Federal Appeals Court Ruling Means Class-Action Suits Over Data Breaches No Longer Require Proof of Actual Harm

The Requirements are Loosening for an Organization to be Held Legally and Financially Liable for Stolen Private Data, Cybersecurity Attorney Explains

As ransomware attacks targeting the education sector grab more headlines every week, a new ruling from a federal appeals court has further lowered the bar for people whose data is breached and leaked on the dark web to sue the organizations where the data was compromised.

The ruling from U.S. Court of Appeals for the Third Circuit means that the requirement for a data breach plaintiff to have suffered “actual or imminent harm” is shifting along with the fast-changing landscape of cybersecurity and data privacy, said attorney Harris S. Freier, partner at Genova Burns and head of the firm’s Privacy and Cybersecurity Practice.

Freier, whose litigation specialties include employment and trade secret cases as well as data privacy law, wrote about the Third Circuit decision and spoke with THE Journal about its potential impacts in the education sector.

Earlier this month, the Third Circuit Court of Appeals’ three-judge panel unanimously reinstated a putative class-action suit against a company that suffered a ransomware attack, leading to her sensitive information being released onto the dark web.

Lead plaintiff Jennifer Clemens, a former employee of ExecuPharm based in Massachusetts, sued after the company experienced a ransomware attack and the data stored on its servers was published on the dark web, according to court documents.

Notably, Clemens did not suffer identity theft following the breach. After the company notified employees of the breach, Clemens “took swift action by reviewing her financial records and credit reports, switching banks and purchasing credit monitoring services,” according to court documents summarized by Freier.

In February 2021, the District Court for the Eastern District of Pennsylvania dismissed her case for lack of standing, due to the “speculative nature” of the injuries to the employees. But the decision issued on Sept. 2, 2022, by the Third Circuit Court of Appeals vacated the dismissal and remanded the case for consideration on the merits — giving the potential class of plaintiffs a new chance for relief and putting organizations that store PII data on notice, Freier told THE Journal..

The nature of the cyberattack targeting the company is spelled out in the appellate court ruling: “A hacking group known as CLOP accessed ExecuPharm’s servers through a phishing attack in March 2020, stealing sensitive information pertaining to current and former employees, including Clemens. Specifically, the stolen information contained Social Security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, sensitive tax forms, and passport numbers. In addition to exfiltrating the data, CLOP installed malware to encrypt the data stored on ExecuPharm’s servers. Then, CLOP held the decryption tools for ransom, threatening to release the information if ExecuPharm did not pay the ransom. Either because ExecuPharm refused to pay or for nefarious reasons unknown, the hackers made good on their threat and posted the data on underground websites located on the dark web.”

Clemens sued under the Class Action Fairness Act, with claims for negligence, breach of contract, breach of fiduciary duty and breach of confidence.

The Third Court Court of Appeals clarified that an injury can be “imminent” in order to qualify for standing, and does not need to have actually taken place at the time of suit being filed. Based on precedent in recent data breaches, the Court of Appeals “determined that the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group,” Freier wrote in his case analysis.

“The Court followed the trend of other jurisdictions, which found that actual misuse of the data is not necessarily required in this context,” Freier wrote. “Finally, to conclude its analysis for standing, the Court also determined that an intangible injury, such as the injury in question, can count as sufficiently concrete. The emotional distress that a victim of a data breach experiences is sufficient.”

Direct Correlation to Ransomware Attacks in Education

The primary factors cited by the Appeals Court decision were whether the data breach was an intentional act by threat actors, and whether the data was misused — though it noted misuse is not necessarily required. The types of data included in this breach, such as Social Security numbers, birth dates, and names, are more likely to create a risk of identity theft or fraud, the court said.

While most of the publicly disclosed ransomware attacks targeting K–12 schools and ed tech providers over the past year have not — according to the targeted organizations’ official notification letters — included Social Security numbers of students, many have included every type of PII of staff members. For example, dark web data leak site of one ransomware group known to be targeting education, Vice Society, was viewed last week by THE Journal; the group since Jan. 1 has published extensive data files from nine U.S. school districts. One district’s files included a clearly labeled PDF of every employee W-2 statement going back over a decade, with all the personal information on every employee included and accessible for bad actors to download and misuse. 

From a public policy perspective, the Court of Appeals warned of “uniquely drastic consequences” of failing to uphold information security agreements in the digital age.

“Because we can reasonably assume that many of those who visit the dark web, and especially those who seek out and access CLOP’s posts, do so with nefarious intent, it follows that Clemens faces a substantial risk of identity theft or fraud by virtue of her personal information being made available on underground websites,” the Appeals Court judges said in their decision. “This set of facts clearly presents a more imminent injury than the ones we deemed to establish only a hypothetical injury” in previous decisions in data-breach lawsuits.

Freier told THE Journal that organizations — including ed tech providers and public schools serving minors — should take all possible precautions to protect private data stored within their systems, as the possibility of being held financially liable after a data breach is growing.

“Now a victim of a data breach no longer needs to wait to suffer a direct harm such as their identity is stolen, and they must pay credit card and bank fees resulting from the identity theft,” he said. “Instead, the fact that a company is a victim of a hack, and the data has been released on the dark web, which is normally the threat if a ransom is not paid to one of these nefarious hackers, is enough to allow any victims of the breach to bring suit, even if they have not yet suffered any harm resulting from the breach.”

Nothing in this ruling would exclude educational institutions from being similarly sued over a data breach, Freier said.

“Remember that educational institutions that receive federal funding are also subject to the Family Educational Rights and Privacy Act, which protects educational records. A hack whereby educational records of students are exposed to a third party by definition violates FERPA,” he explained. “An educational institution that is the victim of hack therefore has not only the potential class-action for negligence and potential contract claims, but it has the added potential liability of the violation of FERPA, which is dealt with by the Department of Education.”

Noting FERPA’s lack of requirements for schools to disclose a data breach, Freier said: “A class-action lawsuit will also be a surefire way for the DOE to become aware of the breach.”

The ruling applies to any organization that stores PII, whether it is the PII of former or current employees or of current or former students or users of its software or services, he said.

“No matter the circumstance, the major cause of action (in a data breach lawsuit) is almost always going to be negligence, and if the company or college did not follow state data breach notification law, a claim for violation of the state’s data breach law as well,” he said. “In the Clemens case, the contract claim was based upon an employment agreement, but it is easy to see a similar claim being made against a college based on (a breach of) enrollment or financial aid documents.”

In the case of K–12 schools, he said, a data breach that resulted in the public disclosure of academic records or PII on the dark web would put the district in an increasingly hot seat, legally and financially.

“In the case of minors, the rights to educational records are controlled by the parents/guardians, and a cyberattack where educational records are exposed to a third party is a FERPA violation, so that means the school is not only dealing with a potential class-action but also a potential Department of Education investigation,” Freier told THE Journal.

Freier cited a similar ruling from last year that also opened up to lawsuits organizations whose data was stolen by a hacker, even when identity theft or fraud hadn’t yet hit every person whose data was stolen.

“Last year, the Second Circuit ruled in McMorris v. Carlos Lopez & Associates that to determine if there is standing for a plaintiff who has not yet suffered damages from a data breach to pursue a claim based on imminent harm, that a court should look at three factors: (i) was the data stolen by a hacker (was this an intentional theft of data); (ii) has anyone whose data was stolen had that data misused, even if the plaintiff has not yet; and (iii) is the data of the type leading to a high risk of identity theft or fraud such as social security numbers along with matching names,” Freier said. “While the Third Circuit did not set forth a framework as detailed or necessarily as rigid as the Second Circuit, it looked at many of the same factors.

“The Third Circuit decision makes it easier than ever for victims of data breaches to pursue class actions even if they have not yet been harmed. Businesses should also consider cyber insurance due to the increasing threats of data breaches and resulting class-action litigation,” he added. “Obviously, preventing cyber attacks and responding appropriately if and when the breaches occur, are the best ways to reduce potential class-action liability.”

Cybersecurity consultant Doug Levin, national director of K12 Security Information Exchange, said it’s long past time for schools and ed tech providers to do whatever it takes to protect student and staff data — specifically, he said, it’s time for the decision-makers to give the IT practitioners whatever resources they need to get the job done.

“The idea that school districts — and their vendors — could be subject to class-action lawsuits for data breach incidents would send a much-needed ‘cybersecurity shock’ through the K–12 sector. On the positive side, it would result in a shift in the ultimate responsibility for cybersecurity risk management from the IT department to the superintendent, CFO, and school board where it belongs,” Levin told THE Journal. “Moreover, it would be instrumental in driving the implementation of a number of common-sense privacy and cybersecurity controls that many districts have been heretofore challenged to implement.”

Levin noted that without guidance and support for organizations like K12SIX and funding from external sources, “many districts may struggle to implement necessary changes.”

“I would expect that this ruling could lead to dramatic shifts in the schools’ interest in using specific ed tech apps and services they may have previously relied on,” he said. “I would hope that in the interest of improved privacy and security, the impact on district operations would be muted, but it is possible that the ruling could have large and significant impacts on the use of technology across K–12.”

Featured