The Third Circuit recently reinstated the putative class action Clemens v. ExecuPharm Inc., concluding there was sufficient risk of imminent harm after a data breach to confer standing on the named plaintiff when the information had been posted on the Dark Web.

In March 2020, the known hacker group “CLOP” allegedly stole employee data held by ExecuPharm Inc., including social security numbers, birthdates, names, addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, tax forms, and passport numbers.  The hackers then purportedly posted the stolen data on the Dark Web, a portion of the Internet hidden from search engines that the Third Circuit described as being widely used for illicit sales.

After ExecuPharm warned of potential harm, Jennifer Clemens, a former ExecuPharm employee, claimed that she took extensive action to prevent identity theft and fraud.  Clemens allegedly invested time and money such as paying for credit monitoring services, experienced emotional distress and related therapy costs, and suffered a risk of future identity theft and fraud.

Clemens then brought a putative class action on behalf of other current and former ExecuPharm employees raising claims for negligence, breach of contract, breach of fiduciary duty, and breach of confidence against ExecuPharm.  The Eastern District of Pennsylvania dismissed the action in February 2021, concluding that allegations of increased risk of identity theft resulting from a data breach do not confer standing.  The district court relied on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).

A unanimous panel of the Third Circuit reversed on all claims, with Judge Peter Phipps concurring in the judgment.  Judges Joseph Greenaway Jr. and Cheryl Ann Krause distinguished Reilly because the Reilly plaintiffs had only alleged hypothetical future harm and lacked evidence that harm was imminent.  The majority clarified that Reilly did not create a bright-line rule precluding standing based on alleged risks of future identity theft or fraud and stated that the U.S. Supreme Court’s decision in Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014), authorized lawsuits where there is a “substantial risk” of future harm.

The majority decided that Clemens faced imminent “substantial risk” of future identify theft because a known hacker group, CLOP, intentionally misused stolen data by posting it on the Dark Web.  The combination of stolen financial and personal information was “particularly concerning as it could be used to perpetrate both identity theft and fraud.”

The majority also decided that plaintiffs suing for damages due to data breach can satisfy the “concreteness” standing requirement if they allege that the exposure to future substantial risk of identity theft caused additional current concrete harms.  Emotional distress or the money spent on mitigation measures like credit monitoring services made Clemens’s injury concrete under the panel’s analysis.  The panel vacated the district court’s decision and reinstated all claims.

Judge Phipps concurred in the judgment but would have gone even further.  He concluded that Clemens had standing simply because the claims she pursued for negligence, breach of contract, breach of confidence, and breach of fiduciary duty are traditional causes of action well suited for judicial resolution at the time of the Constitution’s adoption.  Judge Phipps believed the panel need not analyze standing through the tripartite test laid out in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016).

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Photo of Tomoaki Takaki Tomoaki Takaki

Tomo Takaki is an associate in the Los Angeles office, where his practice focuses on litigation, white collar criminal defense, and internal investigations.