First Circuit Rejects Claim of Inadequate Privacy Protection as Too Speculative
In a putative class action, the U.S. Court of Appeals for the First Circuit dismissed breach of contract, misrepresentation and privacy law claims against a financial services company alleging a failure to protect sensitive personal information, holding that the plaintiff did not allege any actual harm but only speculated that her data might be stolen and misused in the future.
Customer Claimed Third Party Protection Was Inadequate
Defendant Pershing, LLC sells brokerage execution, clearance, and investment products and services to other financial organizations. Its customers are broker-dealers and investment advisors that trade securities for their clients. One of its services is NetExchangePro, an electronic platform through which subscribing financial organizations (“introducing firms”) can manage brokerage accounts on the Internet. When an introducing firm uses NetExchangePro, its employees can access information about its customers’ accounts. The introducing firm can make its customers’ non-public personal information (“NPPI”), including Social Security Numbers, accessible to authorized employees on NetExchangePro, such as investment consultants.
Plaintiff Brenda Katz had a brokerage account at National Planning Corporation (“NPC”), an introducing firm that used the NetExchangePro service. NPC and Pershing were parties to an agreement governing their use of customers’ information. Because NPC made its customers’ account information accessible in NetExchangePro, Katz and other NPC customers received a disclosure statement from Pershing about the relevant provisions of the agreement.
Katz alleged that Pershing did not adequately protect her NPPI, because authorized end-users could access and store her unencrypted data “at home and elsewhere, twenty-four hours a day and seven days a week,” which could then be accessed by hackers. She also claimed that Pershing failed to monitor unauthorized access and used inadequate methods for end-user authentication. Katz at 4.
Katz filed a putative class action in federal court, based on diversity and claiming more than $5,000,000 in damages. She claimed breach of contract, breach of implied contract, negligent breach of contractual duties, and violation of Massachusetts consumer protection laws. Pershing moved to dismiss for lack of standing and failure to state a claim. The district court granted the motion, and Katz appealed.
Standing to Sue
As the court explained, there are two types of standing: constitutional and statutory. Under Article III of the Constitution, a plaintiff must establish injury, causation, and redressability. Injury must be “an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.” Katz at 7 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). Causation must show a direct connection between the challenged action and the injury. Redressability requires a showing that a favorable outcome would likely redress the alleged harm. The prudential aspect of standing requires a claim not to be “merely a generalized grievance.” Id. at 8 (quoting Pagán v. Calderón, 448 F.3d 16, 27 (1st Cir. 2006)). The parties and the court agreed that New York law governed the breach-of-contract claim, while Massachusetts law governed the other claims.
Plaintiff Not a Third Party Beneficiary
The district court ruled that Katz lacked standing to bring her claims for breach of an express and implied contract, and negligent breach of contractual duties, because she had no contract with the defendant. Katz was not a party to the agreement between NPC and Pershing, but argued that she was an intended third-party beneficiary of the agreement between the two companies, which required Pershing to protect NPC’s confidential information. The First Circuit rejected this argument, noting that the agreement explicitly excluded third-party beneficiaries, including NPC’s customers. The court found that New York law clearly upholds such express negations in contracts. The court similarly rejected Katz’s breach of implied contract and negligent breach of contract claims under Massachusetts law.
Plaintiff’s Injuries Were Hypothetical
Katz brought claims under Massachusetts consumer protection laws against false promises and misrepresentation. Mass. Gen. Laws Chs. 93A & 93H. Before considering the merits of her claims, the court considered whether she had standing to sue under those laws, noting that:
In order to maintain a suit, a plaintiff must both suffer a cognizable injury and locate herself within the designated group who can sue for redress. The Supreme Court has decreed that federal courts normally must decide whether a particular plaintiff has constitutional standing before considering that plaintiff’s statutory standing.
(i) the defendant’s services are of a lesser value than promised, thus depriving her of the “benefit of the bargain” [citation omitted]; (ii) the defendant’s statements have induced her to pay higher fees for NPC’s services than she otherwise would have paid; (iii) the defendant’s failure to provide notice of security breaches as required by law has injured her; (iv) the defendant’s inability to furnish legally required privacy protections has necessitated her purchase of identity theft insurance; and (v) that inability has exposed her to a substantial risk of future data insecurity.
Id. at 18–19. Katz’s first and second allegations were premised on claims of false advertising under Ch. 93A. She claimed that she paid more than the service was worth because her data was not as secure as advertised.
The court held that Katz lacked standing for this claim because, among other things, she failed to show a causal relationship between her alleged overpayment and Pershing’s purportedly misleading statements. If she was overcharged, it was due to actions by NPC, not Pershing, the court observed. Therefore, she did not suffer an injury traceable to Pershing’s actions, and lacked standing.
Katz claimed Pershing violated Ch. 93H because she was not notified of unidentified security breaches and because Pershing allegedly failed to follow encryption protocols, necessitating her purchase of identity theft insurance, and exposing her personal information to possible misappropriation.
Chapter 93H authorizes state agencies to adopt privacy rules and regulations requiring businesses to insure the security and confidentiality of customer information; protect against anticipated threats or hazards to such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The law also requires customer notification in the event of unauthorized access or use of their personal information.
Katz claimed that she had been injured by Pershing’s failure to notify her of security breaches. Her complaint, however, did not allege that her NPPI was actually accessed by an unauthorized user, but only that a “massive number of breaches of security have invariably occurred,” exposing the NPPI of unspecified people. Id. To have standing, Katz had to show that she personally was injured, not that injury was suffered by other unidentified class members, the court wrote. The court observed that “an allegation that someone has failed to meet some legal requirement, without more, is insufficient to confer Article III standing,” and held that she lacked Article III standing for this claim. Id. at 25.
The court also rejected Katz’s assertion that she was injured by having to buy identity theft insurance and credit monitoring services. The court found that Katz was not impelled by an actual or imminent threat, but merely a speculative one based on the remote possibility that her NPPI might someday be stolen. The court wrote: “Her cause of action rests entirely on the hypothesis that at some point an unauthorized, as-yet unidentified, third party might access her data and then attempt to purloin her identity.” Id. at 27. “Given the multiple strands of speculation and surmise from which the plaintiff’s hypothesis is woven,” the court observed, Katz did not make a sufficient claim for standing. Id. at 28.
Circuit Split on Standing for Loss of Information
Finally, the court turned to Katz’s assertion that Pershing’s failure to follow privacy regulations increased her risk of harm from data loss. The court noted a split in the circuits on this issue, writing, “[t]he courts of appeals have evidenced some disarray about the applicability of this sort of ‘increased risk’ theory in data privacy cases.” Katz at 28.
The court cited Reilly v. Ceridian Corp., 664 F.3d 38, 43–46 (3d Cir. 2011) (no injury where information was accessed but not misused); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (injury found following theft of laptop with personal information); and Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (finding injury on claim that the plaintiff’s information was accessed by a malicious hacker).
For more information about Reilly, see New Jersey District Court Holds Risk of Identity Theft from Security Breach Does Not Confer Standing, Bloomberg Law Reports® – Privacy Law Reports, Vol. 4, No. 4 (Apr. 4, 2011). For a detailed discussion of Krottner, see Ninth Circuit Holds Threat of Identity Theft from Information Security Breach Is an Injury, Bloomberg Law Reports® – Privacy Law Reports, Vol. 4, No. 1 (Jan. 5, 2011).
The court concluded that despite their diverse outcomes, the cases shared the fact that plaintiffs’ data actually had been accessed by an unauthorized third party. Katz, on the other hand, alleged only that someone might access her data, which could lead to identity theft. “Thus, the risk of harm that she envisions is unanchored to any actual incident of data breach. This omission is fatal [to Article III standing],” the court held. Id. at 29. In conclusion, the court observed:
The innovations and problems of the electronic age have created new challenges for the courts. But venerable principles of our jurisprudence can guide us on this frontier. This case is illustrative: the plaintiff has asserted a litany of novel harms under freshly inked laws, but the irreducible minimum requirements of pleading and Article III doom her case.
Id. at 30. Accordingly, the court affirmed the district court’s dismissal of all the plaintiff’s claims.
©2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.