When victims of data breaches sue, courts are often sympathetic to their fears of identity theft and fraud.1 But such worst-case outcomes materialize only in the future, if at all, which runs up against standing doctrine’s requirement of an actual or imminent injury. This tension has bedeviled courts for a decade, dating back at least to the Supreme Court’s tightening of “imminence” in Clapper v. Amnesty International USA.2 Recently, in Clemens v. ExecuPharm Inc.,3 the Third Circuit held that a plaintiff whose personal data had been stolen but who had yet to suffer any financial loss had nevertheless pleaded an imminent injury because there was a “substantial risk” that harm would occur.4 Clemens is notable for distinguishing, if not overruling, circuit precedent seeming to require actual misuse of personal data.5 But on a broader view, it is just the latest in a long string of data breach cases that have reached conflicting conclusions on standing under largely identical facts.6 While Clemens falls on the more defensible side of this divide, it represents yet another missed opportunity for courts to evolve this area of law in response to the rising epidemic of data insecurity.
Jennifer Clemens provided ExecuPharm, Inc., her former employer, with “significant amounts of her personal and financial information,” which ExecuPharm promised to “take appropriate measures to protect.”7 But in March 2020, a criminal ransomware group accessed ExecuPharm’s servers and exfiltrated thousands of employee records with “full names, home addresses, social security numbers, . . . [and] credit card and bank information.”8 The hackers made “some of [this] information . . . available for download on the ‘dark web,’”9 the underbelly of the Internet where stolen data is traded. ExecuPharm notified Clemens of the breach, stating that it “believe[d] sensitive information ha[d] been accessed” and “shared on the dark web” and that she “may [have] be[en] among the group of former employees impacted.”10
Clemens sued ExecuPharm in the Eastern District of Pennsylvania, seeking individual and class relief on a variety of contract and tort theories.11 She alleged several common law injuries: “[S]ubstantial and imminent risk of future harm” from identity theft or fraud, “significant time and effort” spent on mitigation, and harm to her “private contract rights.”12 Crucially, however, Clemens did not “allege [that] she ha[d] [actually] experienced any identity theft or fraud.”13
Seizing on this fact, the district court granted ExecuPharm’s motion to dismiss.14 After reciting the familiar Article III standing test — injury in fact, traceability, redressability — the court homed in on injury in fact, which requires an injury that is “concrete,” “particularized,” and “actual or imminent.”15 It found this case indistinguishable from Reilly v. Ceridian Corp.,16 a precedent holding that the increased risk of identity theft from a data breach was not a cognizable injury because the causal chain was too “attenuated” and “dependent on entirely speculative, future actions of an unknown third-party” (the would-be fraudster).17 That the hacker here was identifiable, had “criminal intent,” undeniably accessed the data, and even published some of it were “distinctions without a difference.”18 For example, although Clemens’s data was on the dark web, someone had to “actually download[] her information,” “attempt to use” it, and “do so successfully” for harm to occur.19 The district court then disposed of Clemens’s other bases for standing: “[T]ime, money and effort” spent to avoid a speculative injury is not itself an injury, and it isn’t clear that “a contractual breach categorically creates an Article III injury.”20 Clemens timely appealed.21
The Third Circuit vacated and remanded.22 Writing for the panel, Judge Greenaway23 held that Clemens had standing to bring her claims,24 with the bulk of the analysis centered on the “actual or imminent” prong of injury in fact.25 He conceded that “mere access and publication” of data may not “cause inherent harm” — hence, no actual injury — but asserted that a data breach might “still poise the victim to endure” imminent future harms, like identity theft or fraud.26 He clarified that Reilly “did not create a bright line rule precluding standing” based on future risks, as such a reading would “directly contravene” Supreme Court precedent that plaintiffs need not “wait until they . . . sustain[] an actual injury to bring suit.”27 Instead, synthesizing cross-circuit precedent, he held that it is enough for there to be a “substantial risk” of harm,28 which exists if (1) the “breach was intentional,” (2) “the data was misused,” and (3) “the nature of the [breached] information . . . could subject a plaintiff to a risk of identity theft.”29
Applying these factors, Judge Greenaway agreed with Clemens that the risk of harm here was imminent: (1) the ransomware group intentionally “launched a sophisticated phishing attack” at ExecuPharm; (2) it misused ExecuPharm’s data by holding it for ransom; and (3) the data included both personal and financial information, a “particularly concerning” combination that “could be used to perpetrate both identity theft and fraud.”30 Moreover, whereas Reilly involved “an unknown hacker who potentially gained access to sensitive information,”31 here, the hacker was a “sophisticated” and “notorious” operator who had “already published Clemens’s data on the Dark Web.”32
Judge Phipps concurred in the judgment.33 He argued that themajority “unnecessar[ily]” applied the Article III standing test,34 which only governs “claims seeking to vindicate constitutional or statutory rights”35 and “operates as a supplement to, not a substitute for” standing predicated on “traditionally recognized cause[s] of action.”36 In his view, the fact that Clemens’s claims, which sounded in contract and tort, were “of the sort traditionally amenable to, and resolved by, the judicial process” was sufficient in and of itself to confer standing.37
Clemens’s discretion-laden test for imminent injuries perpetuates the unfortunate trend in data breach cases of standing hinging on minute and subjective differences in the facts. The Third Circuit should have taken a different approach and held that while Clemens suffered no imminent injury under the reasoning of Reilly, she did suffer an actual injury by virtue of having her data stolen and subsequently needing to take costly precautions against identity theft. Such a reorientation would eschew guesswork about probabilities in favor of a more objective evaluation of the sensitivity of the breached data, yielding more consistent judgments in favor of meritorious plaintiffs while penalizing companies for lax security practices. An actual-injury analysis would thus strike a better balance between the many considerations at play in data breach litigation: recompense for plaintiffs, fairness for defendants, administrability for courts, and protections for society.
Having characterized Clemens’s injury as “the risk of identity theft or fraud,”38 the Clemens court was obliged to ask, for standing purposes, whether this risk was imminent. The problem is that imminence is unworkable in the context of data breaches. Of the three factors the court considered — intent of the hacker, evidence of actual misuse, and sensitivity of the data39 — only the third is sensible: the kind of data that was compromised is both objectively determinable and determinative of the potential harm.40 By contrast, the second factor, actual misuse,41 is fraught because it is hard to trace identity theft back to a specific breach;42 not to mention, it cuts against the court’s own assertion that “a plaintiff need not wait until . . . she has actually sustained the feared harm” to sue.43 And the first factor, hacker intent, is harder still to pin down. Even if it could be determined that a hacker were motivated by, say, espionage, that hardly rules out opportunistic fraud.44 Nor does sophistication, which seemed to influence the court’s analysis,45 necessarily correlate with imminence: criminal outfits like the one that hacked ExecuPharm depend on companies ponying up for the safe return of their data, so misuse would undercut the hackers’ own business.46 On top of it all, standing is usually challenged on a motion to dismiss,47 at which stage much of what plaintiffs know about the breach comes from the breached company itself — yet governing state law typically does not require disclosure of details like the hacker’s identity,48 and companies are increasingly reluctant to offer up such information,49 making it exceptionally difficult for plaintiffs to plead the requisite facts.
Unsurprisingly, these multifactor tests have proven something of a lottery. Courts have divined opposite meanings from the same facts.50 They have held differently in nearly identical scenarios51 — even with respect to the same scenario.52 And they have struggled to reconcile the case law.53 The upshot: a plaintiff’s odds turn largely on the venue (perhaps even the judge they draw) and the smallest factual variations.54
Reframing data breaches as actual injuries avoids these complications. The Clemens court was quick to assume that a data breach is not per se injurious because it does not resemble traditional tort harms55 — but injury in fact is ultimately “a normative concept, not a descriptive one,”56 and there are compelling policy reasons to adopt this reframing. First, deterrence. As the Clemens court observed, the fallout from data breaches may be impossible to remediate,57 so companies must “implement appropriate security measures” ahead of time.58 While the confused state of current jurisprudence does not reliably punish companies for complacency, certain and timely liability, which an actual-injury framework is more likely to produce, would strongly incentivize action. And, while reorienting Clemens’s claims around actual injury would limit the available damages — she could not then recover for identity theft, which was imminent at best — in a class action like the one she brought, even small awards add up to meaningful sums.59
Second, loss limitation. Compensating victims for “necess[ary]”60 precautions like credit monitoring is a cost-effective way to mitigate potential losses.61 It is no answer to wait for losses to materialize before allowing suits to proceed: given the frequency of breaches nowadays, corporate defendants may well argue that such victims still lack standing because in the meantime, other companies holding the same victims’ data have also been breached, so the loss is not fairly traceable to them.62
Third, basic notions of fairness. Consumers have no real say in whether to give up their data or how it is stored, placing them at the mercy of the companies they interact with. Clemens, for instance, was obligated to provide sensitive information “[a]s a condition of her employment.”63 In other contexts, courts have responded to an imbalance of bargaining power by fashioning protective default rules — for instance, scrutinizing adhesion contracts under the judge-made doctrine of unconscionability.64 They should do the same with data breaches.
Moreover, this characterization of data breaches as actual injuries is reconcilable with Supreme Court precedent. As an initial matter, while recent decisions like TransUnion LLC v. Ramirez65 may clamp down on injury in fact by requiring concrete harms in cases involving statutory claims,66 they do not obviously bear on common law cases like Clemens. Underlying TransUnion were concerns about separation of powers67 and, in particular, congressional creation of “novel and expansive causes of action,”68 neither of which is relevant when one private party is suing another on common law contract and tort theories.69 And, at other times, the Court has liberally construed injury in fact to reflect, at its core, the “invasion of a legally protected interest.”70 Justice Thomas has further explained that standing is grounded in the “traditional, fundamental limitations . . . of common-law courts,”71 which historically “possessed broad power to adjudicate suits involving the alleged violation of private rights, even when plaintiffs alleged . . . nothing more.”72
Thus, the Third Circuit could have held that ExecuPharm’s actions created a plausible risk of financial loss, invading Clemens’s legal interests (whether or not loss materialized) and imposing an actual injury. Scholars and judges have suggested that individuals hold an interest “in not having to pay to insure against risk,”73 that “loss of a chance of . . . avoiding an adverse consequence should be compensable,”74 and that “risk of harm [is] itself a harm.”75 Here, Clemens posited a “well-founded fear” of hackers misusing victims’ data,76 and even courts that have denied standing have admitted that victims would “fear the worst” and “watch their credit reports until something untoward occurs.”77 Those impositions can themselves be injuries.
Importantly, this actual-injury approach has its limits. Plaintiffs on a motion to dismiss would have to plead that the breached data is of the sort that can be used for financial crime — names, addresses, account numbers78 — unless defendants can produce mitigating evidence.79 More benign breaches (say, of email addresses) would not inflict a plausible risk of loss and thus would not constitute injuries.80 This responds to a concern about opening the floodgates of litigation,81 as well as to the notion that it would be unfair or even counterproductive to hold companies liable for simple carelessness.82 Companies can avoid liability by taking precautions like encryption that protect victims even in case of breach. Plus, damages would be limited as plaintiffs could recover only for costs that directly stem from the breach, like credit monitoring or time spent on remediation, not losses that are yet to occur.
In Clemens, the Third Circuit rightly recognized that in our “increasingly digitalized world,” it is critical for companies that choose to “maintain massive datasets . . . [to] implement appropriate security measures.”83 But, having identified a compelling interest of victims in avoiding the “uniquely drastic” harms of data breaches,84 it should have opted for the direct application of actual injury instead of the linguistic gymnastics of imminence in applying the Article III standing test. Future courts should take care to avoid the same pitfalls and instead articulate a more practicable set of conditions under which victims of data breaches may hold companies to account.