient; and the financial loss that they have suffered as a result of the data breach.????

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fenwick & West LLP | Attorney Advertising

Written by:

Fenwick & West LLP

Fenwick & West LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.