View

Third Circuit Charts Path for Standing in Data Breach Litigation

Article by Daniel W. Inadomi, Esq.

In a precedential opinion, the Third Circuit clarified the nature of the “injury-in-fact” that could give rise to Article III standing to bring claims arising out of a data breach, and held that a plaintiff had standing to sue because she faced a “substantial risk” of imminent harm after her personal information obtained from a data breach had been posted on the Dark Web.  See Clemens v. ExecuPharm, Inc. et al., No. 21-1506, 2022 WL 4005322 (3d Cir. Sept. 2, 2022).

In Clemens, the plaintiff provided her employer with sensitive personal and financial information, including her address, social security number, bank and financial account numbers, insurance and tax information, passport, and information related to her family members.  After the plaintiff left her employer, a known hacking group “CLOP” accessed the employer’s servers and stole sensitive information pertaining to current and former employees, including plaintiff.  The hackers allegedly held the data for ransom and later posted it on the Dark Web.

The employer notified its current and former employees of the breach and encouraged them to take precautionary measures.  Plaintiff immediately conducted a review of her financial records and credit reports for unauthorized activity, placed fraud alerts on her credit reports, transferred her account to a new bank, enrolled in complimentary credit-monitoring services offered by her prior employer, and purchased additional credit monitoring services for herself and her family.

Plaintiff subsequently brought a proposed class action against her prior employer in which she asserted claims for negligence, breach of contract, breach of confidence, and breach of fiduciary duty.  Plaintiff alleged that she sustained a variety of injuries, primarily the risk of identity theft and fraud, in addition to the investment of time and money to mitigate potential harm.

The District Court granted the employer’s motion to dismiss based on lack of Article III standing after finding that plaintiff’s risk of harm was not imminent, but “speculative,” because she had not yet experienced actual identity theft or fraud.  Plaintiff appealed.

The Third Circuit reversed the District Court on all claims and reinstated plaintiff’s putative class action.  The Third Circuit noted that the first prong of the tri-partite test for Article III standing requires that a plaintiff suffer an injury-in-fact that is both “concrete” and “actual or imminent.”

In finding that plaintiff’s injury was imminent, the Third Circuit looked to the Supreme Court’s decision in Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014), which held that an allegation of future injury can give rise to standing as long as there is a “substantial risk” that harm will occur.  The Third Circuit identified several factors on which courts in other circuits rely to determine if there is a substantial risk of harm in the data breach context: whether the data breach was intentional, whether the data was misused, and whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft.

The Third Circuit concluded that plaintiff faced a substantial risk of future identity theft because a known hacker group intentionally misused stolen data by posting it on the Dark Web.  Moreover, the personal and financial data obtained by the hacker group was the type of data that could be used to perpetrate identity theft or fraud.

In finding that plaintiff suffered a concrete injury, the Third Circuit looked to the Supreme Court’s recent opinion in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), which clarified the types of intangible harms that could nevertheless qualify as concrete.  The Third Circuit held that “in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.”

The Third Circuit concluded that plaintiff’s injury was concrete because her risk of identity theft was accompanied by additional concrete harms that she had already experienced as a result of that risk, namely her emotional distress and time and money involved in mitigating the effects of the data breach.

Having found that plaintiff sufficiently asserted her standing to bring data breach-related causes of action against her former employer, the Third Circuit vacated the judgment of the District Court and remanded for consideration on the merits.