ST. LOUIS — The U.S. Court of Appeals for the Eighth Circuit has affirmed the dismissal of a class-action suit against securities brokerage firm Scottrade over hacking that occurred in 2013.
According to the ruling filed on Aug. 21, hackers acquired personally identifying information (PII) of more than 4.6 million customers and exploited the data to operate a stock price manipulation scheme, illegal gambling websites and a Bitcoin exchange.
Among customers whose information was hacked included Matthew Kuhns, who was named lead plaintiff in litigation that was consolidated at federal court in St. Louis and brought under provisions of the Class Action Fairness Act.
U.S. Magistrate Judge Shirley Padmore Mensah presided over the case and concluded that the plaintiffs lacked Article III standing, meaning the party seeking to sue must have personally suffered actual or threatened injury. Mensah found that the plaintiffs had not suffered any injury and dismissed the case for lack of subject matter jurisdiction.
The appeals court ruling indicates that after Kuhns appealed, Scottrade filed a cross appeal, arguing that even if the plaintiffs had standing, they failed to state a claim upon which relief can be granted.
"We conclude that [the] plaintiffs have Article III standing, at least for their contract-related claims," according to the appellate court ruling. "We affirm the dismissal with prejudice because the consolidated complaint did not state claims upon which relief can be granted."
While the hacking occurred in 2013, Scottrade did not become aware of the breach until the FBI informed the company in August 2015. In response, Scottrade notified customers on Oct. 2, 2015, one week after the FBI said it could inform customers, the ruling states.
The notice encouraged customers to be vigilant for 12 to 24 months and arranged for identity repair and protection services “with no enrollment required” and offered free enrollment in credit monitoring and identity theft insurance.
Among other things, the lawsuit claimed Scottrade provided deficient cyber security in violation of its contractual obligations.
The three-judge panel for the Eighth Circuit included judges Roger Wollman, James Loken and Robert Rossiter, a district judge from the District of Nebraska sitting by designation.
The panel came down on the plaintiffs for the failure to state a claim on allegations of breach of express contract, breach of implied contract and unjust enrichment, declaratory relief and violations of the Missouri Merchandising Practices Act.
Loken said in the decision that the consolidated complaint failed to plausibly allege the actual damage that is an element of a breach of contract claim.
"As described, the hackers stole PII data and used that data in several illegal schemes," Loken wrote. "But Kuhns does not contest Scottrade’s assertion that no customer affected by the 2013 data breach suffered fraud or identity theft that resulted in financial loss from use of their stolen PII in the more than two years that passed between the data breach and the filing of the consolidated complaint."