CLASS ACTION FAIRNESS ACT-DATA BREACH OF DARK WEB

Clemens v. ExecuPharm Inc., 2022 U.S. App. LEXIS 24808 (September 2, 2022) (Greenaway, Jr., C.J.)

In this appeal, Jennifer Clemens asks us to reverse the District Court’s dismissal of her complaint seeking equitable and monetary relief in connection with a data breach that resulted in the publication of her sensitive personal information on the Dark Web. Clemens argues that her injury was sufficiently imminent to constitute an injury-in-fact for purposes of standing. We agree. Accordingly, we will vacate the judgment of the District Court and remand for consideration of the merits.

Clemens is a former employee of ExecuPharm, Inc. Clemens was required to provide her employer with certain sensitive personal and financial information, including her address, social security number, and the like. ExecuPharm promised to protect the confidentiality and security of this information. After Clemens left ExecuPharm, the company was hacked and the information was stolen. Clemens took immediate action to mitigate the harm. Clemens sued ExecuPharm and its parent, seeking to represent herself and others under the Class Action Fairness Act.

The court first addressed the question of standing. The court also discussed the injury in fact requirement, that it be concrete. We hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury. Clemens has alleged that a substantial risk of harm could occur, especially since the Dark Web was involved.

Clemens has alleged facts that establish traceability, at least at the pleading stage. She has identified her injuries as a direct and proximate result of the breach of contract. The failure to safeguard her information allowed her private information to be published on the Dark Web. Clemens is seeking damages to compensate her for her losses. We will vacate the district court’s dismissal regarding these claims and remand for consideration on the merits of these claims. In terms of the tort action, Clemens has sufficiently asserted her standing to bring a tort claim. Therefore, the district court’s dismissal of the tort claims was vacated.

Because we have rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently imminent, and hold that Clemens has alleged an injury-in-fact, we likewise will vacate the District Court’s decision and remand for a determination of the merits of these claims. Clemens has standing to assert her contract, tort, and secondary contract claims. For all claims, she has alleged a future injury—the risk of identity theft or fraud—that is sufficiently imminent. The breach was conducted by a known hacking group CLOP, which intentionally stole the information, held it for ransom, and published it to the Dark Web, thereby making it accessible to criminals worldwide. The nature of the information—a combination of personal and financial data—is the type that can be used to perpetrate identity theft or fraud. Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact. Accordingly, we will vacate the judgment of the District Court on all counts and remand for consideration of the merits.