Third Circuit: Risk of Future Harm from Data Breach Enough for Article III Standing

The U.S. Court of Appeals for the Third Circuit recently held in Clemens v. ExecuPharm Inc. that the risk of future harm from a data breach can be enough for Article III standing, taking into consideration whether the breach was intentional, whether the data was misused, and the nature of the data accessed.

As a condition of employment, a consumer was required to provide her employer “with sensitive personal and financial information, including her address, social security number, bank and financial account numbers, insurance and tax information, her passport, and information relating to her husband and child.”  The employment agreement stated that the employer “would ‘take appropriate measures to protect the confidentiality and security’ of this information.”

Sometime after the consumer left that employment, a hacking group used a phishing attack to steal her information, as well as that of other current and former employees. Ultimately, the hackers posted the data on the Dark Web, which “is most widely used as an underground black market where individuals sell illegal products like . . . sensitive stolen data that can be used to commit identity theft or fraud.”

View this content by subscribing

Please register to unlock this content

I already have an account. Log in