Lack of Injury Dooms Scottrade Data Breach Class Suit Appeal

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Securities discount brokerage Scottrade Inc. Aug. 21 received federal appeals court affirmation that plaintiffs making class allegations over a 2013 data breach that affected more than 4.6 million customers didn’t demonstrate they had suffered actual damages ( Kuhns v. Scottrade, Inc. , 2017 BL 291803, 8th Cir., Nos. 16-3426, 16-3542, 8/21/17 ).

The difference between the amount customers paid for St. Louis-based Scottrade’s services, and the value of the services they actually received was sufficient to grant plaintiffs standing to sue, the U.S. Court of Appeals for the Eight Circuit held—a finding at odds with the trial court. However, the appeals court ultimately affirmed the trial court’s dismissal of the suit, holding that the plaintiffs failed to demonstrate the actual damages required to sustain their breach-of-contract claims.

The appeal’s court’s holding is great news for companies that do their best to protect personal data, Tara Swaminatha, data privacy & cybersecurity partner at Squire Patton Boggs in Washington, told Bloomberg BNA Aug. 21. If company suffers a data breach, that doesn’t necessarily mean it is going to be liable, Swaminatha, who serves as a defense counsel in such cases, said.

Even if plaintiffs allege potential harm from a breach sufficient for their complaint to withstand the first step of litigation, the same allegations likely won’t be enough to show the kind of actual harm necessary to take the case further.

Overpayment Theory

Plaintiff Matthew Kuhns signed a brokerage agreement with Scottrade in 2005 and provided his name, address, Social Security number, and other personally identifying information. The agreement’s privacy policy said that Scottrade collected customers’ personally identifiable information (PII) and maintained “safeguards that comply with federal regulations.”

However, the 2013 data breach compromised customers’ PII, which was used to operate a stock price manipulation scheme. Kuhns and other plaintiffs sued, asserting that Scottrade provided insufficient cybersecurity, in violation of its contractual obligations.

The trial court dismissed the suit, finding that the plaintiffs didn’t suffer enough injury to demonstrate standing to sue. Kuhns appealed.

The appeals court disagreed that Kuhns lacked standing. “Whatever the merits of Kuhns’s contract claim, and his related claims for breach of implied contract and unjust enrichment, he has Article III standing to assert them,” the court said.

In data breach cases, plaintiffs relying on the over-payment theory allege that information security costs are passed through to customers with higher prices on all products.When information is breached, the consumer is injured by paying those allegedly inflated prices under the theory.

According to Swaminatha, the appeals court ruling recognizes the over-payment theory as a viable means to sustain standing.

However, the appeals court agreed with the lower court that Kuhns lacked actual injury to maintain his claim. Kuhns doesn’t contest Scottrade’s argument that no customers affected by the 2013 breach actually suffered fraud or identity fraud that resulted in financial loss, the court said.

Finding no actual injury, the appeals court said that “massive class action litigation should be based on more than allegations of worry and inconvenience.”

Judges James B. Loken wrote the opinion for the court, which was joined by Judges Roger L. Wollman, and Robert F. Rossiter.

Blood Hurst & O’Reardon LLP and Siprut PC represented the plaintiffs. Thompson Coburn LLP represented Scottrade.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the opinion is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security