Jennifer Clemens v. Execupharm Inc

PRECEDENTIAL

UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT

No. 21-1506

JENNIFER CLEMENS, Appellant
v.
EXECUPHARM INC.; PAREXEL INT’L CORP.

On Appeal from the United States District Court for the Eastern District of Pennsylvania (Civil No. 2-20-cv-03383)
District Judge: Honorable Gerald J. Pappert

Argued December 14, 2021

Before: GREENAWAY, JR., KRAUSE, and PHIPPS, Circuit Judges.

(Filed: September 2, 2022)

Mark S. Goldman
Goldman Scarlato & Penny
161 Washington Street
8 Tower Bridge, Suite 1025
Conshohocken, PA 19428

J. Austin Moore [ARGUED]
Norman E. Siegel
Barrett J. Vahle
Caleb J. Wagner
Stueve Siegel Hanson
460 Nichols Road, Suite 200
Kansas City, MO 64112
Counsel for Appellant

Shifali Baliga
Kristine M. Brown
Donald M. Houser [ARGUED]
Alston & Bird
1201 West Peachtree Street
One Atlantic Center, Suite 4900
Atlanta, GA 30309

Mathieu Shapiro
Obermayer Rebmann Maxwell & Hippel
1500 Market Street
Centre Square West, 34th Floor
Philadelphia, PA 19102
Counsel for Appellees

OPINION OF THE COURT

GREENAWAY, JR., Circuit Judge.

In this appeal, Jennifer Clemens asks us to reverse the District Court’s dismissal of her complaint seeking equitable and monetary relief in connection with a data breach that resulted in the publication of her sensitive personal information on the Dark Web. Clemens argues that her injury was sufficiently imminent to constitute an injury-in-fact for purposes of standing. We agree. Accordingly, we will vacate the judgment of the District Court and remand for consideration of the merits.

I. Background[1]

Clemens is a former employee of ExecuPharm, Inc. (“ExecuPharm” or “the Company”), a subsidiary of the global biopharmaceutical company Parexel International Corp. (“Parexel”). As a condition of her employment, Clemens was required to provide ExecuPharm with sensitive personal and financial information, including her address, social security number, bank and financial account numbers, insurance and tax information, her passport, and information relating to her husband and child. In exchange, Clemens’s employment agreement provided that ExecuPharm would “take appropriate measures to protect the confidentiality and security” of this information. J.A. 41 ¶ 58.

[1] Where, as here, the challenge to a District Court’s subject matter jurisdiction was made on the face of the pleadings, we accept all “well-pleaded factual allegations as true and draw all reasonable inferences” in favor of the plaintiff. In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 633 (3d Cir. 2017).

Based on the complaint’s allegations, ExecuPharm did not perform its obligation. After Clemens had left ExecuPharm, a hacking group known as CLOP accessed ExecuPharm’s servers through a phishing attack in March 2020, stealing sensitive information pertaining to current and former employees, including Clemens. Specifically, the stolen information contained social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, sensitive tax forms, and passport numbers. In addition to exfiltrating the data, CLOP installed malware to encrypt the data stored on ExecuPharm’s servers. Then, CLOP held the decryption tools for ransom, threatening to release the information if ExecuPharm did not pay the ransom. Either because ExecuPharm refused to pay or for nefarious reasons unknown, the hackers made good on their threat and posted the data on underground websites located on the Dark Web, which is “a portion of the Internet that is intentionally hidden from search engines and requires the use of an anonymizing browser to be accessed. It is most widely used as an underground black market where individuals sell illegal products like . . . sensitive stolen data that can be used to commit identity theft or fraud.” J.A. 25 ¶ 15. Screenshots by an Israel-based intelligence firm confirm that CLOP made available for download at least one archive containing nearly 123,000 files and 162 gigabytes of data pertaining to ExecuPharm and Parexel, including sensitive employee information.

Throughout March and April of 2020, ExecuPharm provided periodic updates to current and former employees to inform them of the breach and encourage them to take precautionary measures. ExecuPharm appreciated the risks, cautioning current and former employees that “[u]nauthorized access to [the compromised] information may potentially lead to the misuse of [their] personal data to impersonate [them] and/or to commit, or allow third parties to commit, fraudulent acts such as securing credit in [their] name.” J.A. 30 ¶ 28.

To mitigate potential harm, Clemens took immediate action. She conducted a review of her financial records and credit reports for unauthorized activity; placed fraud alerts on her credit reports; transferred her account to a new bank; enrolled in ExecuPharm’s complimentary one-year credit monitoring services; and purchased three-bureau credit monitoring services for herself and her family for $39.99 per month for additional protection. As a result of the breach, Clemens alleges that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm.

Seeking redress, Clemens brought suit against ExecuPharm and Parexel in the United States District Court for the Eastern District of Pennsylvania. She sought to represent herself and a class of all others whose personal information was compromised, as well as a subclass of current and former ExecuPharm employees whose employment agreements promised that the Company would take appropriate measures to protect their personal data. She invoked the subject matter jurisdiction of the District Court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). She asserted claims for negligence (Count I), negligence per se (Count II), and breach of implied contract (Count III) against both Defendants. She also asserted claims for breach of contract (Count IV), breach of fiduciary duty (Count V), and breach of confidence (Count VI) against ExecuPharm. Lastly, she sought a declaratory judgment that Defendants’ existing data security measures fail to comply with their fiduciary duties of care and that instructs them to implement and maintain industry-standard measures.

ExecuPharm and Parexel filed a motion to dismiss the complaint under Federal Rule of Civil Procedure 12(b)(6). The District Court ordered the parties to submit supplemental briefing regarding Clemens’s standing, and, after receiving that briefing, granted the motion to dismiss on February 25, 2021 based on lack of Article III standing. Specifically, the District Court stated that it sought to follow our “bright line” rule providing that allegations of an increased risk of identity theft resulting from a security breach are insufficient for standing. J.A. 9 (quoting In re Rutter’s Inc. Data Sec. Breach Litig., 511 F. Supp. 3d 514, 525 (M.D. Pa. 2021)). Applying our decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), the District Court concluded that Clemens’s risk of future harm was not imminent, but “speculative,” because she had not yet experienced actual identity theft or fraud. J.A. 9-11. This conclusion also meant that any money Clemens spent to mitigate the speculative risk was likewise insufficient to confer standing. The District Court additionally held that, even if ExecuPharm breached the employment agreement, it would not have automatically given Clemens standing to assert her breach of contract claim. Clemens timely appealed and seeks vacatur of the District Court’s dismissal of her complaint.

II. Applicable Law[2]

A. Article III Standing Requirements

Article III standing requires a plaintiff to demonstrate: “(1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.”[3] Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1618 (2020) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). Only the first two prongs are disputed on appeal.

[2] The District Court had jurisdiction over the underlying putative class action pursuant to 28 U.S.C. § 1332(d). We have jurisdiction pursuant to 28 U.S.C. § 1291.

[3] Our concurring colleague suggests that because Clemens “brings causes of action ‘of the sort traditionally amenable to, and resolved by, the judicial process,’” we need not apply the typical tri-partite standing analysis in this case. Concurring Opinion at 5 (quoting Uzuegbunam v. Preczewski, 141 S. Ct. 792, 798 (2021)). We disagree, and apply this tri-partite approach consistent with binding precedent. See, e.g., Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (citations omitted); Thorne v. Pep Boys Manny Moe & Jack Inc., 980 F.3d 879, 885 (3d Cir. 2020) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)).

a. Injury-in-fact: Imminent

With regard to the injury-in-fact prong, the injury must be “actual or imminent, not ‘conjectural’ or ‘hypothetical.’” Lujan, 504 U.S. at 560 (citations omitted). That “actual or imminent” is disjunctive is critical: it indicates that a plaintiff need not wait until he or she has actually sustained the feared harm in order to seek judicial redress, but can file suit when the risk of harm becomes imminent. This is especially important in the data breach context, where the disclosure of the data may cause future harm as opposed to currently felt harm. In this way, depending on the nature of the data at issue, claims flowing from a data breach can differ from traditional tort claims like defamation or invasion of privacy. While a claim arising from a data breach may share some commonalities with such torts—e.g., in that it may involve the publication of information to a third party or unauthorized access to private information—the latter claims involve actual injury. A claim for defamation, for instance, rests on the “reputational harm” that flows from the publication of a statement “that would subject [the victim] to hatred, contempt, or ridicule.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2208-09 (2021) (quoting Milkovich v. Lorain Journal Co., 497 U.S. 1, 13 (1990)). And a claim for invasion of privacy contemplates that the exposure “cause[s] mental suffering, shame or humiliation” to the victim. Pro Golf Mfg., Inc. v. Tribune Rev. Newspaper Co., 809 A.2d 243, 248 (Pa. 2002). By contrast, the type of data involved in a data breach may be such that mere access and publication do not cause inherent harm to the victim. Reilly, 664 F.3d at 42. Even then, however, it can still poise the victim to endure the kind of future harm that qualifies as “imminent.”

Indeed, allegations of future injury “suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013)). A substantial risk means a “‘realistic danger of sustaining a direct injury.’” Pennell v. City of San Jose, 485 U.S. 1, 8 (1988) (quoting Babbitt v. United Farm Workers Nat’l Union, 442 U.S. 289, 298 (1979)). While plaintiffs are not required “to demonstrate that it is literally certain that the harms they identify will come about,” a “possible future injury”—even one with an “objectively reasonable likelihood” of occurring—is not sufficient. Clapper, 568 U.S. at 409-10, 414 n.5 (emphasis omitted).

In Reilly, we considered whether an alleged risk of future identity theft or fraud stemming from a data breach in which an unknown hacker potentially accessed sensitive personal and financial information from a company’s network was sufficiently imminent for purposes of standing. 664 F.3d 38 (3d Cir. 2011). We held that it was not. We observed that the injury alleged was a future injury as opposed to a present injury. Id. at 42. Consistent with Susan B. Anthony List, that an injury will occur in the future is not fatal to standing. 573 U.S. at 158. But where the future injury is also hypothetical, there can be no imminence and therefore no injury-in-fact. Because the plaintiffs in Reilly alleged a future, hypothetical risk of identity theft or fraud, we concluded that they had not suffered an injury-in-fact. Specifically, the risk was “dependent on entirely speculative, future actions of an unknown third-party.” 664 F.3d at 42. Further, we could not “describe how the [Appellants] will be injured . . . without beginning our explanation with the word ‘if’: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully.” Id. at 43.

In holding that the Reilly plaintiffs lacked standing, we did not create a bright line rule precluding standing based on the alleged risk of identity theft or fraud. Such a rule would require plaintiffs to wait until they had sustained an actual injury to bring suit. This would directly contravene the Supreme Court’s holding in Susan B. Anthony List, which authorizes suits based on a “‘substantial risk’ that the harm will occur.” 573 U.S. at 158. Instead, Reilly requires consideration of whether an injury is present versus future, and imminent versus hypothetical.

Courts rely on a number of factors in determining whether an injury is imminent—meaning it poses a substantial risk of harm—versus hypothetical in the data breach context. These non-exhaustive factors can serve as useful guideposts, with no single factor being dispositive to our inquiry. Among them is whether the data breach was intentional. See, e.g., McMorris v. Carlos Lopez & Assocs., 995 F.3d 295, 301-03 (2d Cir. 2021) (holding that the intentional nature of an attack renders standing more likely); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632 (7th Cir. 2007) (finding standing where a breach was “sophisticated, intentional and malicious”); In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 58-59 (D.C. Cir. 2019) (noting that “hackers targeted—and extracted data”); In re Zappos.com, Inc., 888 F.3d 1020, 1029 n.13 (9th Cir. 2018) (emphasizing that hackers “specifically targeted” the data to distinguish from a case in which there was no substantial risk of identity theft).

Courts also consider whether the data was misused.[4] See, e.g., McMorris, 995 F.3d at 301-02 (holding that misuse cuts towards standing); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (finding standing where a laptop with personal unencrypted data was stolen and a plaintiff alleged that someone “attempted to open a bank account in his name”); Remijas v. Neiman Marcus Grp., 794 F.3d 688, 692-94 (7th Cir. 2015) (finding standing where plaintiff alleged that personal data had “already been stolen” and that 9,200 people had “incurred fraudulent charges”). Of note, misuse is not necessarily required. The Seventh Circuit has found standing despite no allegations of misuse, holding that it was sufficient that a data breach “increas[ed] the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” Pisciotta, 499 F.3d at 634.

[4] In accordance with Spokeo, Inc. v. Robins, which provides that “named plaintiffs who represent a class ‘must allege and show that they personally have been injured,’” our inquiry should focus on the misuse of information particular to the plaintiff—not other members of the class. 578 U.S. 330, 338 n.6 (2016) (quoting Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 40 n.20 (1976)); but see McMorris v. Carlos Lopez & Assocs., 995 F.3d 295, 301-02 (2d Cir. 2021) (holding that any misuse of the data, even if the class representative has not yet been affected, cuts towards standing).

Further, courts consider whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft. See, e.g., McMorris, 995 F.3d at 302. For instance, disclosure of social security numbers, birth dates, and names is more likely to create a risk of identity theft or fraud. Id. (citing Attias v. CareFirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017)). By contrast, the disclosure of financial information alone, without corresponding personal information, is insufficient. See, e.g., In re SuperValu, Inc., 870 F.3d 763, 770-71 (8th Cir. 2017); Tsao v. Captiva MVP Rest. Partners, 986 F.3d 1332, 1343 (11th Cir. 2021). This is because financial information alone generally cannot be used to commit identity theft or fraud. See In re SuperValu, Inc., 870 F.3d at 770-71.

b. Injury-in-fact: Concrete

The injury-in-fact prong of the standing analysis also requires that the alleged injury be “concrete,” meaning “real, and not abstract.” Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016) (internal quotation marks omitted); see Lujan, 504 U.S. at 560. The Supreme Court recently clarified in TransUnion LLC v. Ramirez that “[c]entral to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as physical harm, monetary harm, or various intangible harms.” 141 S. Ct. at 2200 (citing Spokeo, 578 U.S. at 340-41). The fact that an injury is intangible—that is, it does not represent a purely physical or monetary harm to the plaintiff—does not prevent it from nonetheless being concrete, as various intangible harms have been “traditionally recognized as providing a basis for lawsuits in American courts.” Id. at 2204 (citing Spokeo, 578 U.S. at 340-41). For example, certain privacy harms, like the disclosure of private information and intrusion upon seclusion, though intangible, have long given rise to tort claims. Id.

The first step in assessing concreteness is to ask whether the asserted harm is adequately analogous to a harm traditionally recognized as giving rise to a lawsuit. In the data breach context, there are several potential parallels to harms traditionally recognized at common law, depending on the precise theory of injury the plaintiff puts forward. For example, if the theory of injury is an unauthorized exposure of personally identifying information that results in an increased risk of identity theft or fraud, that harm is closely related to that contemplated by privacy torts that are “well-ensconced in the fabric of American law.” In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 638-39 (3d Cir. 2017) (quoting David A. Elder, Privacy Torts § 1:1 (2016)).[5] Though such an injury is intangible, it is nonetheless concrete.

[5] At argument, ExecuPharm contended that any analogies to the traditional privacy torts fail because the stolen data here was not the sort of inherently private information that could have given rise to a successful privacy claim at common law. For example, the “private facts” contemplated in the tort of public disclosure of private facts would not include the transactional employee data that was exposed here. Even if we were to accept the premise that this particular combination of stolen information could not form the basis for common law privacy tort liability—and we have no occasion to address that issue here—this mistakes the nature of the inquiry required for an assessment of Article III standing. In looking for a common law analog to an asserted theory of harm, “we do not require an exact duplicate.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2209 (2021). Indeed, in TransUnion itself, the Supreme Court cites Davis v. Fed. Election Comm’n, in which the information disclosed was only the fact that the plaintiff had spent a certain amount of personal funds in his campaign, 554 U.S. 724, 733 (2008), as a case in which the asserted intangible harm was concrete because it was closely related to the “disclosure of private information.” TransUnion LLC, 141 S. Ct. at 2204. Likewise, we are content for now that the exposure of the type of information that was alleged here—information employees would normally choose to keep to themselves and would reasonably not want to make publicly available—and the resulting substantial risk of identity theft or fraud is a harm that bears at least a “close relationship” to harms traditionally recognized in privacy torts. Id. at 2208 (citing Spokeo, 578 U.S. at 341). Accordingly, the asserted injury supports Article III standing—and whether a plaintiff has successfully made out claims under a particular cause of action is a separate question.

TransUnion also made clear, though, that the mere existence of a common law analog for the asserted harm does not necessarily end our inquiry. In a suit premised on the “mere risk of future harm”—that is, where the alleged injury-in-fact is “imminent” rather than “actual”—we must also consider the type of relief sought. TransUnion LLC, 141 S. Ct. at 2210-11. Where the plaintiff seeks injunctive relief, the allegation of a risk of future harm alone can qualify as concrete as long as it “is sufficiently imminent and substantial.” Id. at 2210 (citing Clapper, 568 U.S. at 414 n.5). However, where the plaintiff seeks only damages, something more is required. Specifically, that plaintiff can satisfy concreteness where “the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2211.

The Supreme Court did not reach the question of what separate harms might qualify as concrete to support a substantial-risk theory of future harm in an action for damages, but it did indicate that “a plaintiff’s knowledge that he or she is exposed to a risk of future . . . harm could cause its own current emotional or psychological harm,” which could be sufficiently analogous to the tort of intentional infliction of emotional distress. Id. at 2211 n.7. Following TransUnion’s guidance, we hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.

III. Analysis

We exercise de novo review over the District Court’s dismissal of a complaint for lack of subject matter jurisdiction. Horizon Healthcare, 846 F.3d at 632. Clemens’s complaint asserts contract, tort, and secondary contract claims—each based on the same underlying facts. “[A] plaintiff must demonstrate standing for each claim he seeks to press.” DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 352 (2006). Accepting the well-pleaded factual allegations in Clemens’s complaint as true, we hold that Clemens has standing to assert her contract, tort, and secondary contract claims. Her alleged injuries are sufficiently imminent and concrete to qualify as injuries-in-fact.

A. Contract Claims

The District Court erred in dismissing Clemens’s contract claims, which are raised in Counts III (breach of implied contract) and IV (breach of contract). These claims arise from her employment agreement with ExecuPharm. When Clemens provided ExecuPharm with her sensitive personal information upon hire, ExecuPharm expressly contracted to “take appropriate measures to protect the confidentiality and security” of this information in Clemens’s employment agreement. J.A. 40-41 ¶¶ 57-58. Clemens alleged that ExecuPharm breached this express provision when it failed to adequately protect her information, allowing CLOP to steal sensitive employee information, hold it for ransom, and publish it on the Dark Web. Moreover, Clemens has alleged an injury stemming from the breach—the risk of identity theft or fraud—that is sufficiently imminent and concrete.[6]

[6] Because Clemens has alleged an injury separate and apart from the breach of contract itself, we have no occasion to reach her additional argument that the breach of contract alone is a sufficiently imminent and concrete injury that confers standing for her to raise her contract claims.

As employment agreements have become routine, information security provisions like the one in the instant case have assumed a new prominence. Likewise, the failure to uphold these provisions—particularly in the digital age—can yield uniquely drastic consequences. Namely, victims of a data breach must live with the perpetual, well-founded fear and risk that hackers will misuse their data. The only way to allay those concerns is to invest time and money into precautionary measures that could mitigate the potential misuse, like changing one’s banking information. But there is no guarantee that mitigative measures will be effective—especially given that some information, such as our names and social security numbers, generally stay with us for life.

In Reilly, we had occasion to discuss the contours of the injury-in-fact requirement in the data breach context. This time, the alleged injury-in-fact is far more imminent. Whereas Reilly involved an unknown hacker who potentially gained access to sensitive information, 664 F.3d at 42-43; here, a known hacker group named CLOP accessed Clemens’s sensitive information. CLOP is a sophisticated ransomware group that is notorious for encrypting companies’ internal data and placing in every digital folder a text file called “ClopReadMe.txt” that contains a message demanding ransom. J.A. 24-25 ¶ 14. These attacks are particularly threatening given that, according to a data specialist, there are “no known decryption tools for CLOP ransomware.” J.A. 35 ¶ 40. In this instance, CLOP launched its signature attack against ExecuPharm: it encrypted ExecuPharm’s information and held it for ransom. Further, while the injury to the plaintiffs in Reilly depended upon a string of hypotheticals being borne out, 664 F.3d at 43, CLOP has already published Clemens’s data on the Dark Web, a platform that facilitates criminal activity worldwide. Clemens has alleged that the Dark Web is “most widely used as an underground black market where individuals sell illegal products like drugs, weapons, counterfeit money, and sensitive stolen data that can be used to commit identity theft or fraud.” J.A. 25 ¶ 15. Because we can reasonably assume that many of those who visit the Dark Web, and especially those who seek out and access CLOP’s posts, do so with nefarious intent, it follows that Clemens faces a substantial risk of identity theft or fraud by virtue of her personal information being made available on underground websites. This set of facts clearly presents a more imminent injury than the ones we deemed to establish only a hypothetical injury in Reilly.

Adopting and applying the factors that our Sister Circuits consider in determining imminence in the data breach context confirms this point. CLOP intentionally gained access to and misused the data: it launched a sophisticated phishing attack to install malware, encrypted the data, held it for ransom, and published it. See McMorris, 995 F.3d at 301-03; Remijas, 794 F.3d at 693-94; Attias, 865 F.3d at 628-29. The data was also the type of data that could be used to perpetrate identity theft or fraud. Not only did it contain financial information—which, on its own, could subject the breach victims to credit card fraud—but it also contained social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, sensitive tax forms, and passport numbers. This combination of financial and personal information is particularly concerning as it could be used to perpetrate both identity theft and fraud. See McMorris, 995 F.3d at 302; cf. In re SuperValu, Inc., 870 F.3d at 770-71 (noting that financial information, without accompanying personally identifying information, is unlikely to give rise to identity theft). Together, these factors show that Clemens has alleged a “‘substantial risk’ that the harm will occur” sufficient to establish an “imminent” injury. Anthony List, 573 U.S. at 158 (quoting Clapper, 568 U.S. at 414 n.5).[7] Further, that injury is concrete, because the harm involved is sufficiently analogous to harms long recognized at common law like the “disclosure of private information.” TransUnion LLC, 141 S. Ct. at 2204. And although the substantial risk of identity theft is a risk of future harm and this is a suit for damages, which may under other circumstances pose a problem for concreteness, id. at 2210-11, Clemens has alleged several additional concrete harms that she has already experienced as a result of that risk (that is, her emotional distress and related therapy costs and the time and money involved in mitigating the fallout of the data breach). Thus, her injury is also “concrete.”

[7] At Oral Argument, ExecuPharm agreed that, in the abstract, facts satisfying the imminence inquiry yet falling short of actual harm could confer standing in a data breach case. However, it was unable to articulate such a scenario. If the facts in this case—which fall short of actual harm—do not meet the test for imminence, we would be hard pressed to conjure up a set of facts that would.

In addition to proving injury-in-fact, standing also requires Clemens to prove traceability and “that the injury would likely be redressed by the requested judicial relief.” Thole, 140 S. Ct. at 1618. Traceability means that the injury was caused by the challenged action of the defendant as opposed to an independent action of a third party. Lujan, 504 U.S. at 560. We have yet to articulate a single standard for establishing this “causal relationship.” See Khodara Env’t, Inc. v. Blakely, 376 F.3d 187, 195 (3d Cir. 2004). Instead, we have held that but-for causation is sufficient to satisfy traceability. See, e.g., Edmonson v. Lincoln Nat’l Life Ins. Co., 725 F.3d 406, 418 (3d Cir. 2013). So, too, is concurrent causation. See, e.g., Const. Party of Pa. v. Aichele, 757 F.3d 347, 366 (3d Cir. 2014). Here, Clemens has alleged facts that establish traceability, at least at the pleading stage. Specifically, she has identified her injuries as “a direct and proximate result of Defendants’ breach” of contract: ExecuPharm’s failure to safeguard her information enabled CLOP to publish it on the Dark Web as part of the stolen dataset of ExecuPharm and Parexel employee information. J.A. 65 ¶ 141, J.A. 66 ¶ 146. Likewise, Clemens satisfied redressability. As we observed in Reilly, the injuries caused by a data breach are “easily and precisely compensable with a monetary award,” 664 F.3d at 45-46, and Clemens is seeking those damages to compensate for her losses here. This traceability and redressability analysis applies with equal force to the tort and secondary contract claims as well. We will vacate the District Court’s dismissal regarding these claims and remand for a consideration of the merits of these claims.

B. Tort Claims

In addition, the District Court erred in dismissing Clemens’s tort claims, which are raised in Counts I (negligence) and II (negligence per se). The tort claims have the same factual genesis as the contract claims: namely, that ExecuPharm breached its duty to adequately safeguard sensitive employee information, which allowed CLOP to steal and misuse the data, and subjected Clemens to a substantial risk of identity theft or fraud.

In an increasingly digitalized world, an employer’s duty to protect its employees’ sensitive information has significantly broadened. Information security is no longer a matter of keeping a small universe of sensitive, hard-copy paperwork under lock and key. Now, employers maintain massive datasets on digital networks. In order to protect the data, they must implement appropriate security measures and ensure that those measures continue to comply with ever-changing industry standards. Failure to satisfy this duty could leave employer networks vulnerable to data breach, subjecting data breach victims to a unique kind of harm: the perpetual risk of identity theft or fraud, necessitating the investment of time and money to hopefully mitigate that risk. With rare exception, where multiple pieces of personally identifying information about a given consumer are stolen and then publicized, one can draw a reasonable inference that the victims of the data breach face an imminent risk of identity theft or fraud. When that information is made available for download on the Dark Web—a platform that exists primarily to facilitate illegal activity—the risk that a criminal will access it and use it for a nefarious purpose is particularly acute.

As discussed supra in Section III Part A, Clemens’s alleged risk of identity theft or fraud is sufficiently imminent. Compared to Reilly, the risk is not hypothetical: a known hacking group intentionally stole the information, misused it, ultimately published it on the Dark Web, and the sensitive information is the type that could be used to perpetrate identity theft or fraud. Consistent with Anthony List, Clemens cannot be required to wait until she has experienced actual identity theft or fraud before she can sue; the “substantial risk” that she has established is enough. 573 U.S. at 158. Her asserted injury is also concrete, as intangible harms like the disclosure of private information qualify as concrete. See TransUnion LLC, 141 S. Ct. at 2204. Because Clemens has sufficiently asserted her standing to bring her tort claims, we will vacate the District Court’s dismissal and remand for a consideration of the merits of those claims.

C. Secondary Contract Claims

Finally, the District Court erred in dismissing Clemens’s secondary contract claims which are raised in Counts V (breach of fiduciary duty) and VI (breach of confidence). The breach of the duties underlying these claims and the resulting harm are based on the same facts as the contract and tort claims. As with the prior claims, the District Court identified the failure to allege an imminent injury as fatal to standing. Because we have rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently imminent, and hold that Clemens has alleged an injury-in-fact, we likewise will vacate the District Court’s decision and remand for a determination of the merits of these claims.

IV. Conclusion

Clemens has standing to assert her contract, tort, and secondary contract claims. For all claims, she has alleged a future injury—the risk of identity theft or fraud—that is sufficiently imminent. The breach was conducted by a known hacking group CLOP, which intentionally stole the information, held it for ransom, and published it to the Dark Web, thereby making it accessible to criminals worldwide. The nature of the information—a combination of personal and financial data—is the type that can be used to perpetrate identity theft or fraud. Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact. Accordingly, we will vacate the judgment of the District Court on all counts and remand for consideration of the merits.

Clemens v. ExecuPharm Inc., No. 21-1506

PHIPPS, Circuit Judge, concurring in the judgment

The Majority Opinion labors through the modern tripartite test for Article III standing and concludes that Jennifer Clemens has standing to assert common-law claims for negligence, breach of contract, breach of confidence, and breach of fiduciary duty.
The modern test for Article III standing, however, typically governs claims seeking to vindicate constitutional or statutory rights.1 It has always been the rule that a litigant has standing in federal court to pursue a cause of action that was recognized as well suited for judicial resolution at the time of the Constitution’s ratification:

When a suit is made of “the stuff of the traditional actions at common law tried by the courts at Westminster in 1789” and is brought within the bounds of federal jurisdiction, the responsibility for deciding that suit rests with Article III judges in Article III courts.

Stern v. Marshall, 564 U.S. 462, 484 (2011) (citation omitted) (quoting N. Pipeline Constr. Co. v. Marathon Pipe Line Co., 458 U.S. 50, 90 (1982) (Rehnquist, J., concurring in judgment)); see also Ariz. Christian Sch. Tuition Org. v. Winn, 563 U.S. 125, 132 (2011) (“[Article III] restricts the federal judicial power ‘to the traditional role of the Anglo-American courts.’” (quoting Summers v. Earth Island Inst., 555 U.S. 488, 492 (2009))); Commodity Futures Trading Comm’n v. Schor, 478 U.S. 833, 854 (1986) (“[P]rivate, common law rights were historically the types of matters subject to resolution by Article III courts.”); N. Pipeline Constr. Co., 458 U.S. at 86 n.39 (plurality opinion) (stating that, “in the Framers’ view, the tasks of [Article III] courts, for which independence was an important safeguard, included . . . matters of common law”); Tenn. Elec. Power Co. v. Tenn. Valley Auth., 306 U.S. 118, 137 (1939) (holding that litigants have standing when “the right invaded is a legal right,” such as “one of property, one arising out of contract, [or] one protected against tortious invasion”); Murray’s Lessee v. Hoboken Land & Improvement Co., 59 U.S. 272, 284 (1855) (explaining that “any matter which, from its nature, is the subject of a suit at the common law, or in equity” is within “judicial cognizance”).2

1 See, e.g., Spokeo, Inc. v. Robins, 578 U.S. 330, 338–39 (2016); Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013); Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009); Friends of the Earth, Inc. v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 180–81 (2000); Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992); Allen v. Wright, 468 U.S. 737, 751 (1984); Valley Forge Christian Coll. v. Ams. United for Separation of Church & State, Inc., 454 U.S. 464, 472 (1982); see also 20 Charles Alan Wright & Mary Kay Kane, Federal Practice and Procedure: Federal Practice Deskbook § 14 (2d ed. Apr. 2022 update) (“The law of standing is almost exclusively concerned with public-law questions involving determinations of constitutionality and review of administrative or other governmental action.”).

2 See also Erwin Chemerinsky, Federal Jurisdiction 74 (8th ed. 2020) (“Injury to rights recognized at common law – property, contracts, and torts – are sufficient for standing purposes.”); Cass R. Sunstein, Standing and the Privatization of Public Law, 88 Colum. L. Rev. 1432, 1439 (1988) (explaining that “the existence of an interest protected at common law [has been] sufficient to confer standing”).

The modern test builds on that principle by using traditionally recognized causes of action as a foundation for its comparative analysis. The premise of the test is that litigants have standing for claims traditionally recognized as well suited for judicial resolution. See TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2204 (2021) (explaining that the concreteness component of the injury-in-fact element requires that a statutory cause of action bear a “close relationship” to a “historical or common-law analogue”).3 Thus, the modern test for Article III standing operates as a supplement to, not a substitute for, the rule that a litigant has Article III standing to bring a traditionally recognized cause of action in federal court.4

3 See also Hollingsworth v. Perry, 570 U.S. 693, 700 (2013) (“As used in the Constitution, [‘case’ and ‘controversy’] do not include every sort of dispute, but only those ‘historically viewed as capable of resolution through the judicial process.’” (quoting Flast v. Cohen, 392 U.S. 83, 95 (1968))); DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 342 (2006) (“[W]e must find that the question is presented in a ‘case’ or ‘controversy’ that is, in James Madison’s words, ‘of a Judiciary Nature.’” (quoting 2 Records of the Federal Convention of 1787 430 (Max Farrand ed., 1966))); Schlesinger v. Reservists Comm. to Stop the War, 418 U.S. 208, 220–21 (1974) (explaining that federal courts can resolve only disputes that take “a form traditionally capable of judicial resolution”).

4 See F. Andrew Hessick, Standing, Injury in Fact, and Private Rights, 93 Cornell L. Rev. 275, 277 (2008) (“The purpose of the factual injury requirement is to ensure that plaintiffs are asserting their own private rights. The requirement therefore is superfluous in cases alleging the violation of a private right.”); 20 Charles Alan Wright & Mary Kay Kane, Federal Practice and Procedure: Federal Practice Deskbook § 14 (2d ed. Apr. 2022 update) (“The person suing for breach of contract or for a tort must be found to be the real party in interest, but in practice those suits are brought only by a person harmed by the supposed wrong, and standing to sue is self-evident. It is only when the question is of a public nature that the interested bystander is likely to attempt suit.”).

The claims that Clemens pursues here – for negligence, breach of contract, breach of confidence, and breach of fiduciary duty – are traditional causes of action that were recognized as well suited for judicial resolution at the time of the Constitution’s adoption.5 She therefore has standing. Yet by applying the modern test for Article III standing when it is unnecessary to do so, the Majority Opinion gives the mistaken impression that the modern test replaces the original understanding of what constitutes a case or controversy subject to resolution in federal court.6

5 See Robert J. Kaczorowski, The Common-Law Background of Nineteenth-Century Tort Law, 51 Ohio St. L.J. 1127, 1129 (1990) (explaining that some negligence claims were “in the common law for centuries,” while others “primarily emerged in the last quarter of the seventeenth century”); Harold J. Berman & Charles J. Reid, Jr., The Transformation of English Legal Science: From Hale to Blackstone, 45 Emory L.J. 437, 460–61 (1996) (stating that “the common-law courts in the late seventeenth and early eighteenth centuries expanded the forms of action to cover . . . obligations arising from breach of contract”); Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123, 136 (2007) (describing how “[l]egal remedies for divulging . . . confidential information began to emerge as early as the eighteenth century,” when “English courts of equity . . . fashion[ed] an action for breach of confidence”); Leonard I. Rotman, Fiduciary Law’s “Holy Grail”: Reconciling Theory and Practice in Fiduciary Jurisprudence, 91 B.U. L. Rev. 921, 922 (2011) (“Fiduciary law has been a part of the common law tradition since its crystallization in the landmark case of Keech v. Sandford in 1726.”).

6 In footnote three, the Majority Opinion asserts that its approach is consistent with binding precedent, but despite the abundance of precedent on Article III standing, the Majority Opinion identifies no Supreme Court case applying the modern test to a traditionally recognized cause of action.

I cannot join that analysis, and I respectfully concur in the judgment only. It suffices for her Article III standing that Clemens brings causes of action “of the sort traditionally amenable to, and resolved by, the judicial process.” Uzuegbunam v. Preczewski, 141 S. Ct. 792, 798 (2021) (quoting Vt. Agency of Nat. Res. v. United States ex rel. Stevens, 529 U.S. 765, 774 (2000)); see also Stern, 564 U.S. at 494 (stating that “the most prototypical exercise of judicial power” is a court’s adjudication of “a common law cause of action”). Nothing more is needed.