ST. LOUIS (Legal Newsline) - A Missouri federal judge has dismissed a group of class action lawsuits brought against retail brokerage firm Scottrade over a data breach the company discovered last year.
Judge Shirley Padmore Mensah said in her July 12 memorandum and order that the plaintiffs’ allegations were too speculative.
“Here, although Plaintiffs have alleged that the hackers accessed Plaintiffs’ PII (personal identifying information) and used that PII for certain illegal business enterprises, Plaintiffs do not allege any of the PII stolen in the breach has been used to commit any identity theft, fraud, or any other act that has resulted in harm to any plaintiff,” Mensah wrote in the 19-page ruling. “Nor do Plaintiffs allege any facts that suggest that the hackers intend to commit identity theft, fraud, or any other act that would result in harm to any plaintiff.”
The judge said she couldn’t determine whether the plaintiffs will suffer harm in the future without engaging in “considerable speculation” about the hackers’ possible intentions and future actions.
“Plaintiffs will suffer harm only if the hackers actually intend to use Plaintiffs’ PII to commit identity theft, fraud, or some other act that might harm Plaintiffs; if the hackers attempt to use the PII to commit such identity theft, fraud, or other act; if they actually succeed in doing so; and if the identity theft, fraud, or other act causes harm to Plaintiffs,” she wrote.
Mensah said because of the “uncertainty,” she couldn’t find that the plaintiffs face any harm that is “certainly impending.”
“This conclusion is strengthened by the fact that more than two years have passed since the original data breach without a single alleged instance of identity theft or fraud involving any of Defendant’s customers,” the judge noted.
The defendant, Scottrade, is a privately owned financial firm headquartered in Town and Country, Missouri. The firm provides brokerage, banking and retirement planning services to individuals and businesses.
In October 2015, Scottrade was notified by federal law enforcement officials that a breach in the company’s network occurred between late 2013 and early 2014, targeting client names and street addresses.
Contact information was the focus on the incident, the firm said in a statement; however, Social Security numbers, email addresses and other sensitive data in the system were accessed.
Scottrade said it had no reason to believe that its trading platforms or any client funds were compromised.
In response, the firm conducted an internal data forensics investigation into the incident with assistance from a leading computer security firm and took “additional steps” to strengthen its network defenses.
“We appreciate and value the trust you place in us,” Scottrade said in a statement last year. “We are very sorry that this happened and for any uncertainty or inconvenience this has caused. We know that incidents like these are frustrating and we want to keep you informed about what our forensic investigation has revealed.”
Soon after the firm announced the data breach, several of its customers filed putative class action lawsuits based on the breach.
The first was filed in the U.S. District Court for the Southern District of California, then two in the Missouri federal court, and another in the U.S. District Court for the Middle District of Florida. All four were later consolidated before Mensah.
In February, the plaintiffs filed their consolidated class action complaint.
In their complaint, the plaintiffs alleged they suffered several categories of injury or harm related to the data breach: (a) increased risk of identity theft and identity fraud; (b) the financial and/or temporal cost of monitoring their credit, monitoring their financial accounts, and mitigating their damages; (c) failure to receive the full benefit of their bargain as a result of receiving brokerage and financial services that were less valuable than what they paid for; (d) deprivation in the value of their personal information; and (e) invasion of privacy and breach of the confidentiality of their personal information.
Scottrade, in response, argued that none of the alleged harms constituted an injury in fact that is “actual” or “imminent.”
The firm argued that the majority of courts faced with similar allegations have found such alleged harms too speculative or abstract to satisfy the injury in fact requirement.
Mensah agreed, pointing to the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International USA.
The Supreme Court dismissed the case by following the federal government’s argument that “the claims of the challengers that they were likely to be targets of surveillance were based too much on speculation and on a predicted chain of events that might never occur, so they could not satisfy the constitutional requirement for being allowed to sue.”
“Respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending,” Justice Samuel Alito wrote in the majority opinion.
The Scottrade plaintiffs argued that instead of relying on Clapper and similar cases, the federal court should rely on the U.S. Court of Appeals for the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group LLC.
The federal appeals court, in its July 2015 ruling, found that the risk of harm to the 300,000-plus people whose credit card numbers were exposed as a result of a 2014 data breach suffered by Neiman Marcus was “very real and immediate.”
But Mensah wasn’t buying it.
“The 9,200 fraudulent charges in Remijas demonstrated that the hackers in that case intended to use, were capable of using, and were actually using the stolen data to create fraudulent credit card charges as to some cardholders, which significantly increased the likelihood that they intended to do the same with regard to the remaining cardholders and would be capable of doing so,” the judge wrote. “That fact distinguishes Remijas from the instant case, in which more than two years have passed with no incidents of identity theft or other actual harm to the individuals whose PII was taken.”
Mensah dismissed the case without prejudice, meaning that the plaintiffs can file an amended complaint.
From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.