Potential Harm Enough For Class Action to Proceed in Data Breach Litigation
The Third Circuit Court of Appeals has given new life to a putative class action suit led by a former employee of a company that suffered a ransomware attack, leading to her sensitive information being released onto the Dark Web. In February 2021, the District Court for the Eastern District of Pennsylvania dismissed her case for lack of standing, due to the “speculative nature” of the injuries to the employees. However, on September 2, 2022, the United States Court of Appeals for the Third Circuit vacated the judgment of the District Court, and remanded the case for consideration on the merits (a fresh examination of the evidence and facts presented), giving the potential class of plaintiffs a new chance for relief.
Jennifer Clemens is a former employee of biopharmaceutical company ExecuPharm, Inc. (“ExecuPharm”), a subsidiary of Parexel International Corp., headquartered in Newton, Massachusetts. Upon her hire, Clemens was required to provide to the company a long list of personal information, including her address, social security number, bank and financial account numbers, insurance and tax information, her passport, and information relating to her husband and child. Her employment agreement provided that ExecuPharm would “take appropriate measures to protect the confidentiality and security” of the personal information.
However, in March 2020, after Clemens had already left the company, ExecuPharm was subject to a phishing attack in which its servers were hacked and sensitive information of former and current employees was stolen. The hackers initiated a ransomware attack, installing malware to encrypt the hacked data and threatening to release the information from the server if ExecuPharm did not pay a ransom. ExecuPharm did not pay this ransom, and as a result, this personal data, including the sensitive information of Clemens, was posted on the Dark Web, a hidden portion of the Internet where individuals sell and purchase illegal products, such as stolen personal data used to commit identity theft or fraud.
After Clemens was informed by ExecuPharm of the breach, she took swift action by reviewing her financial records and credit reports, switching banks and purchasing credit monitoring services.
Clemens did not suffer any actual identity theft or fraud. However, she still feared that she would suffer harm from this incident in the future. As a result, she sued ExecuPharm and Parexel in the United States District Court for the Eastern District of Pennsylvania under the Class Action Fairness Act, with claims for negligence, breach of contract, breach of fiduciary duty and breach of confidence.
District Court Dismisses the Case
In February 2021, the District Court dismissed Clemens’s case based on lack of standing. To bring a suit in federal court, a plaintiff must have Constitutional standing, known as “Article III Standing.” That means that the plaintiff must demonstrate a personal stake in the suit's outcome. In order to show standing, a plaintiff must, among other things, demonstrate that “he or she suffered an injury in fact that is concrete, particularized, and actual or imminent.” The District Court found that allegations of an increased risk of identity theft based on a data breach, without actual identity theft occurring, are insufficient to establish standing in federal court. The Court reasoned that the risk of future harm as a result of the hack was “speculative” in nature, and the money that she spent mitigating this speculative risk was insufficient to create standing.
Clemens appealed this dismissal to the Third Circuit Court of Appeals, where it was heard by a three-judge panel.
Court of Appeals Decision
The Third Circuit Court of Appeals unanimously vacated the District Court’s dismissal of Clemens’s complaint, and remanded the entire case for consideration on the merits of Clemens’s claims.
The Court clarified that an injury can be “imminent” in order to qualify for standing, and does not need to have actually taken place at the time suit is filed. Based on precedent in the area of data breaches, the Court of Appeals determined that the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group.
The Court followed the trend of other jurisdictions, which found that actual misuse of the data is not necessarily required in this context. Finally, to conclude its analysis for standing, the Court also determined that an intangible injury, such as the injury in question, can count as sufficiently concrete. The emotional distress that a victim of a data breach experiences is sufficient.
As for the contract, tort and secondary contract claims, the Court of Appeals determined that for the pleading stage of the litigation, Clemens had successfully set forth that her injuries came as a “direct and proximate” result of ExecuPharm’s failure to safeguard her information, which it had contracted to do and had an established duty to do. As a result, the Court of Appeals ruled that the District Court should consider her claims on their merits.
From a public policy perspective, the Court of Appeals warned of “uniquely drastic consequences” of failing to uphold these provisions in the digital age.
In this new age of cybersecurity threats, companies must make a considerable effort to protect their employees’ personal and sensitive information stored on their servers. Businesses must engage in data minimization by attempting to collect only the personally identifiable information of employees and customers that is absolutely needed for their business.
The Third Circuit decision makes it easier than ever for victims of data breaches to pursue class actions even if they have not yet been harmed. Businesses should also consider cyber insurance due to the increasing threats of data breaches and resulting class action litigation.
Obviously, preventing cybersecurity attacks and responding appropriately if and when breaches occur are the best ways to reduce potential class action liability. Our firm is well equipped to assist your company in both the prevention of and the response to cyber-attacks. Even the best preparation cannot always prevent litigation, and to the extent you are faced with a class action resulting from a data breach, our litigators will work with you to put your company in the best possible position for success.
For more information, please contact Harris S. Freier, Esq., lead Partner of the Privacy & Cybersecurity Practice Group, or William F. Megna, Esq., Partner in the Insurance & Reinsurance Industry Group, or call 973.533.0777.