[co-author: Winnie Johnson]
The United States Court of Appeals for the Third Circuit recently held that a plaintiff had standing to sue her former employer for a data breach that exposed her personal information to the “Dark Web” because she sufficiently alleged an “imminent” and “concrete” injury, despite not yet having her identity stolen as a result of the breach. Clemens v. ExecuPharm Inc., No. 21-1506, slip op. (3d Cir. Sept. 2, 2022). The Court also admonished employers, noting that “an employer’s duty to protect its employees’ sensitive information has significantly broadened . . . . In order to protect [employees’] data, they must implement appropriate security measures.”
Overview of the Case
In 2020, a hacking group known as CLOP gained access to a company’s servers through a phishing attack, stealing sensitive personal information (such as social security numbers, addresses, credit card numbers, and driver’s license numbers) related to current and former employees and holding it for ransom. When the company refused to pay the ransom, the hackers released the information on the Dark Web, an “online underground market” where stolen data can be purchased to commit identity theft. After the company notified current and former employees of the incident, the future plaintiff, a former employee, took steps to mitigate the risk of identity theft by instituting fraud alerts on her credit reports, transferring to a new bank, enrolling in the company’s credit monitoring service, and purchasing a credit monitoring service for her and her family. However, her identity was never actually stolen.
The plaintiff then sued the company on behalf of herself and others similarly affected by the breach, asserting claims for negligence, breach of contract, breach of fiduciary duty, and breach of confidence. The hack allegedly constituted a breach of the employees’ employment agreement, which included a provision stating that the company would protect the personal data that the employees disclosed as a condition of their employment. The defendant then filed a motion to dismiss on the basis that the plaintiff lacked Article III standing because she had not experienced actual identity theft, and the district court granted the motion. In dismissing the plaintiff’s claims, the district court interpreted a previous Third Circuit decision, Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011), as creating “a bright line rule precluding standing based on the alleged risk of identity theft or fraud,” reasoning that a risk of such harm is necessarily speculative, and thus not “imminent, concrete and particularized,” as required for Article III standing.
On appeal, the Third Circuit disagreed that Reilly created such a bright line rule, stating that a data breach can create a “substantial risk” that future harm will result to the victim, thus establishing an “imminent” future injury. Also, in the case at hand, CLOP had already attacked the company and released the data to the Dark Web, whereas Reilly concerned the “entirely speculative, future actions of an unknown third-party [sic].” The court pointed to three other factors weighing in favor of finding imminence in the Clemens case: (1) the hackers gained access to the data intentionally; (2) the hackers misused the data; and (3) the data contained a combination of financial and personal information useful to committing identity theft. As to a finding of “concrete” injury, the Third Circuit concluded it is sufficient for the plaintiff to allege “additional, currently felt concrete harms” as a result of that risk. The plaintiff in Clemens satisfied this requirement by pointing to her emotional distress and time and money expended to mitigate the risk from the data breach. As a result, the court concluded that the plaintiff had established standing to sue the company on all of her claims and vacated the district court’s dismissal of the case.
What This Means for You
This case alerts employers to the range of circumstances giving rise to liability in the event of a phishing attack or other data breach. Even if current and former employees do not actually suffer identity theft as a result of a data breach, the employees could still have standing to sue the employer if the circumstances establish an “imminent” and “concrete” injury. Complicating the mix is that courts around the country may take a different view of these cases. Nonetheless, employers should implement reasonable and appropriate security measures in compliance with industry standards to avoid liability. Employers should also consider obtaining cyber insurance that would cover this type of claim, and should review the wording of data-related provisions in employment agreements, which may be important to a breach of contract claim in the event of a data breach.
*Winnie Johnson is a law clerk in our Houston office.