Class-Action Suits Over Data Breaches No Longer Require Proof of Actual Harm, According to Federal Appeals Court Ruling
Requirements are loosening for an organization to be held legally and financially responsible for stolen private data, cybersecurity attorney explains
- By Kristal Kuykendall
- 09/27/22
As ransomware attacks targeting the education sector grab more headlines every week, a new ruling from a federal appeals court has made it easier for people whose data is breached and leaked on the dark web to sue the organizations where the data was compromised.
The ruling from U.S. Court of Appeals for the Third Circuit means that the requirement for a data breach plaintiff to have suffered "actual or imminent harm" is shifting along with the fast-changing landscape of cybersecurity and data privacy, said attorney Harris S. Freier, partner at Genova Burns and head of the firm's Privacy and Cybersecurity Practice.
Freier, whose litigation specialties include employment and trade secret cases as well as data privacy law, wrote about the Third Circuit decision in a recent blog post.
Earlier this month, the Third Circuit Court of Appeals' three-judge panel unanimously reinstated a putative class-action suit against a company that suffered a ransomware attack, leading to her sensitive information being released onto the dark web.
Lead plaintiff Jennifer Clemens, a former employee of ExecuPharm based in Massachusetts, sued after the company experienced a ransomware attack and the data stored on its servers was published on the dark web, according to court documents.
Notably, Clemens did not suffer identity theft following the breach. After the company notified employees of the breach, Clemens "took swift action by reviewing her financial records and credit reports, switching banks and purchasing credit monitoring services," according to court documents summarized by Freier.
In February 2021, the District Court for the Eastern District of Pennsylvania dismissed her case for lack of standing, due to the "speculative nature" of the injuries to the employees. But the decision issued on Sept. 2, 2022, by the Third Circuit Court of Appeals vacated the dismissal and remanded the case for consideration on the merits — giving the potential class of plaintiffs a new chance for relief and putting organizations that store PII data on notice, Freier explained.
The nature of the cyberattack targeting the company is spelled out in the appellate court ruling: "A hacking group known as CLOP accessed ExecuPharm's servers through a phishing attack in March 2020, stealing sensitive information pertaining to current and former employees, including Clemens. Specifically, the stolen information contained Social Security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver's license numbers, sensitive tax forms, and passport numbers. In addition to exfiltrating the data, CLOP installed malware to encrypt the data stored on ExecuPharm's servers. Then, CLOP held the decryption tools for ransom, threatening to release the information if ExecuPharm did not pay the ransom. Either because ExecuPharm refused to pay or for nefarious reasons unknown, the hackers made good on their threat and posted the data on underground websites located on the dark web."
Clemens sued under the Class Action Fairness Act, with claims for negligence, breach of contract, breach of fiduciary duty and breach of confidence.
The Third Court Court of Appeals clarified that an injury can be "imminent" in order to qualify for standing, and does not need to have actually taken place at the time of suit being filed. Based on precedent in recent data breaches, the Court of Appeals "determined that the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group," Freier wrote in his case analysis.
"The Court followed the trend of other jurisdictions, which found that actual misuse of the data is not necessarily required in this context," Freier wrote. "Finally, to conclude its analysis for standing, the Court also determined that an intangible injury, such as the injury in question, can count as sufficiently concrete. The emotional distress that a victim of a data breach experiences is sufficient."
Direct Correlation to Ransomware Attacks in Education
The primary factors cited by the Appeals Court decision were whether the data breach was an intentional act by threat actors, and whether the data was misused — though it noted misuse is not necessarily required. The types of data included in this breach, such as Social Security numbers, birth dates, and names, are more likely to create a risk of identity theft or fraud, the court said.
From a public policy perspective, the Court of Appeals warned of "uniquely drastic consequences" of failing to uphold information security agreements in the digital age.
"Because we can reasonably assume that many of those who visit the dark web, and especially those who seek out and access CLOP's posts, do so with nefarious intent, it follows that Clemens faces a substantial risk of identity theft or fraud by virtue of her personal information being made available on underground websites," the Appeals Court judges said in their decision. "This set of facts clearly presents a more imminent injury than the ones we deemed to establish only a hypothetical injury" in previous decisions in data-breach lawsuits.
Freier said that organizations — including ed tech providers and education institutions — should take all possible precautions to protect private data stored within their systems, as the possibility of being held financially liable after a data breach is growing.
"Now a victim of a data breach no longer needs to wait to suffer a direct harm such as their identity is stolen, and they must pay credit card and bank fees resulting from the identity theft," he said. "Instead, the fact that a company is a victim of a hack, and the data has been released on the dark web, which is normally the threat if a ransom is not paid to one of these nefarious hackers, is enough to allow any victims of the breach to bring suit, even if they have not yet suffered any harm resulting from the breach."
Nothing in this ruling would exclude education institutions from being similarly sued over a data breach, Freier added.
"Remember that educational institutions that receive federal funding are also subject to the Family Educational Rights and Privacy Act, which protects educational records. A hack whereby educational records of students are exposed to a third party by definition violates FERPA," he explained. "An educational institution that is the victim of hack therefore has not only the potential class-action for negligence and potential contract claims, but it has the added potential liability of the violation of FERPA, which is dealt with by the Department of Education."
Noting FERPA's lack of requirements for schools to disclose a data breach, Freier said: "A class-action lawsuit will also be a surefire way for the DOE to become aware of the breach."
The ruling applies to any organization that stores PII, whether it is the PII of former or current employees or of current or former students or users of its software or services, he said.
"No matter the circumstance, the major cause of action (in a data breach lawsuit) is almost always going to be negligence, and if the company or college did not follow state data breach notification law, a claim for violation of the state's data breach law as well," he said. "In the Clemens case, the contract claim was based upon an employment agreement, but it is easy to see a similar claim being made against a college based on (a breach of) enrollment or financial aid documents."
Freier cited a similar ruling from last year that also opened up to lawsuits organizations whose data was stolen by a hacker, even when identity theft or fraud hadn't yet hit every person whose data was stolen.
"Last year, the Second Circuit ruled in McMorris v. Carlos Lopez & Associates that to determine if there is standing for a plaintiff who has not yet suffered damages from a data breach to pursue a claim based on imminent harm, that a court should look at three factors: (i) was the data stolen by a hacker (was this an intentional theft of data); (ii) has anyone whose data was stolen had that data misused, even if the plaintiff has not yet; and (iii) is the data of the type leading to a high risk of identity theft or fraud such as social security numbers along with matching names," Freier said. "While the Third Circuit did not set forth a framework as detailed or necessarily as rigid as the Second Circuit, it looked at many of the same factors.
"The Third Circuit decision makes it easier than ever for victims of data breaches to pursue class actions even if they have not yet been harmed. Businesses should also consider cyber insurance due to the increasing threats of data breaches and resulting class-action litigation," he added. "Obviously, preventing cyber attacks and responding appropriately if and when the breaches occur, are the best ways to reduce potential class-action liability."