Third Circuit: Risk of Future Harm from Data Breach Enough for Article III Standing

The U.S. Court of Appeals for the Third Circuit recently held in Clemens v. ExecuPharm Inc. that the risk of future harm from a data breach can be enough for Article III standing, taking into consideration whether the breach was intentional, whether the data was misused, and the nature of the data accessed.

As a condition of employment, a consumer was required to provide her employer “with sensitive personal and financial information, including her address, social security number, bank and financial account numbers, insurance and tax information, her passport, and information relating to her husband and child.”  The employment agreement stated that the employer “would ‘take appropriate measures to protect the confidentiality and security’ of this information.”

Sometime after the consumer left that employment, a hacking group used a phishing attack to steal her information, as well as that of other current and former employees. Ultimately, the hackers posted the data on the Dark Web, which “is most widely used as an underground black market where individuals sell illegal products like . . . sensitive stolen data that can be used to commit identity theft or fraud.”

The consumer filed suit against the employer alleging she was injured by the risk of identity theft and her investment of time and money to mitigate potential harm through measures such as fraud alerts and credit monitoring. Specifically, her claims were for negligence, negligence per se, breach of implied contract, breach of contract, breach of fiduciary duty, and breach of confidence.

The trial court dismissed the suit based on lack of Article III standing, holding that “allegations of an increased risk of identity theft resulting from a security breach are insufficient for standing,” and that the “risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”

On appeal, the U.S. Court of Appeals for the Third Circuit explained that for Article III standing, a plaintiff must demonstrate, among other things, “that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent.”  Regarding data breaches, the Court noted that factors to be considered are whether the breach was intentional, whether the data was misused, and the nature of the data accessed.

Here, the unauthorized access was clearly intentional, and the data, by being made available on the Dark Web, was misused. The data “was also the type of data that could be used to perpetrate identity theft or fraud. . . Together, these factors show that [the consumer] has alleged a ‘substantial risk that the harm will occur’ sufficient to establish an ‘imminent’ injury.”

The Court noted that “although the substantial risk of identity theft is a risk of future harm and this is a suit for damages, which may under other circumstances pose a problem for concreteness, [the consumer] has alleged several additional concrete harms that she has already experienced as a result of that risk . . . Thus, her injury is also ‘concrete.’”

Based on this reasoning, the Court vacated the trial court’s judgment and remanded the case for consideration on the merits.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
