First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v. Pershing

[Post by Venkat Balasubramani]

Katz v. Pershing, 11-1983 (1st Cir.; Feb. 28, 2012)

[This is an old catch-up post that fell by the wayside.]

Pershing provides services to brokerage firms, and it makes available a platform (NetExchange Pro) for these firms to access information regarding the accounts of their customers. Katz’s brokerage firm was one of those customers. She received a “disclosure statement” alerting her to the provisions of the agreement between her brokerage firm and Pershing. There was no breach as such, but because the disclosure statement advised of the risks of her information being made available through NetExchange Pro, she sued, asserting a variety of state law claims. The district court dismissed the lawsuit on the basis of either Article III or statutory standing. (Here’s my blog post on the trial court ruling: “Massachusetts Court Dismisses Lawsuit Alleging Failure to Adequately Safeguard Personal Information — Katz v. Pershing.”) The First Circuit affirms.

Contract claims: the court says Katz can’t bring a contract claim because she is not a party to any agreement with Pershing. She tried to argue that she was a third party beneficiary to the agreement between her brokerage firm and Pershing, but an express disclaimer of intent to benefit third parties kills her third party beneficiary argument. (See also Balsam v. Tucows, and the other cases mentioned in my blog post.) Katz also says public policy bars enforcement of this no-third party beneficiary provision, but the court doesn’t buy the vague public policy argument. She also argued that the disclosure statement creates an implied contract between her and Pershing, but the court says there is no consideration and thus no implied contract.

Consumer Protection Act claims: The court says that she has to show Article III standing and also that she falls within the category of individuals entitled to assert rights under a particular statute. The court divides her various alleged injuries into two groups and finds both insufficient.

The first category of injury consists of misrepresentation-related injuries: (1) that she overpaid for a product that didn’t have the requisite security measures, and (2) that false advertisements induced her to pay too much for her brokerage services. Neither of these suffices because any overpayment is made by her to the brokerage firm. She hasn’t paid Pershing anything. There is also no allegation that any overpayment was tied to the alleged misstatements. Finally, she argued that her brokerage firm paid artificially high prices and passed these costs on to her, but the court rejects this as speculative.

The second type of injury includes “data-security” related claims, which are premised on Massachusetts data security law. She brings the typical litany of arguments that apprehension over the loss of her data caused her harm and required her to purchase identity theft insurance. The court says that the data security statute has two components. First, it directs various government entities to adopt standards for data protection. Second, in the event of a “breach of security,” persons and companies that handle personal information must notify government officials and affected parties. The key problem with Katz’s claim is that she fails to allege that her own information “ha[d] actually been accessed by any unauthorized user.”

The court also says that Katz’s purchase of identity theft insurance is insufficient for a related reason. Her decision to purchase this insurance was to “guard against a possibility, remote at best, that her nonpublic personal information might someday be pilfered.” The court finally addresses her argument that increased risk alone is sufficient harm. Although other courts have acknowledged that increased risk of harm can satisfy standing (citing to Reilly v. Ceridian, Krottner v. Starbucks, and Pisciotta v. Old Nat’l Bancorp), the court says these cases have one thing in common: there was an actual unauthorized access of the plaintiff’s data.

There’s not a whole lot to add. Data security plaintiffs have tried to crack the code in a variety of different ways, but courts are unreceptive at best. One of these days, a class of plaintiffs will come along who have suffered out-of-pocket loss. Until then, expect to see more opinions like this one.

[NB: the opinion is worth reading, but be forewarned, keep a dictionary handy when you read it. I encountered more than a few words that I had to look up.]

Additional coverage:

Rebecca Tushnet: alleged privacy failures don’t violate consumer protection law

Prior posts:

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data — Putnam Bank v. Ikon Office Solutions

Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm — Tyler v. Michaels Stores