First Circuit Affirms Plaintiff's Lack of Standing in Data Privacy Suit | Practical Law

On February 28, 2012, in Katz v. Pershing, LLC, the US Court of Appeals for the First Circuit affirmed a district court decision that a plaintiff lacked Article III standing to sue a financial services company for breaching common law rights and for violation of a state consumer protection law by failing to provide adequate data security measures and prevent the potential disclosure of her nonpublic personal information.

Practical Law Legal Update 9-518-2769 (Approx. 4 pages)

by PLC Intellectual Property & Technology
Published on 01 Mar 2012 | USA (National/Federal)

Key Litigated Issues

In Katz v. Pershing, LLC, the key issue before the US Court of Appeals for the First Circuit was whether the plaintiff has Article III standing to sue a defendant because of its inadequate data security that fails to prevent the potential disclosure of her nonpublic personal information when the plaintiff:
  • Did not contract directly with the defendant.
  • Failed to allege any actual incident of a data security breach.

Background

The defendant sells investment products and services, including an electronic platform that gives subscribing financial organizations an interface for managing brokerage accounts online. A subscribing financial organization using this electronic platform can make its clients' nonpublic personal information, including social security numbers and taxpayer identification numbers, accessible to authorized employees within the organization.
The plaintiff maintains a brokerage account at National Planning Corporation (NPC), a financial organization that uses the defendant's electronic platform. NPC and the defendant are parties to a clearing agreement. The defendant and the plaintiff are not parties to any agreement. After NPC made its customers' information accessible on the defendant's electronic platform, the defendant sent the plaintiff a disclosure statement alerting her to the provisions of its clearing agreement with NPC.
The plaintiff sued the defendant and claimed that it failed to protect her nonpublic personal information as it was required to do under contract and statutory consumer protection laws. The defendant moved to dismiss on the grounds that the plaintiff lacked Article III standing. The US District Court for the District of Massachusetts found that the plaintiff lacked both constitutional and statutory standing and dismissed her claims.

Outcome

In its February 28, 2012 decision, the US Court of Appeals for the First Circuit affirmed the district court's decision and dismissed the plaintiff's common law contract and statutory consumer protection claims because she lacked Article III standing to sue.

Common Law Contract Claims

On appeal, the plaintiff argued that:
  • She is a third-party beneficiary to the defendant's agreement with NPC and therefore may sue the defendant for breach of an express contract and negligent breach of contract.
  • The defendant's disclosure statement creates an implied contract, which obligates the defendant to meet certain data confidentiality requirements.
Interpreting relevant New York and Massachusetts state laws, the First Circuit rejected both of these arguments and found that the plaintiff lacked Article III standing to bring common law contract claims against the defendant. The Court held that:
  • The plaintiff cannot sue as a third-party beneficiary of the agreement between the defendant and NPC because that agreement contained an explicit disclaimer of third-party beneficiary claims, which is valid under New York law.
  • The disclosure statement did not create an implied contract because the plaintiff never provided consideration to the defendant for this alleged contract. The plaintiff never paid fees directly to the defendant, only to NPC in exchange for its brokerage services.
Because the plaintiff did not have a contractual relationship with the defendant, she lacked standing to bring common law contract claims against it.

Statutory Consumer Protection Claims

The plaintiff argued on appeal that she had standing to sue under Massachusetts' consumer protection laws because the defendant injured her by:
  • Failing to provide notice of a data security breach.
  • Prompting her to purchase identity theft insurance and credit monitoring service.
  • Increasing her risk of harms associated with the loss of her nonpublic personal information.
The First Circuit reviewed all three claims and found that the plaintiff lacked Article III standing because she failed to show any actual injury. The court specifically held that:
  • There was no allegation that the plaintiff's nonpublic personal information had actually been accessed by any unauthorized user.
  • The plaintiff's purchase of identity theft insurance was premised on the possibility that her information might someday be breached, which is not a reasonably impending threat.
  • The plaintiff could not show an increased risk of harm without first showing an actual incident of data breach.

Practical Implications

Plaintiffs who bring federal suits based on data security breaches should be prepared to show that they have Article III standing to sue. Article III standing requires that plaintiffs allege that they have been or will in fact be harmed by a defendant's data security breach. Plaintiffs should be prepared to identify any incident in which their data has been accessed by an unauthorized person, or to show that any actions they took to avoid a data security breach were premised on a reasonably impending threat.