Opinion
CIVIL 22-1217 (ADC)
03-31-2023
ROSA E. RIVERA-MARRERO, Plaintiff, v. BANCO POPULAR DE PUERTO RICO, Defendant.
OPINION AND ORDER
S/AIDA M. DELGADO-COLÓN United States District Judge
On May 12, 2022, plaintiff Rosa E. Rivera-Marrero (“plaintiff” or “Rivera-Marrero”) filed a putative class action complaint against defendant Banco Popular de Puerto Rico (“defendant” or “Popular”) alleging that she and other similarly situated customers of Popular have suffered damages as a result of its failure to adequately safeguard their personal information. See, ECF No. 1 (“Compl.”). Before the Court is Popular's motion to dismiss for lack of subject-matter jurisdiction and failure to state a claim under Fed.R.Civ.P. 12(b)(1) and (6), filed on August 1, 2022. ECF No. 17 (“Mot.”). Plaintiff filed an opposition on August 16, 2022. ECF No. 20 (“Opp'n”). Popular filed a reply on September 14, 2022, with leave of Court. ECF No. 31 (“Reply”).
I. Introduction
Plaintiff's complaint alleges that Popular failed to discharge its purported legal duty to protect and safeguard the personally identifiable information it collected from plaintiff and other customers, such as their names, addresses, accounts, and Social Security numbers (“PII”). Specifically, according to plaintiff, Popular shared the PII with an unidentified vendor who in turn used a file transfer platform called “Accellion FTA” (developed by non-party Accellion, Inc.) that was exploited by unauthorized users (i.e., hackers) in a data breach. This exposed plaintiff and other Popular customers to a risk of potential misuse of their PII in the form of identity theft and fraud. However, plaintiff does not allege that any actual misuse of her PII has actually occurred, just that she is now exposed to an increased risk of suffering such misuse in the future, and that she has incurred in mitigation costs and suffered other damages due to this increased risk. Based on the above, plaintiff sued Popular on her behalf and on behalf of similarly situated persons and included a total of five separate causes of action seeking damages, namely: negligence, breach of implied contract, invasion of privacy, breach of confidence, and unjust enrichment. Plaintiff also included a petition for injunctive relief requesting that Popular take several actions with regards to its handling of her PII.
Neither Accellion, Inc. nor Popular's unidentified vendor have been included as a party in this case. Plaintiff's putative class action complaint is directed solely as to Popular's alleged responsibility.
In its motion to dismiss, Popular asks the Court to find that plaintiff (and by extension, the proposed class) lacks standing to pursue her claims against Popular under Article III of the U.S. Constitution. U.S. Const. art. III, § 2, cl. 1. Alternatively, it requests that the Court dismiss all counts against it for failure to state a claim upon which relief could be granted. In her opposition, plaintiff withdrew her claims for invasion of privacy, breach of confidence, and unjust enrichment, but nonetheless maintained that she had standing to pursue her claims for negligence and breach of implied contract and that she was entitled to relief against Popular.
The stage thus set, the Court must first resolve the question of plaintiff's standing. The question posed by Popular's motion to dismiss, however, arises in a context not oft explored in this district or in the First Circuit. The motion to dismiss requires that the Court decide whether allegations of injury from the exposure to an increased risk of future harm are sufficiently concrete and imminent to confer standing, when said risk stems from a data breach in which PII was accessed and exfiltrated, but has not been misused.
Although a handful of district court cases in this Circuit have dealt with standing issues arising from data breaches and/or data misuse, the question presented by the particular factual scenario here seems to be unique. There is a close First Circuit analogue in Katz v. Pershing, LLC, 672 F.3d 64 (2012), but that case did not involve a data breach or unauthorized access to PII and was decided over a decade ago, during which several other federal courts have analyzed and answered standing questions similar (but not identical) to what is now before the Court. In addition, the Supreme Court issued several decisions on Article III standing after Katz that in one way or another affect the inquiry that the Court must undertake here. See, TransUnion LLC v. Ramírez, 141 S.Ct. 2190 (2021); Spokeo, Inc. v. Robins, 578 U.S. 330 (2016); Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014); Clapper v. Amnesty Intern. USA, 568 U.S. 398 (2013). Moreover, although Popular holds (and the Court ultimately agrees) that Katz is the applicable First Circuit precedent (Reply, ECF No. 31 at 1), both parties have supported their arguments with a myriad of out-of-circuit decisions post-dating Katz involving data breaches, ransomware attacks, and other types of electronic disclosures of nonpublic information. A number of these authorities, although not binding, nonetheless offer valuable guidance.
See, e.g., Webb v. Injured Workers Pharmacy, LLC, No. 22-10797-RGS, 2022 WL 10483751 (D. Mass. Oct. 17, 2022), appeal filed, No. 22-1896 (1st Cir. Nov. 16, 2022); Quintero v. Metro Santurce, Inc., No. 20-01075-WGY, 2021 WL 5855752 (D.P.R. Dec. 9, 2021); Hartigan v. Macy's, Inc., 501 F.Supp.3d 1 (D. Mass. 2020); Portier v. NEO Tech. Sols., No. 17-30111-TSH, 2019 WL 7946103 (D. Mass. Dec. 31, 2019), report and recommendation adopted, No. 17-30111, 2020 WL 877035 (D. Mass. Jan. 30, 2020).
Given the above, the Court will carefully analyze the question of plaintiff's standing, affording due respect to Katz as in-circuit precedent but will also take into account more recent developments in the Supreme Court and in other circuit and district courts. As explained in detail below, the Court concludes that plaintiff has not established that she has Article III standing. Consequently, Popular's motion to dismiss at ECF No. 17 is GRANTED.
II. Legal Standard
Motions brought under Fed.R.Civ.P. 12(b)(1) are subject to the same standard of review as Fed.R.Civ.P. 12(b)(6) motions. Torres v. Bella Vista Hosp., Inc., 523 F.Supp.2d 123, 132 (D.P.R. 2007) (citing Negrón-Gaztambide v. Hernández-Torres, 35 F.3d 25, 27 (1st Cir. 1994)). Nevertheless, “[w]hen a court is confronted with motions to dismiss under both Rules 12(b)(1) and 12(b)(6), it ordinarily ought to decide the former before broaching the latter.” González v. Otero, 172 F.Supp.3d 477, 495 (D.P.R. 2016) (citing Deniz v. Municipality of Guaynabo, 285 F.3d 142, 149 (1st Cir. 2002)). “After all, if the court lacks subject matter jurisdiction, assessment of the merits becomes a matter of purely academic interest.” Id.
A defendant may move to dismiss a complaint for lack of subject-matter jurisdiction under Fed.R.Civ.P. 12(b)(1). When reviewing a complaint under Rule 12(b)(1), courts “construe the Complaint liberally and treat all well-pleaded facts as true, according the plaintiff[s] the benefit of all reasonable inferences.” Town of Barnstable v. O'Connor, 786 F.3d 130, 138 (1st Cir. 2015) (alteration in original) (citation and internal quotation marks omitted).
Courts also favorably construe a complaint when considering a Rule 12(b)(6) motion to dismiss for failure to state a claim upon which relief can be granted. Rodríguez-Reyes v. Molina-Rodríguez, 711 F.3d 49, 53 (1st Cir. 2013). “While detailed factual allegations are not necessary to survive a motion to dismiss for failure to state a claim, a complaint nonetheless must contain more than a rote recital of the elements of a cause of action” and “must contain sufficient factual matter to state a claim to relief that is plausible on its face.” Id. (additional citations and internal quotation marks omitted) (citing Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009)). In order to perform this plausibility inquiry, the Court must “separate factual allegations from conclusory ones and then evaluate whether the factual allegations support a ‘reasonable inference that the defendant is liable for the misconduct alleged.'” Conformis, Inc. v. Aetna, Inc., 58 F.4th 517, 528 (1st Cir. 2023) (citing Iqbal, 556 U.S. at 678, and Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). If the resulting factual allegations “are too meager, vague, or conclusory to remove the possibility of relief from the realm of mere conjecture, the complaint is open to dismissal.” S.E.C. v. Tambone, 597 F.3d 436, 442 (1st Cir. 2010) (en banc). In sum, “[t]he relevant inquiry focuses on the reasonableness of the inference of liability that the plaintiff is asking the court to draw from the facts alleged in the complaint.” Ocasio-Hernández v. Fortuño-Burset, 640 F.3d 1, 13 (1st Cir. 2011).
III. Plaintiff's Allegations
Plaintiff alleges that she was a costumer of Popular at all times relevant to the complaint. Compl., ECF No. 1 at ¶ 33. Specifically, she alleges that she opened a checking and savings account with Popular approximately 30 years prior to the filing of the complaint. Id., at ¶ 71. She alleges that, as a condition for providing its services, Popular required plaintiff to provide sensitive PII such as her name, address, account, and Social Security number. Id., at ¶¶ 1, 19, 33, 97, 136. In turn, Popular provided plaintiff's PII to an unidentified vendor which used a legacy software called “Accellion FTA” (developed by non-party Accellion, Inc.) to store and/or share the PII. Id., at ¶ 19.
Plaintiff also alleges that she is “very careful about sharing her PII,” that she has never “knowingly transmitted unencrypted PII over the internet or any other unsecured source,” that she “stores any documents containing her PII in a safe and secure location or destroys the documents,” and that she “chooses unique usernames and passwords for her various online accounts.” Id., at ¶¶ 74-75.
On or before June 25, 2021, as alleged in the complaint, Popular learned from its unidentified vendor that it had suffered a data breach (“Data Breach”) involving Popular's files via the exploitation of a vulnerability in Accellion FTA. Id., at ¶ 4. On or around that same date, Popular sent a letter to plaintiff informing her of the data breach; specifically, that an unauthorized party accessed one or more documents that contained sensitive information about Popular's current and former customers which included PII. Id., at ¶ 22, 23.
The complaint further alleges that Accellion, Inc. announced on May 18, 2021, that “75% of its customers impacted by the exploitation of the vulnerability in Accellion FTA had migrated to another Accellion product known as ‘Kiteworks,'” which it characterized as “superior” to Accellion FTA and a “'modern, secure' platform.” Id., at ¶ 25. Therefore, according to plaintiff, “Popular should have migrated to Kiteworks or another superior solution” but continued to use Accellion FTA “notwithstanding its ‘legacy' status and the availability of a ‘superior' alternative that would have better protected” her and other customers' PII. Id., ¶¶ 26-27.
As a result of the breach, plaintiff alleges a litany of possible harms to which she and other members of the putative class are now exposed to. Among these, that their PII “may end up for sale on the dark web, or simply fall into the hands of companies that will use [it] for targeted marketing without” her consent. Id., ¶ 29. Once PII is stolen, plaintiff alleges, “fraudulent use of that information and damage to victims may continue for years.” Id., ¶ 40. In that vein, she alleges that the PII “was taken by hackers to engage in identity theft or to sell to other criminals who will purchase the PII for that purpose. The fraudulent activity resulting from the Data Breach may not come to light for years.” Id., ¶ 48. Thus, she and other current and former Popular customers “now face years of constant monitoring of their financial and personal records and loss of rights. Plaintiff and Class Members are incurring and will continue to incur such damages in addition to any fraudulent use of their PII.” Id., ¶ 51. Particularly as to plaintiff, she alleges that she has “spent time dealing with the consequences of the Data Breach, which includes time spent verifying the legitimacy of the news reports of the Data Breach, exploring credit monitoring and identity theft insurance options, and self-monitoring her financial accounts. This time has been lost forever and cannot be recaptured.” Id., ¶ 73.
Plaintiff sums up her “actual injuries” as “damages to and diminution in the value of her PII-a form of intangible property… lost time, annoyance, interference, and inconvenience” as well as “anxiety and increased concerns for the loss of her privacy.” Id., at ¶¶ 76-77. She alleges “imminent and impending injury from the substantially increased risk of fraud, identity theft, and misuse” of her PII. Id., at ¶ 78. She also alleges that she has a “continuing interest in ensuring that her PII, which, upon information and belief, remains backed up in Defendant's possession, is protected and safeguarded from future breaches.” Id., at ¶ 79.
IV. Analysis
Because Popular's standing challenge concerns this Court's subject-matter jurisdiction, the Court must address it first. The Court need not proceed to consider Popular's Rule 12(b)(6) challenge if plaintiff lacks standing. Deniz, 285 F.3d at 149.
A. Popular's Standing Challenge under Rule 12(b)(1)
Popular broadly argues that plaintiff's alleged injuries are “speculative, self-inflicted, or not cognizable.” Mot., ECF No. 17 at 7. Further, Popular points out that plaintiff does not allege actual misuse of her PII, but that even if she had, those injuries would not be fairly traceable to Popular. Id. In response, plaintiff argues that the alleged injury-the unauthorized disclosure of her PII-is an intangible harm that is sufficiently concrete to confer standing under Article III. Opp'n, ECF No. 20 at 2-6. Furthermore, she argues that Popular had a duty to protect and safeguard her PII but failed to take steps to ensure its security, and therefore her injuries are fairly traceable to Popular's acts and omissions. Id., at 6-8.
A challenge to a party's standing is properly a challenge to a federal court's jurisdiction given that the standing doctrine emanates from the Constitution's grant of federal judicial power over the resolution of “Cases” and “Controversies.” See, TransUnion, 141 S.Ct. at 2203 (“Article III confines the federal judicial power to the resolution of ‘Cases' and ‘Controversies.' For there to be a case or controversy under Article III, the plaintiff must have… standing.”). The burden to establish standing is on the party invoking federal jurisdiction. See, id., at 2207; Laufer v. Acheson Hotels, LLC, 50 F.4th 259, 266 (1st Cir. 2022), cert. granted, No. 22-429 (S.Ct. Mar. 27, 2023). In order to do so at the pleadings stage, the party “must clearly allege facts demonstrating each element” of the standing inquiry. Amrhein v eClinical Works, LLC, 954 F.3d 328, 330 (2020) (citations and quotation marks omitted). “[T]the standing inquiry is claim-specific: a plaintiff must have standing to bring each and every claim that she asserts.” Katz, 672 F.3d at 71. The plaintiff must “demonstrate standing for each claim that [she] press[es] and for each form of relief that [she] seek[s] (for example, injunctive relief and damages).” TransUnion, 141 S.Ct. at 2208.
The basic inquiry before the Court is thus whether plaintiff has sufficiently alleged that she has suffered (1) an injury in fact (2) that is fairly traceable to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision. See, Spokeo, 578 U.S. at 338 (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)).
But before diving head-first into whether plaintiff has sufficiently alleged standing, the Court notes that the question here is presented in a very specific context: allegations of an increased risk of future harm due to a data breach in which customer PII was accessed and exfiltrated, but where no actual misuse is alleged, coupled with allegations of present monetary and emotional injuries caused by this risk. The cases reviewed by this Court show that there is no uniform formula by which to evaluate whether a risk of future harm in the data breach context is an injury in fact. However, a handful of recent out-of-circuit cases provide helpful guidance in navigating this inquiry.
Chief among them is In re 21st Century Oncology Customer Data Sec. Breach Litig., where the U.S. District Court for the Middle District of Florida surveyed a wide array of data breach cases “to distill three non-exhaustive guiding factors for determining whether a plaintiff has sufficiently alleged [ ] an injury in fact based on an increased risk of identity theft subsequent to a data breach.” In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F.Supp.3d 1243, 1254 (M.D. Fla. 2019) (hereinafter, “21st Century Oncology”). The distilled factors are: “(1) the motive of the unauthorized third-party who accessed or may access the plaintiff's sensitive information, (2) the type of sensitive information seized, and (3) whether the information was actually accessed and whether there have been prior instances of misuse stemming from the same intrusion.” Id., at 1254-55.
By this Court's count, In re 21st Century includes a comparative survey of 13 different court of appeals decisions from nine different federal circuits. 380 F.Supp.3d at 1250-1256.
This three-factor standard has not yet been analyzed or adopted by the First Circuit, but it was recently endorsed by the U.S. District Court for the District of Massachusetts in Portier v. NEO Tech. Sols., No. 17-30111-TSH, 2019 WL 7946103 (D. Mass. Dec. 31, 2019), report and recommendation adopted, No. 17-30111, 2020 WL 877035 (D. Mass. Jan. 30, 2020). Furthermore, it was later used by a sister Court in this district in Quintero v. Metro Santurce, Inc., No. 20-01075-WGY, 2021 WL 5855752 at *5 (D.P.R. Dec. 9, 2021) (Young, J.). The standard also mirrors the factors analyzed by the Third Circuit in its recent opinion in Clemens v. ExecuPharm, Inc., 48 F.4th 146, 153-54 (3rd Cir. 2022). Therefore, the Court will proceed first to evaluate the complaint's well-pleaded facts under the traditional “injury in fact” standard and then, to assist in its evaluation, under the three-factor standard for data breach cases.
1. The Injury in Fact Must Be Concrete, Particularized, and Actual or Imminent
The first and foremost of the elements of the traditional standing inquiry is “injury in fact,” and to “establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, 578 U.S. at 338-39 (citing Lujan, 504 U.S. at 560 (1992)) (quotation marks omitted).
From the outset, the Court finds that plaintiff has sufficiently alleged that the injury is particularized. An injury is particularized for Article III purposes when it “affect[s] the plaintiff in a personal and individual way.” Laufer, 50 F.4th at 275; see also, Katz, 672 F.3d at 71. Here, Popular does not argue that plaintiff has failed to allege a personal injury. Moreover, even if it did, the complaint includes a whole section titled “Plaintiff's Experience” where it chronicles plaintiff's relationship with Popular and alleges the harms she personally suffered as a result of the Data Breach. See, Compl., ECF No. 1, at 16-17, ¶¶ 71-79.
Popular addresses the particularity of plaintiff's claims in only one sentence in its motion to dismiss: “Plaintiff's alleged injuries are neither concrete no particularized, and her Complaint should therefore be dismissed.” ECF No. 17, at 5. Concreteness and particularity, however, are separate and distinct requirements under the injury in fact inquiry. See, Spokeo, 578 U.S. at 340.
Nevertheless, Popular's challenge is centered on the lack of concreteness and imminence of plaintiff's alleged injuries. Popular's argument, looked at through the lens of the injury in fact requirement, essentially boils down to plaintiff (1) failing to allege a sufficiently concrete injury to claim damages, and (2) failing to allege a sufficiently imminent risk of injury to be entitled to injunctive relief. According to Popular, plaintiff's injuries are premised solely on a risk of future harm-that her PII will at some point be misused-and that this is neither a concrete nor an imminent injury. Mot., ECF No. 17 at 7-11. Popular argues that because this risk is neither concrete nor imminent, the other alleged collateral injuries-mitigation costs, diminution of value of her PII, lost time, anxiety, annoyance-are themselves insufficiently concrete to confer standing. Id., at 11-13.
The Court agrees that plaintiff alleges, broadly speaking, two types of injuries. First, that she is now exposed to an increased risk of future harm in the form of fraud, identity theft, and misuse resulting from her PII (especially her Social Security number) having been accessed by unauthorized third parties and possibly criminals as a result of the Data Breach. See, e.g., Comp'l., ECF No. 1 at ¶¶ 78. Second, that, as a result, she is currently suffering “actual injuries” in the form of damages to and diminution in the value of her PII, lost time, annoyance, interference, inconvenience, anxiety, and increased concerns for the loss of her privacy. Id., at ¶¶ 76-77. But the second type of injuries are dependent on the first type, and this relationship between the two requires that the Court proceed with caution in its concreteness and imminence analysis.
a. Concreteness and Imminence in Risk-of-Future-Harm Injuries
The concreteness and imminence standards are well-known and worth reviewing in detail. An injury is sufficiently concrete for Article III purposes when it is real as opposed to abstract; that is, it must actually exist. See, TransUnion, 414 S.Ct. at 2204; Spokeo, 578 U.S. at 340; Laufer, 50 F.4th at 267. Both tangible (e.g., monetary damages) and intangible (e.g., disclosure of private information) harms can be concrete injuries under Article III. See, In re Evenflo Company, Inc., Marketing, Sales Practices and Products Liability Litigation, 54 F.4th 28, 39 (1st Cir. 2022) (citing TransUnion, 141 S.Ct. at 2204). What plaintiff alleges in her complaint is essentially an intangible harm in the form of disclosure of private information. See, Opp'n, ECF No. 20, at 2-3. The Supreme Court in TransUnion recognized this type of harm as sufficiently concrete to support Article III standing. TransUnion, 141 S.Ct. at 2204.
Given that intangible injuries are “less obvious,” they “can raise more of a question on whether there's an Article III case or controversy.” Laufer, 50 F.4th at 268. Therefore, in “determining whether an intangible harm rises to the level of a concrete injury, both history… and the judgment of Congress play important roles.” Laufer, 50 F.4th at 268. Specifically, the Court must look to whether the alleged intangible harm has “a close relationship to a harm traditionally recognized as a basis for a lawsuit in English or American courts” and whether “Congress has imposed a statutory prohibition or obligation on a defendant and granted a cause of action to a plaintiff to sue over any violation of such.” See, TransUnion, 141 S.Ct. at 2204; Laufer, 50 F.4th at 268.
On the other hand, the actual or imminent requirement of standing “ensures that the harm has either happened or is sufficiently threatening; [but] it is not enough that the harm might occur at some future time.” Katz, 672 F.3d at 71 (citing Lujan v. Defenders of Wildlife, 504 U.S. at 564). An injury is “actual” when it has been already suffered and “imminent” when it has yet to be suffered. Katz, 672 F.3d at 71. When a plaintiff premises his or her standing on the risk of suffering a future injury (i.e., an “imminent” injury), such an allegation may support standing “if the threatened injury is ‘certainly impending,' or [if] there is a ‘substantial risk that harm will occur.'” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (citing Clapper v. Amnesty Intern. USA, 568 U.S. 398, 414 n.5 (2013)); see also, Reddy v. Foster, 845 F.3d 493, 500 (1st Cir. 2017) (emphasizing disjunctive nature of test). Importantly, the imminence requirement has “as its purpose to ensure that the alleged injury is not too speculative for Article III purposes.” See, Clapper, 568 U.S. at 409.
In Kerin v. Titeflex Corp., 770 F.3d 978, 981-82 (1st Cir. 2014), a products liability case, the First Circuit described “[c]ases claiming standing based on risk… [as] potentially involve[ing] two injuries: (1) a possible future injury that may or may not happen (i.e., the harm threatened); and (2) a present injury that is the cost or inconvenience created by the increased risk of the first, future injury (e.g., the cost of mitigation).” Kerin, 770 F.3d at 981-82. This framework is helpful for evaluating risk-based theories of injury in data breach cases. See, Hartigan v. Macy's, Inc., 501 F.Supp.3d 1 (D. Mass. Nov. 5, 2020) (applying Kerin framework to a data breach case). In such cases where the plaintiff's injuries are based on the risk of suffering a future harm, the alleged “present injuries” are contingent on the increased risk of the “future injury,” and the Court must guard against attempts to “manufacture standing” by reacting to excessively remote or speculative threats of harm. See, Kerin, at 982 (“…although one of the alleged injuries is present, satisfying imminence, that injury may still be speculative.”); see also, Clapper, at 416 (“[Plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”). As a corollary, the more speculative and abstract the future risk of injury is, the less reasonable the alleged “actual injuries” are for standing purposes. See, Katz, 672 F.3d at 79 (“When an individual alleges that her injury is having to take or forebear from some action, that choice must be premised on a reasonably impending threat.”).
Regarding imminence, the Supreme Court's decision in Clapper also urges caution. There, the Supreme Court denied standing to a group of plaintiffs seeking declaratory and injunctive relief against government surveillance of their communications. 568 U.S. at 401. In doing so, it reaffirmed prior precedent holding that “that threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient.” Clapper, 568 U.S. at 409 (citation and quotation marks omitted). The threatened harm there was not “imminent” in good part because it was premised on “a highly attenuated chain of possibilities [which] does not satisfy the requirement that threatened injury must be certainly impending.” Clapper, 568 U.S. at 410.
Notwithstanding, the majority opinion in Clapper did not address whether its use of the qualifier “certainly” in regard to “impending” implied that a plaintiff must be absolutely certain that a threatened harm will occur in order to have standing. Justice Breyer's dissent elucidates this point and suggests that “certainly” as used in this context does not necessarily imply absolute certainty but rather sufficient certainty, which allows for a less-than-absolute threshold of probability. Id., at 431-33 (Breyer, J., dissenting). “Substantial risk” in this context means “a realistic danger of sustaining a direct injury.” Pennel v. City of San Jose, 485 U.S. 1, 8 (1988) (quoting Babbit v. United Farm Workers Nat'l. Union, 442 U.S. 289, 298 (1979)); see also, Clapper, 548 U.S. at 414 n.5 (citing Pennel); Clemens 48 F.4th at 152-53 (applying definition to imminence requirement in data breach context).
As to concreteness, TransUnion presents an important obstacle to any plaintiff claiming damages for risk-based injuries. There, the Supreme Court clarified certain language included in Spokeo where it had said that “the risk of real harm” or a “material risk of harm” can satisfy the requirement of concreteness. TransUnion, 141 S.Ct. at 2210 (citing Spokeo, 578 U.S. at 341-42). The Supreme Court explained that in saying as much in Spokeo, it was relying on language from Clapper which, as discussed, involved a request for prospective injunctive relief:
To support its statement that a material risk of future harm can satisfy the concrete-harm requirement, Spokeo cited this Court's decision in Clapper. But importantly, Clapper involved a suit for injunctive relief. As this Court has recognized, a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial…. [A] plaintiff's standing to seek injunctive relief does not necessarily mean that the plaintiff has standing to seek retrospective damages.TransUnion, 141 S.Ct. at 2210 (citations omitted) (emphasis in original).
The Supreme Court went on to endorse the petitioner's theory that “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 141 S.Ct. at 2210-11 (emphasis added). Denying standing to one class of plaintiffs, the Supreme Court held that they “did not demonstrate that the risk of future harm materialized… [n]or did those plaintiffs present evidence that the class members were independently harmed by their exposure to the risk itself….” Id., at 2211. It further ruled that the plaintiffs did not “factually establish” a sufficient risk or likelihood that the harm would come about. Id., at 2212 (“[T]he plaintiffs did not demonstrate a sufficient likelihood that their individual credit information would be requested by third-party businesses and provided by TransUnion... Nor did [they] demonstrate that there was a sufficient likelihood that TransUnion would otherwise intentionally or accidentally release their information to third parties.”).
The Supreme Court declined to take a position on whether emotional or psychological harm arising from a plaintiff's knowledge that he or she has been exposed to future physical, monetary, or reputational harm would meet Article III's standing requirement. Id., at 2211 n.7.
Even though Kerin predates TransUnion, its dual-nature framework is perfectly compatible with TransUnion's holding. As explained above, in TransUnion, the Supreme Court endorsed the theory that “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 141 S.Ct. at 2210-11 (emphasis added); Therefore, a claim based on the risk of future harm, coupled with present actual harm, may very well confer Article III standing-which is precisely what Kerin posits.
To recap, it is clear from the above that the Court, in analyzing both the concreteness and imminence of plaintiff's alleged injuries, must take special precaution when determining whether the risk of future harm is sufficiently substantial for imminence purposes and sufficiently likely to materialize for it to be concrete. It also must guard against attempts to “manufacture standing” in response to speculative risk-of-harm injuries. With the benefit of the foregoing, the Court now turns to examine the application of these principles to the data breach context.
b. Whether plaintiff has alleged a sufficiently imminent and concrete injury in a data breach context
As far a data breach cases go in the First Circuit, Katz holds that a plaintiff premising standing on the increased risk of identity theft, but who does not allege that her PII has been accessed or misused, lacks constitutional standing. See, Katz, 672 F.3d at 79 (“Critically, the complaint does not contain an allegation that the plaintiff's nonpublic personal information has actually been accessed by any unauthorized user…. Without any reference to an identified breach of the plaintiff's data security, the complaint does not show an injury sufficient to give rise to Article III standing.”).
Prior to Katz, the First Circuit had held in Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir. 2011), that a plaintiff who alleged both breach of PII and actual identity theft had a cognizable claim for damages under Maine law. 659 F.3d at 164-66. Anderson, however, was decided on appeal from the grant of a motion to dismiss for failure to state a claim under Maine law, not on standing grounds, and the First Circuit only validated those damages that were alleged in the form of mitigation costs. Therefore, although Anderson is illustrative, the applicable in-circuit precedent for standing purposes is Katz.
The plaintiff in Katz alleged that the defendant, a financial services company, kept her PII (including her Social Security number) in an electronic platform that allowed authorized end-users to access and store it in unencrypted form in their computers. Katz, 672 F.3d at 70. This (and the defendants inadequate monitoring practices) allegedly put her PII in danger of being hacked or accessed by unauthorized parties. Id. She did not allege that the platform had actually been hacked or that her PII had been stolen or misused. The First Circuit thus characterized her threatened injury as a “purely theoretical possibility [that] simply does not rise to the level of a reasonably impending threat” and concluded that “finding standing in this case would stretch the injury requirement past its breaking point.” Id.
This reasoning echoes that of Clapper in that “that allegations of possible future injury are not sufficient.” Clapper, 568 U.S. at 409 (citation and quotation marks omitted). Katz, however, is distinguishable from plaintiff's case in some important aspects. There, the plaintiff did not allege that an actual data breach had occurred, just that her PII (which included her Social Security number) was “inadequately protected” and could “potentially be accessed by hackers and third parties.” See, Katz, 672 F.3d at 70. Here, in contrast, plaintiff alleges that a data breach actually occurred and that her PII was accessed and exfiltrated by unauthorized users. Compl., ECF No. 1 at ¶¶ 23, 28. She also alleges her PII “was taken by hackers to engage in identity theft or to sell it to other criminals who will purchase the PII for that purpose.” Compl., ECF No. 1 at ¶ 45.Certainly, if one were to imagine a sliding scale with “speculative or abstract injury” on one end and “actual and concrete injury” on the other (with “imminent and concrete injury” lying somewhere very close to the “actual injury” end), the facts alleged here are one or two steps closer to “actual injury” than those of Katz-but not quite there.
In other words, one could say that the concerns expounded by the plaintiff in Katz, short of actual misuse of the PII, partially materialized here.
The in-circuit cases involving data breaches cited by Popular in its motion to dismiss are also factually similar but distinguishable from plaintiff's case. For example, in Hartigan v. Macy's, Inc., 501 F.Supp.3d 1 (D. Mass. 2020), the District Court for the District of Massachusetts applied Kerin's dual-nature framework to an alleged risk-of-harm injury stemming from a data breach. The information stolen there was names, addresses, phone numbers, email addresses, and credit card information of department store customers, but did not include Social Security numbers. Hartigan, 501 F.Supp.3d at 3. This is significant because Social Security numbers can be used for identity theft and are difficult to change even when stolen, as plaintiff here alleges. See, Compl., ECF No. 1 at ¶¶ 42-47; see also, Clemens, 48 F.4th at 154 (citing McMorris v. Carlos López & Assocs., 995 F.3d 295, 302 (2nd Cir. 2021) and Atias v. CareFirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017) for the same proposition). Emphasizing this, the Court concluded that the plaintiff failed to allege standing because the stolen PII was “not highly sensitive or immutable like social security numbers.” 501 F.Supp.3d at 5. Here, on the contrary, plaintiff alleges that the compromised PII included her Social Security number. See, Compl., ECF No. 1 at ¶¶ 1, 19, 33, 97, 136.
Also cited by Popular is our sister court's decision in Quintero v. Metro Santurce, Inc., No. 20-01075-WGY, 2021 WL 5855752 at *5 (D.P.R. Dec. 9, 2021). There, and to further illustrate the complexity and variety of data breach cases, hackers breached a hospital's systems, encrypted PII from patients, and held it for ransom-a so called “pure ransomware attack.” Quintero, 2021 WL 5855752 at *5-6. Social Security numbers were included in the ransomed information. Id., at *5. However, the plaintiffs did not allege that the motive for the attack was to steal the PII in order to commit identity theft or fraud, and they did not allege that their data was actually misused. Id. Indeed, letters referenced in the complaint there stated that there was no evidence to suggest that the information was “viewed, accessed or disclosed” as a result of the ransomware attack. Id., at *2. The Court thus found that “[a]bsent plausible allegations that the information itself was accessed and misused the named Patients lack constitutional standing to sue the Hospitals because the injury is not actual or imminent, but rather is merely conjectural or hypothetical.” Id., at *8. In contrast, plaintiff here alleges that the PII “was taken by hackers to engage in identity theft or to sell to other criminals who will purchase the PII for that purpose.” Compl., ECF No. 1, ¶ 48. And although plaintiff does not allege any actual misuse of her data, she does allege that it was accessed and exfiltrated. Id., at ¶¶ 23, 28.
Katz thus stands as binding precedent for the proposition that a plaintiff who does not allege that her PII was accessed by unauthorized users does not have standing. That much is supported by Quintero, and Hartigan further draws a distinction between stolen Social Security numbers and other types of PII, the former being more significant for standing purposes.
These in-circuit guideposts, however, are not determinative as the facts alleged in the complaint are different in important respects. Looking beyond the confines of the First Circuit, similar factual scenarios can be found in other cases from other courts-which, of course, do not constitute binding precedent. Each case is decided on the particular facts they present, but these offer further insight into where the line between an injury that is concrete and imminent and one that is abstract and speculative should be drawn. For this reason, as anticipated, the Court will employ the three-factor standard laid down in In re 21st Century Oncology to further inform its decision.
c. Application the 21st Century Oncology three-factor standard
For ease of reference, the Court restates the three non-exhaustive factors established in In re 21st Century Oncology: “(1) the motive of the unauthorized third-party who accessed or may access the plaintiff's sensitive information, (2) the type of sensitive information seized, and (3) whether the information was actually accessed, and whether there have been prior instances of misuse stemming from the same intrusion.” 380 F.Supp. at 1254-55.
First, the motive behind the data breach here is alleged in the complaint to be “to engage in identity theft or to sell to other criminals who will purchase the PII for that purpose.” Compl., ECF No. 1, ¶ 48. “A plaintiff is more likely to establish an injury in fact based on the increased risk of identity theft where the plaintiff has alleged that the third party behind the data breach targeted the plaintiff's personal information with an intent to use the information fraudulently.” 21st Century Oncology, 380 F.Supp. at 1252. Given that a nefarious motive was alleged in the complaint, this factor favors a finding of standing.
Second, the information allegedly seized in the data breach comprised of names, addresses, accounts, and Social Security numbers. Compl., ECF No. 1 at ¶¶ 1, 19, 33, 97, 136. Where the type of information compromised “includes personally identifiable information, this factor will weigh in favor of a finding of injury in fact.” 21st Century Oncology, 380 F.Supp. at 1253-54. “For instance, disclosure of social security numbers… is more likely to create a risk of identity theft or fraud.” Clemens, 48 F.4th at 154. Because the PII here is alleged to have included Social Security numbers, this factor also favors a finding of standing.
Third, plaintiff alleges that her PII was accessed and exfiltrated during the data breach. Compl., ECF No. 1 at ¶¶ 23, 28. However, there is no allegation of any actual identity theft or misuse of her PII. Moreover, she does not allege that any other Popular customer has suffered any PII misuse as a result of the data breach. Her allegation is just that of an increased risk of this happening in the future. “[A]n increased risk of identity theft is more likely to constitute an injury in fact where there is evidence that a third party has accessed the sensitive information and/or already used the compromised data fraudulently.” 21st Century Oncology, 380 F.Supp. at 1254. “On the other hand, courts are less likely to find an injury in fact where there are no allegations of fraudulent misuse of the stolen information.” Portier v. NEO Tech. Sols., No. 17-30111-TSH, 2019 WL 7946103 at *8 (D. Mass. Dec. 31, 2019), report and recommendation adopted, No. 17-30111, 2020 WL 877035 (D. Mass. Jan. 30, 2020).
The careful reader will note that this third factor is not conclusive as to whether mere allegations of unauthorized access, without actual misuse, amount to an injury in fact. That is precisely the question this Court is called upon to answer today. But to this Court's knowledge, no court in this circuit has found standing in a case premised on an allegation of an increased risk of future injury due a data breach of PII where the plaintiff does not allege any actual misuse of their PII. See, e.g., Webb v. Injured Workers Pharmacy, LLC, No. 22-10797-RGS, 2022 WL 10483751 (D. Mass. Oct. 17, 2022), appeal filed, No. 22-1896 (1st Cir. Nov. 16, 2022) (dismissing complaint alleging compromised PII in data breach, which included Social Security numbers, because it “alleges neither monetary loss, the misuse of data, nor that a third party stole their PII.”); Quintero, 2021 WL 5855752 at *5-7 (finding that plaintiff lacked standing in part because there was no allegation or evidence of actual access beyond data encryption or actual misuse of the PII); Hartigan, 501 F.Supp.3d at 6 (declining standing where “although a data breach occurred, Hartigan alleges no misuse of his or any class member's data.”); Portier, 2019 WL 7946103 at *8 (finding that plaintiffs had standing in part because they alleged that hackers had accessed and used PII to file fraudulent tax returns). This is consistent with the First Circuit's holding in Katz, declining standing where the plaintiff failed to allege that her PII was accessed or misused. Katz, 672 F.3d at 79. Here, although there is an allegation of unauthorized access, which was absent from Katz, there is no allegation of actual misuse, which there was in Portier, for example.
Moreover, looking to 21st Century Oncology and Clemens, the courts there found standing in part because the PII was put on sale on “the Dark Web.” In 21st Century Oncology, the plaintiffs alleged that the hacker “accessed the information because he/she placed an advertisement for the information on the internet for sale.” 380 F.Supp. at 1255. Moreover, the plaintiffs there alleged that “an FBI informant purchased a sample of the advertised data and informed defendants that ‘the unauthorized party listed additional data beyond the sample for sale.' Thus, the intruder not only accessed the information, but has also used the information in at least one transaction….” Id. As a result, the court concluded that the plaintiffs did not “merely allege that they fear that their compromised information may be advertised and sold on the Dark Web, Plaintiffs allege that it has already happened.” Id. Similarly, the Third Circuit in Clemens premised its finding of standing on the allegation that the stolen PII at issue had been published on the Dark Web. The hacker group involved, named “CLOP,” perpetrated a ransomware attack and later “published Clemens' data on the Dark Web, a platform that facilitates criminal activity worldwide….” 48 F.4th at 157. The Third Circuit reasoned that “because we can reasonably assume that many of those who visit the Dark Web, and especially those who seek out and access CLOP's posts, do so with nefarious intent, it follows that Clemens faces a substantial risk of identity theft or fraud….” Id.; see also, id., at 159 (“[T]he risk is not hypothetical: a known hacking group intentionally stole the information, misused it, ultimately published it on the Dark Web and the sensitive information is the type that could be used to perpetrate identity theft or fraud.”).
The Court agrees with 21st Century Oncology and Clemens in that the allegation that PII stolen in a data breach has been put up for sale certainly inclines the balance towards a finding of standing. However, although plaintiff here includes allegations to the effect that the hackers who committed the data breach did so with the intent to sell her PII, she does not allege that the information has actually been put for sale or otherwise published. Compl., ECF No. 1 at ¶¶ 7, 29, 41-48. Returning to the analogy of the sliding scale, the allegations in Portier, 21st Century Oncology, and Clemens are at or past the point of “concrete and imminent injury” and thus closer to “actual injury” than those of Katz. But the allegations in the complaint here fall short of reaching the same degree of concreteness and imminency of 21st Century Oncology and Clemens. Based on the complaint's lack of allegations from which this Court can infer that the substantial risk of identity theft or fraud is realistically imminent or likely to materialize, the Court finds that this last factor, on which it places significant weight, runs against standing.
d. Plaintiff has failed to allege a sufficiently concrete and imminent risk of harm to support her standing
Given all of the above, the Court is reluctant to find standing in a data breach case where actual misuse of PII is not alleged. If the Court must draw a line, it will do so here: mere allegations that PII was accessed and exfiltrated in a data breach, without more, are insufficient to constitute a concrete or imminent injury for standing purposes.
In holding so, the Court emphasizes that Katz remains good law, and that no party has pointed to any First Circuit opinion analyzing a data breach case after Clapper and TransUnion, much less applying the three-factor standard recently adopted by the Third Circuit in Clemens and the district courts in Portier and Quintero. And while the allegations in Katz are somewhat distinguishable from those in the complaint-principally in that there was no allegation there of unauthorized access to the PII-its reasoning suggests that the First Circuit will likely find that allegations of unauthorized access without actual misuse fall short of being an injury in fact.On balance, Katz weighs too heavy on plaintiff for her to establish an injury in fact.
This is not to say that other cases do not offer persuasive grounds to conclude otherwise, but the lack of First Circuit guidance compels this Court to draw the line at actual misuse of PII for standing purposes.
For these reasons, the Court concludes that plaintiff's alleged risk of future harm is not a sufficiently concrete and imminent injury for Article III purposes. Consequently, plaintiff's requests for damages and injunctive relief under Count I (negligence) and Count II (breach of implied contract) that are based on the risk of future identity theft, fraud, or other misuse of PII are non-cognizable claims. As to plaintiff's claims for damages based on present or “actual” injuries-diminution in the value of her PII, lost time, annoyance, interference, inconvenience, anxiety, and increased concerns for the loss of her privacy-these suffer the same fate. All of these are premised on a speculative risk of harm that is too abstract to constitute an injury in fact. See, Clapper, at 416 (“[Plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”); Kerin, at 982 (“…although one of the alleged injuries is present, satisfying imminence, that injury may still be speculative.”); Katz, 672 F.3d at 79 (“When an individual alleges that her injury is having to take or forebear from some action, that choice must be premised on a reasonably impending threat.”). Therefore, they too are insufficient under Article III.
V. CONCLUSION
Plaintiff here alleges that she has been injured due to the increased risk of future harm from the potential misuse of her PII caused by the Data Breach. She claims that this risk has caused her to incur in mitigation costs, that her PII has diminished in value, and that she has lost time, and suffered annoyance and anxiety. She seeks damages for these injuries as well as injunctive relief to protect the PII that is still in Popular's possession.
Based on the above analysis the Court concludes that these alleged injuries are too speculative and abstract to be considered injuries in fact for standing purposes. The Court thus need not go any further in its standing inquiry or determine whether the allegations in the complaint adequately state a claim for relief. Because this Court lacks subject-matter jurisdiction, the complaint must be dismissed without prejudice pursuant to Fed.R.Civ.P. 12(b)(1).
For the foregoing reasons, Popular's motion to dismiss at ECF No. 17 is GRANTED and the complaint at ECF No. 1 is DISMISSED WITHOUT PREJUDICE.
SO ORDERED.