Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012)
Katz sued Pershing, which sells brokerage-related services
to broker-dealers and investment advisers, for failure to protect sensitive
nonpublic personal information as a violation of contract and of consumer
protection laws. The court held she
lacked constitutional standing to claim a violation of the latter. Pershing’s NetExchange Pro allows subscribers
(introducing firms) to get research and manage brokerage accounts online. Employees of the introducing firm can access “a
wealth of information about market dynamics and customer accounts.” The introducing firm can make clients’
nonpublic personal information, including SSNs and TINs, available to
authorized end-users, and some Pershing employees also have access to that
information.
Katz has a brokerage account at one of the introducing
firms, NPC, which made customers’ account information accessible in NetExchange
Pro, and Katz received a disclosure statement telling her that NPC and Pershing
are parties to an agreement governing their rights and responsibilities with respect
to the data. She alleged that authorized
end-users could access and store her data, at home and elsewhere, in
unencrypted form, and that it could potentially be accessed by hackers or other
third parties; also that Pershing failed adequately to monitor unauthorized
access and to authenticate end-users.
Constitutional standing requires injury in fact, causation,
and redressability. The invasion of a
common-law right, including a contract right, can constitute sufficient injury
to create standing. Katz alleged that
she had rights based on the agreement between Pershing and NPC, the disclosure
statement, and various ads. Pershing
argued that Katz had no contractual
relationship with NPC, but the court thought that if a plaintiff generally
alleges the existence of a contract, express or implied, and a concomitant
breach, then her pleading adequately alleges injury.
But there was still no actionable claim here. Katz alleged that she was a third-party
beneficiary of the agreement’s provision requiring Pershing to protect NPC's
proprietary information “to the same extent and in at least the same manner as
[it] protects its own confidential or proprietary information.” But the contract explicitly said that it
wasn’t intended to confer benefits on third parties, expressly including customers
of entities like NPC, and the applicable NY law honored such explicit
provisions. Katz argued that applying
this rule here would contravene public policy by allowing Pershing to contract
away its duty to obey data security laws, but that wasn’t what the agreement
did. Rather, Pershing undertook specific confidentiality obligations to NPC,
enforceable only by NPC. Nor did the
disclosure statement supersede or modify this express disclaimer, since the
agreement forbade modifications that weren’t in writing and signed by the
parties.
Further, the disclosure statement didn’t create an implied
contract between Katz and Pershing.
There was no allegation of sufficient consideration: Katz didn’t allege
that she provided any bargained-for benefit or suffered any bargained-for detriment
in exchange for Pershing’s alleged promises.
Her payment of fees and supplying of information to NPC was in exchange for
NPC’s brokerage services, and NPC was the one who provided consideration to
Pershing. Katz’s allegation that
consideration flowed “indirectly” from her to Pershing wasn’t plausible.
The court turned to the Mass. Chapter 93A consumer
protection claims. As to them, Katz
argued that she had constitutional standing because Pershing’s services were of
lower value than promised, depriving her of the benefit of the bargain;
Pershing’s statements induced her to pay higher fees for NPC’s services than
she otherwise would have paid; Pershing’s failure to provide legally required
notice of security breaches injured her; and Pershing’s lack of privacy
protections required her to purchase identity theft insurance and exposed her
to a substantial risk of future data insecurity.
On the benefit of the bargain theory, even a small economic
loss will confer standing. But she
failed to allege causation: the injury alleged resulted from a third party’s
actions and wasn’t fairly traceable to Pershing’s actions. So too with the argument that Pershing’s
misleading ads affected her decision to pay NPC’s artificially inflated fees. Sometimes, overpayments to a third party
might be caused by a defendant’s misrepresentations (citing drug cases where
insurers overpaid). Given that there are
two distinct sets of contractual obligations here, one Pershing-NPC and one
NPC-Katz, her allegation was no more than a “bare hypothesis that NPC possibly
might push this aspect of its operational costs onto her,” and was not
plausible.
The remaining arguments referred to rights purportedly
created by privacy regulations: Katz alleged that she hadn’t been notified of
existing but unidentified security breaches and that Pershing failed to conform
to various encryption protocols, leading her to take self-protective actions. Massachusetts’ Chapter 93H allows the state
to adopt privacy rules and regulations for customer information, and the
executive branch has promulgated regulations thereunder. It also requires notification for security breaches.
Failure to meet a legal requirement, without more, is
insufficient for constitutional standing.
But the bare allegation that a “‘massive number of breaches of security
[ ] have invariably occurred’ and that, as a result, some level of unauthorized
access must have transpired,” failed to allege that Katz’s nonpublic personal information had actually been accessed by
an unauthorized user. Nor did her
purchase of identity theft insurance and credit monitoring services help, because
“[w]hen an individual alleges that her injury is having to take or forebear
from some action, that choice must be premised on a reasonably impending threat.” The “purely theoretical possibility” that her
information might someday be “pilfered” wasn’t enough, distinguishing Katz’s
situation from cases in which “confidential data actually has been accessed
through a security breach and persons involved in that breach have acted on the
ill-gotten information.” In the end, “[g]iven
the multiple strands of speculation and surmise from which the plaintiff's
hypothesis is woven, finding standing in this case would stretch the injury
requirement past its breaking point.”
What about increased risk of harm due to Pershing’s failure
to adhere to privacy regulations? The case
law is somewhat uncertain about this, but the cases decided on this theory all
involve actual access to the plaintiff’s data by unauthorized third parties. Increased risk of that is insufficient,
unanchored in any actual breach.