The Third Circuit recently reinstated the putative class action Clemens v. ExecuPharm Inc., concluding there was sufficient risk of imminent harm after a data breach to confer standing on the named plaintiff when the information had been posted on the Dark Web.
In March 2020, the known hacker group “CLOP” allegedly stole employee data held by ExecuPharm Inc., including social security numbers, birthdates, names, addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, tax forms, and passport numbers. The hackers then purportedly posted the stolen data on the Dark Web, a portion of the Internet hidden from search engines that the Third Circuit described as being widely used for illicit sales.
After ExecuPharm warned of potential harm, Jennifer Clemens, a former ExecuPharm employee, claimed that she took extensive action to prevent identity theft and fraud. Clemens allegedly invested time and money, such as by paying for credit monitoring services; experienced emotional distress and related therapy costs; and suffered a risk of future identity theft and fraud.
Clemens then brought a putative class action on behalf of other current and former ExecuPharm employees raising claims for negligence, breach of contract, breach of fiduciary duty, and breach of confidence against ExecuPharm. The Eastern District of Pennsylvania dismissed the action in February 2021, concluding that allegations of increased risk of identity theft resulting from a data breach do not confer standing. The district court relied on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).
A unanimous panel of the Third Circuit reversed on all claims, with Judge Peter Phipps concurring in the judgment. Judges Joseph Greenaway Jr. and Cheryl Ann Krause distinguished Reilly because the Reilly plaintiffs had only alleged hypothetical future harm and lacked evidence that harm was imminent. The majority clarified that Reilly did not create a bright-line rule precluding standing based on alleged risks of future identity theft or fraud and stated that the U.S. Supreme Court’s decision in Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014), authorized lawsuits where there is a “substantial risk” of future harm.
The majority decided that Clemens faced imminent “substantial risk” of future identity theft because a known hacker group, CLOP, intentionally misused stolen data by posting it on the Dark Web. The combination of stolen financial and personal information was “particularly concerning as it could be used to perpetrate both identity theft and fraud.”
The majority also decided that plaintiffs suing for damages due to a data breach can satisfy the “concreteness” standing requirement if they allege that the exposure to future substantial risk of identity theft caused additional current concrete harms. Emotional distress or the money spent on mitigation measures like credit monitoring services made Clemens’s injury concrete under the panel’s analysis. The panel vacated the district court’s decision and reinstated all claims.
Judge Phipps concurred in the judgment but would have gone even further. He concluded that Clemens had standing simply because the claims she pursued for negligence, breach of contract, breach of confidence, and breach of fiduciary duty are traditional causes of action well suited for judicial resolution at the time of the Constitution’s adoption. Judge Phipps believed the panel need not analyze standing through the tripartite test laid out in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016).