The Third Circuit recently became the first federal appellate court since the Supreme Court’s 2021 decision in TransUnion v. Ramirez to address whether the victim of a data breach has Article III standing to bring a claim for damages based on the fear of identity theft.  The Third Circuit, in Clemens v. ExecuPharm Inc., found that the plaintiff had established an injury in fact sufficient to satisfy federal standing requirements despite TransUnion’s holding that the mere fear of future harm was generally insufficient to establish a claim for monetary damages under Article III.  The Third Circuit’s opinion may provide a roadmap for plaintiffs’ attorneys seeking to bring future data breach claims premised on the fear of identity theft.

The plaintiff in Clemens was a former ExecuPharm employee whose sensitive personal data, including her social security number, was stolen by threat actors in a 2020 ransomware attack against ExecuPharm.  After ExecuPharm declined to pay the ransom, the threat actors published the stolen data on the dark web.  When plaintiff became aware of the theft and publication of her sensitive personal information, she purchased credit monitoring, placed fraud alerts on her accounts, and spent time monitoring those accounts for signs of fraud or identity theft.  Plaintiff brought suit against ExecuPharm in 2020 in the Eastern District of Pennsylvania, asserting claims for negligence, negligence per se and breach of implied contract.  The District Court dismissed the case, relying on a pre-TransUnion Third Circuit case – Reilly v. Ceridian Corp. – which held that the risk of future harm was too speculative to establish Article III standing.  However, notwithstanding the TransUnion decision, the Third Circuit came to the opposite conclusion here and reversed.

Most of the Court’s standing analysis was focused on the “injury in fact” requirement of Article III.  This requires that a plaintiff demonstrate that he or she has suffered an injury in fact that is concrete, particularized and actual or imminent.  The Third Circuit noted that there are a number of factors that serve as guideposts to determining whether an injury is “imminent or certainly impending” in the data breach context, including whether the breach was intentional, whether data was misused, as well as the nature of the information accessed through the breach, with sensitive data that could be used to commit fraud or identity theft increasing the likelihood of harm. 

Applying these guideposts, the Third Circuit noted that the breach had been perpetrated by a known ransomware gang and was thus clearly intentional, that it involved sensitive data such as the plaintiff’s social security number, and that the data had already been misused through its publication on the dark web, which is used as a marketplace for illegal sale of personal data by hackers and fraudsters.  Based on these facts, the Court found that the plaintiff’s risk of harm was “imminent or certainly impending”.

The most potentially impactful part of the Third Circuit’s opinion, however, was its analysis of whether the plaintiff’s injury was sufficiently concrete.  Citing TransUnion, the Court focused on whether the plaintiff’s asserted harm, “has a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts[.]” The Court found that the plaintiff’s alleged harm was analogous to harms contemplated by privacy torts “well-ensconced in the fabric of American law.” Though intangible, the Court found the plaintiff’s asserted harm to be concrete.

TransUnion, however, held that in lawsuits premised on the “mere risk of future harm”, courts also need to consider the type of relief sought.  TransUnion held that where plaintiffs, like Clemens, seek monetary damages, something more than mere risk of future harm is necessary to establish standing.  The Third Circuit noted that TransUnion recognized that a plaintiff can satisfy the concreteness inquiry where “the exposure to the risk of future harm itself causes a separate concrete harm.”  The Court found that the plaintiff had asserted several concrete present harms that she had already experienced as a result of the data breach, including emotional distress and time and money spent mitigating the fallout of the data breach.  Accordingly, she had established an injury in fact.

In many ways, the Third Circuit’s opinion is not significantly different from those of other Courts of Appeals that have likewise found Article III standing in data breach cases by focusing on whether the breach was the result of a malicious hack, the nature of the data accessed, and allegations of misuse.  The Second Circuit, for example, has articulated a very similar test for determining whether a data breach plaintiff has established Article III standing.  What is notable about the Clemens opinion is that it comes after TransUnion, a decision that generally raised the bar for plaintiffs seeking to establish federal standing.  The Third Circuit’s methodology for assessing standing under TransUnion’s heightened standards will likely be studied by plaintiffs’ attorneys seeking to establish standing in data breach class actions.  It would not be surprising, for example, to see plaintiffs allege emotional distress in future breach claims in order to satisfy the concreteness requirement.

It is too early to assess whether other Circuits will follow the Third Circuit’s lead.  Standing in breach cases remains a highly fact-intensive analysis, and in the wake of TransUnion and now Clemens, it is doubtful that a data breach plaintiff can establish standing if the data breach did not involve malicious hacking, the acquisition of sensitive data, or misuse of such data.