The U.S. Court of Appeals for the Third Circuit recently held in Clemens v. ExecuPharm Inc. that the risk of future harm from a data breach can be enough for Article III standing, taking into consideration whether the breach was intentional, whether the data was misused, and the nature of the data accessed.
As a condition of employment, a consumer was required to provide her employer “with sensitive personal and financial information, including her address, social security number, bank and financial account numbers, insurance and tax information, her passport, and information relating to her husband and child.” The employment agreement stated that the employer “would ‘take appropriate measures to protect the confidentiality and security’ of this information.”
Sometime after the consumer left that employment, a hacking group used a phishing attack to steal her information, as well as that of other current and former employees. Ultimately, the hackers posted the data on the Dark Web, which “is most widely used as an underground black market where individuals sell illegal products like . . . sensitive stolen data that can be used to commit identity theft or fraud.”
The consumer filed suit against the employer alleging she was injured by the risk of identity theft and her investment of time and money to mitigate potential harm through measures such as fraud alerts and credit monitoring. Specifically, her claims were for negligence, negligence per se, breach of implied contract, breach of contract, breach of fiduciary duty, and breach of confidence.
The trial court dismissed the suit based on lack of Article III standing, holding that “allegations of an increased risk of identity theft resulting from a security breach are insufficient for standing,” and that the “risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”
On appeal, the U.S. Court of Appeals for the Third Circuit explained that for Article III standing, a plaintiff must demonstrate, among other things, “that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent.” Regarding data breaches, the Court noted that factors to be considered are whether the breach was intentional, whether the data was misused, and the nature of the data accessed.
Here, the unauthorized access was clearly intentional and, by being made available on the Dark Web, was misused. The data “was also the type of data that could be used to perpetrate identity theft or fraud. . . Together, these factors show that [the consumer] has alleged a ‘substantial risk that the harm will occur’ sufficient to establish an ‘imminent’ injury.”
The Court noted that “although the substantial risk of identity theft is a risk of future harm and this is a suit for damages, which may under other circumstances pose a problem for concreteness, [the consumer] has alleged several additional concrete harms that she has already experienced as a result of that risk . . . Thus, her injury is also ‘concrete.’”
Based on this reasoning, the Court vacated the trial court’s judgment and remanded the case for consideration on the merits.