Third Circuit Makes Precedent-Setting Decision in Data Breach Case
August 22, 2023
By: Stephen B. Stern
In Clemens v. ExecuPharm, Inc., 48 F.4th 146 (3d Cir. 2022), the United States Court of Appeals for the Third Circuit vacated the lower court’s decision to dismiss the complaint filed by Jennifer Clemens (“Clemens”), finding that she alleged facts about the publication of sensitive personal information on the Dark Web that were sufficient to establish an injury-in-fact for standing purposes.
Clemens worked for ExecuPharm, Inc. (“ExecuPharm”), a subsidiary of Parexel International Corp. (“Parexel”). As a condition of her employment, Clemens was required to disclose sensitive personal information to ExecuPharm, including her address, social security number, bank and financial account numbers, insurance and tax information, passport, and information related to her husband and child. In return, ExecuPharm committed to “take appropriate measures to protect the confidentiality and security” of the personal information Clemens provided.
After Clemens left the company, a hacking group known as CLOP accessed ExecuPharm’s servers through a phishing attack in March 2020 and stole sensitive information for current and former employees. The stolen information included social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, sensitive tax forms, and passport numbers. The hackers posted the data on the Dark Web, which the court described as “a portion of the Internet that is intentionally hidden from search engines and requires the use of an anonymizing browser to be accessed. It is most widely used as an underground black market where individuals sell illegal products like . . . sensitive stolen data that can be used to commit identity theft or fraud.”
ExecuPharm acknowledged in communications with current and former employees that “[u]nauthorized access to [the compromised] information may potentially lead to the misuse of [their] personal data to impersonate [them] and/or to commit, or allow third parties to commit, fraudulent acts such as securing credit in [their] name.” To mitigate against this risk, Clemens, whose data was stolen, reviewed her financial records and credit reports for unauthorized activity, placed fraud alerts on her credit reports, transferred her account to a new bank, enrolled in ExecuPharm’s complimentary one-year credit monitoring services, and purchased three bureau credit monitoring services for herself and her family for $39.99 per month.
Clemens also filed suit in the United States District Court for the Eastern District of Pennsylvania, seeking class certification and alleging that she sustained a variety of injuries, including the risk of identity theft and fraud, as well as the investment of time and money to mitigate against that risk. Her complaint included claims for negligence, negligence per se, breach of implied contract, breach of contract, breach of fiduciary duty, breach of confidence, and declaratory judgment. ExecuPharm and Parexel filed motions to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). The district court applied what it described as a “bright line” rule established by the Third Circuit in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), and found that the risk of future harm resulting from the data breach was speculative, not imminent, and, therefore, Clemens did not have standing to pursue her claims. Clemens appealed to the Third Circuit.
The Third Circuit started its analysis by explaining that Article III standing requires a plaintiff to demonstrate that he or she “suffered an injury in fact that is concrete, particularized, and actual or imminent,” “that the injury was caused by the defendant,” and “the injury would likely be redressed by the requested judicial relief.” The court went on to explain that the disjunctive nature of the “actual or imminent” factor is critical because it indicates “a plaintiff need not wait until he or she has actually sustained the feared harm in order to seek judicial redress, but can file suit when the risk of harm becomes imminent.” (emphasis added by court). “This is especially important in the data breach context, where the disclosure of the data may cause future harm as opposed to currently felt harm[,]” which the court noted differs from “traditional tort claims like defamation or invasion of privacy.” While a data breach itself does not cause “inherent harm to the victim[,]” the court noted that “it can still poise the victim to endure the kind of future harm that qualifies as ‘imminent.’” The court further explained that allegations of future injury suffice if “there is a ‘substantial risk’ that the harm will occur,” and that “substantial risk” means a “realistic danger of sustaining a direct injury.”
The court then went on to explain that it did not create a “bright line” rule in Reilly that precluded standing in data breach cases based on the risk of identity theft or fraud. Instead, the court clarified that the standing analysis requires consideration of “whether an injury is present versus future, and imminent versus hypothetical.” The court then included a non-exhaustive list of factors that courts should consider when evaluating whether a risk of harm is imminent. Those factors include whether the data breach was intentional, whether the data was misused, and whether the nature of the information accessed through a data breach could subject the plaintiff to a risk of identity theft.
As for the requirement that the injury be “concrete,” the Third Circuit noted that the United States Supreme Court had recently clarified in TransUnion, LLC v. Ramirez, 141 S. Ct. 2190 (2021), that “[c]entral to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts – such as physical harm, monetary harm, or various intangible harms.” According to the Third Circuit, in the data breach context, unauthorized exposure of personal identifying information that results in a risk of identity theft or fraud is “closely related to that [injury] contemplated by privacy torts that are ‘well-ensconced in the fabric of American law.’” The Third Circuit further noted that the Supreme Court’s decision in TransUnion also made the type of relief sought relevant. In this regard, the Third Circuit explained that, when a plaintiff seeks only monetary relief, “something more [than risk of future harm] is required,” while a plaintiff seeking injunctive relief can satisfy the concreteness requirement more easily. The Third Circuit then held that, “in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he [or she] alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.” As an illustration, the Third Circuit noted that “if the plaintiff’s knowledge of the substantial risk of identity theft causes him [or her] to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.”
When applying these principles to the case at hand, the Third Circuit found Clemens alleged sufficient facts to state a claim. With respect to the contract claim, the court found that Clemens alleged sufficient facts to show ExecuPharm breached its obligation to “take appropriate measures to protect the confidentiality and security” of the information obtained from Clemens (and other employees), and the risk of future identity theft was sufficient to establish imminent and concrete harm. The court further explained that victims of data breaches must “live with the perpetual, well-founded fear and risk that hackers will misuse their data” and “[t]he only way to allay those concerns is to invest time and money into precautionary measures that could mitigate the potential misuse.” (emphasis added by court). In this particular case, because Clemens alleged that CLOP had intentionally hacked ExecuPharm and had already disseminated personal identifying information on the Dark Web, and the Dark Web is used for nefarious purposes, including identity theft, the court found that Clemens alleged a substantial risk of imminent injury (more so than the injuries that were more hypothetical in nature in Reilly). Plus, Clemens alleged other concrete injuries, including the mitigation measures she spent money on and the emotional distress for which she incurred the costs of therapy. The court also found that Clemens alleged sufficient facts to satisfy the “traceability” and redressability requirements in that Clemens alleged that her damages were the direct and proximate result of ExecuPharm breaching its contractual commitment to protect the information it obtained. The court then conducted its analysis of Clemens’ tort claims and found that the tort claims should survive for reasons similar to why the contract claim survived.
The Third Circuit’s decision in Clemens is significant for multiple reasons. First, the court’s decision in Clemens further illustrates that the landscape of standing decisions in data breach cases – particularly fear of identity theft cases – continues to evolve. Second, and perhaps more importantly, the court’s decision in Clemens makes it somewhat easier for individuals to file claims against companies from which their data was stolen, as fear of identity theft could be sufficient to state a claim (in several prior decisions it was not). Third, with so much sensitive data stored on company networks, including employee data, and companies needing to entice employees and consumers to provide such data, companies may want to rethink what sort of contractual “commitments” they make and whether there are ways to avoid breach of contract claims in the event of a data breach. Even if disclaimers are modified to avoid such contract claims, companies that are the targets of data breaches likely will remain vulnerable to tort claims filed by individuals whose data is stolen.