
3rd Circuit Finds Data Leaked On Dark Web “Shaming” Site Inferred A “Substantial Risk” Of Imminent Harm – Security




The litigation battleground in class actions arising out of data
breaches is almost always fought on Article III standing. Before
any discovery is exchanged or fact depositions take place,
claimants must allege they have standing to sue the defendant.
Standing is demonstrated by showing 1) an injury-in-fact; 2) fairly
traceable to the conduct of the defendant; and 3) likely to be
redressed by a favorable decision. Whether an injury-in-fact occurred because of a breach of someone's personal information usually depends on whether there was actual harm or whether harm is imminent.

While the Federal Circuit Courts differ in their interpretation of what is actual and imminent, the Court of Appeals for the Third Circuit (Delaware, New Jersey, and Pennsylvania) recently reversed the lower court's decision that the class action claimant did not meet the "actual or imminent" injury-in-fact prong of the Article III standing analysis in her suit against a former employer. Clemens, who was an employee of a clinical pharmaceutical research support company for only 10 months, sued the employer alleging negligence, negligence per se, and breach of [employee] contract (among other claims) arising from the access to her personal data when the company was victimized by the CL0P ransomware group in March 2020.

Like many popular ransomware "gangs," the CL0P group "double-extorted" the employer: it encrypted the data on company systems for ransom and posted a sampling of the data taken from the employer on the group's dark web "shaming" site, offering it for sale if the company failed to pay. Because the employer confirmed that employee Social Security numbers, driver's license numbers, dates of birth, and financial account information were accessed by the attack group, Clemens alleged damages for the time, effort, and expense of procuring additional identity monitoring services, closing accounts and reopening new ones, and seeking counseling for the stress and anxiety caused by the breach. Notably, Clemens made no allegation of actual or attempted identity theft or fraud, or that her personal information was within the sampling of data posted on the shaming site.

In its opinion, the three-judge panel reinforced prior holdings
that there is no bright line rule for whether injury was
“actual or imminent” in a standing analysis, and that no
one factor is dispositive. Particularly, the Court held that in the
data breach context, a plaintiff asserting an “[exposure to]
substantial risk of identity theft or fraud” may satisfy the
concrete injury requirement so long as the allegations also include
currently felt concrete harms, including associated costs and even
emotional distress.

The Court relied on important factual distinctions that made the injury arising out of the double-extortion ransomware incident imminent rather than hypothetical: 1) sensitive employee information was confirmed "accessed and encrypted"; 2) the CL0P group's criminal intentions were clear; 3) "sensitive data" was stolen and made openly available for download on the dark web for criminal use by anyone with access; and 4) those who access such dark web sites inherently do so for the purpose of committing fraud and identity theft. Whether Clemens' personal information was among the data stolen, or within the 162 GB sampling posted on the CL0P shaming site, is unclear. Similarly, whether her data was purchased and used nefariously as a result of this incident may never be proven. Nevertheless, the Court found that Clemens alleged facts which, taken as true and with all reasonable inferences drawn in her favor, were enough to confer Article III standing and allow her to proceed to the pleadings stage.

For cyber risk insurers and incident response counsel, the Third Circuit's decision reinforces the emphasis on collecting critical data points during the incident response investigation. Counsel
should work with forensic vendors to drill down on the analysis of
available evidence and to form clear and concise findings. Those
findings should allow counsel to separate known facts from those
that are presumed or speculative, before providing statutorily
compliant notifications to a potential class-action class. Finally,
for the third-party claims handlers and class action defense
counsel, expectations for defending suits that arise out of
double-extortion ransomware incidents should be adjusted
accordingly.
