United States Court of Appeals
For the First Circuit
No. 11-1983
BRENDA KATZ,
Plaintiff, Appellant,
v.
PERSHING, LLC,
Defendant, Appellee.
APPEAL FROM THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF MASSACHUSETTS
[Hon. Richard G. Stearns, U.S. District Judge]
Before
Selya, Circuit Judge,
Souter,* Associate Justice,
and Lipez, Circuit Judge.
Stephen J. Calvacca, with whom Susan L. Moran and Law Offices
of Calvacca Moran were on brief, for appellant.
Stephen L. Ratner, with whom Margaret A. Dale, Jason D.
Gerstein, Scott Harshbarger, and Proskauer Rose LLP were on brief,
for appellee.
February 28, 2012
* Hon. David H. Souter, Associate Justice (Ret.) of the Supreme
Court of the United States, sitting by designation.
SELYA, Circuit Judge. Plaintiff-appellant Brenda Katz
insists that defendant-appellee Pershing, LLC failed to protect
sensitive nonpublic personal information as it was obligated to do
under both contract and consumer protection laws. To vindicate
this concern, she sued the defendant on her behalf and on behalf of
others similarly situated. The district court dismissed her
putative class action. Her appeal of that order requires us to
examine both abecedarian principles of Article III standing and
assorted provisions of state substantive law.
As a general matter, class action litigation has kept
pace with rapid technological advances. But there are limits —
constitutional, prudential, and doctrinal — to how far a class
action plaintiff may extend the zone of liability. In this case,
the plaintiff's reach exceeds her grasp. We conclude that, despite
the dire forebodings expressed in her complaint, she not only has
failed to state any contractual claim for relief but also lacks
constitutional standing to assert a violation of any arguably
applicable consumer protection law. Consequently, we affirm the
district court's order of dismissal.
I. BACKGROUND
Because this case was decided below on a motion to
dismiss, we rehearse the facts as revealed by the complaint and the
documents annexed thereto. See SEC v. Tambone, 597 F.3d 436, 438
(1st Cir. 2010) (en banc).
The defendant is a Delaware limited liability company.
Its single member is a Delaware corporation that maintains its
principal place of business in New York. The defendant sells
brokerage execution, clearance, and investment products and
services to other financial organizations. Its customers are
typically registered broker-dealers and investment advisers that
trade securities on behalf of their clients.
One of the services that the defendant offers is called
NetExchange Pro. This is an electronic platform that gives
subscribing financial organizations (introducing firms) an
interface for obtaining research and managing brokerage accounts
via the Internet. When an introducing firm uses NetExchange Pro,
end-users (employees of the introducing firm, such as investment
consultants) can use the service to access remotely a wealth of
information about market dynamics and customer accounts.
The introducing firm may make its clients' nonpublic
personal information, including social security numbers and
taxpayer identification numbers, accessible to certain authorized
end-users in NetExchange Pro. Some of the defendant's employees
also have access to this information.
The plaintiff is a citizen of Massachusetts. She
maintains a brokerage account at National Planning Corporation
(NPC), one of the introducing firms that uses the NetExchange Pro
service. NPC and the defendant are parties to a clearing agreement
(the Agreement), which governs their rights and responsibilities
with respect to the service and the associated data. Because NPC
has made its customers' account information accessible in
NetExchange Pro, the plaintiff, like all NPC customers, has
received a disclosure statement from the defendant alerting her to
the provisions of the Agreement.
As evinced in her complaint, the plaintiff's concern is
that her nonpublic personal information has been left vulnerable to
prying eyes because it is inadequately protected by the defendant's
service. She asserts, among other things, that authorized end-
users can access and store her data at home and elsewhere, twenty-
four hours a day and seven days a week, in unencrypted form; that
the data, once saved by an authorized user, can potentially be
accessed by hackers or other third parties; that the defendant
fails adequately to monitor unauthorized access to her information;
and that it employs inadequate methods for end-user authentication.
With these concerns velivolant, the plaintiff filed a
putative class action against the defendant in the United States
District Court for the District of Massachusetts. Citing the Class
Action Fairness Act of 2005 (CAFA), 28 U.S.C. §§ 1332(d), 1453,
1711-1715, she invoked the district court's original jurisdiction
by alleging diversity of citizenship between the defendant and at
least one member of the putative class (herself) and the existence
of an aggregate amount in controversy in excess of $5,000,000, see
id. § 1332(d)(2)(A).1 The complaint alleged breach of contract,
breach of implied contract, negligent breach of contractual duties,
violations of Massachusetts consumer protection laws, and other
infractions not relevant here.
The defendant moved to dismiss the action on grounds that
the plaintiff lacked Article III standing, see Fed. R. Civ. P.
12(b)(1), and that she failed to state a claim upon which relief
could be granted, see Fed. R. Civ. P. 12(b)(6). After some backing
and filling, the details of which need not concern us, the district
court granted the motion to dismiss. See Katz v. Pershing, LLC,
806 F. Supp. 2d 452 (D. Mass. 2011). The court disposed of all the
plaintiff's claims for want of either constitutional or statutory
standing. See id. at 457-61. This timely appeal ensued.
II. ANALYSIS
"The existence vel non of standing is a legal question
and, therefore, engenders de novo review." Me. People's Alliance
& Natural Res. Def. Council v. Mallinckrodt, Inc., 471 F.3d 277,
283 (1st Cir. 2006). In considering the pre-discovery grant of a
motion to dismiss for lack of standing, "we accept as true all
well-pleaded factual averments in the plaintiff's . . . complaint
and indulge all reasonable inferences therefrom in his favor."
1 CAFA's minimal diversity requirements apply to putative
class actions. See Aguayo v. U.S. Bank, 653 F.3d 912, 917 (9th
Cir. 2011); Spivey v. Adaptive Mktg. LLC, 622 F.3d 816, 821-22 &
n.1 (7th Cir. 2010). We have jurisdiction to review the dismissal
of her action pursuant to 28 U.S.C. § 1291.
Deniz v. Mun'y of Guaynabo, 285 F.3d 142, 144 (1st Cir. 2002). A
similar standard of review obtains for motions to dismiss under
Rule 12(b)(6). See Nisselson v. Lernout, 469 F.3d 143, 150 (1st
Cir. 2006). With respect to either type of decision, "[w]e are not
wedded to the lower court's rationale, but may affirm the order of
dismissal on any ground made manifest by the record." Román-Cancel
v. United States, 613 F.3d 37, 41 (1st Cir. 2010); see Ruiz v.
Bally Total Fitness Holding Corp., 496 F.3d 1, 5 (1st Cir. 2007).
Because no class was certified below, we evaluate only
whether the plaintiff herself has constitutional and statutory
standing to pursue the action. See Nat'l Org. for Women, Inc. v.
Scheidler, 510 U.S. 249, 255 & n.3 (1994). We begin this
evaluation with a discussion of the requirements of Article III
standing. With this foundation in place, we appraise the
plaintiff's claims in two groups: those alleging abridgment of her
common-law rights and those alleging violations of the rights
conferred by certain state consumer protection laws, see Mass. Gen.
Laws ch. 93A (Chapter 93A); id. ch. 93H (Chapter 93H).
A. Principles of Constitutional Standing.
The Constitution limits the judicial power of the federal
courts to actual cases and controversies. U.S. Const. art. III,
§ 2, cl. 1. A case or controversy exists only when the party
soliciting federal court jurisdiction (normally, the plaintiff)
demonstrates "such a personal stake in the outcome of the
controversy as to assure that concrete adverseness which sharpens
the presentation of issues upon which the court so largely
depends." Baker v. Carr, 369 U.S. 186, 204 (1962). The standing
inquiry is claim-specific: a plaintiff must have standing to bring
each and every claim that she asserts. Pagán v. Calderón, 448 F.3d
16, 26 (1st Cir. 2006).
To satisfy the personal stake requirement, a plaintiff
must establish each part of a familiar triad: injury, causation,
and redressability. See Lujan v. Defenders of Wildlife, 504 U.S.
555, 560-61 (1992). "[E]ach element must be supported in the same
way as any other matter on which the plaintiff bears the burden of
proof, i.e., with the manner and degree of evidence required at the
successive stages of the litigation." Id. at 561; see Bennett v.
Spear, 520 U.S. 154, 167-68 (1997).
The first element of Article III standing is injury in
fact. This element is defined as "an invasion of a legally
protected interest which is (a) concrete and particularized; and
(b) actual or imminent, not conjectural or hypothetical."
Defenders of Wildlife, 504 U.S. at 560 (footnote, citations, and
internal quotation marks omitted). These are distinct
characteristics. Particularity demands that a plaintiff must have
personally suffered some harm. See id. at 560 n.1. The
requirement of an actual or imminent injury ensures that the harm
has either happened or is sufficiently threatening; it is not
enough that the harm might occur at some future time. Id. at 564.
The second element is causation. This element requires
the plaintiff to show a sufficiently direct causal connection
between the challenged action and the identified harm. See id. at
560. Such a connection "cannot be overly attenuated." Donahue v.
City of Boston, 304 F.3d 110, 115 (1st Cir. 2002). Because the
opposing party must be the source of the harm, causation is absent
if the injury stems from the independent action of a third party.
See Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976).
The final element is redressability. The plaintiff must
show that a favorable resolution of her claim would likely redress
the professed injury. Redressability is a matter of degree. To
satisfy this requirement, the plaintiff "need not definitively
demonstrate that a victory would completely remedy the harm."
Antilles Cement Corp. v. Fortuño, ___ F.3d ___, ___ (1st Cir. 2012)
[Nos. 09-1314, 09-1583, slip op. at 8].
Along with the trio of constitutional elements prescribed
by Article III, standing also has prudential dimensions. These
components "ordinarily require a plaintiff to show that his claim
is premised on his own legal rights (as opposed to those of a third
party), that his claim is not merely a generalized grievance, and
that it falls within the zone of interests protected by the law
invoked." Pagán, 448 F.3d at 27. Although the prudential
requirements may be relaxed in some contexts, "the constitutional
requirements apply with equal force in every case." Nat'l Org. for
Marriage v. McKee, 649 F.3d 34, 46 (1st Cir. 2011), petition for
cert. filed, 80 U.S.L.W. 3320 (U.S. Nov. 2, 2011) (No. 11-599).
It is against this backdrop that we next consider whether
the plaintiff has standing as to each of her claims.
B. Common-Law Claims.
The invasion of a common-law right (including a right
conferred by contract) can constitute an injury sufficient to
create standing. See Ala. Power Co. v. Ickes, 302 U.S. 464, 479
(1938). The plaintiff alleges that she has rights deriving from
the Agreement, the disclosure statement, and various online
advertisements. These allegations are arrayed in support of claims
for breach of an express contract, breach of an implied contract,
and negligent breach of contractual duties.
The district court determined that the plaintiff lacked
standing to bring these contract-based claims because she had no
contract with the defendant. Katz, 806 F. Supp. 2d at 459-61.
There is some question as to whether the existence of a contractual
relationship between the plaintiff and the defendant is a part of
an inquiry into standing (as opposed to a part of an inquiry into
the merits of a claim). From an analytical standpoint, we think
the better view is that when a plaintiff generally alleges the
existence of a contract, express or implied, and a concomitant
breach of that contract, her pleading adequately shows an injury to
her rights. Even so, the present plaintiff has failed to state an
actionable claim. We explain briefly.
This action is brought under our diversity jurisdiction.
See 28 U.S.C. § 1332(d). It is thus clear that state substantive
law must prescribe the rules of decision. See Avery v. Hughes, 661
F.3d 690, 693-94 (1st Cir. 2011). Here, however, the laws of two
different states are implicated. The Agreement provides that New
York law governs its construction and interpretation. Therefore,
the plaintiff's claim for breach of contract is governed by that
law. Nevertheless, the parties concede, at least tacitly, that
Massachusetts law controls the other claims raised by the
plaintiff. We are free to honor the reasonable understanding of
the parties as to choice of law, see Artuso v. Vertex Pharm., Inc.,
637 F.3d 1, 5 (1st Cir. 2011), and we do so here.
To survive a motion to dismiss for failure to state a
claim, the "complaint must contain sufficient factual matter
. . . to 'state a claim to relief that is plausible on its face.'"
Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (quoting Bell Atl.
Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This means that
"[t]he complaint must include 'factual content that allows the
court to draw the reasonable inference that the defendant is liable
for the misconduct alleged.'" Haley v. City of Boston, 657 F.3d
39, 46 (1st Cir. 2011) (quoting Iqbal, 129 S. Ct. at 1949). "If
the factual allegations in the complaint are too meager, vague, or
conclusory to remove the possibility of relief from the realm of
mere conjecture, the complaint is open to dismissal." Tambone, 597
F.3d at 442. We review the plaintiff's complaint, including the
documents annexed thereto, to see if it satisfies these standards.
To make out a breach of contract claim under New York
law, the plaintiff must plead the existence of a promise that she
is entitled to enforce. See Truty v. Fed. Bakers Supply Corp., 629
N.Y.S.2d 898, 899 (N.Y. App. Div. 1995). Inasmuch as she is not a
party to the Agreement, the plaintiff's first contention is that
she may sue as a third-party beneficiary. In this wise, she
asserts that the defendant has breached the Agreement's data
confidentiality provision, which requires the defendant to protect
NPC's proprietary information "to the same extent and in at least
the same manner as [it] protects its own confidential or
proprietary information." She insists that she is an intended
beneficiary of this confidentiality provision and, therefore, can
sue the defendant to enforce it.
This contention is easily dispatched. The Agreement
contains an explicit statement that it "is not intended to confer
any benefits on third-parties including, but not limited to,
customers of [NPC]." New York law on this point is transparently
clear: "[w]here a provision exists in an agreement expressly
negating an intent to permit enforcement by third parties,
. . . that provision is decisive." Nepco Forged Prods., Inc. v.
Consol. Edison Co. of N.Y., 470 N.Y.S.2d 680, 681 (N.Y. App. Div.
1984); see India.com, Inc. v. Dalal, 412 F.3d 315, 321-22 (2d Cir.
2005) (collecting cases).
The plaintiff clamors that there are exceptions to this
bright-line rule. The precedents that she offers, however, contain
only general principles for determining whether a party is, in
fact, a third-party beneficiary. See, e.g., Flickinger v. Harold
C. Brown & Co., 947 F.2d 595, 600 (2d Cir. 1991); Banco Espirito
Santo de Investimento, S.A. v. Citibank, N.A., No. 03 Civ. 1537,
2003 WL 23018888, at *8-10 (S.D.N.Y. Dec. 22, 2003); Artwear, Inc.
v. Hughes, 615 N.Y.S.2d 689, 692 (N.Y. App. Div. 1994). The
plaintiff has not pointed to any New York case in which an explicit
disclaimer of third-party beneficiary claims has been overlooked
for any reason, and our research has revealed none. This makes
perfect sense in view of New York's immutable requirement that the
contracting parties must intend to benefit the third party: "absent
such intent, the third party is merely an incidental beneficiary
with no right to enforce the particular contract[]." Port Chester
Elec. Constr. Corp. v. Atlas, 357 N.E.2d 983, 986 (N.Y. 1976).
Where, as here, that intent is unambiguously disclaimed,
a suitor cannot attain third-party beneficiary status. See Piccoli
A/S v. Calvin Klein Jeanswear Co., 19 F. Supp. 2d 157, 164
(S.D.N.Y. 1998). Whatever exceptions the plaintiff thinks there
could be or should be in these circumstances, we — as federal
judges sitting in diversity jurisdiction — "cannot be expected to
create new doctrines expanding state law." Gill v. Gulfstream Park
Racing Ass'n, 399 F.3d 391, 402 (1st Cir. 2005); see Kassel v.
Gannett Co., 875 F.2d 935, 949-50 (1st Cir. 1989). After all,
federal diversity courts are charged with ascertaining state law,
not with reshaping it.
Relatedly, the plaintiff advocates a "public policy"
exception that would block the enforcement of this disclaimer. She
asseverates that by disavowing third-party beneficiaries in the
Agreement, the defendant is attempting to contract away its duty to
obey state and federal data security laws. This asseveration
stands logic on its ear. The defendant has not contracted away its
legal duties but, rather, has undertaken specific confidentiality
obligations to NPC. The Agreement merely limits enforcement of
those obligations to the contracting party (NPC).
The plaintiff has a fallback position. Rule 4311 of the
New York Stock Exchange requires clearing firms like the defendant
to notify customers of introducing firms like NPC "of the existence
of the carrying agreement and the responsibilities allocated to
each respective party." In compliance with this rule, the
defendant sent a disclosure statement to all of NPC's customers
(including the plaintiff), notifying them of the Agreement and its
contents. The plaintiff alleges that this disclosure statement
supersedes the Agreement's disclaimer of third-party beneficiaries
and reinstates her as an intended beneficiary of the Agreement.
We fail to see how the disclosure statement modifies the
express disclaimer of third-party beneficiary claims. After all,
the Agreement expressly forbids subsequent modifications unless
those modifications are "in writing signed by the parties." Such
clauses are routinely enforced under New York law. See N.Y. Gen.
Oblig. Law § 15-301(1). It follows inexorably that the express
disclaimer of third-party beneficiary claims could not have been
negated by the unsigned disclosure statement unilaterally
formulated by one of the contracting parties.
The plaintiff extracts another argument from the
disclosure statement. She says that the disclosure statement
creates an implied contract between her and the defendant, thereby
obligating the defendant to meet certain data confidentiality
requirements. This argument lacks force.
The plaintiff couches her implied contract argument in
terms of Massachusetts law. Under that law, "[a] contract implied
in fact requires the same elements as an express contract and
differs only in the method of expressing mutual assent." Mass. Eye
& Ear Infirm. v. QLT Phototherapeutics, Inc., 412 F.3d 215, 230
(1st Cir. 2005) (internal quotation marks omitted). One of these
elements is consideration. See T.F. v. B.L., 813 N.E.2d 1244, 1249
& n.4 (Mass. 2004). This element "is satisfied if there is either
a benefit to the promisor or a detriment to the promisee." Marine
Contractors Co. v. Hurley, 310 N.E.2d 915, 919 (Mass. 1974); see 3
Richard A. Lord, Williston on Contracts § 7:4 (4th ed. 2008).
In the case at hand, there is no allegation of
consideration sufficient to support an implied contract claim. The
plaintiff has not adequately alleged that she provided any
bargained-for benefit or suffered any bargained-for detriment in
exchange for the defendant's supposed promises. All the items that
she suggests as consideration — her payment of fees and supplying
of information — were furnished to NPC in exchange for its
brokerage services. NPC, not the plaintiff, provided consideration
to the defendant.
The plaintiff's conclusory allegation that the
consideration flowed "indirectly" from her to the defendant does
not withstand the test of plausibility. See Iqbal, 129 S. Ct. at
1949; Twombly, 550 U.S. at 556. In fact, the documents depict two
separate sets of contractual obligations and benefits, one
connecting the plaintiff to NPC and the other connecting NPC to the
defendant. These sets cannot be mixed and matched. Accordingly,
we cannot credit the plaintiff's ipse dixit that she has adequately
pleaded the consideration needed for an implied contract.
This brings us to negligent breach of contractual duties.
That claim, too, is cast in terms of Massachusetts law. In
Massachusetts, such a cause of action is available when a party to
a contract carelessly fails to perform as required and, as a
result, foreseeably exposes third parties to injury. See Anderson
v. Fox Hill Vill. Homeowners Corp., 676 N.E.2d 821, 823 (Mass.
1997).
The plaintiff's claim founders. To succeed, she must
still plead the familiar elements of negligence, including duty,
breach, causation, and harm. See Banaghan v. Dewey, 162 N.E.2d
807, 812-13 (Mass. 1959). Here, she has merely given lip service
to the elements of causation and harm. It would serve no useful
purpose at this point to cite book and verse concerning the
deficiencies of these allegations. It suffices to say that the
same reasoning that shows the absence of plausible allegations of
causation and harm with respect to the plaintiff's consumer
protection claims, see infra Part II(C), applies with equal force
to the negligent breach of contract claim. These types of
implausible allegations are insufficient to state a claim upon
which relief can be granted. See Iqbal, 129 S. Ct. at 1949;
Twombly, 550 U.S. at 555-56.
C. Consumer Protection Claims.
We transition now to the claims brought under
Massachusetts consumer protection laws. See Chapter 93A; Chapter
93H. When a plaintiff alleges injury to rights conferred by a
statute, two separate standing-related inquiries pertain: whether
the plaintiff has Article III standing (constitutional standing)
and whether the statute gives that plaintiff authority to sue
(statutory standing). See Steel Co. v. Citizens for a Better
Env't, 523 U.S. 83, 89, 92 (1998). Article III standing presents
a question of justiciability; if it is lacking, a federal court has
no subject matter jurisdiction over the claim. See id. By
contrast, statutory standing goes to the merits of the claim. See
Bond v. United States, 131 S. Ct. 2355, 2362-63 (2011); CGM, LLC v.
BellSouth Telecomms., Inc., 664 F.3d 46, 51-52 (4th Cir. 2011).
Legislatures may affect both types of standing when they
enact new statutes. Specifically, they can raise to the status of
legally cognizable injuries certain harms that might otherwise have
been insufficient at common law, and they may confer the authority
to sue for those harms on private persons or public entities.
Defenders of Wildlife, 504 U.S. at 578; see Thompson v. N. Am.
Stainless, LP, 131 S. Ct. 863, 869 (2011).
In order to maintain a suit, a plaintiff must both suffer
a cognizable injury and locate herself within the designated group
who can sue for redress. The Supreme Court has decreed that
federal courts normally must decide whether a particular plaintiff
has constitutional standing before considering that plaintiff's
statutory standing. See Steel Co., 523 U.S. at 95-97 & n.2; see
also Deniz, 285 F.3d at 149 ("When a court is confronted with
motions to dismiss under both Rules 12(b)(1) and 12(b)(6), it
ordinarily ought to decide the former before broaching the
latter.").
Given this directive, we preface our analysis of each
statutory claim with an assessment of whether the plaintiff has
demonstrated Article III standing. See TrafficSchool.com, Inc. v.
Edriver Inc., 653 F.3d 820, 825 (9th Cir. 2011). Only if the
plaintiff has cleared this hurdle will we proceed to examine
whether she has adequately alleged her membership in the class of
persons who can bring suit under Massachusetts consumer protection
laws.
The plaintiff posits that she has constitutional standing
because (i) the defendant's services are of a lesser value than
promised, thus depriving her of the "benefit of the bargain," see
Rice v. Price, 164 N.E.2d 891, 894 (Mass. 1960); (ii) the
defendant's statements have induced her to pay higher fees for
NPC's services than she otherwise would have paid; (iii) the
defendant's failure to provide notice of security breaches as
required by law has injured her; (iv) the defendant's inability to
furnish legally required privacy protections has necessitated her
purchase of identity theft insurance; and (v) that inability has
exposed her to a substantial risk of future data insecurity.2 We
group these contentions into two subsets and consider them below.
1. False Promises and Misrepresentations. The
plaintiff's first theories of standing derive from state statutory
protections against false advertising and misrepresentation. She
says that the defendant's inaccurate boast that it adequately
protects customer data — a claim made both in its advertising and
in the Agreement — entitles her to bring suit under Chapter 93A.
The plaintiff has offered two explanations for why she may pursue
these claims: the fact that she has overpaid for a product that
allegedly does not perform as promised and the fact that the false
advertisements induced her to pay too much for NPC's brokerage
services.
Under the first theory, she styles her loss as the
benefit of the bargain. By this, she means that she is paying more
to NPC than the (less secure) service provided by the defendant is
2 In two sentences of the complaint and a single paragraph of
her sixty-page brief, the plaintiff cursorily states that the
defendant's failure to employ reasonable security measures while
representing that its security measures are excellent is a
violation of the Federal Trade Commission Act (FTC Act), see 15
U.S.C. § 45 (prohibiting unfair trade practices), and other federal
consumer protection statutes. It is common ground that unfair
trade practices which violate the FTC Act can form the basis for a
private action under Chapter 93A. See In re TJX Cos. Retail Sec.
Breach Litig., 564 F.3d 489, 496-97 (1st Cir. 2009). Standing is
still required, however, and the plaintiff here alleges in support
of her undeveloped FTC Act claim only the same theories of injury
relied on in support of her other claims. Because we find those
theories of injury constitutionally insufficient, we have no need
to analyze the FTC Act claim separately.
actually worth. It is a bedrock proposition that "a relatively
small economic loss — even an 'identifiable trifle' — is enough to
confer standing." Adams v. Watson, 10 F.3d 915, 924 (1st Cir.
1993). But whether or not the plaintiff can cross that low
threshold — a matter on which we take no view — her claim stumbles
over the altogether different requirement of causation.
When the injury alleged is the result of actions by some
third party, not the defendant, the plaintiff cannot satisfy the
causation element of the standing inquiry. See Ariz. Christian
Sch. Tuition Org. v. Winn, 131 S. Ct. 1436, 1447-48 (2011); Raines
v. Byrd, 521 U.S. 811, 830 n.11 (1997); Allen v. Wright, 468 U.S.
737, 757-58 (1984). This is such a case.
Any loss that the plaintiff suffered derives from the
fees that she pays to NPC. If she is being overcharged at all,
that overcharging is at the instance of NPC, not the defendant.
Simply put, her injury is not fairly traceable to the defendant's
action.
The plaintiff's remonstrances about the benefit of the
bargain do not change this calculus. She has no bargain with the
defendant and, therefore, no entitlement to any benefit from the
defendant.
The plaintiff advances a related argument. She avers
that the defendant's misleading advertisements caused her injury
because they likely affected her decision to pay NPC's artificially
inflated fees. This argument lands wide of the mark. Although
buyers who do not actually rely on false advertisements sometimes
may seek protection under Massachusetts law, see, e.g., Aspinall v.
Philip Morris Cos., 813 N.E.2d 476, 486 (Mass. 2004), the fact that
a litigant need not prove reliance on a representation does not
vitiate the altogether different requirement of causation.
To satisfy Article III, the injury alleged - here,
overpayment to NPC - must be ascribable to the defendant's
misrepresentations. In actions brought under Chapter 93A, this
does not foreclose the possibility that overpayments to a third
party might in some circumstances constitute a cognizable injury
caused by the party that has made the misrepresentations. See,
e.g., In re Pharm. Indus. Average Wholesale Price Litig., 582 F.3d
156, 161, 190 (1st Cir. 2009) (finding Article III injury to be
overpayments in the form of elevated reimbursement, insurance, and
coinsurance costs imputable to the drug company's publication of
false average wholesale prices). The plaintiff tries to style
herself in this position: she claims that she chose NPC and
overpaid for its services because of the defendant's
misrepresentations.
These allegations fall short. In order to support a
finding of causation in these circumstances, a plaintiff must
plausibly allege a direct causal relationship between her
overpayment and the defendant's purportedly misleading statements.
See id. at 160-61 (finding Article III standing when defendant's
misrepresentations "directly resulted in an increase to the
payments the plaintiffs were required to make"). Even when third
parties are not involved (as in the prototypical Chapter 93A case),
the causation requirement is usually satisfied when a consumer
purchases a falsely advertised product because the defendant's
misrepresentations would have artificially inflated the price paid
by the consumer. Cf. Rule v. Fort Dodge Animal Health, Inc., 607
F.3d 250, 251-53 (1st Cir. 2010) (considering such a claim on the
merits). The plaintiff has not satisfied this essential
prerequisite here.
The plaintiff attempts to show causation by alleging that
the fees she pays to NPC are higher than they otherwise would be
because NPC "passed on" the inflated charges for the defendant's
service to her. But the documents depict two separate sets of
contractual obligations with separate fees and services: one set
between NPC and the defendant and the other set between the
plaintiff and NPC. Thus, the plaintiff's allegation is nothing
more than a bare hypothesis that NPC possibly might push this
aspect of its operational costs onto her. This is not a plausible
allegation that the false advertisements caused her to pay the
supposedly inflated prices for NPC's services. See Iqbal, 129 S.
Ct. at 1949; Twombly, 550 U.S. at 555-56. As a result, the
plaintiff has not satisfied the causation requirement for Article
III standing.
2. Data Insecurity. The plaintiff's remaining claims
assert injuries to rights purportedly created by Chapter 93H and
other kindred privacy regulations. See, e.g., 940 Mass. Code Regs.
§ 3.16(3) (explaining that violation of "existing statutes, rules,
regulations or laws, meant for the protection of the public's
health, safety, or welfare" is an unfair trade practice). She
maintains that she may bring an action for violation of Chapter 93H
because she has not been notified of extant but unidentified
security breaches and, in all events, the defendant has failed to
conform to various encryption protocols. These shortcomings, she
laments, have required her to purchase identity theft insurance and
have exposed her nonpublic personal information to possible
misappropriation.
The district court held that a cause of action for a
violation of Chapter 93H can be brought only by the Attorney
General. See Katz, 806 F. Supp. 2d at 458-59 (citing Chapter 93H,
§ 6). We do not decide that question today but, rather, adhere to
"the general rule [] that a court should first confirm the
existence of rudiments such as jurisdiction and standing before
tackling the merits of a controverted case." Berner v. Delahanty,
129 F.3d 20, 23 (1st Cir. 1997). Assuming, without deciding, that
a private person may pursue a cause of action under Chapter 93H —
a matter best left to the Massachusetts courts — the plaintiff
nonetheless cannot satisfy Article III's injury requirement.
Chapter 93H has two principal components. The first
component enables various branches of the state government to adopt
privacy rules and regulations to:
    insure the security and confidentiality of
    customer information in a manner fully
    consistent with industry standards; protect
    against anticipated threats or hazards to the
    security or integrity of such information; and
    protect against unauthorized access to or use
    of such information that may result in
    substantial harm or inconvenience to any
    consumer.
Chapter 93H, § 2(a). The executive branch of the state government
has responded by promulgating "Standards for the Protection of
Personal Information of Residents of the Commonwealth." 201 Mass.
Code Regs. §§ 17.00-17.05. These standards impose duties and
requirements on persons and entities that own, license, or maintain
personal information about Massachusetts residents. Id.
§§ 17.03-17.04.
The second component of Chapter 93H establishes privacy
notification requirements. Chapter 93H, §§ 3-4. These
requirements are triggered by any "breach of security," as defined
by the statute, or any unauthorized access or use of personal
information. Id. §§ 1(a), 3-4. When such unauthorized access or
use occurs, persons and entities that own, license, or maintain
Massachusetts residents' personal information must provide notice
to government officials and affected parties pursuant to various
disclosure guidelines. Id. §§ 3-4.
In determining how to evaluate the plaintiff's standing
to challenge alleged failures to abide by these strictures, a
comparison to the environmental standing cases is instructive.
Those decisions teach that an allegation that someone has failed to
meet some legal requirement, without more, is insufficient to
confer Article III standing. See, e.g., Defenders of Wildlife, 504
U.S. at 558-59, 572-73. Inasmuch as standing necessitates that a
plaintiff "allege[] such a personal stake in the outcome of the
controversy as to warrant his invocation of federal-court
jurisdiction," Horne v. Flores, 129 S. Ct. 2579, 2592 (2009)
(internal quotation marks omitted), an injury in fact must also be
alleged. We assess the plaintiff's allegations through this prism.
Our starting point is the plaintiff's claim that she has
been injured because the defendant has failed to provide notice of
a security breach as required by Chapter 93H. The complaint
fleshes out this claim by alleging only that a "massive number of
breaches of security [] have invariably occurred" and that, as a
result, some level of unauthorized access must have transpired,
thereby exposing some unspecified people's nonpublic personal
information to further unauthorized disclosure. She suggests that
these breaches should have been reported pursuant to Chapter 93H
and that the defendant's failure to do so entitles her to sue.
This claim is unavailing. Critically, the complaint does
not contain an allegation that the plaintiff's nonpublic personal
information has actually been accessed by any unauthorized user.
To achieve standing, plaintiffs "must allege and show that they
personally have been injured, not that injury has been suffered by
other, unidentified members of the class to which they belong and
which they purport to represent." Warth v. Seldin, 422 U.S. 490,
502 (1975). Without any reference to an identified breach of the
plaintiff's data security, the complaint does not show an injury
sufficient to give rise to Article III standing.
The plaintiff's next attempt to demonstrate injury in
fact focuses on her purchase of identity theft insurance and credit
monitoring services. In evaluating this plaint, the reasoning in
the environmental standing cases is once again instructive. In
Mallinckrodt, we examined the plaintiffs' assertions that they had
refrained from visiting a river due to fear of mercury
contamination. In assaying whether those statements were
sufficient to create an injury in fact, we observed that "an
individual's decision to deny herself aesthetic or recreational
pleasures based on concern about pollution will constitute a
cognizable injury only when the concern is premised upon a
realistic threat." Mallinckrodt, 471 F.3d at 284. The Supreme
Court has assumed a similar stance in both environmental and
nonenvironmental cases. See, e.g., Friends of the Earth, Inc. v.
Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 184-85 (2000);
City of Los Angeles v. Lyons, 461 U.S. 95, 107 n.8 (1983).
We think that an analogous requirement is in order here.
When an individual alleges that her injury is having to take or
forbear from some action, that choice must be premised on a
reasonably impending threat. Such a requirement is fully
consistent with the well-settled principle that the harm or injury
must be actual or imminent, not speculative. See Defenders of
Wildlife, 504 U.S. at 564 & n.2.
In this case, the plaintiff purchased identity theft
insurance and credit monitoring services to guard against a
possibility, remote at best, that her nonpublic personal
information might someday be pilfered. Such a purely theoretical
possibility simply does not rise to the level of a reasonably
impending threat.
To recapitulate, the plaintiff has not alleged that her
nonpublic personal information actually has been accessed by any
unauthorized person. Her cause of action rests entirely on the
hypothesis that at some point an unauthorized, as-yet unidentified,
third party might access her data and then attempt to purloin her
identity. The conjectural nature of this hypothesis renders the
plaintiff's case readily distinguishable from cases in which
confidential data actually has been accessed through a security
breach and persons involved in that breach have acted on the
ill-gotten information. Cf. Anderson v. Hannaford Bros., 659 F.3d 151,
164-65 (1st Cir. 2011) (holding purchase of identity theft
insurance in such circumstances reasonable in negligence context).
Given the multiple strands of speculation and surmise from which
the plaintiff's hypothesis is woven, finding standing in this case
would stretch the injury requirement past its breaking point.
We reach at long last the plaintiff's final theory of
injury: her assertion that the defendant's failure to adhere to
privacy regulations increases her risk of harms associated with the
loss of her data. The courts of appeals have evidenced some
disarray about the applicability of this sort of "increased risk"
theory in data privacy cases. See, e.g., Reilly v. Ceridian Corp.,
664 F.3d 38, 43-46 (3d Cir. 2011) (finding no injury in fact when
unauthorized person accessed but did not yet misuse plaintiffs'
data); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir.
2010) (finding injury in fact when plaintiffs pled increased risk
of harm following theft of a laptop that contained their personal
data); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir.
2007) (finding injury in fact when plaintiffs claimed an increased
risk of data theft after their information had been accessed by a
malicious and sophisticated hacker). Be that as it may, these
cases have a common denominator. In each of them, the plaintiffs'
data actually had been accessed by one or more unauthorized third
parties. See Reilly, 664 F.3d at 40; Krottner, 628 F.3d at
1140-41; Pisciotta, 499 F.3d at 632.
The allegations in this case do not mirror that common
denominator. Here, the plaintiff alleges only that there is an
increased risk that someone might access her data and that this
unauthorized access (if it occurs) will increase the risk of
identity theft and other inauspicious consequences. Thus, the risk
of harm that she envisions is unanchored to any actual incident of
data breach. This omission is fatal: because she does not identify
any incident in which her data has ever been accessed by an
unauthorized person, she cannot satisfy Article III's requirement
of actual or impending injury. See Krottner, 628 F.3d at 1143
(noting that if the laptop containing customer data "had [not] been
stolen, and Plaintiffs had sued based on the risk that it would be
stolen at some point in the future," court would be unlikely to
find Article III injury).
Standing is not an "ingenious academic exercise in the
conceivable. A plaintiff must allege that he has been or will in
fact be perceptibly harmed . . . , not that he can imagine
circumstances in which he could be affected." United States v.
Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S.
669, 688-89 (1973). So it is here. Insofar as we can tell from
the complaint, no interest or right of the plaintiff has been
harmed by any violation of applicable privacy laws. In the absence
of such a showing, we lack jurisdiction to review her statutory
claims.
III. CONCLUSION
The innovations and problems of the electronic age have
created new challenges for the courts. But venerable principles of
our jurisprudence can guide us on this frontier. This case is
illustrative: the plaintiff has asserted a litany of novel harms
under freshly inked laws, but the irreducible minimum requirements
of pleading and Article III doom her case.
We need go no further. For the reasons elucidated above,
we affirm the judgment of the district court.
Affirmed.