September 01, 2017 Practice Points

Complaint in Cybersecurity Case Dismissed

By Leonard Wills

On August 21, 2017, in Kuhns v. Scottrade, the U.S. Court of Appeals for the Eighth Circuit dismissed a data breach complaint for failure to state a sufficient cause of action.

The court cited the U.S Supreme Court ruling in Spokeo v. Robins (2016), and Carlsen v. GameStop (2016), a case in its own circuit, as controlling. In both cases, each federal court dismissed the plaintiff's claims for failure to show a concrete harm. Spokeo held that a plaintiff must show an "injury-in-fact" and must also show a "concrete harm." In GameStop, the Eighth Circuit held that a plaintiff must show a "concrete and particularized" breach of contract and an "actual injury"—not simply a potential cause of action.

The Eighth Circuit found that Kuhns had standing to bring breach-of-contract claims against Scottrade. In the Scottrade Brokerage Agreement, a privacy statement declared "the company complies with federal regulations and offers a secure server and a password protection environment and uses Secure Socket Layer (SSL) encryption." A portion of fees paid to Scottrade "were for data management and security." When the cyber-attack occurred Scottrade breached its contractual obligations, and Kuhns received "brokerage services of lesser value."

Ultimately, however, the court dismissed the case. As in Spokeo and GameStop, the court ruled that Kuhns made "bare assertions" that Scottrade misrepresented its contractual obligations; he failed to show how he suffered harm from the alleged contract breach. The court reasoned that "the implied premise that because data was hacked Scottrade's protections must have been inadequate is a 'naked assertion devoid of further factual enhancement," and cannot survive a motion to dismiss.

With an increase of cyber-attacks, plaintiff attorneys must use effective legal strategies to show how a data breach harmed their client. Failure to do so, will result in successful motions to dismiss from opposing counsel. Corporate entities must continue to leverage and implement best practices for privacy and cybersecurity requirements to ensure that data remains protected from cyber-attackers and to avoid lawsuits.

Leonard Wills is a city council fellow in Washington, D.C.