CLASS ACTION FAIRNESS ACT-DATA BREACH OF DARK WEB

September 16th, 2022 by Rieders Travis in Miscellaneous

Clemens v. ExecuPharm Inc., 2022 U.S. App. LEXIS 24808 (September 2, 2022) (Greenaway, Jr., C.J.)  In this appeal, Jennifer Clemens asks us to reverse the District Court’s dismissal of her complaint seeking equitable and monetary relief in connection with a data breach that resulted in the publication of her sensitive personal information on the Dark Web. Clemens argues that her injury was sufficiently imminent to constitute an injury-in-fact for purposes of standing. We agree. Accordingly, we will vacate the judgment of the District Court and remand for consideration of the merits.  Clemens is a former employee of ExecuPharm, Inc.  Clemens was required to provide her employer with certain sensitive personal and financial information, including her address, social security number, and the like.  ExecuPharm promised to protect the confidentiality and security of this information.  After Clemens left ExecuPharm, the company was hacked, stealing the information.  Clemens took immediate action to mitigate the harm.  Clemens sued ExecuPharm and its parent, seeking to represent herself and others under the Class Action Fairness Act.  The court first addressed the question of standing.  The court also discussed the injury in fact requirement, that it be concrete.  We hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.  Clemens has alleged that a substantial risk of harm could occur, especially since the Dark Web was involved.  Clemens has alleged facts that establish traceability, at least at the pleading stage.  She has identified her injuries as a direct and proximate result of the breach of contract.  The failure to safeguard her information allowed her private information to be published on the Dark Web.  Clemens is seeking damages to compensate her for her losses.  We will vacate the district court’s dismissal regarding these claims and remand for consideration on the merits of these claims.  In terms of the tort action, Clements has sufficiently asserted her standing to bring a tort claim.  Therefore, the district court’s dismissal of the tort claims was vacated.  Because we have rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently imminent, and hold that Clemens has alleged an injury-in-fact, we likewise will vacate the District Court’s decision and remand for a determination of the merits of these claims. Clemens has standing to assert her contract, tort, and secondary contract claims. For all claims, she has alleged a future injury—the risk of identity theft or fraud—that is sufficiently imminent. The breach was conducted by a known hacking group CLOP, which intentionally stole the information, held it for ransom, and published it to the Dark Web, thereby making it accessible to criminals worldwide. The nature of the information—a combination of personal and financial data—is the type that can be used to perpetrate identity theft or fraud. Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact. Accordingly, we will vacate the judgment of the District Court on all counts and remand for consideration of the merits.

Attorney Cliff Rieders

Attorney Cliff RiedersCliff Rieders is a Nationally Board Certified Trial Lawyer practicing personal injury law. A large part of his practice involves multi-district litigation, including cases related to pharmaceuticals, vitamin supplements and medical devices. He is admitted in several state and federal courts, as well as the Supreme Court of the United States. Rieders is the past regional president of the Federal Bar Association and is a life member of the distinguished American Law Institute, which promulgates proposed rules adopted by many state courts. He is a past president of the Pennsylvania Association for Justice, formerly Pennsylvania Trial Lawyers Association. As a founder of the Pennsylvania Patient Safety Authority, he served on the Board for 15 years.

Not only has Rieders held many highly esteemed, leadership positions, he authored legislation related to the Patient Safety Authority and the Mcare Act, which governs medical and hospital liability actions in Pennsylvania. He authored texts upon which both practitioners and judges rely, including Pennsylvania Malpractice Laws and Forms, and Financial Responsibility Law Issues in Pennsylvania, the latter governing auto and truck collisions in Pennsylvania. In addition, he wrote several books on the practice of law in Pennsylvania regarding wrongful death and survivor actions, insurance bad faith, legal malpractice claims and worker rights, among others. Rieders also serves as a resource to practitioners as a regular speaker for Celesq, an arm of the world’s largest legal publisher, Thomson Reuters West Publishing.

As recognition of his wide range of contribution to his profession and of his dedication to protecting the rights of his clients, he received numerous awards, among them the George F. Douglas Amicus Curiae Award, the Milton D. Rosenberg Award, the B’nai B’rith Justice Award, and awards of recognition from the Pennsylvania Trial Lawyers. [ Attorney Bio ]

RECENT ARTICLES

 

Article Categories