As the number of data breaches continue to rise, so too will the number of lawsuits filed.  As CPW previously reported, the number of data breaches in 2020 was more than double that of 2019.  One can only wonder what 2021 will bring.  Yet with this increase in data breach litigation, a recent opinion within the Third Circuit reminds us of the crucial issue of standing, which is often challenged at the onset of a lawsuit.  In a data breach, when (if ever) does a plaintiff suffer an actual injury?  Is the disclosure of certain categories of information in a breach, such as Social Security numbers, by itself enough, or must (as the majority of courts have held) a plaintiff allege that she was actually the victim of identity theft and fraudulent charges were placed on her accounts?  Clemens v. Execupharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021) reminds us that the Third Circuit at least requires more than theft or disclosure of personal information for a plaintiff to have standing in a data breach litigation.  Read on to learn more.

In Clemens, a pharmaceutical company suffered a ransomware attack.  The Plaintiff, a former employee, filed suit against her former employer after receiving a letter informing her that she “may be” part of a group of former employees whose sensitive, personal information was stolen by a third party.  The Defendant moved to dismiss the Complaint under Rule 12(b)(6) and the court sua sponte requested briefing from the parties as to whether Plaintiff had standing (as a federal court lacks subject matter jurisdiction over a lawsuit if a plaintiff does not have Article III standing).

The Plaintiff argued standing on the basis of three arguments:  (1) harm was certainly “impending” because third parties stole her personal information and then held it for ransom and posted it to the dark web; (2) the time, money, and effort she spent to protect her information was an actual harm; and (3) there was harm to her private contract rights, which confers standing even in the absence of additional harm.   The Court disagreed on all three points, and dismissed the case for lack of standing.

First, as is often the case in data breach lawsuits, the line that distinguishes between claims of actual injury (for which there is Article III standing) and speculative harms (for which there is not) can be blurry.  Here, the Court wanted to see actual identity theft or fraud after the breach, not merely a heightened fear or worry that the worst is yet to come.  The Court noted that under Third Circuit precedent, a plaintiff does not suffer a harm unless it alleges an actual “imminent . . . misuse” of personal information.

The Court took its guidance from Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).  In that case, the plaintiffs did not have standing because—although they alleged increased risks of identity theft, costs spent on monitoring their credit reports, stress and emotional distress—they did not allege actual identity theft or fraud after the breach.

Applying Reilly to the case before it, the Court found the Plaintiff’s pleadings too speculative.  In other words, alleging the theft of her information and posting it on the “dark web” by itself was not sufficient.  The Court noted that the Plaintiff’s harm was “still only ascertainable using the word ‘if’—if anyone actually downloaded her information from the dark web, if they attempt to use her information, and if they do so successfully, only then will she experience actual harm.”  Id. (emphasis added).

Second, in this case, the Plaintiff’s alleged mitigating measures were not enough.  The “time, money, and effort” the Plaintiff purportedly spent on protecting her personal information were not sufficient for standing because they were in response to a “speculative future harm that was not imminent.”  The Court also rejected the double-negative argument that there could be harm when it could not “be maintained that [the Plaintiff’s] information ha[d] not been misused”.  The Court definitively declared that “Courts in this Circuit have declined to find stolen data has been misused in the absence of fraud or identity theft.”  The court noted that this was consistent with the Supreme Court’s ruling in Clapper v. Amnesty Int’l USA.  568 U.S. 398, 416 (2013) (“Respondents’ contention that they have standing because they incurred certain costs as a reasonable reaction to a risk of harm is unavailing—because the harm respondents seek to avoid is not certainly impending.”).

Third, standing by harm through a contract is an unsettled area of law.  The Court noted that the Plaintiff could not acquire standing based on a harm of her private contract rights, but also acknowledged that the Third Circuit “has not directly weighed in on contractual standing”.

Besides the Court’s reception of the Plaintiff’s arguments, we note at least two takeaways from Clemens.

First, the wording of a data breach notice matters.  Does the notice state the recipient’s information was actually obtained illicitly, or was it only believed that the recipient was implicated?  Two of the notices quoted by the Plaintiff suggested that it was up in the air whether her information was actually accessed and posted online.  The notices did not actually state that information specific to the Plaintiff was accessed.  Instead, the closest the notices came was a statement that the Plaintiff “may be among the group of former employees impacted by this incident.”

Second, as CPW readers may remember, there is an ongoing split in opinions whether disclosure of certain categories of information, as opposed to others, is sufficient for standing.  One of the most common points of difference is Social Security numbers.  As we reported in our 2020 Year in Review, some courts have reached differing conclusions when the disclosure of a plaintiff’s Social Security number is alleged.  Sometimes, that disclosure by itself may be sufficient for standing.  Clemens, however, largely avoided this issue due to precedent (Reilly) that did not distinguish between types of information.  Instead, the Clemens court wanted to see an actual fraud or identity theft.  This may not be the response in other circuits.

Alleging standing in a data breach lawsuit is often a formidable challenge for plaintiffs, and what is required varies by circuit.  Clemens serves as a good reminder of some key issues and arguments that often come up when data breaches are litigated.  For more developments on this area of the law, stay tuned.  CPW will be there.