On September 2, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of a class action alleging that a defendant pharmaceutical research company’s negligence led to a data breach. According to the opinion, the plaintiff, who is a former employee of the defendant’s subsidiary, provided her sensitive personal and financial information in exchange for the defendant’s agreement, pursuant to the plaintiff’s employment agreement, to “take appropriate measures to protect the confidentiality and security” of this information. After plaintiff ended her employment with the company, a hacking group accessed the defendant’s servers through a phishing attack and stole sensitive information pertaining to current and former employees. In addition to exfiltrating the data, the hackers installed malware to encrypt the data stored on the defendant’s servers and held the decryption tools for ransom. The defendant informed current and former employees of the breach and encouraged them to take precautionary measures. To mitigate potential harm, the plaintiff took immediate action by conducting a review of her financial records and credit reports for unauthorized activity, among other things. As a result of the breach, the plaintiff alleged that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm. The district court granted the defendant’s motion to dismiss based on lack of Article III standing, concluding “that [the plaintiff’s] risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”

Read more about what the decision in Clemens v. Execupharm was vacated at InfoBytes Blog.