Former Employee Could Sue Company over Data Breach

By Adam D. Brown November 21, 2022

Takeaway: This case reinforces the importance of employers taking appropriate steps to prevent the disclosure, including by way of data breach, of sensitive personal and confidential information from their employees. This duty becomes especially important when the employer requires the employee to provide such information and then makes a contractual promise to safeguard it.

In the event of a data breach, while it may appear that no harm occurred because the employee did not actually experience identity theft or fraud, circumstances exist where the harm may nevertheless be more than hypothetical and thus give the employee standing to bring claims against the employer. 

When receiving sensitive data, employers must implement effective security measures. As personal information dwells increasingly in the digital realm, the risks will continue to multiply, and adequate preparation is essential.

​The 3rd U.S. Circuit Court of Appeals held that a former employee of a biopharmaceutical company could sue the company for a data breach that resulted in the publication of her sensitive personal information on the dark web. Rejecting the company's argument that the absence of any actual harm to the former employee deprived her of standing, the court held that the risk of harm from the publication of the information and the former employee's alleged emotional distress and mitigation expenditures established injury sufficient to allow her to bring her claims.

The former employee had an employment agreement with the company that required her to provide it with various sensitive pieces of information such as her Social Security number, banking information, credit card numbers, and passport and driver's license numbers. In exchange, the agreement stated that the company would keep the information confidential and secure.

In March 2020, after the former employee had left the company, a hacking group breached the company's electronic systems and stole a large volume of sensitive and confidential employee information. It then published and attempted to sell the information on the dark web, a part of the Internet hidden from search engines and commonly used to facilitate illicit activities. The former employee's information was included in the material that appeared on the dark web.

The company informed the affected individuals of the breach so that they could mitigate the attendant risks, such as identity theft and fraud. Upon learning of the breach, the former employee took various steps to protect herself, including changing banks and buying credit monitoring services.

The former employee then brought a lawsuit against the company, alleging that the risk of identity theft and fraud had caused her to experience emotional distress and other injuries and to spend time and money on mitigation. She sought redress on behalf of herself and a class of other employees, asserting claims that included breach of contract and negligence.

The company moved to dismiss, arguing that the former employee had alleged only speculative, future harm that did not meet standing requirements. The district court agreed and granted the motion, concluding that the alleged injury was not sufficiently imminent and concrete. The former employee appealed to the 3rd Circuit, seeking to reinstate the claims.

On appeal, the 3rd Circuit ruled that the district court should not have dismissed the claims. Applying the test for standing developed by the U.S. Supreme Court, the appellate court determined that the former employee had suffered an injury that was both imminent and concrete.

In so holding, the court distinguished the former employee's claims from those at issue in a 2011 data-breach case on which the district court had relied, Reilly v. Ceridian Corp. In that case, a hacker had accessed potentially sensitive information, but the only harm to the plaintiff was the hypothetical risk of future injury.

In contrast, the appellate court reasoned, the former employee's information was actually published on the dark web and presented for sale, posing a substantial risk that harm would occur. Also, the former employee had alleged various concrete injuries, including emotional distress and related therapy costs, plus time and money she spent in response to the publication of her data.

The appellate court therefore reversed the dismissal of the former employee's claims and sent the matter to the district court for further proceedings.

Clemens v. ExecuPharm, 3rd Cir. No. 21-1506 (Sept. 2, 2022).

Adam D. Brown is an attorney in the Philadelphia office of Duane Morris LLP. 



Hire the best HR talent or advance your own career.


HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.