672 F.3d 64 | 1st Cir. | 2012
United States Court of Appeals
For the First Circuit No. 11-1983 BRENDA KATZ, Plaintiff, Appellant, v. PERSHING, LLC, Defendant, Appellee. APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS [Hon. Richard G. Stearns, U.S. District Judge] Before Selya, Circuit Judge, Souter, Associate Justice, [*] and Lipez, Circuit Judge. Stephen J. Calvacca, with whom Susan L. Moran and Law Offices of Calvacca Moran were on brief, for appellant. Stephen L. Ratner, with whom Margaret A. Dale, Jason D. Gerstein, Scott Harshbarger, and Proskauer Rose LLP were on brief, for appellee.
February 28, 2012 SELYA, Circuit Judge. Plaintiff-appellant Brenda Katz insists that defendant-appellee Pershing, LLC failed to protect sensitive nonpublic personal information as it was obligated to do under both contract and consumer protection laws. To vindicate this concern, she sued the defendant on her behalf and on behalf of others similarly situated. The district court dismissed her putative class action. Her appeal of that order requires us to examine both abecedarian principles of Article III standing and assorted provisions of state substantive law.
As a general matter, class action litigation has kept pace with rapid technological advances. But there are limits — constitutional, prudential, and doctrinal — to how far a class action plaintiff may extend the zone of liability. In this case, the plaintiff's reach exceeds her grasp. We conclude that, despite the dire forebodings expressed in her complaint, she not only has failed to state any contractual claim for relief but also lacks constitutional standing to assert a violation of any arguably applicable consumer protection law. Consequently, we affirm the district court's order of dismissal.
I. BACKGROUND
Because this case was decided below on a motion to dismiss, we rehearse the facts as revealed by the complaint and the documents annexed thereto. See SEC v. Tambone, 597 F.3d 436, 438 (1st Cir. 2010) (en banc).
The defendant is a Delaware limited liability company. Its single member is a Delaware corporation that maintains its principal place of business in New York. The defendant sells brokerage execution, clearance, and investment products and services to other financial organizations. Its customers are typically registered broker-dealers and investment advisers that trade securities on behalf of their clients.
One of the services that the defendant offers is called NetExchange Pro. This is an electronic platform that gives subscribing financial organizations (introducing firms) an interface for obtaining research and managing brokerage accounts via the Internet. When an introducing firm uses NetExchange Pro, end-users (employees of the introducing firm, such as investment consultants) can use the service to access remotely a wealth of information about market dynamics and customer accounts.
The introducing firm may make its clients' nonpublic personal information, including social security numbers and taxpayer identification numbers, accessible to certain authorized end-users in NetExchange Pro. Some of the defendant's employees also have access to this information.
The plaintiff is a citizen of Massachusetts. She maintains a brokerage account at National Planning Corporation (NPC), one of the introducing firms that uses the NetExchange Pro service. NPC and the defendant are parties to a clearing agreement (the Agreement), which governs their rights and responsibilities with respect to the service and the associated data. Because NPC has made its customers' account information accessible in NetExchange Pro, the plaintiff, like all NPC customers, has received a disclosure statement from the defendant alerting her to the provisions of the Agreement.
As evinced in her complaint, the plaintiff's concern is that her nonpublic personal information has been left vulnerable to prying eyes because it is inadequately protected by the defendant's service. She asserts, among other things, that authorized end- users can access and store her data at home and elsewhere, twenty- four hours a day and seven days a week, in unencrypted form; that the data, once saved by an authorized user, can potentially be accessed by hackers or other third parties; that the defendant fails adequately to monitor unauthorized access to her information; and that it employs inadequate methods for end-user authentication.
With these concerns velivolant, the plaintiff filed a putative class action against the defendant in the United States District Court for the District of Massachusetts. Citing the Class Action Fairness Act of 2005 (CAFA), 28 U.S.C. §§ 1332(d), 1453, 1711-1715, she invoked the district court's original jurisdiction by alleging diversity of citizenship between the defendant and at least one member of the putative class (herself) and the existence of an aggregate amount in controversy in excess of $5,000,000, see id. § 1332(d)(2)(A). The complaint alleged breach of contract, [1] breach of implied contract, negligent breach of contractual duties, violations of Massachusetts consumer protection laws, and other infractions not relevant here.
The defendant moved to dismiss the action on grounds that the plaintiff lacked Article III standing, see Fed. R. Civ. P. 12(b)(1), and that she failed to state a claim upon which relief could be granted, see Fed. R. Civ. P. 12(b)(6). After some backing and filling, the details of which need not concern us, the district court granted the motion to dismiss. See Katz v. Pershing, LLC, 806 F. Supp. 2d 452 (D. Mass. 2011). The court disposed of all the plaintiff's claims for want of either constitutional or statutory standing. See id. at 457-61. This timely appeal ensued.
II. ANALYSIS
"The existence vel non of standing is a legal question and, therefore, engenders de novo review." Me. People's Alliance & Natural Res. Def. Council v. Mallinckrodt, Inc., 471 F.3d 277, 283 (1st Cir. 2006). In considering the pre-discovery grant of a motion to dismiss for lack of standing, "we accept as true all well-pleaded factual averments in the plaintiff's . . . complaint and indulge all reasonable inferences therefrom in his favor." Deniz v. Mun'y of Guaynabo, 285 F.3d 142, 144 (1st Cir. 2002). A similar standard of review obtains for motions to dismiss under Rule 12(b)(6). See Nisselson v. Lernout, 469 F.3d 143, 150 (1st Cir. 2006). With respect to either type of decision, "[w]e are not wedded to the lower court's rationale, but may affirm the order of dismissal on any ground made manifest by the record." Román-Cancel v. United States, 613 F.3d 37, 41 (1st Cir. 2010); see Ruiz v. Bally Total Fitness Holding Corp., 496 F.3d 1, 5 (1st Cir. 2007).
Because no class was certified below, we evaluate only whether the plaintiff herself has constitutional and statutory standing to pursue the action. See Nat'l Org. for Women, Inc. v. Scheidler, 510 U.S. 249, 255 & n.3 (1994). We begin this evaluation with a discussion of the requirements of Article III standing. With this foundation in place, we appraise the plaintiff's claims in two groups: those alleging abridgment of her common-law rights and those alleging violations of the rights conferred by certain state consumer protection laws, see Mass. Gen. Laws ch. 93A (Chapter 93A); id. ch. 93H (Chapter 93H).
A. Principles of Constitutional Standing. The Constitution limits the judicial power of the federal courts to actual cases and controversies. U.S. Const. art. III, § 2, cl. 1. A case or controversy exists only when the party soliciting federal court jurisdiction (normally, the plaintiff) demonstrates "such a personal stake in the outcome of the controversy as to assure that concrete adverseness which sharpens the presentation of issues upon which the court so largely depends." Baker v. Carr, 369 U.S. 186, 204 (1962). The standing inquiry is claim-specific: a plaintiff must have standing to bring each and every claim that she asserts. Pagán v. Calderón, 448 F.3d 16, 26 (1st Cir. 2006).
To satisfy the personal stake requirement, a plaintiff must establish each part of a familiar triad: injury, causation, and redressability. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). "[E]ach element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation." Id. at 561; see Bennett v. Spear, 520 U.S. 154, 167-68 (1997).
The first element of Article III standing is injury in fact. This element is defined as "an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical." Defenders of Wildlife, 504 U.S. at 560 (footnote, citations, and internal quotation marks omitted). These are distinct characteristics. Particularity demands that a plaintiff must have personally suffered some harm. See id. at 560 n.1. The requirement of an actual or imminent injury ensures that the harm has either happened or is sufficiently threatening; it is not enough that the harm might occur at some future time. Id. at 564.
The second element is causation. This element requires the plaintiff to show a sufficiently direct causal connection between the challenged action and the identified harm. See id. at 560. Such a connection "cannot be overly attenuated." Donahue v. City of Boston, 304 F.3d 110, 115 (1st Cir. 2002). Because the opposing party must be the source of the harm, causation is absent if the injury stems from the independent action of a third party. See Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976).
The final element is redressability. The plaintiff must show that a favorable resolution of her claim would likely redress the professed injury. Redressability is a matter of degree. To satisfy this requirement, the plaintiff "need not definitively demonstrate that a victory would completely remedy the harm." Antilles Cement Corp. v. Fortuño, ___ F.3d ___, ___ (1st Cir. 2012) [Nos. 09-1314, 09-1583, slip op. at 8].
Along with the trio of constitutional elements prescribed by Article III, standing also has prudential dimensions. These components "ordinarily require a plaintiff to show that his claim is premised on his own legal rights (as opposed to those of a third party), that his claim is not merely a generalized grievance, and that it falls within the zone of interests protected by the law invoked." Pagán, 448 F.3d at 27. Although the prudential requirements may be relaxed in some contexts, "the constitutional requirements apply with equal force in every case." Nat'l Org. for Marriage v. McKee, 649 F.3d 34, 46 (1st Cir. 2011), petition for cert. filed, 80 U.S.L.W. 3320 (U.S. Nov. 2, 2011) (No. 11-599).
It is against this backdrop that we next consider whether the plaintiff has standing as to each of her claims. B. Common-Law Claims. The invasion of a common-law right (including a right conferred by contract) can constitute an injury sufficient to create standing. See Ala. Power Co. v. Ickes, 302 U.S. 464, 479 (1938). The plaintiff alleges that she has rights deriving from the Agreement, the disclosure statement, and various online advertisements. These allegations are arrayed in support of claims for breach of an express contract, breach of an implied contract, and negligent breach of contractual duties.
The district court determined that the plaintiff lacked standing to bring these contract-based claims because she had no contract with the defendant. Katz, 806 F. Supp. 2d at 459-61. There is some question as to whether the existence of a contractual relationship between the plaintiff and the defendant is a part of an inquiry into standing (as opposed to a part of an inquiry into the merits of a claim). From an analytical standpoint, we think the better view is that when a plaintiff generally alleges the existence of a contract, express or implied, and a concomitant breach of that contract, her pleading adequately shows an injury to her rights. Even so, the present plaintiff has failed to state an actionable claim. We explain briefly.
This action is brought under our diversity jurisdiction. See 28 U.S.C. § 1332(d). It is thus clear that state substantive law must prescribe the rules of decision. See Avery v. Hughes, 661 F.3d 690, 693-94 (1st Cir. 2011). Here, however, the laws of two different states are implicated. The Agreement provides that New York law governs its construction and interpretation. Therefore, the plaintiff's claim for breach of contract is governed by that law. Nevertheless, the parties concede, at least tacitly, that Massachusetts law controls the other claims raised by the plaintiff. We are free to honor the reasonable understanding of the parties as to choice of law, see Artuso v. Vertex Pharm., Inc., 637 F.3d 1, 5 (1st Cir. 2011), and we do so here.
To survive a motion to dismiss for failure to state a claim, the "complaint must contain sufficient factual matter . . . to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This means that "[t]he complaint must include 'factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.'" Haley v. City of Boston, 657 F.3d 39, 46 (1st Cir. 2011) (quoting Iqbal, 129 S. Ct. at 1949). "If the factual allegations in the complaint are too meager, vague, or conclusory to remove the possibility of relief from the realm of mere conjecture, the complaint is open to dismissal." Tambone, 597 F.3d at 442. We review the plaintiff's complaint, including the documents annexed thereto, to see if it satisfies these standards.
To make out a breach of contract claim under New York law, the plaintiff must plead the existence of a promise that she is entitled to enforce. See Truty v. Fed. Bakers Supply Corp., 629 N.Y.S.2d 898, 899 (N.Y. App. Div. 1995). Inasmuch as she is not a party to the Agreement, the plaintiff's first contention is that she may sue as a third-party beneficiary. In this wise, she asserts that the defendant has breached the Agreement's data confidentiality provision, which requires the defendant to protect NPC's proprietary information "to the same extent and in at least the same manner as [it] protects its own confidential or proprietary information." She insists that she is an intended beneficiary of this confidentiality provision and, therefore, can sue the defendant to enforce it.
This contention is easily dispatched. The Agreement contains an explicit statement that it "is not intended to confer any benefits on third-parties including, but not limited to, customers of [NPC]." New York law on this point is transparently clear: "[w]here a provision exists in an agreement expressly negating an intent to permit enforcement by third parties, . . . that provision is decisive." Nepco Forged Prods., Inc. v. Consol. Edison Co. of N.Y., 470 N.Y.S.2d 680, 681 (N.Y. App. Div. 1984); see India.com, Inc. v. Dalal, 412 F.3d 315, 321-22 (2d Cir. 2005) (collecting cases).
The plaintiff clamors that there are exceptions to this bright-line rule. The precedents that she offers, however, contain only general principles for determining whether a party is, in fact, a third-party beneficiary. See, e.g., Flickinger v. Harold C. Brown & Co., 947 F.2d 595, 600 (2d Cir. 1991); Banco Espirito Santo de Investimento, S.A. v. Citibank, N.A., No. 03 Civ. 1537, 2003 WL 23018888, at *8-10 (S.D.N.Y. Dec. 22, 2003); Artwear, Inc. v. Hughes, 615 N.Y.S.2d 689, 692 (N.Y. App. Div. 1994). The plaintiff has not pointed to any New York case in which an explicit disclaimer of third-party beneficiary claims has been overlooked for any reason, and our research has revealed none. This makes perfect sense in view of New York's immutable requirement that the contracting parties must intend to benefit the third party: "absent such intent, the third party is merely an incidental beneficiary with no right to enforce the particular contract[]." Port Chester Elec. Constr. Corp. v. Atlas, 357 N.E.2d 983, 986 (N.Y. 1976).
Where, as here, that intent is unambiguously disclaimed, a suitor cannot attain third-party beneficiary status. See Piccoli A/S v. Calvin Klein Jeanswear Co., 19 F. Supp. 2d 157, 164 (S.D.N.Y. 1998). Whatever exceptions the plaintiff thinks there could be or should be in these circumstances, we — as federal judges sitting in diversity jurisdiction — "cannot be expected to create new doctrines expanding state law." Gill v. Gulfstream Park Racing Ass'n, 399 F.3d 391, 402 (1st Cir. 2005); see Kassel v. Gannett Co., 875 F.2d 935, 949-50 (1st Cir. 1989). After all, federal diversity courts are charged with ascertaining state law, not with reshaping it.
Relatedly, the plaintiff advocates a "public policy" exception that would block the enforcement of this disclaimer. She asseverates that by disavowing third-party beneficiaries in the Agreement, the defendant is attempting to contract away its duty to obey state and federal data security laws. This asseveration stands logic on its ear. The defendant has not contracted away its legal duties but, rather, has undertaken specific confidentiality obligations to NPC. The Agreement merely limits enforcement of those obligations to the contracting party (NPC).
The plaintiff has a fallback position. Rule 4311 of the New York Stock Exchange requires clearing firms like the defendant to notify customers of introducing firms like NPC "of the existence of the carrying agreement and the responsibilities allocated to each respective party." In compliance with this rule, the defendant sent a disclosure statement to all of NPC's customers (including the plaintiff), notifying them of the Agreement and its contents. The plaintiff alleges that this disclosure statement supersedes the Agreement's disclaimer of third-party beneficiaries and reinstates her as an intended beneficiary of the Agreement.
We fail to see how the disclosure statement modifies the express disclaimer of third-party beneficiary claims. After all, the Agreement expressly forbids subsequent modifications unless those modifications are "in writing signed by the parties." Such clauses are routinely enforced under New York law. See N.Y. Gen. Oblig. Law § 15-301(1). It follows inexorably that the express disclaimer of third-party beneficiary claims could not have been negated by the unsigned disclosure statement unilaterally formulated by one of the contracting parties.
The plaintiff extracts another argument from the disclosure statement. She says that the disclosure statement creates an implied contract between her and the defendant, thereby obligating the defendant to meet certain data confidentiality requirements. This argument lacks force.
The plaintiff couches her implied contract argument in terms of Massachusetts law. Under that law, "[a] contract implied in fact requires the same elements as an express contract and differs only in the method of expressing mutual assent." Mass. Eye & Ear Infirm. v. QLT Phototherapeutics, Inc., 412 F.3d 215, 230 (1st Cir. 2005) (internal quotation marks omitted). One of these elements is consideration. See T.F. v. B.L., 813 N.E.2d 1244, 1249 & n.4 (Mass. 2004). This element "is satisfied if there is either a benefit to the promisor or a detriment to the promisee." Marine Contractors Co. v. Hurley, 310 N.E.2d 915, 919 (Mass. 1974); see 3 Richard A. Lord, Williston on Contracts § 7:4 (4th ed. 2008).
In the case at hand, there is no allegation of consideration sufficient to support an implied contract claim. The plaintiff has not adequately alleged that she provided any bargained-for benefit or suffered any bargained-for detriment in exchange for the defendant's supposed promises. All the items that she suggests as consideration — her payment of fees and supplying of information — were furnished to NPC in exchange for its brokerage services. NPC, not the plaintiff, provided consideration to the defendant.
The plaintiff's conclusory allegation that the consideration flowed "indirectly" from her to the defendant does not withstand the test of plausibility. See Iqbal, 129 S. Ct. at 1949; Twombly, 550 U.S. at 556. In fact, the documents depict two separate sets of contractual obligations and benefits, one connecting the plaintiff to NPC and the other connecting NPC to the defendant. These sets cannot be mixed and matched. Accordingly, we cannot credit the plaintiff's ipse dixit that she has adequately pleaded the consideration needed for an implied contract.
This brings us to negligent breach of contractual duties. That claim, too, is cast in terms of Massachusetts law. In Massachusetts, such a cause of action is available when a party to a contract carelessly fails to perform as required and, as a result, foreseeably exposes third parties to injury. See Anderson v. Fox Hill Vill. Homeowners Corp., 676 N.E.2d 821, 823 (Mass. 1997).
The plaintiff's claim founders. To succeed, she must still plead the familiar elements of negligence, including duty, breach, causation, and harm. See Banaghan v. Dewey, 162 N.E.2d 807, 812-13 (Mass. 1959). Here, she has merely given lip service to the elements of causation and harm. It would serve no useful purpose at this point to cite book and verse concerning the deficiencies of these allegations. It suffices to say that the same reasoning that shows the absence of plausible allegations of causation and harm with respect to the plaintiff's consumer protection claims, see infra Part II(C), applies with equal force to the negligent breach of contract claim. These types of implausible allegations are insufficient to state a claim upon which relief can be granted. See Iqbal, 129 S. Ct. at 1949; Twombly, 550 U.S. at 555-56.
C. Consumer Protection Claims. We transition now to the claims brought under Massachusetts consumer protection laws. See Chapter 93A; Chapter 93H. When a plaintiff alleges injury to rights conferred by a statute, two separate standing-related inquiries pertain: whether the plaintiff has Article III standing (constitutional standing) and whether the statute gives that plaintiff authority to sue (statutory standing). See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 89, 92 (1998). Article III standing presents a question of justiciability; if it is lacking, a federal court has no subject matter jurisdiction over the claim. See id. By contrast, statutory standing goes to the merits of the claim. See Bond v. United States, 131 S. Ct. 2355, 2362-63 (2011); CGM, LLC v. BellSouth Telecomms., Inc., 664 F.3d 46, 51-52 (4th Cir. 2011).
Legislatures may affect both types of standing when they enact new statutes. Specifically, they can raise to the status of legally cognizable injuries certain harms that might otherwise have been insufficient at common law, and they may confer the authority to sue for those harms on private persons or public entities. Defenders of Wildlife, 504 U.S. at 578; see Thompson v. N. Am. Stainless, LP, 131 S. Ct. 863, 869 (2011).
In order to maintain a suit, a plaintiff must both suffer a cognizable injury and locate herself within the designated group who can sue for redress. The Supreme Court has decreed that federal courts normally must decide whether a particular plaintiff has constitutional standing before considering that plaintiff's statutory standing. See Steel Co., 523 U.S. at 95-97 & n.2; see also Deniz, 285 F.3d at 149 ("When a court is confronted with motions to dismiss under both Rules 12(b)(1) and 12(b)(6), it ordinarily ought to decide the former before broaching the latter.").
Given this directive, we preface our analysis of each statutory claim with an assessment of whether the plaintiff has demonstrated Article III standing. See TrafficSchool.com, Inc. v. Edriver Inc., 653 F.3d 820, 825 (9th Cir. 2011). Only if the plaintiff has cleared this hurdle will we proceed to examine whether she has adequately alleged her membership in the class of persons who can bring suit under Massachusetts consumer protection laws.
The plaintiff posits that she has constitutional standing because (i) the defendant's services are of a lesser value than promised, thus depriving her of the "benefit of the bargain," see Rice v. Price, 164 N.E.2d 891, 894 (Mass. 1960); (ii) the defendant's statements have induced her to pay higher fees for NPC's services than she otherwise would have paid; (iii) the defendant's failure to provide notice of security breaches as required by law has injured her; (iv) the defendant's inability to furnish legally required privacy protections has necessitated her purchase of identity theft insurance; and (v) that inability has exposed her to a substantial risk of future data insecurity. We [2] group these contentions into two subsets and consider them below.
1. False Promises and Misrepresentations. The plaintiff's first theories of standing derive from state statutory protections against false advertising and misrepresentation. She says that the defendant's inaccurate boast that it adequately protects customer data — a claim made both in its advertising and in the Agreement — entitles her to bring suit under Chapter 93A. The plaintiff has offered two explanations for why she may pursue these claims: the fact that she has overpaid for a product that allegedly does not perform as promised and the fact that the false advertisements induced her to pay too much for NPC's brokerage services.
Under the first theory, she styles her loss as the benefit of the bargain. By this, she means that she is paying more to NPC than the (less secure) service provided by the defendant is actually worth. It is a bedrock proposition that "a relatively small economic loss — even an 'identifiable trifle' — is enough to confer standing." Adams v. Watson, 10 F.3d 915, 924 (1st Cir. 1993). But whether or not the plaintiff can cross that low threshold — a matter on which we take no view — her claim stumbles over the altogether different requirement of causation.
When the injury alleged is the result of actions by some third party, not the defendant, the plaintiff cannot satisfy the causation element of the standing inquiry. See Ariz. Christian Sch. Tuition Org. v. Winn, 131 S. Ct. 1436, 1447-48 (2011); Raines v. Byrd, 521 U.S. 811, 830 n.11 (1997); Allen v. Wright, 468 U.S. 737, 757-58 (1984). This is such a case.
Any loss that the plaintiff suffered derives from the fees that she pays to NPC. If she is being overcharged at all, that overcharging is at the instance of NPC, not the defendant. Simply put, her injury is not fairly traceable to the defendant's action.
The plaintiff's remonstrances about the benefit of the bargain do not change this calculus. She has no bargain with the defendant and, therefore, no entitlement to any benefit from the defendant.
The plaintiff advances a related argument. She avers that the defendant's misleading advertisements caused her injury because they likely affected her decision to pay NPC's artificially inflated fees. This argument lands wide of the mark. Although buyers who do not actually rely on false advertisements sometimes may seek protection under Massachusetts law, see, e.g., Aspinall v. Philip Morris Cos., 813 N.E.2d 476, 486 (Mass. 2004), the fact that a litigant need not prove reliance on a representation does not vitiate the altogether different requirement of causation.
To satisfy Article III, the injury alleged - here, overpayment to NPC - must be ascribable to the defendant's misrepresentations. In actions brought under Chapter 93A, this does not foreclose the possibility that overpayments to a third party might in some circumstances constitute a cognizable injury caused by the party that has made the misrepresentations. See, e.g., In re Pharm. Indus. Average Wholesale Price Litig., 582 F.3d 156, 161, 190 (1st Cir. 2009) (finding Article III injury to be overpayments in the form of elevated reimbursement, insurance, and coinsurance costs imputable to the drug company's publication of false average wholesale prices). The plaintiff tries to style herself in this position: she claims that she chose NPC and overpaid for its services because of the defendant's misrepresentations.
These allegations fall short. In order to support a finding of causation in these circumstances, a plaintiff must plausibly allege a direct causal relationship between her overpayment and the defendant's purportedly misleading statements. See id. at 160-61 (finding Article III standing when defendant's misrepresentations "directly resulted in an increase to the payments the plaintiffs were required to make"). Even when third parties are not involved (as in the prototypical Chapter 93A case), the causation requirement is usually satisfied when a consumer purchases a falsely advertised product because the defendant's misrepresentations would have artificially inflated the price paid by the consumer. Cf. Rule v. Fort Dodge Animal Health, Inc., 607 F.3d 250, 251-53 (1st Cir. 2010) (considering such a claim on the merits). The plaintiff has not satisfied this essential prerequisite here.
The plaintiff attempts to show causation by alleging that the fees she pays to NPC are higher than they otherwise would be because NPC "passed on" the inflated charges for the defendant's service to her. But the documents depict two separate sets of contractual obligations with separate fees and services: one set between NPC and the defendant and the other set between the plaintiff and NPC. Thus, the plaintiff's allegation is nothing more than a bare hypothesis that NPC possibly might push this aspect of its operational costs onto her. This is not a plausible allegation that the false advertisements caused her to pay the supposedly inflated prices for NPC's services. See Iqbal, 129 S. Ct. at 1949; Twombly, 550 U.S. at 555-56. As a result, the plaintiff has not satisfied the causation requirement for Article III standing.
2. Data Insecurity. The plaintiff's remaining claims assert injuries to rights purportedly created by Chapter 93H and other kindred privacy regulations. See, e.g., 940 Mass. Code Regs. § 3.16(3) (explaining that violation of "existing statutes, rules, regulations or laws, meant for the protection of the public's health, safety, or welfare" is an unfair trade practice). She maintains that she may bring an action for violation of Chapter 93H because she has not been notified of extant but unidentified security breaches and, in all events, the defendant has failed to conform to various encryption protocols. These shortcomings, she laments, have required her to purchase identity theft insurance and have exposed her nonpublic personal information to possible misappropriation.
The district court held that a cause of action for a violation of Chapter 93H can be brought only by the Attorney General. See Katz, 806 F. Supp. 2d at 458-59 (citing Chapter 93H, § 6). We do not decide that question today but, rather, adhere to "the general rule [] that a court should first confirm the existence of rudiments such as jurisdiction and standing before tackling the merits of a controverted case." Berner v. Delahanty, 129 F.3d 20, 23 (1st Cir. 1997). Assuming, without deciding, that a private person may pursue a cause of action under Chapter 93H — a matter best left to the Massachusetts courts — the plaintiff nonetheless cannot satisfy Article III's injury requirement.
Chapter 93H has two principal components. The first component enables various branches of the state government to adopt privacy rules and regulations to:
insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
Chapter 93H, § 2(a). The executive branch of the state government has responded by promulgating "Standards for the Protection of Personal Information of Residents of the Commonwealth." 201 Mass. Code Regs. §§ 17.00-17.05. These standards impose duties and requirements on persons and entities that own, license, or maintain personal information about Massachusetts residents. Id. §§ 17.03- 17.04.
The second component of Chapter 93H establishes privacy notification requirements. Chapter 93H, §§ 3-4. These requirements are triggered by any "breach of security," as defined by the statute, or any unauthorized access or use of personal information. Id. §§ 1(a), 3-4. When such unauthorized access or use occurs, persons and entities that own, license, or maintain Massachusetts residents' personal information must provide notice to government officials and affected parties pursuant to various disclosure guidelines. Id. §§ 3-4.
In determining how to evaluate the plaintiff's standing to challenge alleged failures to abide by these strictures, a comparison to the environmental standing cases is instructive. Those decisions teach that an allegation that someone has failed to meet some legal requirement, without more, is insufficient to confer Article III standing. See, e.g., Defenders of Wildlife, 504 U.S. at 558-59, 572-73. Inasmuch as standing necessitates that a plaintiff "allege[] such a personal stake in the outcome of the controversy as to warrant his invocation of federal-court jurisdiction," Horne v. Flores, 129 S. Ct. 2579, 2592 (2009) (internal quotation marks omitted), an injury in fact must also be alleged. We assess the plaintiff's allegations through this prism.
Our starting point is the plaintiff's claim that she has been injured because the defendant has failed to provide notice of a security breach as required by Chapter 93H. The complaint fleshes out this claim by alleging only that a "massive number of breaches of security [] have invariably occurred" and that, as a result, some level of unauthorized access must have transpired, thereby exposing some unspecified people's nonpublic personal information to further unauthorized disclosure. She suggests that these breaches should have been reported pursuant to Chapter 93H and that the defendant's failure to do so entitles her to sue.
This claim is unavailing. Critically, the complaint does not contain an allegation that the plaintiff's nonpublic personal information has actually been accessed by any unauthorized user. To achieve standing, plaintiffs "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Warth v. Seldin, 422 U.S. 490, 502 (1975). Without any reference to an identified breach of the plaintiff's data security, the complaint does not show an injury sufficient to give rise to Article III standing.
The plaintiff's next attempt to demonstrate injury in fact focuses on her purchase of identity theft insurance and credit monitoring services. In evaluating this plaint, the reasoning in the environmental standing cases is once again instructive. In Mallinckrodt, we examined the plaintiffs' assertions that they had refrained from visiting a river due to fear of mercury contamination. In assaying whether those statements were sufficient to create an injury in fact, we observed that "an individual's decision to deny herself aesthetic or recreational pleasures based on concern about pollution will constitute a cognizable injury only when the concern is premised upon a realistic threat." Mallinckrodt, 471 F.3d at 284. The Supreme Court has assumed a similar stance in both environmental and nonenvironmental cases. See, e.g., Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 184-85 (2000); City of Los Angeles v. Lyons, 461 U.S. 95, 107 n.8 (1983).
We think that an analogous requirement is in order here. When an individual alleges that her injury is having to take or forebear from some action, that choice must be premised on a reasonably impending threat. Such a requirement is fully consistent with the well-settled principle that the harm or injury must be actual or imminent, not speculative. See Defenders of Wildlife, 504 U.S. at 564 & n.2.
In this case, the plaintiff purchased identity theft insurance and credit monitoring services to guard against a possibility, remote at best, that her nonpublic personal information might someday be pilfered. Such a purely theoretical possibility simply does not rise to the level of a reasonably impending threat.
To recapitulate, the plaintiff has not alleged that her nonpublic personal information actually has been accessed by any unauthorized person. Her cause of action rests entirely on the hypothesis that at some point an unauthorized, as-yet unidentified, third party might access her data and then attempt to purloin her identity. The conjectural nature of this hypothesis renders the plaintiff's case readily distinguishable from cases in which confidential data actually has been accessed through a security breach and persons involved in that breach have acted on the ill- gotten information. Cf. Anderson v. Hannaford Bros., 659 F.3d 151, 164-65 (1st Cir. 2011) (holding purchase of identity theft insurance in such circumstances reasonable in negligence context). Given the multiple strands of speculation and surmise from which the plaintiff's hypothesis is woven, finding standing in this case would stretch the injury requirement past its breaking point.
We reach at long last the plaintiff's final theory of injury: her assertion that the defendant's failure to adhere to privacy regulations increases her risk of harms associated with the loss of her data. The courts of appeals have evidenced some disarray about the applicability of this sort of "increased risk" theory in data privacy cases. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 43-46 (3d Cir. 2011) (finding no injury in fact when unauthorized person accessed but did not yet misuse plaintiffs' data); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (finding injury in fact when plaintiffs pled increased risk of harm following theft of a laptop that contained their personal data); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (finding injury in fact when plaintiffs claimed an increased risk of data theft after their information had been accessed by a malicious and sophisticated hacker). Be that as it may, these cases have a common denominator. In each of them, the plaintiffs' data actually had been accessed by one or more unauthorized third parties. See Reilly, 664 F.3d at 40; Krottner, 628 F.3d at 1140- 41; Pisciotta, 499 F.3d at 632.
The allegations in this case do not mirror that common denominator. Here, the plaintiff alleges only that there is an increased risk that someone might access her data and that this unauthorized access (if it occurs) will increase the risk of identity theft and other inauspicious consequences. Thus, the risk of harm that she envisions is unanchored to any actual incident of data breach. This omission is fatal: because she does not identify any incident in which her data has ever been accessed by an unauthorized person, she cannot satisfy Article III's requirement of actual or impending injury. See Krottner, 628 F.3d at 1143 (noting that if the laptop containing customer data "had [not] been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future," court would be unlikely to find Article III injury).
Standing is not an "ingenious academic exercise in the conceivable. A plaintiff must allege that he has been or will in fact be perceptibly harmed . . . , not that he can imagine circumstances in which he could be affected." United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669, 688-89 (1973). So it is here. Insofar as we can tell from the complaint, no interest or right of the plaintiff has been harmed by any violation of applicable privacy laws. In the absence of such a showing, we lack jurisdiction to review her statutory claims.
III. CONCLUSION
The innovations and problems of the electronic age have created new challenges for the courts. But venerable principles of our jurisprudence can guide us on this frontier. This case is illustrative: the plaintiff has asserted a litany of novel harms under freshly inked laws, but the irreducible minimum requirements of pleading and Article III doom her case.
We need go no further. For the reasons elucidated above, we affirm the judgment of the district court. Affirmed.
NOTES
[*] Hon. David H. Souter, Associate Justice (Ret.) of the Supreme Court of the United States, sitting by designation.
[1] CAFA's minimal diversity requirements apply to putative class actions. See Aguayo v. U.S. Bank, 653 F.3d 912, 917 (9th Cir. 2011); Spivey v. Adaptive Mktg. LLC, 622 F.3d 816, 821-22 & n.1 (7th Cir. 2010). We have jurisdiction to review the dismissal of her action pursuant to 28 U.S.C. § 1291.
[2] In two sentences of the complaint and a single paragraph of her sixty-page brief, the plaintiff cursorily states that the defendant's failure to employ reasonable security measures while representing that its security measures are excellent is a violation of the Federal Trade Commission Act (FTC Act), see 15 U.S.C. § 45 (prohibiting unfair trade practices), and other federal consumer protection statutes. It is common ground that unfair trade practices which violate the FTC Act can form the basis for a private action under Chapter 93A. See In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 496-97 (1st Cir. 2009). Standing is still required, however, and the plaintiff here alleges in support of her undeveloped FTC Act claim only the same theories of injury relied on in support of her other claims. Because we find those theories of injury constitutionally insufficient, we have no need to analyze the FTC Act claim separately.