{"id":881,"date":"2022-09-08T16:43:37","date_gmt":"2022-09-08T20:43:37","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/techlaw\/?p=881"},"modified":"2022-09-08T16:43:37","modified_gmt":"2022-09-08T20:43:37","slug":"imminent-harm-gives-standing-to-phishing-attack-victim-against-employer","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/techlaw\/2022\/09\/08\/imminent-harm-gives-standing-to-phishing-attack-victim-against-employer\/","title":{"rendered":"\u201cImminent\u201d Harm Gives Standing to Phishing Attack Victim Against Employer"},"content":{"rendered":"<p>In a precedential ruling, the Third Circuit reinstated a class action lawsuit filed by a former employee who was required to provide her employer with sensitive personal and financial information, which was then released on the dark web following a phishing attack, despite the employer\u2019s statement that it would take appropriate measures to protect the information.\u00a0 In <em>Clemens v. ExecuPharm Inc.<\/em>, No. 21-1506 (3d Cir. Sept. 
2, 2022), the Third Circuit:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>overturned the District Court\u2019s dismissal of the action, which rested on its finding that Plaintiff failed to allege that she experienced <strong><u>actual<\/u><\/strong> identity theft or fraud<\/li>\n<li>rejected the contention that a <strong><u>risk of<\/u><\/strong> identity theft or fraud cannot qualify as sufficiently \u201cimminent\u201d to establish standing to bring a lawsuit<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Plaintiff, a former employee of Defendant, was required as a condition of her employment to provide sensitive personal and financial information, such as her social security number, bank and financial account numbers, tax information, her passport, and information about her husband and child.\u00a0 Plaintiff\u2019s employment agreement stated that Defendant would \u201ctake appropriate measures to protect the confidentiality and security\u201d of this information.<\/p>\n<p>After Plaintiff left Defendant\u2019s employment, a hacking group used a phishing attack in March 2020 to install malware on Defendant\u2019s servers, stealing sensitive information about current and former employees, including Plaintiff.\u00a0 Either because Defendant refused to pay or for other reasons, the company\u2019s data \u2013 including 123,000 files and 162 gigabytes of data \u2013 was released on the dark web, as confirmed by screenshots taken by an intelligence firm.<\/p>\n<p>Plaintiff promptly took action, including: (1) enrolling in Defendant\u2019s complimentary one-year credit monitoring services, (2) transferring her account to a new bank, and (3) placing fraud alerts on her credit reports.<\/p>\n<p>Plaintiff filed a class action lawsuit asserting claims for breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, and breach of fiduciary duty.\u00a0 Plaintiff alleged that she sustained injuries as a result of the data breach 
\u2013 primarily the <strong><u>risk of<\/u><\/strong> identity theft and fraud \u2013 in addition to the investment of time and money to mitigate potential harm.<\/p>\n<p>The District Court dismissed the case, stating that Plaintiff had not yet experienced <span style=\"text-decoration: underline\"><strong>actual<\/strong><\/span> identity theft or fraud, and thus she had no standing to bring this action.<\/p>\n<p>First, the Third Circuit explained that, for an injury-in-fact to support standing to bring a lawsuit, the injury must be \u201cactual <u>or<\/u> imminent,\u201d which indicates that Plaintiff need not wait until she has actually sustained the feared harm in order to seek judicial redress.\u00a0 Instead, Plaintiff can file suit when the risk of harm becomes imminent: \u201cmeaning it poses a substantial risk of harm \u2013 versus hypothetical in the data breach context.\u201d\u00a0 <em>Id<\/em>. at 10.\u00a0 The Third Circuit noted that many factors bear on whether a risk is \u201cimminent,\u201d including whether:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>the data breach was intentional<\/li>\n<li>the data was misused<\/li>\n<li>the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Second, the Third Circuit cited to U.S. 
Supreme Court cases which ruled that an intangible injury \u2013 which is an injury that does not represent a purely physical or monetary harm to a plaintiff \u2013 may be a \u201cconcrete\u201d injury.<\/p>\n<p>Third, the Third Circuit analyzed the employment agreement in which Defendant expressly contracted to \u201ctake appropriate measures to protect the confidentiality and security\u201d of this information.<\/p>\n<p>Thus, the Third Circuit is permitting the class action to proceed in the District Court.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a precedential ruling, the Third Circuit reinstated a class action lawsuit filed by a former employee who was required to provide her employer with sensitive personal and financial information, which was then released on the dark web following a phishing attack, despite the employer\u2019s statement that it would take appropriate measures to protect the &hellip; <\/p>\n","protected":false},"author":265,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"ppma_author":[976],"class_list":["post-881","post","type-post","status-publish","format-standard","hentry","category-infotechtelecom"],"authors":[{"term_id":976,"user_id":265,"is_guest":0,"slug":"srwiggins","display_name":"Sheila Raftery 
Wiggins","avatar_url":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2021\/12\/wigginssheila-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/users\/265"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/comments?post=881"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/881\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/media?parent=881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/categories?post=881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/tags?post=881"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/ppma_author?post=881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}