Routine Collection Of Employee Private Information May Open The Door To Costly Litigation If A Data Breach Occurs

Sherman & Howard L.L.C.

In McFarlane v. Altice USA, Inc., a recent decision out of the Southern District of New York, a class of plaintiffs successfully established standing and stated a plausible claim for breach of implied contract based on a data breach caused by a cybercriminal phishing attack.

The cable company Altice was the target of a phishing scam in which employees unwittingly provided the cybercriminals access to non-encrypted customer and employee personal identifying information, including social security numbers. Plaintiffs in McFarlane are former employees whose social security numbers were compromised. Plaintiffs brought a variety of claims, including breach of implied contract. Altice moved to dismiss the lawsuit for lack of standing and to dismiss the implied contract claim for failure to state a plausible claim. Altice lost on both of these arguments.

Standing—a necessary component of any lawsuit—requires that plaintiffs show they have suffered an injury caused by the defendant’s conduct and that the injury may be redressed by court intervention. While a speculative injury is insufficient, a future injury may suffice so long as it is “certainly impending.” Historically, class counsel has faced difficulty connecting a defendant’s conduct to alleged harm when a data breach occurs, especially given the frequency of data breaches and the challenge in identifying which breach caused data to be compromised. In McFarlane, class counsel alleged (but has yet to explain the basis of its allegation) that the former employees’ harm arising from the breach was traceable to Altice. The Court held that Plaintiffs had standing because three of the nine Plaintiffs were victims of identity theft, and the impending prospect of the unlawful use of their misappropriated social security numbers was traceable to Altice’s failure to safeguard its data.

Because they have standing, Plaintiffs may now pursue myriad claims, including their claim for breach of implied contract. Relying in part on a decision from the District of Colorado involving consumer (rather than employee) claims, the Court held that the Plaintiffs sufficiently alleged they had provided their personal identifying information as a condition of employment, therefore creating an implied contract. That implied contract conferred upon Altice the obligation to take reasonable steps to safeguard the employees’ personal information. Altice allegedly breached that contract by failing to use adequate email filtering software, not requiring cybersecurity training, and not encrypting sensitive documents.

The lesson? Employers, virtually all of whom collect personal information from their employees, risk significant legal exposure if they do not acknowledge the real likelihood of a cyber-attack in today’s digital world. Employers must implement effective data protection policies and procedures to limit the risk of inadvertent disclosure or criminal activity that could compromise sensitive data. If a breach occurs and litigation ensues, class counsel may employ counterintuitive arguments to demonstrate standing and nudge unexpected claims from conceivable to plausible.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sherman & Howard L.L.C. | Attorney Advertising
