                 United States Court of Appeals
                            For the Eighth Circuit
                        ___________________________

                                No. 16-3426
                                No. 16-3542
                        ___________________________

    Matthew Kuhns, Individually and on behalf of all others similarly situated

               lllllllllllllllllllll Plaintiff - Appellant/Cross-Appellee

                                          v.

                      Scottrade, Inc., a Missouri Corporation

              lllllllllllllllllllll Defendant - Appellee/Cross-Appellant
                                       ____________

                    Appeals from United States District Court
                  for the Eastern District of Missouri - St. Louis
                                  ____________

                              Submitted: April 5, 2017
                              Filed: August 21, 2017
                                  ____________

Before WOLLMAN and LOKEN, Circuit Judges, and ROSSITER,* District Judge.
                         ____________

LOKEN, Circuit Judge.

      In 2013, hackers accessed the internal database of Scottrade, a securities
brokerage firm based in St. Louis, Missouri. The hackers acquired personal


      *
       The Honorable Robert F. Rossiter, Jr., United States District Judge for the
District of Nebraska, sitting by designation.
identifying information (“PII”) of over 4.6 million Scottrade customers, including
plaintiff Matthew Kuhns, and exploited the information to operate a stock price
manipulation scheme, illegal gambling websites, and a Bitcoin exchange. Kuhns and
three others affected by the data breach brought putative class actions against
Scottrade. After the actions were consolidated in the United States District Court for
the Eastern District of Missouri, plaintiffs filed a Consolidated Class Action
Complaint under the Class Action Fairness Act, 28 U.S.C. § 1332(d), asserting, as
relevant here, claims of breach of contract, breach of implied contract, unjust
enrichment, declaratory judgment, and violation of the Missouri Merchandising
Practices Act (“MMPA”), Mo. Rev. Stat. § 407.025. The district court1 concluded
plaintiffs lacked Article III standing because they had not suffered injury in fact and
dismissed the Consolidated Complaint for lack of subject matter jurisdiction. The
court’s judgment dismissed the Consolidated Complaint with prejudice. Kuhns
appealed, and Scottrade filed a cross-appeal arguing that, even if plaintiffs have
standing, Kuhns failed to state a claim upon which relief can be granted. We
conclude that plaintiffs have Article III standing, at least for their contract-related
claims. We affirm the dismissal with prejudice because the Consolidated Complaint
did not state claims upon which relief can be granted.

                                  I. Background.

       When Kuhns opened a Scottrade account in 2005, he signed a Brokerage
Agreement and provided Scottrade with his name, address, social security number,
tax identification number, telephone number, employer information, and work
history. The Brokerage Agreement provided that Kuhns agreed to pay Scottrade
brokerage fees and commissions for purchases and sales of securities “on a per order


      1
       The Honorable Shirley Padmore Mensah, United States Magistrate Judge for
the Eastern District of Missouri, who was designated to exercise jurisdiction over the
proceedings with the consent of the parties. See 28 U.S.C. § 636(c)(1).

                                         -2-
basis.” Addendum 2 of the Brokerage Agreement was Scottrade’s “Privacy Policy
and Security Statement” describing “how we protect your personal and financial
information that we collect in the course of providing our financial services.”

       The Statement explained that Scottrade collects customers’ PII but will
“maintain physical, electronic and procedural safeguards that comply with federal
regulations to guard your nonpublic personal information,” and “offers a secure
server and password-protected environment . . . protected by Secure Socket Layer
(SSL) encryption.” In addition, the Consolidated Complaint alleges that an Online
Privacy Statement represented: “We comply with applicable laws and regulations
regarding the protection of personal information. . . . We use industry leading security
technologies, including layered security and access controls over personal
information.”2 A document available on Scottrade’s website represented: “We keep
all customer information confidential and maintain strict physical, electronic and
procedural safeguards to protect against unauthorized access to your information.”

       Between September 2013 and February 2014, hackers successfully accessed
Scottrade’s customer databases, extracting the PII of more than 4.6 million Scottrade
customers, including Kuhns. The hackers used the acquired PII to operate a stock
price manipulation scheme and “operated a dozen illegal Internet gambling websites,
and a Bitcoin exchange.” The FBI informed Scottrade of the data breach in August
2015. Scottrade sent affected customers a notice of the data breach on October 2, one
week after the FBI advised Scottrade that it could inform its customers. The notice
explained that customer PII may have been compromised and encouraged customers
to be “vigilant for the next 12 to 24 months and report any suspected incidents of

      2
        The Online Privacy Statement did not apply to Kuhns’s account. It explicitly
stated that “[i]f you are a United States resident . . . how we collect, use, and share
your account information is governed by the Scottrade Privacy Statement. To the
extent that there is a discrepancy between the Online Privacy Policy and the Scottrade
Privacy Statement, you should look to the Scottrade Privacy Statement.”

                                          -3-
fraud.” Scottrade arranged to have customers pre-qualified for one year of identity
repair and protection services “with no enrollment required,” and offered customers
free enrollment in one year of credit monitoring and identity theft insurance.

       Plaintiffs’ Consolidated Class Action Complaint asserted that Scottrade
provided deficient cybersecurity in violation of its “contractual and other
obligations,” resulting in a data breach “by people willing to use the information for
any number of improper purposes and scams, including making the information
available for sale on the black-market.” Kuhns alleged that a portion of the fees paid
in connection with his Scottrade account “were used for data management and
security,” but “one or more data thieves . . . transferred, sold, opened, read, mined and
otherwise used Mr. Kuhns’ PII, without his authorization, to their financial benefit
and his financial and other detriment.” The Complaint alleged that plaintiffs faced
an immediate and continuing increased risk of identity theft and identity fraud;
incurred financial costs of monitoring their credit and financial accounts to mitigate
against that risk; received Brokerage Agreement services diminished in value and
therefore overpaid Scottrade for those services; suffered economic damage from the
decline in value of their PII; and suffered invasion of privacy and breach of
confidentiality.

       Scottrade filed a Motion to Dismiss for lack of subject matter jurisdiction and
for failure to state a claim. The district court granted the Rule 12(b)(1) Motion to
Dismiss for lack of subject matter jurisdiction because plaintiffs did not have standing
to bring their claims. Kuhns (but not the other plaintiffs) appeals that ruling. The
district court did not address Scottrade’s fully briefed Rule 12(b)(6) Motion to
Dismiss for failure to state a claim. Scottrade urges us to affirm the Rule 12(b)(1)
dismissal and in a cross appeal urges us to dismiss for failure to state a claim. With
the appeal fully briefed and awaiting oral argument before this court, Kuhns filed a
motion to voluntarily dismiss his appeal and to dismiss Scottrade’s cross-appeal.
Kuhns argued that the litigation should proceed in a California action filed by

                                          -4-
Kuhns’s attorneys on behalf of a non-appealing co-plaintiff following the district
court’s dismissal, which had been remanded to state court based on the district court’s
ruling that there was no federal subject matter jurisdiction.

                                     II. Standing.

       We review a district court’s dismissal for lack of subject matter jurisdiction de
novo. Diversified Ingredients, Inc. v. Testa, 846 F.3d 994, 995 (8th Cir.), cert.
denied, 2017 WL 1426363 (2017). Like the district court, we consider Scottrade’s
facial attack on jurisdiction based on the face of the Consolidated Complaint and on
other materials necessarily embraced by the pleadings, such as relevant contract
documents. See Zean v. Fairview Health Servs., 858 F.3d 520, 526-27 (8th Cir.
2017). We accept all fact allegations as true, and make all reasonable inferences in
favor of Kuhns. Carlsen v. GameStop, Inc., 833 F.3d 903, 908 (8th Cir. 2016).

       Constitutional standing (as opposed to statutory standing) is a threshold
question that determines whether a federal court has jurisdiction over a plaintiff’s
claims. Article III extends judicial power only to “cases” and “controversies.” This
limitation imposes as an “irreducible constitutional minimum” the burden on plaintiff
Kuhns to establish that he personally “(1) suffered an injury in fact, (2) that is fairly
traceable to the challenged conduct of the defendant, and (3) that is likely to be
redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540,
1547 (2016) (quotation omitted). In this case, the issue is whether Kuhns suffered an
injury in fact, that is, “an invasion of a legally protected interest that is concrete and
particularized and actual or imminent, not conjectural or hypothetical.” Id. at 1548
(quotations omitted); see Clapper v. Amnesty Int’l, USA, 133 S. Ct. 1138, 1147
(2013).

      Though Kuhns asserted, and the parties briefed, additional alleged types of
injury in fact, we conclude he has standing regarding his breach of contract and

                                           -5-
contract-related claims based on allegations that he did not receive the full benefit of
his bargain with Scottrade. Kuhns alleges that a portion of the fees paid in
connection with his Scottrade account were used to meet Scottrade’s contractual
obligations to provide data management and security to protect his PII. When
Scottrade breached those obligations, Kuhns received brokerage services of lesser
value. He asserts that the difference between the amount he paid and the value of the
services received is an actual economic injury that establishes injury in fact for his
contract-related claims.

       We have previously explained that “a party to a breached contract has a
judicially cognizable interest for standing purposes, regardless of the merits of the
breach alleged.” Gamestop, 833 F.3d at 909 (quotation omitted). In Gamestop, a
customer of an online video-game publisher sued the publisher for breach of contract,
alleging the publisher breached its contractual privacy policy by sharing the
customer’s PII with Facebook, and the customer suffered damages in the form of a
devaluation of his subscription. The district court dismissed for lack of subject matter
jurisdiction, concluding the alleged overpayment was not injury in fact. Though we
affirmed the dismissal because plaintiff’s complaint failed to state a claim, we
reversed the district court’s conclusion that plaintiff lacked standing. Noting that “it
is crucial . . . not to conflate Article III’s requirement of injury in fact with a
plaintiff’s potential causes of action,” we concluded plaintiff alleged a concrete and
particularized breach of contract and “actual” injury. Id. (alterations omitted); cf.
Spokeo, 136 S. Ct. at 1551 (Thomas, J., concurring).

       Gamestop is controlling here. Kuhns alleged that he bargained for and
expected protection of his PII, that Scottrade breached the contract when it failed to
provide promised reasonable safeguards, and that Kuhns suffered actual injury, the
diminished value of his bargain. Whatever the merits of Kuhns’s contract claim, and
his related claims for breach of implied contract and unjust enrichment, he has Article



                                          -6-
III standing to assert them. See ABF Freight Sys., Inc. v. Int’l Bhd. of Teamsters, 645
F.3d 954, 960-61 (8th Cir. 2011). We decline to consider the other standing issues.

                            III. Failure to State a Claim.

       “When a district court erroneously dismisses under Rule 12(b)(1) a claim that
is clearly meritless, an appellate court may affirm under Rule 12(b)(6).” GameStop,
833 F.3d at 910 (quotations omitted); see Morrison v. Nat’l Australia Bank Ltd., 130
S. Ct. 2869, 2877 (2010). Because Scottrade filed a cross appeal, we may take up the
Rule 12(b)(6) issue even if it would afford additional relief. See Remijas v. Neiman
Marcus Grp., LLC, 794 F.3d 688, 697 (7th Cir. 2015). We consider whether Kuhns
failed to state a claim because the parties fully briefed the issue on appeal.

       “To survive [a] motion to dismiss for failure to state a claim,” a Complaint
must “alleg[e] sufficient factual matter, accepted as true, to state a claim to relief that
is plausible on its face.” OmegaGenesis Corp. v. Mayo Found. for Med. Educ. &
Research, 851 F.3d 800, 804 (8th Cir. 2017) (quotation omitted). A claim is plausibly
pleaded when its “factual context . . . allows the court to draw the reasonable
inference that the defendant is liable for the misconduct alleged.” Id. (quotation
omitted).

      1. The Consolidated Complaint alleges that Scottrade breached an express
contract, because Kuhns paid for data security services that Scottrade did not provide.
Both parties agree that the Brokerage Agreement governed the relationship and
incorporated the Privacy Statement. The Privacy Statement represented that, “[t]o
protect your personal information from unauthorized access and use, we use security
measures that comply with federal law. These measures include computer safeguards
and secured files and buildings.” The contract also represented that Scottrade
provides Secure Socket Layer encryption.



                                           -7-
       The Consolidated Complaint alleges that Scottrade breached the Brokerage
Agreement because it “did not comply with applicable laws and regulations as
described herein or otherwise adequately safeguard or protect Plaintiffs’ . . . personal
data from being accessed and taken. Scottrade did not maintain sufficient security
measures and procedures to prevent unauthorized access.” These assertions do not
plausibly allege a breach of contract. First, representations of conditions Scottrade
will maintain are in the nature of contract recitals. If Scottrade misrepresented those
conditions, Kuhns might have a claim for fraud in the inducement of the contract.
But no such claim was asserted. Indeed, there was no alleged misrepresentation, just
bare assertions that Scottrade’s efforts failed to protect customer PII.

       Second, even if the security representations can be construed as promises of
contract performance, the lengthy Consolidated Complaint fails to allege a specific
breach of the express contract. Plaintiffs do not identify a single “applicable law and
regulation” that Scottrade allegedly breached regarding its data security practices.3
Kuhns does not allege that Scottrade affirmatively promised that its customer data
would not be hacked, and such a promise may not be plausibly implied. The
allegation that “Scottrade did not maintain sufficient security measures and
procedures to prevent unauthorized access” does not assert more than the mere
possibility of misconduct: it is possible that Scottrade breached the Brokerage
Agreement, but we have no idea how. The implied premise that because data was
hacked Scottrade’s protections must have been inadequate is a “naked assertion[]
devoid of further factual enhancement” that cannot survive a motion to dismiss.
Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotations omitted).

      Third, though we have concluded it alleged breach-of-contract injury in fact,
the Consolidated Complaint failed to plausibly allege the actual damage that is an


      3
       Kuhns’s brief on appeal acknowledged that his breach of contract claim “does
not specifically rely on Scottrade’s failure to comply with federal law.”

                                          -8-
element of a breach of contract claim. As described, the hackers stole PII data and
used that data in several illegal schemes. But Kuhns does not contest Scottrade’s
assertion that no customer affected by the 2013 data breach suffered fraud or identity
theft that resulted in financial loss from use of their stolen PII in the more than two
years that passed between the data breach and the filing of the Consolidated
Complaint. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-08617, 2016 WL
5720370 at *1, *4-5 (N.D. Ill. Oct. 3, 2016). Massive class action litigation should
be based on more than allegations of worry and inconvenience.

       The Complaint alleged that Kuhns overpaid for Scottrade because a portion of
its services were for data management and security. But the Brokerage Agreement
expressly provided for the purchase and sale of brokerage services in executing
securities transactions “on a per order basis.” Given the express terms of this
contract, the allegation that the failure of Scottrade’s security measures was a breach
of contract that diminished the benefit of Kuhns’s bargain is not plausible. See
Gamestop, 833 F.3d at 911-12.

      2. Kuhns’s claims for breach of implied contract and unjust enrichment must
be dismissed for the same failure to allege plausible claims. Kuhns alleges that
Scottrade led him to believe it would protect PII and asserts breach of this implied
contract because Scottrade did not take reasonable measures to protect the data. But
we are left to guess how Scottrade failed to take “industry leading” security measures.
The unjust enrichment claim also fails because, under Missouri and Florida law (one
of which governs Kuhns’ claims), a plaintiff cannot recover under an equitable theory
such as unjust enrichment when an express agreement covers the same subject matter.
See 32nd St. Surgery Ctr., LLC v. Right Choice Managed Care, 820 F.3d 950, 955-56
(8th Cir. 2016); White Constr. Co. v. Martin Marietta Materials, Inc., 633 F. Supp.
2d 1302, 1334 (M.D. Fla. 2009). Kuhns concedes the Brokerage Agreement
expressly covered the subject of customer data security. The claim also fails because



                                         -9-
the Consolidated Complaint “does not allege that any specific portion of [Kuhns’s
brokerage services fees] went toward data protection.” Gamestop, 833 F.3d at 912.

       3. Kuhns’s bare bones claim for declaratory relief is virtually unintelligible,
asking the court to declare that Scottrade must “stop its illegal practices.” Kuhns’s
appeal briefs explained that this claim seeks relief regarding Scottrade’s current
practices and compliance with the Brokerage Agreement. But the Consolidated
Complaint focuses on past conduct, the 2013 data breach, not on Scottrade’s current
practices. Kuhns cites no precedent for the notion that the Declaratory Judgment Act
provides federal courts with authority to order a party to “obey your contract.” In an
action seeking declaratory judgment relief in a contract dispute, “Article III
considerations include whether the contractual dispute . . . can be immediately
resolved by a judicial declaration of the parties’ contractual rights and duties.”
Maytag Corp. v. International Union, UAW, 687 F.3d 1076, 1082 (8th Cir. 2012).
At a minimum, this claim does not meet Iqbal’s pleading standard.

       4. Finally, Kuhns asserted a claim under the MMPA, a state consumer
protection statute. The MMPA provides a private right of action to any person who
sustains ascertainable loss in connection with the purchase or lease of merchandise
as a result of certain practices declared unlawful. Mo. Rev. Stat. § 407.025(1). The
statute supplements the common law definition of fraud. See Amburgy v. Express
Scripts, Inc., 671 F. Supp. 2d 1046, 1057 (E.D. Mo. 2009). Section 407.020(1)
declares unlawful the use of “any deception, fraud, false pretense, false promise,
misrepresentation, unfair practice or the concealment, suppression, or omission of any
material fact in connection with the sale or advertisement of any merchandise.”

      Kuhns asserts that Scottrade engaged in “fraudulent and deceptive acts and
omissions” from its “failure to properly implement adequate, commercially
reasonable security measures . . . in the face of Scottrade’s repeated representations
and assurances to the contrary,” its failure to warn plaintiffs their information was at

                                         -10-
risk, and its failure to discover and immediately notify affected customers of the data
breach. Kuhns alleges that he suffered “lost money and property as a result of
Scottrade’s violations.” This claim must be dismissed for several reasons. First, the
allegation that Scottrade engaged in “fraudulent and deceptive acts” is a claim that
sounds in fraud that was not pleaded with the particularity required by Rule 9(b) of
the Federal Rules of Civil Procedure. See OmegaGenesis, 851 F.3d at 804. Second,
to be actionable under the MMPA, the alleged unlawful act must occur in relation to
a sale of merchandise, and an ascertainable pecuniary loss must occur in relation to
the plaintiff’s purchase or lease of that merchandise. See Grawitch v. Charter
Commc’n, Inc., 750 F.3d 956, 960 (8th Cir. 2014); Amburgy, 671 F. Supp. 2d at
1057. While intangible services may qualify as merchandise, Scottrade did not sell
data security services; it put data security measures in place to induce customers to
voluntarily transfer their PII to Scottrade to obtain its brokerage services. Cf.
Amburgy, 671 F. Supp. 2d at 1057-58. The Consolidated Complaint also fails to
plausibly allege how failing to discover and notify customers of the data breach
qualifies as an unfair or deceptive trade practice under the statute.

      For the foregoing reasons, the judgment of the district court dismissing the
Consolidated Class Action Complaint is affirmed. We deny Kuhns’s untimely motion
to dismiss the appeal and the cross appeal.
                       ______________________________




                                         -11-
