Imminent And Substantial: The Third Circuit Holds That The Leak Of Personal Information Onto The Dark Web Is Sufficient To Establish An “Injury-In-Fact” – Data Protection

A recent decision from the Third Circuit suggests that the leak
of information onto the Dark Web provides standing to class action
plaintiffs in data breach litigation. In Clemens v. ExecuPharm,
Inc., 48 F.4th 146 (3d Cir. 2022), the Defendant employer
suffered a data breach that permitted a ransomware gang to steal
sensitive information pertaining to the Defendant’s current and
former employees. Eventually, the hackers posted the data on
underground websites located on the Dark Web.

The plaintiff, a former employee whose data was stolen by the
hackers, filed a class action lawsuit on behalf of herself and
other employees whose information was accessed. However, the
plaintiff did not allege that she (or any other employees) suffered
any financial losses as a result of the breach. Since showing
financial harm is traditionally a required element to establish
standing, the District Court dismissed the case.

However, the Third Circuit reversed. Interpreting the U.S.
Supreme Court’s holding in
Transunion¹, the Third Circuit
held that the leak of information onto the Dark Web by
itself constitutes an “injury-in-fact” sufficient to
provide standing to sue in federal court. Explaining their
decision, the Third Circuit wrote, “Because we can reasonably
assume that many of those who visit the Dark Web, and especially
those who seek out and access [the ransomware group’s] posts,
do so with nefarious intent, it follows that Clemens faces a
substantial risk of identify theft or fraud by virtue of her
personal information being made available on underground
websites…”

In light of this decision, and the increasingly digitized world,
employers are strongly encouraged to implement appropriate security
measures and ensure that those measures continue to comply with
ever-changing industry standards. Failure to take these
preventative measures could leave employer networks vulnerable to
data breach, subjecting employers to potential liability for the
breach of employee or customer data itself, let alone the financial
consequences that could result if such information is misused.

Footnote

1. In this case, the U.S. Supreme Court held that an
allegation of a risk of future harm is sufficient to
establish an injury-in-fact for standing purposes, if such risk of
future harm is “sufficiently imminent and substantial.”
TransUnion LLC v. Ramirez, __ U.S. __, 141 S.Ct. 2190,
2210-11 (2021).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.