Clemens v. ExecuPharm Inc.
Mark S. Goldman, Goldman Scarlato & Penny, 161 Washington Street, 8 Tower Bridge, Suite 1025, Conshohocken, PA 19428, J. Austin Moore [ARGUED], Norman E. Siegel, Barrett J. Vahle, Caleb J. Wagner, Stueve Siegel Hanson, 460 Nichols Road, Suite 200, Kansas City, MO 64112, Counsel for Appellant
Shifali Baliga, Kristine M. Brown, Donald M. Houser [ARGUED], Alston & Bird, 1201 West Peachtree Street, One Atlantic Center, Suite 4900, Atlanta, GA 30309, Mathieu Shapiro, Obermayer Rebmann Maxwell & Hippel, 1500 Market Street, Centre Square West, 34th Floor, Philadelphia, PA 19102, Counsel for Appellees
Before: GREENAWAY, JR., KRAUSE, and PHIPPS, Circuit Judges.
In this appeal, Jennifer Clemens asks us to reverse the District Court's dismissal of her complaint seeking equitable and monetary relief in connection with a data breach that resulted in the publication of her sensitive personal information on the Dark Web. Clemens argues that her injury was sufficiently imminent to constitute an injury-in-fact for purposes of standing. We agree. Accordingly, we will vacate the judgment of the District Court and remand for consideration of the merits.
Clemens is a former employee of ExecuPharm, Inc. ("ExecuPharm" or "the Company"), a subsidiary of the global biopharmaceutical company Parexel International Corp. ("Parexel"). As a condition of her employment, Clemens was required to provide ExecuPharm with sensitive personal and financial information, including her address, social security number, bank and financial account numbers, insurance and tax information, her passport, and information relating to her husband and child. In exchange, Clemens's employment agreement provided that ExecuPharm would "take appropriate measures to protect the confidentiality and security" of this information. J.A. 41 ¶ 58. Based on the complaint's allegations, ExecuPharm did not perform its obligation.
After Clemens had left ExecuPharm, a hacking group known as CLOP accessed ExecuPharm's servers through a phishing attack in March 2020, stealing sensitive information pertaining to current and former employees, including Clemens. Specifically, the stolen information contained social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver's license numbers, sensitive tax forms, and passport numbers. In addition to exfiltrating the data, CLOP installed malware to encrypt the data stored on ExecuPharm's servers. Then, CLOP held the decryption tools for ransom, threatening to release the information if ExecuPharm did not pay the ransom. Either because ExecuPharm refused to pay or for nefarious reasons unknown, the hackers made good on their threat and posted the data on underground websites located on the Dark Web, which is J.A. 25 ¶ 15. Screenshots by an Israel-based intelligence firm confirm that CLOP made available for download at least one archive containing nearly 123,000 files and 162 gigabytes of data pertaining to ExecuPharm and Parexel, including sensitive employee information.
Throughout March and April of 2020, ExecuPharm provided periodic updates to current and former employees to inform them of the breach and encourage them to take precautionary measures. ExecuPharm appreciated the risks, cautioning current and former employees that "[u]nauthorized access to [the compromised] information may potentially lead to the misuse of [their] personal data to impersonate [them] and/or to commit, or allow third parties to commit, fraudulent acts such as securing credit in [their] name." J.A. 30 ¶ 28.
To mitigate potential harm, Clemens took immediate action. She conducted a review of her financial records and credit reports for unauthorized activity; placed fraud alerts on her credit reports; transferred her account to a new bank; enrolled in ExecuPharm's complimentary one-year credit monitoring services; and purchased three-bureau credit monitoring services for herself and her family for $39.99 per month for additional protection. As a result of the breach, Clemens alleges that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm.
Seeking redress, Clemens brought suit against ExecuPharm and Parexel in the United States District Court for the Eastern District of Pennsylvania. She sought to represent herself and a class of all others whose personal information was compromised, as well as a subclass of current and former ExecuPharm employees whose employment agreements promised that the Company would take appropriate measures to protect their personal data. She invoked the subject matter jurisdiction of the District Court under the Class Action Fairness Act, 28 U.S.C. § 1332(d).
She asserted claims for negligence (Count I), negligence per se (Count II), and breach of implied contract (Count III) against both Defendants. She also asserted claims for breach of contract (Count IV), breach of fiduciary duty (Count V), and breach of confidence (Count VI) against ExecuPharm. Lastly, she sought a declaratory judgment that Defendants' existing data security measures fail to comply with their fiduciary duties of care and that instructs them to implement and maintain industry-standard measures.
ExecuPharm and Parexel filed a motion to dismiss the complaint under Federal Rule of Civil Procedure 12(b)(6). The District Court ordered the parties to submit supplemental briefing regarding Clemens's standing, and, after receiving that briefing, granted the motion to dismiss on February 25, 2021 based on lack of Article III standing. Specifically, the District Court stated that it sought to follow our "bright line" rule providing that allegations of an increased risk of identity theft resulting from a security breach are insufficient for standing. J.A. 9 (quoting In re Rutter's Inc. Data Sec. Breach Litig., 511 F. Supp. 3d 514, 525 (M.D. Pa. 2021)). Applying our decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), the District Court concluded that Clemens's risk of future harm was not imminent, but "speculative," because she had not yet experienced actual identity theft or fraud. J.A. 9-11. This conclusion also meant that any money Clemens spent to mitigate the speculative risk was likewise insufficient to confer standing. The District Court additionally held that, even if ExecuPharm breached the employment agreement, it would not have automatically given Clemens standing to assert her breach of contract claim. Clemens timely appealed and seeks vacatur of the District Court's dismissal of her complaint.
A. Article III Standing Requirements
Article III standing requires a plaintiff to demonstrate: "(1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief." Thole v. U.S. Bank N.A., ––– U.S. ––––, 140 S. Ct. 1615, 1618, 207 L.Ed.2d 85 (2020) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). Only the first two prongs are disputed on appeal.
With regard to the injury-in-fact prong, the injury must be "actual or imminent, not ‘conjectural’ or ‘hypothetical.’" Lujan, 504 U.S. at 560, 112 S.Ct. 2130 (citations omitted). That "actual or imminent" is disjunctive is critical: it indicates that a plaintiff need not wait until he or she has actually sustained the feared harm in order to seek judicial redress, but can file suit when the risk of harm becomes imminent. This is especially important in the data breach context, where the disclosure of the data may cause future harm as opposed to currently felt harm. In this way, depending on the nature of the data at issue, claims flowing from a data breach can differ from traditional tort claims like defamation or invasion of privacy. While a claim arising from a data breach may share some commonalities with such torts—e.g., in that it may involve the publication of information to a third party or unauthorized access to private information—the latter claims involve actual injury. A claim for defamation, for instance, rests on the "reputational harm" that flows from the publication of a statement "that would subject [the victim] to hatred, contempt, or ridicule." TransUnion LLC v. Ramirez, ––– U.S. ––––, 141 S. Ct. 2190, 2208-09, 210 L.Ed.2d 568 (2021) (quoting Milkovich v. Lorain Journal Co., 497 U.S. 1, 13, 110 S.Ct. 2695, 111 L.Ed.2d 1 (1990)). And a claim for invasion of privacy contemplates that the exposure "cause[s] mental suffering, shame or humiliation" to the victim. Pro Golf Mfg., Inc. v. Tribune Rev. Newspaper Co., 570 Pa. 242, 809 A.2d 243, 248 (2002). By contrast, the type of data involved in a data breach may be such that mere access and publication do not cause inherent harm to the victim. Reilly, 664 F.3d at 42. Even then, however, it can still poise the victim to endure the kind of future harm that qualifies as "imminent."
Indeed, allegations of future injury "suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk’ that the harm will occur." Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014) (quoting ...