Do You Have Standing to Bring an Internet Security Claim?
As Anonymous continues hacking websites and teaching the online world lessons in Internet security, more consumers will receive disconcerting email messages from businesses saying, "We're sorry, but your personal information stored on our website has been compromised."
When we learn that a website which contains our personal information doesn't meet proper Internet security standards, we have the same reaction as Brenda Katz, today's First Circuit Court of Appeals appellee: We wanted to hold someone accountable.
Unfortunately, the First Circuit ruled this week that Katz lacked Article III standing to bring a putative class action lawsuit against a financial services company for failing to protect her sensitive, nonpublic personal information under contract and consumer protection laws.
In affirming the district court's dismissal of Katz's case, the First Circuit concluded that, "despite the dire forebodings expressed in her complaint," Katz failed to state any contractual claim for relief, and lacked constitutional standing to assert a violation of any arguably applicable consumer protection law.
Defendant Pershing LLC sells brokerage execution, clearance, and investment products and services to other financial organizations. Its customers are typically registered broker-dealers and investment advisers that trade securities on behalf of their clients. One of Pershing's services is NetExchange Pro, a subscription-based electronic platform for obtaining research and managing brokerage accounts online.
Katz, who maintains a brokerage account at National Planning Corporation, a NetExchange Pro client, filed a putative class action lawsuit against Pershing under the Class Action Fairness Act, alleging that her nonpublic personal information was vulnerable to prying eyes because it was inadequately protected by the Pershing's service.
The district court dismissed Katz's case for lack of Article III standing, and the First Circuit Court of Appeals affirmed.
Here, the First Circuit notes that Katz did not identify any incident in which her data had ever been accessed by an unauthorized person, thus she could not satisfy Article III's requirement of actual or impending injury. To bring a claim, a plaintiff must allege that she has been, or will in fact be, perceptibly harmed, not that she can imagine circumstances in which she could be affected.
What does that mean for your practice?
If an Anonymous victim wants to sue an Internet-based company for failure to protect sensitive information, she probably has a valid claim because she has suffered an actual harm. But if a potential client wants to sue simply because Anonymous could conceivably access her information, she probably lacks Article III standing.