Class-Action Suits Over Data Breaches No Longer Require Proof of Actual Harm, According to Federal Appeals Court Ruling
Requirements are loosening for an organization to be held legally and financially responsible for stolen private data, cybersecurity attorney explains
- By Kristal Kuykendall
- 09/27/22
As ransomware attacks targeting the education sector grab more headlines every week, a new ruling from a federal appeals court has made it easier for people whose data is breached and leaked on the dark web to sue the organizations where the data was compromised.
The ruling from the U.S. Court of Appeals for the Third Circuit means that the requirement for a data breach plaintiff to have suffered "actual or imminent harm" is shifting along with the fast-changing landscape of cybersecurity and data privacy, said attorney Harris S. Freier, partner at Genova Burns and head of the firm's Privacy and Cybersecurity Practice.
Freier, whose litigation specialties include employment and trade secret cases as well as data privacy law, wrote about the Third Circuit decision in a recent blog post.
Earlier this month, the Third Circuit Court of Appeals' three-judge panel unanimously reinstated a putative class-action suit against a company that suffered a ransomware attack, which led to the lead plaintiff's sensitive information being released onto the dark web.
Lead plaintiff Jennifer Clemens, a former employee of ExecuPharm based in Massachusetts, sued after the company experienced a ransomware attack and the data stored on its servers was published on the dark web, according to court documents.
Notably, Clemens did not suffer identity theft following the breach. After the company notified employees of the breach, Clemens "took swift action by reviewing her financial records and credit reports, switching banks and purchasing credit monitoring services," according to court documents summarized by Freier.
In February 2021, the District Court for the Eastern District of Pennsylvania dismissed her case for lack of standing, due to the "speculative nature" of the injuries to the employees. But the decision issued on Sept. 2, 2022, by the Third Circuit Court of Appeals vacated the dismissal and remanded the case for consideration on the merits — giving the potential class of plaintiffs a new chance for relief and putting organizations that store PII data on notice, Freier explained.
The nature of the cyberattack targeting the company is spelled out in the appellate court ruling: "A hacking group known as CLOP accessed ExecuPharm's servers through a phishing attack in March 2020, stealing sensitive information pertaining to current and former employees, including Clemens. Specifically, the stolen information contained Social Security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver's license numbers, sensitive tax forms, and passport numbers. In addition to exfiltrating the data, CLOP installed malware to encrypt the data stored on ExecuPharm's servers. Then, CLOP held the decryption tools for ransom, threatening to release the information if ExecuPharm did not pay the ransom. Either because ExecuPharm refused to pay or for nefarious reasons unknown, the hackers made good on their threat and posted the data on underground websites located on the dark web."
Clemens sued under the Class Action Fairness Act, with claims for negligence, breach of contract, breach of fiduciary duty and breach of confidence.
The Third Circuit Court of Appeals clarified that an injury can be "imminent" in order to qualify for standing, and does not need to have actually taken place at the time the suit is filed. Based on precedent in recent data breaches, the Court of Appeals "determined that the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group," Freier wrote in his case analysis.