3rd Circuit finds data leaked on dark web “shaming” site inferred a “substantial risk” of imminent harm

By: Nicholas Jajko

The litigation battleground in class actions arising out of data breaches is almost always fought on Article III standing. Before any discovery is exchanged or fact depositions take place, claimants must allege they have standing to sue the defendant. Standing is demonstrated by showing 1) an injury-in-fact; 2) fairly traceable to the conduct of the defendant; and 3) likely to be redressed by a favorable decision. Whether an injury-in-fact occurred because of a breach of someone’s personal information usually depends on whether there was actual harm, or harm is imminent.

While the federal circuit courts differ in their interpretation of what counts as actual and imminent harm, the Court of Appeals for the Third Circuit (Delaware, New Jersey, and Pennsylvania) recently reversed a lower court’s decision that a class action claimant had not met the “actual or imminent” injury-in-fact prong of the Article III standing analysis in her suit against a former employer. Clemens, an employee of a clinical pharmaceutical research support company for only 10 months, sued the employer alleging negligence, negligence per se, and breach of [employee] contract (among other claims) arising from access to her personal data when the company was victimized by the CL0P ransomware group in March 2020.

Like many popular ransomware “gangs,” the CL0P group “double-extorted” the employer: it encrypted the data on company systems for ransom and posted a sampling of data taken from the employer on the group’s dark web “shaming” site, to be offered for sale if the company failed to pay. Because the employer confirmed that employee Social Security numbers, driver’s license numbers, dates of birth, and financial account information were accessed by the cyber-attack group, Clemens alleged damages in the time, effort, and expense of procuring additional identity monitoring services, closing accounts and opening new ones, and seeking counseling for stress and anxiety caused by the breach. Notably, Clemens made no allegation of actual or attempted identity theft or fraud, or that her personal information was within the sampling of data posted on the shaming site.

In its opinion, the three-judge panel reinforced prior holdings that there is no bright-line rule for whether an injury was “actual or imminent” in a standing analysis, and that no single factor is dispositive. In particular, the Court held that in the data breach context, a plaintiff asserting “[exposure to] substantial risk of identity theft or fraud” may satisfy the concrete injury requirement so long as the allegations also include currently felt concrete harms, including associated costs and even emotional distress.

The Court relied on important factual distinctions underlying the imminent (rather than hypothetical) nature of the injury arising out of the double-extortion ransomware incident: 1) sensitive employee information was confirmed “accessed and encrypted”; 2) the CL0P group’s criminal intentions were clear; 3) “sensitive data” was stolen and made openly available for download on the dark web for criminal use by anyone with access; and 4) those who would access such dark web sites would inherently do so for the purpose of committing fraud and identity theft. Whether Clemens’ personal information was among the data stolen, or within the 162 GB sampling posted on the CL0P shaming site, is unclear. Similarly, whether her data was purchased and used nefariously as a result of this incident may never be proven. Nevertheless, the Court found that Clemens alleged facts which, when taken as true and with all reasonable inferences drawn in her favor, were enough to confer Article III standing and allow the case to proceed past the pleadings stage.

For cyber risk insurers and incident response counsel, the Third Circuit’s decision reinforces the importance of collecting critical data points during the incident response investigation. Counsel should work with forensic vendors to drill down on the available evidence and to form clear and concise findings. Those findings should allow counsel to separate known facts from those that are presumed or speculative before providing statutorily compliant notifications to a potential class-action class. Finally, third-party claims handlers and class action defense counsel should adjust their expectations for defending suits that arise out of double-extortion ransomware incidents accordingly.

For further information and inquiries please contact Nicholas Jajko at, Vice-Chair of FMG’s Data Security, Privacy, & Technology practice group.