On July 12, 2016, the United States District Court for the Eastern District of Missouri granted Scottrade’s motion to dismiss a putative class action complaint that was predicated on the alleged theft of personal information from Scottrade.
Based on the allegations in the complaint, Scottrade sells brokerage, banking, and retirement planning services. When a customer opens an account with Scottrade, the customer must give the firm various types of personal information. Between September 2013 and February 2014, hackers accessed Scottrade’s customer databases and downloaded the personal information of approximately 4.6 million customers. Scottrade did not know about the incident until August 2015, when the FBI contacted Scottrade about it. In October 2015, Scottrade started to notify customers about the incident. The firm also offered to provide a year of credit monitoring and identity theft insurance.
After Scottrade publicly announced the incident, multiple customers filed putative class action lawsuits. Eventually, the various suits were consolidated in the United States District Court for the Eastern District of Missouri. The plaintiffs’ consolidated complaint alleged multiple causes of action, including breach of contract, breach of implied contract, negligence, and violations of various state consumer protection statutes.
To satisfy the United States Constitution’s jurisdictional case or controversy requirement, plaintiffs must establish that they have standing to sue. This requires a statement of sufficient facts at the pleadings stage to show that plaintiffs “(1) suffered an injury in facts, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” An injury in fact is “an invasion of a legally protected interest” that is (1) “concrete and particularized” and (2) “actual or imminent, not conjectural or hypothetical.” Scottrade contended that the plaintiffs lacked standing because they had not suffered an injury in fact. The plaintiffs alleged that they had suffered a variety of injuries, but the court rejected each one as a basis for standing.
First, the plaintiffs alleged that they had an increased risk of identity theft and identity fraud. The court concluded that these “increased risks” were not “actual” or “imminent” because the plaintiffs did not allege that anyone had used or intended to use their stolen personal information to commit identity theft, identity fraud, or any other conduct that had harmed them or would harm them. Additionally, the court noted that two years had passed since the incident and the plaintiffs had not alleged that a single instance of identity theft or identity fraud had occurred.
Second, the plaintiffs alleged that they had suffered the financial or temporal cost of monitoring their credit, monitoring their financial accounts, and mitigating their damages. The Court noted that, in data breach cases, the cost of mitigating the risk of future injury cannot be an injury in fact unless the future injury being mitigated against is imminent. The Court, however, had already determined that the future injuries being mitigated against—identity theft and identity fraud—were not imminent. Given the lack of an imminent future injury to mitigate against, the Court concluded these alleged facts did not satisfy the injury in fact requirement.
Third, the plaintiffs alleged that they did not receive the full benefit of their bargain with Scottrade because the brokerage and financial services that they had received were less valuable than the ones that they thought they had purchased. Fourth, the plaintiffs alleged that the data breach deprived them of the value of their personal information. Specifically, the plaintiffs alleged that, after the data breach, their information became less valuable—especially to them—because they were no longer the only people able to monetize the information. The Court rejected the plaintiffs’ third and fourth alleged injuries because the plaintiffs had not alleged facts that could sufficiently support them.
Finally, the plaintiffs alleged that the data breach caused an invasion of their privacy and a breach of the confidentiality of their personal information. The Court, however, concluded that the plaintiffs had not alleged any facts that demonstrated that the alleged invasion of privacy or breach of confidentiality used any damages or injury.
A copy of the Scottrade decision is available by clicking here.
In a different data breach putative class action lawsuit, a Wendy’s customer alleged that the company had failed to adequately safeguard the financial information of customers. On July 15, 2016, the United State District Court for the Middle District of Florida granted Wendy’s motion to dismiss the class action complaint because the plaintiff had failed to satisfy the injury in fact component of the Constitution’s standing requirement. The Court, however, gave the plaintiff the opportunity to file an amended class action complaint to cure the deficiencies in the class action complaint that the Court dismissed.
A copy of the Wendy’s decision is available by clicking here.