Scottrade Escapes Confidential Data Breach Claims

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

July 13 — Financial services company Scottrade Inc. July 12 escaped liability for a breach of confidential data on some 4.6 million customers ( Duqum v. Scottrade, Inc., 2016 BL 223330, E.D. Mo., No. 4:15-CV-1537-SPM, 7/12/16 ).

The putative class plaintiffs failed to show how they were harmed by the breach and, therefore, had no standing to sue, Magistrate Judge Shirley Padmore Mensah of the U.S. District Court for the Eastern District of Missouri ruled in dismissing the complaint without prejudice.

Even though Scottrade may appear off the hook, the plaintiffs may still file an amended class complaint.

The injury requirement for standing to sue has recently been in the spotlight, as the U.S. Supreme Court held May 16 that both tangible and intangible injuries may prove that a plaintiff's injury was “concrete and particularized” (15 PVLR 1062, 5/23/16).

According to the consolidated class complaint, sometime between September 2013 and February 2014, hackers gained access to Scottrade's customer databases and stole customers' confidential personal identifying information (PII), including names, addresses, phone numbers, Social Security numbers and work history. The hackers used the stolen information to operate a stock price manipulation scheme that resulted in million of dollar in illicit gains. Scottrade, however, wasn't aware of the data breach until August 2015, when it was notified by the Federal Bureau of Investigation.

Considerable Speculation Required

Several Scottrade customers filed class actions against the company, alleging that as a result of the breach, their personal information was disclosed, transferred, sold and otherwise used without their consent. Scottrade moved to dismiss the class action, alleging that the plaintiffs haven't suffered an injury sufficient to confer standing.

The court agreed.

In the class complaint, the plaintiffs alleged several categories of injury, including: increased risk of identity theft; cost of monitoring their accounts and mitigating damages; deprivation in the value of the personal information; and invasion of privacy.

“Here, although plaintiffs have alleged that the hackers accessed plaintiffs' PII and used that PII for certain illegal business enterprises, plaintiffs do not allege any of the PII stolen in the breach has been used to commit any identity theft, fraud, or any other act that has resulted in harm to any plaintiff,” the court held.

Concluding that it can't determine whether the plaintiffs will suffer harm in the future “without engaging in considerable speculation about the hackers' possible intentions and future actions,” the court held that the plaintiffs' allegations are insufficient to demonstrate injury for purposes of Article III standing.

The Simon Law Firm PC, Siprut PC, Blood and Hurst LLP and Spreter Law Firm APC represent the plaintiffs. Thompson Coburn LLP represents Scottrade.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Daniel R. Stoller at dstoller@bna.com

For More Information

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.