          United States Court of Appeals
                      For the First Circuit

No. 11-1983

                           BRENDA KATZ,

                      Plaintiff, Appellant,

                                v.

                          PERSHING, LLC,

                       Defendant, Appellee.


          APPEAL FROM THE UNITED STATES DISTRICT COURT

                FOR THE DISTRICT OF MASSACHUSETTS

         [Hon. Richard G. Stearns, U.S. District Judge]


                              Before

                      Selya, Circuit Judge,
                   Souter,* Associate Justice,
                    and Lipez, Circuit Judge.


     Stephen J. Calvacca, with whom Susan L. Moran and Law Offices
of Calvacca Moran were on brief, for appellant.
     Stephen L. Ratner, with whom Margaret A. Dale, Jason D.
Gerstein, Scott Harshbarger, and Proskauer Rose LLP were on brief,
for appellee.


                        February 28, 2012




     *
      Hon. David H. Souter, Associate Justice (Ret.) of the Supreme
Court of the United States, sitting by designation.
           SELYA, Circuit Judge.   Plaintiff-appellant Brenda Katz

insists that defendant-appellee Pershing, LLC failed to protect

sensitive nonpublic personal information as it was obligated to do

under both contract and consumer protection laws.     To vindicate

this concern, she sued the defendant on her behalf and on behalf of

others similarly situated.     The district court dismissed her

putative class action.   Her appeal of that order requires us to

examine both abecedarian principles of Article III standing and

assorted provisions of state substantive law.

           As a general matter, class action litigation has kept

pace with rapid technological advances.    But there are limits —

constitutional, prudential, and doctrinal — to how far a class

action plaintiff may extend the zone of liability.   In this case,

the plaintiff's reach exceeds her grasp. We conclude that, despite

the dire forebodings expressed in her complaint, she not only has

failed to state any contractual claim for relief but also lacks

constitutional standing to assert a violation of any arguably

applicable consumer protection law.    Consequently, we affirm the

district court's order of dismissal.

I.   BACKGROUND

           Because this case was decided below on a motion to

dismiss, we rehearse the facts as revealed by the complaint and the

documents annexed thereto.   See SEC v. Tambone, 597 F.3d 436, 438

(1st Cir. 2010) (en banc).


            The defendant is a Delaware limited liability company.

Its single member is a Delaware corporation that maintains its

principal place of business in New York. The defendant sells

brokerage execution, clearance, and investment products and

services to other financial organizations. Its customers are

typically registered broker-dealers and investment advisers that

trade securities on behalf of their clients.

            One of the services that the defendant offers is called

NetExchange Pro. This is an electronic platform that gives

subscribing financial organizations (introducing firms) an

interface for obtaining research and managing brokerage accounts

via the Internet.      When an introducing firm uses NetExchange Pro,

end-users (employees of the introducing firm, such as investment

consultants) can use the service to access remotely a wealth of

information about market dynamics and customer accounts.

            The introducing firm may make its clients' nonpublic

personal information, including social security numbers and

taxpayer identification numbers, accessible to certain authorized

end-users in NetExchange Pro.             Some of the defendant's employees

also have access to this information.

            The plaintiff is a citizen of Massachusetts. She

maintains a brokerage account at National Planning Corporation

(NPC), one of the introducing firms that uses the NetExchange Pro

service. NPC and the defendant are parties to a clearing agreement


(the Agreement), which governs their rights and responsibilities

with respect to the service and the associated data. Because NPC

has made its customers' account information accessible in

NetExchange Pro, the plaintiff, like all NPC customers, has

received a disclosure statement from the defendant alerting her to

the provisions of the Agreement.

             As evinced in her complaint, the plaintiff's concern is

that her nonpublic personal information has been left vulnerable to

prying eyes because it is inadequately protected by the defendant's

service.     She asserts, among other things, that authorized end-

users can access and store her data at home and elsewhere, twenty-

four hours a day and seven days a week, in unencrypted form; that

the data, once saved by an authorized user, can potentially be

accessed by hackers or other third parties; that the defendant

fails adequately to monitor unauthorized access to her information;

and that it employs inadequate methods for end-user authentication.

             With these concerns velivolant, the plaintiff filed a

putative class action against the defendant in the United States

District Court for the District of Massachusetts. Citing the Class

Action Fairness Act of 2005 (CAFA), 28 U.S.C. §§ 1332(d), 1453,

1711-1715, she invoked the district court's original jurisdiction

by alleging diversity of citizenship between the defendant and at

least one member of the putative class (herself) and the existence

of an aggregate amount in controversy in excess of $5,000,000, see


id. § 1332(d)(2)(A).1    The complaint alleged breach of contract,

breach of implied contract, negligent breach of contractual duties,

violations of Massachusetts consumer protection laws, and other

infractions not relevant here.

            The defendant moved to dismiss the action on grounds that

the plaintiff lacked Article III standing, see Fed. R. Civ. P.

12(b)(1), and that she failed to state a claim upon which relief

could be granted, see Fed. R. Civ. P. 12(b)(6).   After some backing

and filling, the details of which need not concern us, the district

court granted the motion to dismiss.      See Katz v. Pershing, LLC,

806 F. Supp. 2d 452 (D. Mass. 2011).    The court disposed of all the

plaintiff's claims for want of either constitutional or statutory

standing.    See id. at 457-61.   This timely appeal ensued.

II.   ANALYSIS

            "The existence vel non of standing is a legal question

and, therefore, engenders de novo review."     Me. People's Alliance

& Natural Res. Def. Council v. Mallinckrodt, Inc., 471 F.3d 277,

283 (1st Cir. 2006).    In considering the pre-discovery grant of a

motion to dismiss for lack of standing, "we accept as true all

well-pleaded factual averments in the plaintiff's . . . complaint

and indulge all reasonable inferences therefrom in his favor."


      1
       CAFA's minimal diversity requirements apply to putative
class actions. See Aguayo v. U.S. Bank, 653 F.3d 912, 917 (9th
Cir. 2011); Spivey v. Adaptive Mktg. LLC, 622 F.3d 816, 821-22 &
n.1 (7th Cir. 2010). We have jurisdiction to review the dismissal
of her action pursuant to 28 U.S.C. § 1291.

Deniz v. Mun'y of Guaynabo, 285 F.3d 142, 144 (1st Cir. 2002). A

similar standard of review obtains for motions to dismiss under

Rule 12(b)(6).       See Nisselson v. Lernout, 469 F.3d 143, 150 (1st

Cir. 2006).    With respect to either type of decision, "[w]e are not

wedded to the lower court's rationale, but may affirm the order of

dismissal on any ground made manifest by the record." Román-Cancel

v. United States, 613 F.3d 37, 41 (1st Cir. 2010); see Ruiz v.

Bally Total Fitness Holding Corp., 496 F.3d 1, 5 (1st Cir. 2007).

            Because no class was certified below, we evaluate only

whether the plaintiff herself has constitutional and statutory

standing to pursue the action. See Nat'l Org. for Women, Inc. v.

Scheidler, 510 U.S. 249, 255 & n.3 (1994). We begin this

evaluation with a discussion of the requirements of Article III

standing. With this foundation in place, we appraise the

plaintiff's claims in two groups: those alleging abridgment of her

common-law rights and those alleging violations of the rights

conferred by certain state consumer protection laws, see Mass. Gen.

Laws ch. 93A (Chapter 93A); id. ch. 93H (Chapter 93H).

              A.    Principles of Constitutional Standing.

            The Constitution limits the judicial power of the federal

courts to actual cases and controversies.                     U.S. Const. art. III,

§ 2, cl. 1.        A case or controversy exists only when the party

soliciting federal court jurisdiction (normally, the plaintiff)

demonstrates "such a personal stake in the outcome of the


controversy as to assure that concrete adverseness which sharpens

the presentation of issues upon which the court so largely

depends." Baker v. Carr, 369 U.S. 186, 204 (1962). The standing

inquiry is claim-specific: a plaintiff must have standing to bring

each and every claim that she asserts. Pagán v. Calderón, 448 F.3d

16, 26 (1st Cir. 2006).

            To satisfy the personal stake requirement, a plaintiff

must establish each part of a familiar triad: injury, causation,

and redressability.        See Lujan v. Defenders of Wildlife, 504 U.S.

555, 560-61 (1992).        "[E]ach element must be supported in the same

way as any other matter on which the plaintiff bears the burden of

proof, i.e., with the manner and degree of evidence required at the

successive stages of the litigation."                 Id. at 561; see Bennett v.

Spear, 520 U.S. 154, 167-68 (1997).

            The first element of Article III standing is injury in

fact.      This element is defined as "an invasion of a legally

protected interest which is (a) concrete and particularized; and

(b) actual or imminent, not conjectural or hypothetical."

Defenders of Wildlife, 504 U.S. at 560 (footnote, citations, and

internal quotation marks omitted). These are distinct

characteristics. Particularity demands that a plaintiff must have

personally suffered some harm. See id. at 560 n.1. The

requirement of an actual or imminent injury ensures that the harm




has either happened or is sufficiently threatening; it is not

enough that the harm might occur at some future time.             Id. at 564.

            The second element is causation.        This element requires

the plaintiff to show a sufficiently direct causal connection

between the challenged action and the identified harm.             See id. at

560.   Such a connection "cannot be overly attenuated."            Donahue v.

City of Boston, 304 F.3d 110, 115 (1st Cir. 2002).                Because the

opposing party must be the source of the harm, causation is absent

if the injury stems from the independent action of a third party.

See Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976).

            The final element is redressability.       The plaintiff must

show that a favorable resolution of her claim would likely redress

the professed injury.        Redressability is a matter of degree.         To

satisfy this requirement, the plaintiff "need not definitively

demonstrate that a victory would completely remedy the harm."

Antilles Cement Corp. v. Fortuño, ___ F.3d ___, ___ (1st Cir. 2012)

[Nos. 09-1314, 09-1583, slip op. at 8].

            Along with the trio of constitutional elements prescribed

by Article III, standing also has prudential dimensions.                These

components "ordinarily require a plaintiff to show that his claim

is premised on his own legal rights (as opposed to those of a third

party), that his claim is not merely a generalized grievance, and

that it falls within the zone of interests protected by the law

invoked." Pagán, 448 F.3d at 27. Although the prudential


requirements may be relaxed in some contexts, "the constitutional

requirements apply with equal force in every case." Nat'l Org. for

Marriage v. McKee, 649 F.3d 34, 46 (1st Cir. 2011), petition for

cert. filed, 80 U.S.L.W. 3320 (U.S. Nov. 2, 2011) (No. 11-599).

           It is against this backdrop that we next consider whether

the plaintiff has standing as to each of her claims.

                         B.   Common-Law Claims.

           The invasion of a common-law right (including a right

conferred by contract) can constitute an injury sufficient to

create standing.    See Ala. Power Co. v. Ickes, 302 U.S. 464, 479

(1938).   The plaintiff alleges that she has rights deriving from

the Agreement, the disclosure statement, and various online

advertisements. These allegations are arrayed in support of claims

for breach of an express contract, breach of an implied contract,

and negligent breach of contractual duties.

           The district court determined that the plaintiff lacked

standing to bring these contract-based claims because she had no

contract with the defendant.       Katz, 806 F. Supp. 2d at 459-61.

There is some question as to whether the existence of a contractual

relationship between the plaintiff and the defendant is a part of

an inquiry into standing (as opposed to a part of an inquiry into

the merits of a claim).       From an analytical standpoint, we think

the better view is that when a plaintiff generally alleges the

existence of a contract, express or implied, and a concomitant


breach of that contract, her pleading adequately shows an injury to

her rights.     Even so, the present plaintiff has failed to state an

actionable claim.       We explain briefly.

            This action is brought under our diversity jurisdiction.

See 28 U.S.C. § 1332(d).       It is thus clear that state substantive

law must prescribe the rules of decision.          See Avery v. Hughes, 661

F.3d 690, 693-94 (1st Cir. 2011).          Here, however, the laws of two

different states are implicated.          The Agreement provides that New

York law governs its construction and interpretation.            Therefore,

the plaintiff's claim for breach of contract is governed by that

law.     Nevertheless, the parties concede, at least tacitly, that

Massachusetts law controls the other claims raised by the

plaintiff.      We are free to honor the reasonable understanding of

the parties as to choice of law, see Artuso v. Vertex Pharm., Inc.,

637 F.3d 1, 5 (1st Cir. 2011), and we do so here.

            To survive a motion to dismiss for failure to state a

claim, the "complaint must contain sufficient factual matter

. . . to 'state a claim to relief that is plausible on its face.'"

Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (quoting Bell Atl.

Corp. v. Twombly, 550 U.S. 544, 570 (2007)).                This means that

"[t]he complaint must include 'factual content that allows the

court to draw the reasonable inference that the defendant is liable

for the misconduct alleged.'"        Haley v. City of Boston, 657 F.3d

39, 46 (1st Cir. 2011) (quoting Iqbal, 129 S. Ct. at 1949).                "If


the factual allegations in the complaint are too meager, vague, or

conclusory to remove the possibility of relief from the realm of

mere conjecture, the complaint is open to dismissal." Tambone, 597

F.3d at 442.      We review the plaintiff's complaint, including the

documents annexed thereto, to see if it satisfies these standards.

             To make out a breach of contract claim under New York

law, the plaintiff must plead the existence of a promise that she

is entitled to enforce.          See Truty v. Fed. Bakers Supply Corp., 629

N.Y.S.2d 898, 899 (N.Y. App. Div. 1995).           Inasmuch as she is not a

party to the Agreement, the plaintiff's first contention is that

she may sue as a third-party beneficiary.                In this wise, she

asserts that the defendant has breached the Agreement's data

confidentiality provision, which requires the defendant to protect

NPC's proprietary information "to the same extent and in at least

the same manner as [it] protects its own confidential or

proprietary information."           She insists that she is an intended

beneficiary of this confidentiality provision and, therefore, can

sue the defendant to enforce it.

             This contention is easily dispatched.              The Agreement

contains an explicit statement that it "is not intended to confer

any benefits on third-parties including, but not limited to,

customers of [NPC]."        New York law on this point is transparently

clear: "[w]here a provision exists in an agreement expressly

negating an intent to permit enforcement by third parties,


. . . that provision is decisive."    Nepco Forged Prods., Inc. v.

Consol. Edison Co. of N.Y., 470 N.Y.S.2d 680, 681 (N.Y. App. Div.

1984); see India.com, Inc. v. Dalal, 412 F.3d 315, 321-22 (2d Cir.

2005) (collecting cases).

          The plaintiff clamors that there are exceptions to this

bright-line rule. The precedents that she offers, however, contain

only general principles for determining whether a party is, in

fact, a third-party beneficiary.   See, e.g., Flickinger v. Harold

C. Brown & Co., 947 F.2d 595, 600 (2d Cir. 1991); Banco Espirito

Santo de Investimento, S.A. v. Citibank, N.A., No. 03 Civ. 1537,

2003 WL 23018888, at *8-10 (S.D.N.Y. Dec. 22, 2003); Artwear, Inc.

v. Hughes, 615 N.Y.S.2d 689, 692 (N.Y. App. Div. 1994).          The

plaintiff has not pointed to any New York case in which an explicit

disclaimer of third-party beneficiary claims has been overlooked

for any reason, and our research has revealed none.     This makes

perfect sense in view of New York's immutable requirement that the

contracting parties must intend to benefit the third party: "absent

such intent, the third party is merely an incidental beneficiary

with no right to enforce the particular contract[]."   Port Chester

Elec. Constr. Corp. v. Atlas, 357 N.E.2d 983, 986 (N.Y. 1976).

          Where, as here, that intent is unambiguously disclaimed,

a suitor cannot attain third-party beneficiary status. See Piccoli

A/S v. Calvin Klein Jeanswear Co., 19 F. Supp. 2d 157, 164

(S.D.N.Y. 1998).   Whatever exceptions the plaintiff thinks there


could be or should be in these circumstances, we — as federal

judges sitting in diversity jurisdiction — "cannot be expected to

create new doctrines expanding state law." Gill v. Gulfstream Park

Racing Ass'n, 399 F.3d 391, 402 (1st Cir. 2005); see Kassel v.

Gannett Co., 875 F.2d 935, 949-50 (1st Cir. 1989).                After all,

federal diversity courts are charged with ascertaining state law,

not with reshaping it.

            Relatedly, the plaintiff advocates a "public policy"

exception that would block the enforcement of this disclaimer. She

asseverates that by disavowing third-party beneficiaries in the

Agreement, the defendant is attempting to contract away its duty to

obey state and federal data security laws.             This asseveration

stands logic on its ear.      The defendant has not contracted away its

legal duties but, rather, has undertaken specific confidentiality

obligations to NPC.     The Agreement merely limits enforcement of

those obligations to the contracting party (NPC).

            The plaintiff has a fallback position.         Rule 4311 of the

New York Stock Exchange requires clearing firms like the defendant

to notify customers of introducing firms like NPC "of the existence

of the carrying agreement and the responsibilities allocated to

each respective party." In compliance with this rule, the

defendant sent a disclosure statement to all of NPC's customers

(including the plaintiff), notifying them of the Agreement and its

contents.    The plaintiff alleges that this disclosure statement


supersedes the Agreement's disclaimer of third-party beneficiaries

and reinstates her as an intended beneficiary of the Agreement.

          We fail to see how the disclosure statement modifies the

express disclaimer of third-party beneficiary claims.          After all,

the Agreement expressly forbids subsequent modifications unless

those modifications are "in writing signed by the parties."           Such

clauses are routinely enforced under New York law.         See N.Y. Gen.

Oblig. Law § 15-301(1).       It follows inexorably that the express

disclaimer of third-party beneficiary claims could not have been

negated by the unsigned disclosure statement unilaterally

formulated by one of the contracting parties.

          The plaintiff extracts another argument from the

disclosure statement.        She says that the disclosure statement

creates an implied contract between her and the defendant, thereby

obligating the defendant to meet certain data confidentiality

requirements.    This argument lacks force.

          The plaintiff couches her implied contract argument in

terms of Massachusetts law.      Under that law, "[a] contract implied

in fact requires the same elements as an express contract and

differs only in the method of expressing mutual assent." Mass. Eye

& Ear Infirm. v. QLT Phototherapeutics, Inc., 412 F.3d 215, 230

(1st Cir. 2005) (internal quotation marks omitted).        One of these

elements is consideration. See T.F. v. B.L., 813 N.E.2d 1244, 1249

& n.4 (Mass. 2004).    This element "is satisfied if there is either


a benefit to the promisor or a detriment to the promisee."                    Marine

Contractors Co. v. Hurley, 310 N.E.2d 915, 919 (Mass. 1974); see 3

Richard A. Lord, Williston on Contracts § 7:4 (4th ed. 2008).

            In the case at hand, there is no allegation of

consideration sufficient to support an implied contract claim. The

plaintiff has not adequately alleged that she provided any

bargained-for benefit or suffered any bargained-for detriment in

exchange for the defendant's supposed promises. All the items that

she suggests as consideration — her payment of fees and supplying

of information — were furnished to NPC in exchange for its

brokerage services. NPC, not the plaintiff, provided consideration

to the defendant.

            The plaintiff's conclusory allegation that the

consideration flowed "indirectly" from her to the defendant does

not withstand the test of plausibility.               See Iqbal, 129 S. Ct. at

1949; Twombly, 550 U.S. at 556.          In fact, the documents depict two

separate sets of contractual obligations and benefits, one

connecting the plaintiff to NPC and the other connecting NPC to the

defendant.    These sets cannot be mixed and matched.                   Accordingly,

we cannot credit the plaintiff's ipse dixit that she has adequately

pleaded the consideration needed for an implied contract.

            This brings us to negligent breach of contractual duties.

That claim, too, is cast in terms of Massachusetts law. In

Massachusetts, such a cause of action is available when a party to


a contract carelessly fails to perform as required and, as a

result, foreseeably exposes third parties to injury.               See Anderson

v. Fox Hill Vill. Homeowners Corp., 676 N.E.2d 821, 823 (Mass.

1997).

            The plaintiff's claim founders.                To succeed, she must

still plead the familiar elements of negligence, including duty,

breach, causation, and harm.             See Banaghan v. Dewey, 162 N.E.2d

807, 812-13 (Mass. 1959).          Here, she has merely given lip service

to the elements of causation and harm.                It would serve no useful

purpose at this point to cite book and verse concerning the

deficiencies of these allegations.               It suffices to say that the

same reasoning that shows the absence of plausible allegations of

causation and harm with respect to the plaintiff's consumer

protection claims, see infra Part II(C), applies with equal force

to the negligent breach of contract claim. These types of

implausible allegations are insufficient to state a claim upon

which relief can be granted.               See Iqbal, 129 S. Ct. at 1949;

Twombly, 550 U.S. at 555-56.

                     C.    Consumer Protection Claims.

            We transition now to the claims brought under

Massachusetts consumer protection laws.               See Chapter 93A; Chapter

93H.     When a plaintiff alleges injury to rights conferred by a

statute, two separate standing-related inquiries pertain: whether

the plaintiff has Article III standing (constitutional standing)


and whether the statute gives that plaintiff authority to sue

(statutory standing).    See Steel Co. v. Citizens for a Better

Env't, 523 U.S. 83, 89, 92 (1998).    Article III standing presents

a question of justiciability; if it is lacking, a federal court has

no subject matter jurisdiction over the claim.        See id.    By

contrast, statutory standing goes to the merits of the claim.   See

Bond v. United States, 131 S. Ct. 2355, 2362-63 (2011); CGM, LLC v.

BellSouth Telecomms., Inc., 664 F.3d 46, 51-52 (4th Cir. 2011).

          Legislatures may affect both types of standing when they

enact new statutes.   Specifically, they can raise to the status of

legally cognizable injuries certain harms that might otherwise have

been insufficient at common law, and they may confer the authority

to sue for those harms on private persons or public entities.

Defenders of Wildlife, 504 U.S. at 578; see Thompson v. N. Am.

Stainless, LP, 131 S. Ct. 863, 869 (2011).

          In order to maintain a suit, a plaintiff must both suffer

a cognizable injury and locate herself within the designated group

who can sue for redress.      The Supreme Court has decreed that

federal courts normally must decide whether a particular plaintiff

has constitutional standing before considering that plaintiff's

statutory standing.   See Steel Co., 523 U.S. at 95-97 & n.2; see

also Deniz, 285 F.3d at 149 ("When a court is confronted with

motions to dismiss under both Rules 12(b)(1) and 12(b)(6), it




ordinarily ought to decide the former before broaching the

latter.").

             Given this directive, we preface our analysis of each

statutory claim with an assessment of whether the plaintiff has

demonstrated Article III standing.           See TrafficSchool.com, Inc. v.

Edriver Inc., 653 F.3d 820, 825 (9th Cir. 2011).                 Only if the

plaintiff has cleared this hurdle will we proceed to examine

whether she has adequately alleged her membership in the class of

persons who can bring suit under Massachusetts consumer protection

laws.

             The plaintiff posits that she has constitutional standing

because (i) the defendant's services are of a lesser value than

promised, thus depriving her of the "benefit of the bargain," see

Rice v. Price, 164 N.E.2d 891, 894 (Mass. 1960); (ii) the

defendant's statements have induced her to pay higher fees for

NPC's services than she otherwise would have paid; (iii) the

defendant's failure to provide notice of security breaches as

required by law has injured her; (iv) the defendant's inability to

furnish legally required privacy protections has necessitated her

purchase of identity theft insurance; and (v) that inability has




exposed her to a substantial risk of future data insecurity.2    We

group these contentions into two subsets and consider them below.

            1. False Promises and Misrepresentations. The

plaintiff's first theories of standing derive from state statutory

protections against false advertising and misrepresentation.     She

says that the defendant's inaccurate boast that it adequately

protects customer data — a claim made both in its advertising and

in the Agreement — entitles her to bring suit under Chapter 93A.

The plaintiff has offered two explanations for why she may pursue

these claims: the fact that she has overpaid for a product that

allegedly does not perform as promised and the fact that the false

advertisements induced her to pay too much for NPC's brokerage

services.

            Under the first theory, she styles her loss as the

benefit of the bargain.   By this, she means that she is paying more

to NPC than the (less secure) service provided by the defendant is


     2
       In two sentences of the complaint and a single paragraph of
her sixty-page brief, the plaintiff cursorily states that the
defendant's failure to employ reasonable security measures while
representing that its security measures are excellent is a
violation of the Federal Trade Commission Act (FTC Act), see 15
U.S.C. § 45 (prohibiting unfair trade practices), and other federal
consumer protection statutes.    It is common ground that unfair
trade practices which violate the FTC Act can form the basis for a
private action under Chapter 93A. See In re TJX Cos. Retail Sec.
Breach Litig., 564 F.3d 489, 496-97 (1st Cir. 2009). Standing is
still required, however, and the plaintiff here alleges in support
of her undeveloped FTC Act claim only the same theories of injury
relied on in support of her other claims. Because we find those
theories of injury constitutionally insufficient, we have no need
to analyze the FTC Act claim separately.

actually worth.     It is a bedrock proposition that "a relatively

small economic loss — even an 'identifiable trifle' — is enough to

confer standing."     Adams v. Watson, 10 F.3d 915, 924 (1st Cir.

1993).    But whether or not the plaintiff can cross that low

threshold — a matter on which we take no view — her claim stumbles

over the altogether different requirement of causation.

          When the injury alleged is the result of actions by some

third party, not the defendant, the plaintiff cannot satisfy the

causation element of the standing inquiry.     See Ariz. Christian

Sch. Tuition Org. v. Winn, 131 S. Ct. 1436, 1447-48 (2011); Raines

v. Byrd, 521 U.S. 811, 830 n.11 (1997); Allen v. Wright, 468 U.S.

737, 757-58 (1984).    This is such a case.

          Any loss that the plaintiff suffered derives from the

fees that she pays to NPC.     If she is being overcharged at all,

that overcharging is at the instance of NPC, not the defendant.

Simply put, her injury is not fairly traceable to the defendant's

action.

          The plaintiff's remonstrances about the benefit of the

bargain do not change this calculus.    She has no bargain with the

defendant and, therefore, no entitlement to any benefit from the

defendant.

          The plaintiff advances a related argument.      She avers

that the defendant's misleading advertisements caused her injury

because they likely affected her decision to pay NPC's artificially


inflated fees.  This argument lands wide of the mark.  Although

buyers who do not actually rely on false advertisements sometimes

may seek protection under Massachusetts law, see, e.g., Aspinall v.

Philip Morris Cos., 813 N.E.2d 476, 486 (Mass. 2004), the fact that

a litigant need not prove reliance on a representation does not

vitiate the altogether different requirement of causation.

            To satisfy Article III, the injury alleged - here,

overpayment to NPC - must be ascribable to the defendant's

misrepresentations.  In actions brought under Chapter 93A, this

does not foreclose the possibility that overpayments to a third

party might in some circumstances constitute a cognizable injury

caused by the party that has made the misrepresentations.  See,

e.g., In re Pharm. Indus. Average Wholesale Price Litig., 582 F.3d

156, 161, 190 (1st Cir. 2009) (finding Article III injury to be

overpayments in the form of elevated reimbursement, insurance, and

coinsurance costs imputable to the drug company's publication of

false average wholesale prices).  The plaintiff tries to style

herself in this position: she claims that she chose NPC and

overpaid for its services because of the defendant's

misrepresentations.

            These allegations fall short.  In order to support a

finding of causation in these circumstances, a plaintiff must

plausibly allege a direct causal relationship between her

overpayment and the defendant's purportedly misleading statements.


See id. at 160-61 (finding Article III standing when defendant's

misrepresentations "directly resulted in an increase to the

payments the plaintiffs were required to make").  Even when third

parties are not involved (as in the prototypical Chapter 93A case),

the causation requirement is usually satisfied when a consumer

purchases a falsely advertised product because the defendant's

misrepresentations would have artificially inflated the price paid

by the consumer.   Cf. Rule v. Fort Dodge Animal Health, Inc., 607

F.3d 250, 251-53 (1st Cir. 2010) (considering such a claim on the

merits).  The plaintiff has not satisfied this essential

prerequisite here.

           The plaintiff attempts to show causation by alleging that

the fees she pays to NPC are higher than they otherwise would be

because NPC "passed on" the inflated charges for the defendant's

service to her.      But the documents depict two separate sets of

contractual obligations with separate fees and services: one set

between NPC and the defendant and the other set between the

plaintiff and NPC.     Thus, the plaintiff's allegation is nothing

more than a bare hypothesis that NPC possibly might push this

aspect of its operational costs onto her.       This is not a plausible

allegation that the false advertisements caused her to pay the

supposedly inflated prices for NPC's services.           See Iqbal, 129 S.

Ct. at 1949; Twombly, 550 U.S. at 555-56.               As a result, the




plaintiff has not satisfied the causation requirement for Article

III standing.

            2.  Data Insecurity.  The plaintiff's remaining claims

assert injuries to rights purportedly created by Chapter 93H and

other kindred privacy regulations. See, e.g., 940 Mass. Code Regs.

§ 3.16(3) (explaining that violation of "existing statutes, rules,

regulations or laws, meant for the protection of the public's

health, safety, or welfare" is an unfair trade practice).                     She

maintains that she may bring an action for violation of Chapter 93H

because she has not been notified of extant but unidentified

security breaches and, in all events, the defendant has failed to

conform to various encryption protocols.             These shortcomings, she

laments, have required her to purchase identity theft insurance and

have exposed her nonpublic personal information to possible

misappropriation.

            The district court held that a cause of action for a

violation of Chapter 93H can be brought only by the Attorney

General.    See Katz, 806 F. Supp. 2d at 458-59 (citing Chapter 93H,

§ 6).    We do not decide that question today but, rather, adhere to

"the general rule [] that a court should first confirm the

existence of rudiments such as jurisdiction and standing before

tackling the merits of a controverted case."               Berner v. Delahanty,

129 F.3d 20, 23 (1st Cir. 1997).           Assuming, without deciding, that

a private person may pursue a cause of action under Chapter 93H —


a matter best left to the Massachusetts courts — the plaintiff

nonetheless cannot satisfy Article III's injury requirement.

          Chapter 93H has two principal components.             The first

component enables various branches of the state government to adopt

privacy rules and regulations to:

          insure the security and confidentiality of
          customer information in a manner fully
          consistent with industry standards; protect
          against anticipated threats or hazards to the
          security or integrity of such information; and
          protect against unauthorized access to or use
          of such information that may result in
          substantial harm or inconvenience to any
          consumer.

Chapter 93H, § 2(a).   The executive branch of the state government

has responded by promulgating "Standards for the Protection of

Personal Information of Residents of the Commonwealth."         201 Mass.

Code Regs. §§ 17.00-17.05.     These standards impose duties and

requirements on persons and entities that own, license, or maintain

personal information about Massachusetts residents.      Id. §§ 17.03-

17.04.

          The second component of Chapter 93H establishes privacy

notification requirements.  Chapter 93H, §§ 3-4.  These

requirements are triggered by any "breach of security," as defined

by the statute, or any unauthorized access or use of personal

information.   Id. §§ 1(a), 3-4.    When such unauthorized access or

use occurs, persons and entities that own, license, or maintain

Massachusetts residents' personal information must provide notice


to government officials and affected parties pursuant to various

disclosure guidelines.     Id. §§ 3-4.

          In determining how to evaluate the plaintiff's standing

to challenge alleged failures to abide by these strictures, a

comparison to the environmental standing cases is instructive.

Those decisions teach that an allegation that someone has failed to

meet some legal requirement, without more, is insufficient to

confer Article III standing. See, e.g., Defenders of Wildlife, 504

U.S. at 558-59, 572-73.     Inasmuch as standing necessitates that a

plaintiff "allege[] such a personal stake in the outcome of the

controversy as to warrant his invocation of federal-court

jurisdiction," Horne v. Flores, 129 S. Ct. 2579, 2592 (2009)

(internal quotation marks omitted), an injury in fact must also be

alleged. We assess the plaintiff's allegations through this prism.

          Our starting point is the plaintiff's claim that she has

been injured because the defendant has failed to provide notice of

a security breach as required by Chapter 93H.               The complaint

fleshes out this claim by alleging only that a "massive number of

breaches of security [] have invariably occurred" and that, as a

result, some level of unauthorized access must have transpired,

thereby exposing some unspecified people's nonpublic personal

information to further unauthorized disclosure.        She suggests that

these breaches should have been reported pursuant to Chapter 93H

and that the defendant's failure to do so entitles her to sue.


            This claim is unavailing. Critically, the complaint does

not contain an allegation that the plaintiff's nonpublic personal

information has actually been accessed by any unauthorized user.

To achieve standing, plaintiffs "must allege and show that they

personally have been injured, not that injury has been suffered by

other, unidentified members of the class to which they belong and

which they purport to represent."              Warth v. Seldin, 422 U.S. 490,

502 (1975).    Without any reference to an identified breach of the

plaintiff's data security, the complaint does not show an injury

sufficient to give rise to Article III standing.

            The plaintiff's next attempt to demonstrate injury in

fact focuses on her purchase of identity theft insurance and credit

monitoring services.         In evaluating this plaint, the reasoning in

the environmental standing cases is once again instructive.                        In

Mallinckrodt, we examined the plaintiffs' assertions that they had

refrained from visiting a river due to fear of mercury

contamination.  In assaying whether those statements were

sufficient to create an injury in fact, we observed that "an

individual's decision to deny herself aesthetic or recreational

pleasures based on concern about pollution will constitute a

cognizable injury only when the concern is premised upon a

realistic threat."  Mallinckrodt, 471 F.3d at 284.  The Supreme

Court has assumed a similar stance in both environmental and

nonenvironmental cases.         See, e.g., Friends of the Earth, Inc. v.


Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 184-85 (2000);

City of Los Angeles v. Lyons, 461 U.S. 95, 107 n.8 (1983).

            We think that an analogous requirement is in order here.

When an individual alleges that her injury is having to take or

forebear from some action, that choice must be premised on a

reasonably impending threat.  Such a requirement is fully

consistent with the well-settled principle that the harm or injury

must be actual or imminent, not speculative.                    See Defenders of

Wildlife, 504 U.S. at 564 & n.2.

            In this case, the plaintiff purchased identity theft

insurance and credit monitoring services to guard against a

possibility, remote at best, that her nonpublic personal

information might someday be pilfered.            Such a purely theoretical

possibility simply does not rise to the level of a reasonably

impending threat.

            To recapitulate, the plaintiff has not alleged that her

nonpublic personal information actually has been accessed by any

unauthorized person.         Her cause of action rests entirely on the

hypothesis that at some point an unauthorized, as-yet unidentified,

third party might access her data and then attempt to purloin her

identity.     The conjectural nature of this hypothesis renders the

plaintiff's case readily distinguishable from cases in which

confidential data actually has been accessed through a security

breach and persons involved in that breach have acted on the ill-


gotten information. Cf. Anderson v. Hannaford Bros., 659 F.3d 151,

164-65 (1st Cir. 2011) (holding purchase of identity theft

insurance in such circumstances reasonable in negligence context).

Given the multiple strands of speculation and surmise from which

the plaintiff's hypothesis is woven, finding standing in this case

would stretch the injury requirement past its breaking point.

           We reach at long last the plaintiff's final theory of

injury: her assertion that the defendant's failure to adhere to

privacy regulations increases her risk of harms associated with the

loss of her data.       The courts of appeals have evidenced some

disarray about the applicability of this sort of "increased risk"

theory in data privacy cases. See, e.g., Reilly v. Ceridian Corp.,

664 F.3d 38, 43-46 (3d Cir. 2011) (finding no injury in fact when

unauthorized person accessed but did not yet misuse plaintiffs'

data); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir.

2010) (finding injury in fact when plaintiffs pled increased risk

of harm following theft of a laptop that contained their personal

data); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir.

2007) (finding injury in fact when plaintiffs claimed an increased

risk of data theft after their information had been accessed by a

malicious and sophisticated hacker).         Be that as it may, these

cases have a common denominator.     In each of them, the plaintiffs'

data actually had been accessed by one or more unauthorized third




parties.   See Reilly, 664 F.3d at 40; Krottner, 628 F.3d at 1140-

41; Pisciotta, 499 F.3d at 632.

           The allegations in this case do not mirror that common

denominator.   Here, the plaintiff alleges only that there is an

increased risk that someone might access her data and that this

unauthorized access (if it occurs) will increase the risk of

identity theft and other inauspicious consequences. Thus, the risk

of harm that she envisions is unanchored to any actual incident of

data breach. This omission is fatal: because she does not identify

any incident in which her data has ever been accessed by an

unauthorized person, she cannot satisfy Article III's requirement

of actual or impending injury.    See Krottner, 628 F.3d at 1143

(noting that if the laptop containing customer data "had [not] been

stolen, and Plaintiffs had sued based on the risk that it would be

stolen at some point in the future," court would be unlikely to

find Article III injury).

           Standing is not an "ingenious academic exercise in the

conceivable.   A plaintiff must allege that he has been or will in

fact be perceptibly harmed . . . , not that he can imagine

circumstances in which he could be affected."     United States v.

Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S.

669, 688-89 (1973).   So it is here.   Insofar as we can tell from

the complaint, no interest or right of the plaintiff has been

harmed by any violation of applicable privacy laws. In the absence


of such a showing, we lack jurisdiction to review her statutory

claims.

III.   CONCLUSION

            The innovations and problems of the electronic age have

created new challenges for the courts. But venerable principles of

our jurisprudence can guide us on this frontier.       This case is

illustrative: the plaintiff has asserted a litany of novel harms

under freshly inked laws, but the irreducible minimum requirements

of pleading and Article III doom her case.

            We need go no further. For the reasons elucidated above,

we affirm the judgment of the district court.



Affirmed.




