We previously reported on the developing circuit split over Article III standing in data breach class action cases. In August, the D.C. Circuit Court joined the Sixth, Seventh, and Ninth Circuits in finding that the injury-in-fact requirement for Article III standing can be satisfied by fear of identity theft following a data breach. Now, the Eighth Circuit has weighed in with two new decisions that evidence a narrower, more nuanced approach to the standing issue.
In In re Supervalu, Inc., grocery stores owned by the defendant suffered two data breaches that compromised customers’ credit and debit card information. Sixteen customers whose information was accessed filed putative class actions, which were consolidated in the District of Minnesota. In an attempt to satisfy Article III standing, plaintiffs relied on the concept of future harm, claiming they suffered an “imminent and real possibility of identity theft” as a result of the data breach. However, only one of the named plaintiffs had actually suffered present harm in the form of fraudulent credit card charges. The district court dismissed for lack of standing, and the Eighth Circuit affirmed in part on appeal. Though acknowledging that other circuits have found an increased risk of identity theft may suffice to show injury-in-fact, the court held that plaintiffs did not establish standing in this case. In particular, plaintiffs did not show that the theft of their credit information created a substantial risk of future identity theft; indeed, the relevant evidence instead suggested that incidences of such fraud are rare. However, the court dealt separately with the one named plaintiff who alleged he had suffered fraudulent credit card charges, determining he had Article III standing based on this present harm. The Eighth Circuit found the district court had erred in determining that this plaintiff’s standing depended on that of other class members. In doing so, the Eighth Circuit deviated slightly from its sister circuits by establishing a plaintiff-by-plaintiff standing analysis. Although this approach enabled the one remaining plaintiff to establish standing in this case, the result may be to make class certification more difficult for future data breach litigants, as most customers do not suffer fraudulent charges after their card information is stolen.
Another recent Eighth Circuit case, Kuhns v. Scottrade, involved the 2013 breach of securities brokerage firm Scottrade’s internal database, resulting in the theft of personally identifying information of roughly 4.6 million customers. Plaintiffs filed a putative class action lawsuit alleging, inter alia, breach of express and implied contract, unjust enrichment, and violation of the Missouri Merchandising Practice Act. The contract claims were based on Scottrade’s brokerage agreement, which contained a privacy policy outlining how the company planned to protect its customers’ personal information. Plaintiffs alleged that Scottrade’s failure to utilize sufficient cybersecurity protections breached this agreement and resulted in customers receiving brokerage services of a lesser value than agreed. After the district court dismissed the case for lack of standing, one plaintiff appealed, asserting that the decreased value of the services constituted an injury in fact sufficient to establish standing. The Eighth Circuit agreed with this reasoning, cautioning that a court should not conflate the merits of a claim with the standing requirements of Article III. However, the court ultimately affirmed the dismissal of the action, finding plaintiff failed to state a claim for breach of contract, as he did not plausibly allege that Scottrade failed to comply with its privacy policy. Moreover, although plaintiff had alleged sufficient injury for purposes of standing, he did not plausibly allege that he suffered any actual damage as a result of the breach, especially in light of Scottrade’s undisputed contention that no customer had suffered financial loss due to the data breach. The court emphasized that “[m]assive class action litigation should be based on more than allegations of worry and inconvenience.” However, although the case was dismissed, this Eighth Circuit ruling serves as a warning to companies to adhere to their privacy policies. If customers can point to a specific breach, they may be able to establish standing on this basis — though, under the court’s opinion, the mere fact of a data breach is not enough to show that a company failed to comply with its policies.
In re Supervalu, Inc., Nos. 16-2378, 16-2528 (8th Cir. Aug. 30, 2017).
Kuhns v. Scottrade, No. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).