The Third Circuit recently reinstated the putative class action Clemens v. ExecuPharm Inc., concluding there was sufficient risk of imminent harm after a data breach to confer standing on the named plaintiff when the information had been posted on the Dark Web.

In March 2020, the known hacker group “CLOP” allegedly stole employee data held by ExecuPharm Inc., including social security numbers, birthdates, names, addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, tax forms, and passport numbers.  The hackers then purportedly posted the stolen data on the Dark Web, a portion of the Internet hidden from search engines that the Third Circuit described as being widely used for illicit sales.

After ExecuPharm warned of potential harm, Jennifer Clemens, a former ExecuPharm employee, claimed that she took extensive action to prevent identity theft and fraud.  Clemens allegedly invested time and money, such as paying for credit monitoring services; experienced emotional distress and related therapy costs; and suffered a risk of future identity theft and fraud.

Clemens then brought a putative class action on behalf of other current and former ExecuPharm employees raising claims for negligence, breach of contract, breach of fiduciary duty, and breach of confidence against ExecuPharm.  The Eastern District of Pennsylvania dismissed the action in February 2021, concluding that allegations of increased risk of identity theft resulting from a data breach do not confer standing.  The district court relied on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).

A unanimous panel of the Third Circuit reversed on all claims, with Judge Peter Phipps concurring in the judgment.  Judges Joseph Greenaway Jr. and Cheryl Ann Krause distinguished Reilly because the Reilly plaintiffs had only alleged hypothetical future harm and lacked evidence that harm was imminent.  The majority clarified that Reilly did not create a bright-line rule precluding standing based on alleged risks of future identity theft or fraud and stated that the U.S. Supreme Court’s decision in Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014), authorized lawsuits where there is a “substantial risk” of future harm.

The majority decided that Clemens faced imminent “substantial risk” of future identity theft because a known hacker group, CLOP, intentionally misused stolen data by posting it on the Dark Web.  The combination of stolen financial and personal information was “particularly concerning as it could be used to perpetrate both identity theft and fraud.”

The majority also decided that plaintiffs suing for damages due to data breach can satisfy the “concreteness” standing requirement if they allege that the exposure to future substantial risk of identity theft caused additional current concrete harms.  Emotional distress or the money spent on mitigation measures like credit monitoring services made Clemens’s injury concrete under the panel’s analysis.  The panel vacated the district court’s decision and reinstated all claims.

Judge Phipps concurred in the judgment but would have gone even further.  He concluded that Clemens had standing simply because the claims she pursued for negligence, breach of contract, breach of confidence, and breach of fiduciary duty are traditional causes of action well suited for judicial resolution at the time of the Constitution’s adoption.  Judge Phipps believed the panel need not analyze standing through the tripartite test laid out in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016).

Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.