Defending Breach-of-Contract Claims in Data-Breach Litigation

We’ve previously discussed the “overpayment” theory of injury in data-breach litigation.  This theory rests on the premise that the price of a product or service includes a payment for data security measures.  When a data breach happens, buyers allege they have overpaid for the product or service because the seller failed to provide the agreed-upon measures.  

Data-breach plaintiffs have successfully used this theory to overcome standing challenges brought by defendants under Rule 12(b)(1). 

Today’s post examines a recent federal appellate decision that shows how data-breach lawsuits premised on overpayment theories—which often assert claims sounding in contract—still face an uphill battle under Rule 12(b)(6). 

In that decision—a boon for data-breach defendants—the Eighth Circuit employed a demanding test for the pleading of facts that give rise to an overpayment claim.

Promises Made to Be Broken? 

Kuhns v. Scottrade arose after hackers accessed the internal customer database of Scottrade, a securities brokerage firm. The hackers acquired sensitive personal information of over 4.6 million customers. They then used that personal information to operate a stock price manipulation scheme, illegal gambling websites, and a bitcoin exchange. 

The plaintiffs—Scottrade customers whose personal information was accessed by the hackers—sued Scottrade in federal court in Missouri. Their complaint asserted claims for breach of express and implied contract.

According to the plaintiffs, a portion of the fees they paid to Scottrade for brokerage services was to be used for data management and security. To that end, the plaintiffs pointed to representations that Scottrade made as part of their brokerage agreements. 

Those agreements included a “Privacy and Security Statement” in which Scottrade represented that it would:

  • “maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information;” and
  • “offer[ ] a secure server and password-protected environment . . . protected by Secure Socket Layer (SSL) encryption.”

The plaintiffs alleged that the hack occurred because Scottrade didn’t live up to these promises.

For damages, the plaintiffs sought “the monetary difference between the amount paid for services as promised…and the services actually provided.”

The district court dismissed the complaint for lack of standing. It concluded that the plaintiffs’ “conclusory” allegations that they had been deprived of the benefit of data management and security services they paid for when they opened their accounts did not constitute a sufficiently concrete injury.

Overpayment = Concrete Injury

On appeal, the Eighth Circuit rejected that analysis. The Eighth Circuit pointed to an earlier data-privacy decision involving claims premised on an overpayment theory.  In that case, the court held that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.” 

The Scottrade plaintiffs satisfied that test. Their complaint alleged that they bargained for and expected protection of their personal information, and suffered a diminished value of that bargain when Scottrade failed to prevent the data breach.  Thus, the Eighth Circuit concluded, the plaintiffs had standing to assert the breach of contract claims, “whatever the merits” might be of those claims.

Show Me the Breach

As to the merits, Scottrade argued that even if the plaintiffs had standing, their contract claims that relied on the overpayment theory should still be dismissed under Rule 12(b)(6).

Scottrade argued that the plaintiffs did not allege any specific facts to establish that Scottrade breached its promises regarding data security. To that end, Scottrade observed, the plaintiffs hadn’t alleged any specific security measures that Scottrade had promised but failed to implement.  Nor had they specified any particular laws with which Scottrade’s data security practices failed to comply. 

Data Breach ≠ Contract Breach (necessarily)

The Eighth Circuit agreed with Scottrade.

It concluded that the plaintiffs had failed to allege any specific breach of the security representations in the brokerage agreement.   To that end, the court observed that:

  • the plaintiffs did not identify any specific law or regulation that Scottrade’s data security practices violated; and
  • Scottrade never affirmatively promised that its customers’ data would not be hacked.

Acknowledging that the complaint presented the “possibility” of misconduct, the court nonetheless held that more was required: “It is possible that Scottrade breached the Brokerage Agreement, but we have no idea how.” 

Critically, the court concluded that the mere fact that a data breach occurred could not supply the requisite factual basis for the breach of contract claims. It explained that “the implied premise that because data was hacked Scottrade’s protections must have been inadequate” amounted to a “naked assertion devoid of further factual enhancement” that could not survive a motion to dismiss under the Supreme Court’s ruling in Ashcroft v. Iqbal.

The court thus affirmed the district court’s dismissal of the action, albeit under Rule 12(b)(6) rather than Rule 12(b)(1).

Lessons for Litigants

The holding in Scottrade will be a welcome addition to data-breach defendants’ Rule 12(b)(6) arsenal.

It suggests that data-breach plaintiffs who rely on an “overpayment” theory must allege specific facts not only about the data security promises for which they paid, but also about the specific ways in which a defendant’s practices failed to live up to those promises.

And just as importantly, the decision makes clear that neither conclusory allegations of broken security promises, nor the mere fact of a data breach, are sufficient to satisfy that burden.

Author: Alex Pearce

Does the Fair Credit Reporting Act Preempt State-Law Claims for Unfair and Deceptive Trade Practices?

In cases that involve claims brought under North Carolina’s Unfair and Deceptive Trade Practices Act, an often overlooked issue is whether federal law preempts the 75-1.1 claim.

In a case of apparent first impression, a federal district court in North Carolina recently ruled that the federal Fair Credit Reporting Act (FCRA) can preempt a 75-1.1 claim, at least where there is no evidence that the defendant’s acts were willful or malicious.

Equifax doesn’t report the bankruptcy discharge of a consumer’s debt

Myrick v. Equifax Information Services, LLC involves a consumer whose obligations under a mortgage had been discharged in bankruptcy. The consumer alleged that Equifax failed to properly report the status of the debt on the consumer’s credit report. Equifax was reporting that the consumer’s loan payments were past due, but did not note the discharge of the obligation.

The consumer disputed the report with Equifax through Equifax’s website. The consumer asserted that the credit report should reflect the discharge.

After Equifax received the dispute, Equifax contacted the bank that had extended the credit line and attempted to verify the status of the debt. The bank indicated that the consumer had an open account. The bank did not verify to Equifax that the account had been discharged. Equifax then informed the consumer that Equifax believed that the account reporting was correct.

Several months later, the consumer sent a dispute letter to Equifax. In the letter, the consumer reiterated that this debt had been discharged.  The consumer also attached a copy of the bankruptcy court’s order of discharge. As is typical, the discharge order did not specifically identify the bank’s debt.  The order further indicated that the bankruptcy had discharged at least some of the consumer’s debts, but may not have discharged all of them.

In response to the letter, Equifax requested that the consumer “be specific with [his] concerns by listing the names, numbers, and the nature of the dispute.”

The consumer sues Equifax for its reporting and dispute investigation procedures

The consumer did not provide the information requested. Instead, the consumer sued both the bank and Equifax in the United States District Court for the Eastern District of North Carolina. The lawsuit alleged that the companies violated both the FCRA and section 75-1.1.

The FCRA is a federal statutory scheme that governs the reporting of consumer debt. The FCRA imposes statutory duties on consumer reporting agencies about how they maintain and report consumer credit histories. The FCRA creates a private right of action, and provides for the recovery of actual damages, for the negligent or willful violation of any duty that the statute imposes. An aggrieved consumer can also recover punitive damages, but only if the consumer can prove that the reporting agency was willfully non-compliant.

After the consumer filed the lawsuit, the bank verified to Equifax that the debt had been discharged and settled with the consumer.  The consumer and Equifax proceeded to litigate the matter.  At the conclusion of discovery, Equifax moved for summary judgment.

Senior District Judge W. Earl Britt partially denied summary judgment as to the FCRA claims, but granted summary judgment to Equifax on the 75-1.1 claim.

The consumer alleged that Equifax violated the FCRA through both its procedures for preparing credit reports, and for conducting post-dispute investigations. As to its investigation, the consumer contended that Equifax had an independent duty to verify that the disputed debt had been discharged once Equifax received notice of the general bankruptcy discharge.

Judge Britt determined that the evidence was insufficient to make out a FCRA violation for Equifax’s original credit reporting, but denied summary judgment as to the FCRA claim premised on Equifax’s post-dispute investigation procedures. The judge did not believe that the consumer forecast sufficient evidence of willful non-compliance to take a punitive-damages claim to a jury.

The FCRA preempts the consumer’s 75-1.1 claim

Equifax also sought summary judgment on the 75-1.1 claim. Equifax argued that the 75-1.1 claim was preempted by the FCRA. The FCRA broadly limits consumers from bringing a suit against a reporting agency under state law “except as to false information furnished with malice or willful intent to injure such consumer.”

In a decision of apparent first impression, Judge Britt determined that the FCRA preempted the 75-1.1 claim in this particular case because Equifax’s conduct was, at most, negligent. In his decision, Judge Britt referenced Congress’s intent to allow state-law claims only in very narrow circumstances. Because the consumer failed to forecast any malice or willful intent to injure by Equifax, the consumer could not maintain his state-law claim for unfair and deceptive trade practices.

As Myrick shows, preemption can be a powerful way for a defendant to eliminate potential treble-damages liability under a state unfair and deceptive practices statute. The FCRA is one of a few federal statutes with an express preemption statute. Defendants have been successful, however, in arguing that other federal statutes regulate conduct so pervasively as to impliedly preempt state-law claims.

Myrick is a reminder that plaintiffs and defendants alike should consider potential preemption arguments where federal statutes or regulations may also regulate conduct that allegedly violates section 75-1.1.

Author: George Sanderson

How Variations in the Law on Deceptive Conduct Can Affect Litigation Strategy

North Carolina is not the only jurisdiction with a statute that prohibits deceptive conduct. These statutes, however, are not identical.

Today’s post shows how the variations among these statutes can affect litigation strategy.

The recent decision in Greene v. Gerber Products Co. provides the backdrop. Greene is a putative class action about advertisements and marketing for baby formula. The plaintiffs claim that Gerber falsely advertised that its formula reduces the risk that infants will develop allergies.

Greene features three sets of putative named plaintiffs. The plaintiffs bought the formula in three different states: Ohio, New York, and North Carolina. Each plaintiff alleged a violation of the statutory prohibition on deception in the state of purchase (for North Carolina, N.C. Gen. Stat. § 75-1.1). The plaintiffs sued Gerber in federal court in New York.

Gerber moved to dismiss. Its arguments for dismissing the statutory claims, however, varied significantly as to each set of plaintiffs.

Our inquiry: if the plaintiffs all alleged basically the same facts, and if each state prohibits deceptive advertisements, why do the arguments vary so much?

Good Start, but Bad Ending

Gerber sells a line of baby formula called “Good Start.” The plaintiffs took issue with statements on the label of this formula and with certain print and television advertising. Good Start contains partially hydrolyzed whey protein, an ingredient that Gerber claimed reduces the risk of developing allergies.

The plaintiffs alleged that these claims are false or deceptive. They then alleged that, when they decided to buy Good Start, they reviewed the representations about the formula’s alleged effects on allergies. They further alleged that Gerber used those statements to lure the plaintiffs—and all putative class members—to pay an inflated price.

Three Statutes, Three Sets of Arguments

Gerber moved to dismiss the statutory claims under Ohio, New York, and North Carolina law.

  1. Ohio

The Ohio plaintiffs alleged a violation of the Ohio Consumer Sales Practice Act. To pursue a class action under that act, a plaintiff must show that the defendant had notice that the alleged violation is substantially similar to an act or practice previously declared to be deceptive.

Gerber argued that it never had the required notice. In response, the plaintiffs argued that Gerber did have notice, based on (a) a rule promulgated by the Ohio attorney general, and (b) certain consent decrees between the attorney general and parties that allegedly made false health claims. The court agreed with Gerber, concluding—without getting into the weeds—that neither the rule nor the consent judgments count as prior determinations of deceptive conduct.

The court also dismissed the Ohio plaintiffs’ claims under the Ohio Deceptive Trade Practices Act. That act has mainly been interpreted as an analogue of the federal Lanham Act—and therefore does not confer standing on consumers.

Notably, Gerber’s arguments as to the Ohio plaintiffs have no application to a section 75-1.1 claim. Consumers can sue under section 75-1.1, and there’s no notice requirement for a class action.

  2. New York

The New York plaintiffs sued for violation of New York General Business Law § 349, which prohibits deceptive acts or practices against consumers. Gerber primarily argued that the New York plaintiffs couldn’t make out a violation of this statute because the plaintiffs didn’t suffer an actual injury, which section 349 requires.

The court disagreed. The complaint alleged that the New York plaintiffs would have purchased less-expensive formula but for the statements about allergies. That theory was sufficient, the court concluded, because it reflected a loss of money directly connected to an allegedly deceptive statement.

Would a “no injury” argument have fared better for an alleged violation of section 75-1.1? In 75-1.1 jurisprudence, courts have tended to refer to this issue as one of “standing.”  Courts have dismissed section 75-1.1 claims for failing to connect allegedly unfair or deceptive conduct to a real injury.

  3. North Carolina

Gerber, however, didn’t seek dismissal of the 75-1.1 claim in Greene based on an absence of injury. Instead, Gerber turned to a relatively recent line of cases that require a misrepresentation-based claim under section 75-1.1 to be pleaded with particularity.

The plaintiffs, citing earlier caselaw, argued against the particularity requirement.

The court then sidestepped the issue. It ruled that, even if the law requires particularity, the plaintiffs had satisfied that requirement. The court showed that the complaint:

  • specified and attached the alleged misrepresentations,
  • described where the misrepresentations were located,
  • explained why the statements were false or deceptive, and
  • included a statement of the plaintiffs’ reliance on the statements.

Interestingly, Gerber did not seek dismissal of the 75-1.1 claim based on the economic-loss rule. That tactical decision could be because of recent decisions about the interplay between that doctrine and section 75-1.1.

Know Your Geography

Gerber offers a vivid example of the havoc that a multistate consumer class action can wreak. Even when the case involves fundamentally a single fact pattern, state-by-state differences in the law on deceptive trade practices mean that a defendant that wants to file a Rule 12(b)(6) motion can raise a deluge of arguments.

That deluge, of course, can drown a reader. These cases therefore require careful strategic and tactical decisions in selecting the best arguments. Those decisions, in turn, call for a deep understanding of the law in each relevant state.

Plaintiffs, too, face hard decisions in (a) selecting which state’s law on deceptive conduct might be the best for a putative class action, and (b) crafting a complaint to anticipate the Rule 12(b)(6) arguments to come.

On top of these considerations, both plaintiffs and defendants in consumer class actions must assess the extraterritorial effect of statutory prohibitions on deceptive conduct, as well as questions of personal jurisdiction.

As these points show, there’s simply no magic bullet—for any party—in multistate claims about deceptive conduct. Even if a single theme might apply across all claims, the claims themselves might turn on different elements and defenses, and attention to these nuances can determine success or defeat.

Author: Stephen Feldman