Imminent and Substantial: The Third Circuit Holds That the Leak of Personal Information onto the Dark Web is Sufficient to Establish an “Injury-In-Fact”

Gregory Archibald, Devin Chwastyk
McNees Wallace & Nurick LLC
Contact
LinkedIn
Facebook
X
Send
Embed

McNees Wallace & Nurick LLC

A recent decision from the Third Circuit suggests that the leak of information onto the Dark Web provides standing to class action plaintiffs in data breach litigation. In Clemens v. ExecuPharm, Inc., 48 F.4th 146 (3d Cir. 2022), the Defendant employer suffered a data breach that permitted a ransomware gang to steal sensitive information pertaining to the Defendant’s current and former employees. Eventually, the hackers posted the data on underground websites located on the Dark Web.

The plaintiff, a former employee whose data was stolen by the hackers, filed a class action lawsuit on behalf of herself and other employees whose information was accessed. However, the plaintiff did not allege that she (or any other employees) suffered any financial losses as a result of the breach. Since showing financial harm is traditionally a required element to establish standing, the District Court dismissed the case.

However, the Third Circuit reversed. Interpreting the U.S. Supreme Court’s holding in Transunion[1], the Third Circuit held that the leak of information onto the Dark Web by itself constitutes an “injury-in-fact” sufficient to provide standing to sue in federal court. Explaining their decision, the Third Circuit wrote, “Because we can reasonably assume that many of those who visit the Dark Web, and especially those who seek out and access [the ransomware group’s] posts, do so with nefarious intent, it follows that Clemens faces a substantial risk of identify theft or fraud by virtue of her personal information being made available on underground websites…”

In light of this decision, and the increasingly digitized world, employers are strongly encouraged to implement appropriate security measures and ensure that those measures continue to comply with ever-changing industry standards. Failure to take these preventative measures could leave employer networks vulnerable to data breach, subjecting employers to potential liability for the breach of employee or customer data itself, let alone the financial consequences that could result if such information is misused.

[1] In this case, the U.S. Supreme Court held that an allegation of a risk of future harm is sufficient to establish an injury-in-fact for standing purposes, if such risk of future harm is “sufficiently imminent and substantial.” TransUnion LLC v. Ramirez, __ U.S. __, 141 S.Ct. 2190, 2210-11 (2021).

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising

Written by:

McNees Wallace & Nurick LLC
McNees Wallace & Nurick LLC
Contact
more
less

McNees Wallace & Nurick LLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide