Matthew Kuhns v. Scottrade, Inc.

United States Court of Appeals For the Eighth Circuit ___________________________ No. 16-3426 No. 16-3542 ___________________________ Matthew Kuhns, Individually and on behalf of all others similarly situated lllllllllllllllllllll Plaintiff - Appellant/Cross-Appellee v. Scottrade, Inc., a Missouri Corporation lllllllllllllllllllll Defendant - Appellee/Cross-Appellant ____________ Appeals from United States District Court for the Eastern District of Missouri - St. Louis ____________ Submitted: April 5, 2017 Filed: August 21, 2017 ____________ Before WOLLMAN and LOKEN, Circuit Judges, and ROSSITER,* District Judge. ____________ LOKEN, Circuit Judge. In 2013, hackers accessed the internal database of Scottrade, a securities brokerage firm based in St. Louis, Missouri. The hackers acquired personal * The Honorable Robert F. Rossiter, Jr., United States District Judge for the District of Nebraska, sitting by designation. identifying information (“PII”) of over 4.6 million Scottrade customers, including plaintiff Matthew Kuhns, and exploited the information to operate a stock price manipulation scheme, illegal gambling websites, and a Bitcoin exchange. Kuhns and three others affected by the data breach brought putative class actions against Scottrade. After the actions were consolidated in the United States District Court for the Eastern District of Missouri, plaintiffs filed a Consolidated Class Action Complaint under the Class Action Fairness Act, 28 U.S.C. § 1332(d), asserting, as relevant here, claims of breach of contract, breach of implied contract, unjust enrichment, declaratory judgment, and violation of the Missouri Merchandising Practices Act (“MMPA”), Mo. Rev. Stat. § 407.025. The district court1 concluded plaintiffs lacked Article III standing because they had not suffered injury in fact and dismissed the Consolidated Complaint for lack of subject matter jurisdiction. The court’s judgment dismissed the Consolidated Complaint with prejudice. Kuhns appealed, and Scottrade filed a cross-appeal arguing that, even if plaintiffs have standing, Kuhns failed to state a claim upon which relief can be granted. We conclude that plaintiffs have Article III standing, at least for their contract-related claims. We affirm the dismissal with prejudice because the Consolidated Complaint did not state claims upon which relief can be granted. I. Background. When Kuhns opened a Scottrade account in 2005, he signed a Brokerage Agreement and provided Scottrade with his name, address, social security number, tax identification number, telephone number, employer information, and work history. The Brokerage Agreement provided that Kuhns agreed to pay Scottrade brokerage fees and commissions for purchases and sales of securities “on a per order 1 The Honorable Shirley Padmore Mensah, United States Magistrate Judge for the Eastern District of Missouri, who was designated to exercise jurisdiction over the proceedings with the consent of the parties. See 28 U.S.C. § 636(c)(1). -2- basis.” Addendum 2 of the Brokerage Agreement was Scottrade’s “Privacy Policy and Security Statement” describing “how we protect your personal and financial information that we collect in the course of providing our financial services.” The Statement explained that Scottrade collects customers’ PII but will “maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information,” and “offers a secure server and password-protected environment . . . protected by Secure Socket Layer (SSL) encryption.” In addition, the Consolidated Complaint alleges that an Online Privacy Statement represented: “We comply with applicable laws and regulations regarding the protection of personal information. . . . We use industry leading security technologies, including layered security and access controls over personal information.”2 A document available on Scottrade’s website represented: “We keep all customer information confidential and maintain strict physical, electronic and procedural safeguards to protect against unauthorized access to your information.” Between September 2013 and February 2014, hackers successfully accessed Scottrade’s customer databases, extracting the PII of more than 4.6 million Scottrade customers, including Kuhns. The hackers used the acquired PII to operate a stock price manipulation scheme and “operated a dozen illegal Internet gambling websites, and a Bitcoin exchange.” The FBI informed Scottrade of the data breach in August 2015. Scottrade sent affected customers a notice of the data breach on October 2, one week after the FBI advised Scottrade that it could inform its customers. The notice explained that customer PII may have been compromised and encouraged customers to be “vigilant for the next 12 to 24 months and report any suspected incidents of 2 The Online Privacy Statement did not apply to Kuhns’s account. It explicitly stated that “[i]f you are a United States resident . . . how we collect, use, and share your account information is governed by the Scottrade Privacy Statement. To the extent that there is a discrepancy between the Online Privacy Policy and the Scottrade Privacy Statement, you should look to the Scottrade Privacy Statement.” -3- fraud.” Scottrade arranged to have customers pre-qualified for one year of identity repair and protection services “with no enrollment required,” and offered customers free enrollment in one year of credit monitoring and identity theft insurance. Plaintiffs’ Consolidated Class Action Complaint asserted that Scottrade provided deficient cybersecurity in violation of its “contractual and other obligations,” resulting in a data breach “by people willing to use the information for any number of improper purposes and scams, including making the information available for sale on the black-market.” Kuhns alleged that a portion of the fees paid in connection with his Scottrade account “were used for data management and security,” but “one or more data thieves . . . transferred, sold, opened, read, mined and otherwise used Mr. Kuhns’ PII, without his authorization, to their financial benefit and his financial and other detriment.” The Complaint alleged that plaintiffs faced an immediate and continuing increased risk of identity theft and identity fraud; incurred financial costs of monitoring their credit and financial accounts to mitigate against that risk; received Brokerage Agreement services diminished in value and therefore overpaid Scottrade for those services; suffered economic damage from the decline in value of their PII; and suffered invasion of privacy and breach of confidentiality. Scottrade filed a Motion to Dismiss for lack of subject matter jurisdiction and for failure to state a claim. The district court granted the Rule 12(b)(1) Motion to Dismiss for lack of subject matter jurisdiction because plaintiffs did not have standing to bring their claims. Kuhns (but not the other plaintiffs) appeals that ruling. The district court did not address Scottrade’s fully briefed Rule 12(b)(6) Motion to Dismiss for failure to state a claim. Scottrade urges us to affirm the Rule 12(b)(1) dismissal and in a cross appeal urges us to dismiss for failure to state a claim. With the appeal fully briefed and awaiting oral argument before this court, Kuhns filed a motion to voluntarily dismiss his appeal and to dismiss Scottrade’s cross-appeal. Kuhns argued that the litigation should proceed in a California action filed by -4- Kuhns’s attorneys on behalf of a non-appealing co-plaintiff following the district court’s dismissal, which had been remanded to state court based on the district court’s ruling that there was no federal subject matter jurisdiction. II. Standing. We review a district court’s dismissal for lack of subject matter jurisdiction de novo. Diversified Ingredients, Inc. v. Testa, 846 F.3d 994, 995 (8th Cir.), cert. denied, 2017 WL 1426363 (2017). Like the district court, we consider Scottrade’s facial attack on jurisdiction based on the face of the Consolidated Complaint and on other materials necessarily embraced by the pleadings, such as relevant contract documents. See Zean v. Fairview Health Servs., 858 F.3d 520, 526-27 (8th Cir. 2017). We accept all fact allegations as true, and make all reasonable inferences in favor of Kuhns. Carlsen v. GameStop, Inc., 833 F.3d 903, 908 (8th Cir. 2016). Constitutional standing (as opposed to statutory standing) is a threshold question that determines whether a federal court has jurisdiction over a plaintiff’s claims. Article III extends judicial power only to “cases” and “controversies.” This limitation imposes as an “irreducible constitutional minimum” the burden on plaintiff Kuhns to establish that he personally “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (quotation omitted). In this case, the issue is whether Kuhns suffered an injury in fact, that is, “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Id. at 1548 (quotations omitted); see Clapper v. Amnesty Int’l, USA, 133 S. Ct. 1138, 1147 (2013). Though Kuhns asserted, and the parties briefed, additional alleged types of injury in fact, we conclude he has standing regarding his breach of contract and -5- contract-related claims based on allegations that he did not receive the full benefit of his bargain with Scottrade. Kuhns alleges that a portion of the fees paid in connection with his Scottrade account were used to meet Scottrade’s contractual obligations to provide data management and security to protect his PII. When Scottrade breached those obligations, Kuhns received brokerage services of lesser value. He asserts that the difference between the amount he paid and the value of the services received is an actual economic injury that establishes injury in fact for his contract-related claims. We have previously explained that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.” Gamestop, 833 F.3d at 909 (quotation omitted). In Gamestop, a customer of an online video-game publisher sued the publisher for breach of contract, alleging the publisher breached its contractual privacy policy by sharing the customer’s PII with Facebook, and the customer suffered damages in the form of a devaluation of his subscription. The district court dismissed for lack of subject matter jurisdiction, concluding the alleged overpayment was not injury in fact. Though we affirmed the dismissal because plaintiff’s complaint failed to state a claim, we reversed the district court’s conclusion that plaintiff lacked standing. Noting that “it is crucial . . . not to conflate Article III’s requirement of injury in fact with a plaintiff’s potential causes of action,” we concluded plaintiff alleged a concrete and particularized breach of contract and “actual” injury. Id. (alterations omitted); cf. Spokeo, 136 S. Ct. at 1551 (Thomas, J., concurring). Gamestop is controlling here. Kuhns alleged that he bargained for and expected protection of his PII, that Scottrade breached the contract when it failed to provide promised reasonable safeguards, and that Kuhns suffered actual injury, the diminished value of his bargain. Whatever the merits of Kuhns’s contract claim, and his related claims for breach of implied contract and unjust enrichment, he has Article -6- III standing to assert them. See ABF Freight Sys., Inc. v. Int’l Bhd. of Teamsters, 645 F.3d 954, 960-61 (8th Cir. 2011). We decline to consider the other standing issues. III. Failure to State a Claim. “When a district court erroneously dismisses under Rule 12(b)(1) a claim that is clearly meritless, an appellate court may affirm under Rule 12(b)(6).” GameStop, 833 F.3d at 910 (quotations omitted); see Morrison v. Nat’l Australia Bank Ltd., 130 S. Ct. 2869, 2877 (2010). Because Scottrade filed a cross appeal, we may take up the Rule 12(b)(6) issue even if it would afford additional relief. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 697 (7th Cir. 2015). We consider whether Kuhns failed to state a claim because the parties fully briefed the issue on appeal. “To survive [a] motion to dismiss for failure to state a claim,” a Complaint must “alleg[e] sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” OmegaGenesis Corp. v. Mayo Found. for Med. Educ. & Research, 851 F.3d 800, 804 (8th Cir. 2017) (quotation omitted). A claim is plausibly pleaded when its “factual context . . . allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quotation omitted). 1. The Consolidated Complaint alleges that Scottrade breached an express contract, because Kuhns paid for data security services that Scottrade did not provide. Both parties agree that the Brokerage Agreement governed the relationship and incorporated the Privacy Statement. The Privacy Statement represented that, “[t]o protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.” The contract also represented that Scottrade provides Secure Socket Layer encryption. -7- The Consolidated Complaint alleges that Scottrade breached the Brokerage Agreement because it “did not comply with applicable laws and regulations as described herein or otherwise adequately safeguard or protect Plaintiffs’ . . . personal data from being accessed and taken. Scottrade did not maintain sufficient security measures and procedures to prevent unauthorized access.” These assertions do not plausibly allege a breach of contract. First, representations of conditions Scottrade will maintain are in the nature of contract recitals. If Scottrade misrepresented those conditions, Kuhns might have a claim for fraud in the inducement of the contract. But no such claim was asserted. Indeed, there was no alleged misrepresentation, just bare assertions that Scottrade’s efforts failed to protect customer PII. Second, even if the security representations can be construed as promises of contract performance, the lengthy Consolidated Complaint fails to allege a specific breach of the express contract. Plaintiffs do not identify a single “applicable law and regulation” that Scottrade allegedly breached regarding its data security practices.3 Kuhns does not allege that Scottrade affirmatively promised that its customer data would not be hacked, and such a promise may not be plausibly implied. The allegation that “Scottrade did not maintain sufficient security measures and procedures to prevent unauthorized access” does not assert more than the mere possibility of misconduct: it is possible that Scottrade breached the Brokerage Agreement, but we have no idea how. The implied premise that because data was hacked Scottrade’s protections must have been inadequate is a “naked assertion[] devoid of further factual enhancement” that cannot survive a motion to dismiss. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotations omitted). Third, though we have concluded it alleged breach-of-contract injury in fact, the Consolidated Complaint failed to plausibly allege the actual damage that is an 3 Kuhns’s brief on appeal acknowledged that his breach of contract claim “does not specifically rely on Scottrade’s failure to comply with federal law.” -8- element of a breach of contract claim. As described, the hackers stole PII data and used that data in several illegal schemes. But Kuhns does not contest Scottrade’s assertion that no customer affected by the 2013 data breach suffered fraud or identity theft that resulted in financial loss from use of their stolen PII in the more than two years that passed between the data breach and the filing of the Consolidated Complaint. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-08617, 2016 WL 5720370 at *1, *4-5 (N.D. Ill. Oct. 3, 2016). Massive class action litigation should be based on more than allegations of worry and inconvenience. The Complaint alleged that Kuhns overpaid for Scottrade because a portion of its services were for data management and security. But the Brokerage Agreement expressly provided for the purchase and sale of brokerage services in executing securities transactions “on a per order basis.” Given the express terms of this contract, the allegation that the failure of Scottrade’s security measures was a breach of contract that diminished the benefit of Kuhns’s bargain is not plausible. See Gamestop, 833 F.3d at 911-12. 2. Kuhns’s claims for breach of implied contract and unjust enrichment must be dismissed for the same failure to allege plausible claims. Kuhns alleges that Scottrade led him to believe it would protect PII and asserts breach of this implied contract because Scottrade did not take reasonable measures to protect the data. But we are left to guess how Scottrade failed to take “industry leading” security measures. The unjust enrichment claim also fails because, under Missouri and Florida law (one of which governs Kuhns’ claims), a plaintiff cannot recover under an equitable theory such as unjust enrichment when an express agreement covers the same subject matter. See 32nd St. Surgery Ctr., LLC v. Right Choice Managed Care, 820 F.3d 950, 955-56 (8th Cir. 2016); White Constr. Co. v. Martin Marietta Materials, Inc., 633 F. Supp. 2d 1302, 1334 (M.D. Fla. 2009). Kuhns concedes the Brokerage Agreement expressly covered the subject of customer data security. The claim also fails because -9- the Consolidated Complaint “does not allege that any specific portion of [Kuhns’s brokerage services fees] went toward data protection.” Gamestop, 833 F.3d at 912. 3. Kuhns’s bare bones claim for declaratory relief is virtually unintelligible, asking the court to declare that Scottrade must “stop its illegal practices.” Kuhns’s appeal briefs explained that this claim seeks relief regarding Scottrade’s current practices and compliance with the Brokerage Agreement. But the Consolidated Complaint focuses on past conduct, the 2013 data breach, not on Scottrade’s current practices. Kuhns cites no precedent for the notion that the Declaratory Judgment Act provides federal courts with authority to order a party to “obey your contract.” In an action seeking declaratory judgment relief in a contract dispute, “Article III considerations include whether the contractual dispute . . . can be immediately resolved by a judicial declaration of the parties’ contractual rights and duties.” Maytag Corp. v. International Union, UAW, 687 F.3d 1076, 1082 (8th Cir. 2012). At a minimum, this claim does not meet Iqbal’s pleading standard. 4. Finally, Kuhns asserted a claim under the MMPA, a state consumer protection statute. The MMPA provides a private right of action to any person who sustains ascertainable loss in connection with the purchase or lease of merchandise as a result of certain practices declared unlawful. Mo. Rev. Stat. § 407.025(1). The statute supplements the common law definition of fraud. See Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1057 (E.D. Mo. 2009). Section 407.020(1) declares unlawful the use of “any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise.” Kuhns asserts that Scottrade engaged in “fraudulent and deceptive acts and omissions” from its “failure to properly implement adequate, commercially reasonable security measures . . . in the face of Scottrade’s repeated representations and assurances to the contrary,” its failure to warn plaintiffs their information was at -10- risk, and its failure to discover and immediately notify affected customers of the data breach. Kuhns alleges that he suffered “lost money and property as a result of Scottrade’s violations.” This claim must be dismissed for several reasons. First, the allegation that Scottrade engaged in “fraudulent and deceptive acts” is a claim that sounds in fraud that was not pleaded with the particularity required by Rule 9(b) of the Federal Rules of Civil Procedure. See OmegaGenesis, 851 F.3d at 804. Second, to be actionable under the MMPA, the alleged unlawful act must occur in relation to a sale of merchandise, and an ascertainable pecuniary loss must occur in relation to the plaintiff’s purchase or lease of that merchandise. See Grawitch v. Charter Commc’n, Inc., 750 F.3d 956, 960 (8th Cir. 2014); Amburgy, 671 F. Supp. 2d at 1057. While intangible services may qualify as merchandise, Scottrade did not sell data security services; it put data security measures in place to induce customers to voluntarily transfer their PII to Scottrade to obtain its brokerage services. Cf. Amburgy, 671 F. Supp. 2d at 1057-58. The Consolidated Complaint also fails to plausibly allege how failing to discover and notify customers of the data breach qualifies as an unfair or deceptive trade practice under the statute. For the foregoing reasons, the judgment of the district court dismissing the Consolidated Class Action Complaint is affirmed. We deny Kuhns’s untimely motion to dismiss the appeal and the cross appeal. ______________________________ -11-