A recent decision by the U.S. Court of Appeals in Philadelphia gives new hope to plaintiffs in class-action lawsuits over data breaches. The case is Clemens v. ExecuPharm Inc., decided Sept. 2, and it is the first appellate decision on standing in data breach cases since the U.S. Supreme Court seemed to close the door on many such cases in 2021. The ruling is further evidence that some courts will continue to find ways to let data breach litigation go forward even if the affected consumers have not suffered identity theft or fraud from misuse of their information.
Standing is often a make-or-break issue for data security litigation. When a data custodian is hacked and personal information is stolen, the target of the breach often finds itself sued in consumer class actions. If such cases are brought in federal court, they must clear the hurdle of standing: The plaintiffs, before the case can proceed, must allege facts showing that they have been injured, and the mere loss of data is usually considered not concrete enough.
Until last year, in situations where data had been compromised, but no one had yet experienced identity theft or other fraud, plaintiffs often argued that they had standing because, with their data in the hands of criminals or offered for sale on the dark web, they faced a risk of future ID theft or other harm. Relying on language in Supreme Court opinions stating that risk of future injury could establish standing if the risk was substantial enough, courts in data breach cases seemed to be accepting the theory with growing frequency.
Then in June 2021, in TransUnion LLC v. Ramirez, the Supreme Court held quite bluntly that risk of future harm does not provide standing for a damages claim. TransUnion seemed to supersede, or at the very least call into question, all of the cases that had held that risk of future harm on its own could be the basis for standing.
It hasn’t turned out that way. As I wrote here in March, the response of lower courts was all over the map, with quite a few finding standing despite the lack of fraudulent charges or ID theft. Now, in Clemens, the Third Circuit Court of Appeals has weighed in, with an opinion it expressly designated as precedential. It’s worth quoting the court’s holding in full:
Following TransUnion’s guidance, we hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.
The Supreme Court in TransUnion had left open the door to this outcome. The high court said that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” It had gone on to say that “a plaintiff’s knowledge that he or she is exposed to a risk of future ... harm could cause its own current emotional or psychological harm.”
The Third Circuit took up these signals and expanded them into a three-step inquiry. First, the appeals court made it clear the risk of future identity theft or fraud had to be sufficiently imminent. In assessing imminence, the court relied on pre-TransUnion rulings in data breach cases. In a 2011 case, Reilly v. Ceridian Corp., the Third Circuit held that risk of future harm was too speculative because the hacker was unknown and what data may have been compromised wasn’t even clear. In contrast, in Clemens, a specific group had taken credit for the hack, it was undisputed that sensitive data had been taken, and Clemens had alleged, based on a report from a cyber-intelligence firm, that her data was already published on the dark web. The court also relied on the factors identified by the Second Circuit in a case called McMorris, decided just before TransUnion: that the hackers had been intentional and that the information compromised (which included Social Security numbers, birthdates, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, sensitive tax forms, and passport numbers) was precisely the kind of information used in ID theft and other fraud.
Second, the Third Circuit considered whether the harm was concrete, applying TransUnion’s direction that “[c]entral to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” The Clemens court found that the harm involved was indeed sufficiently analogous to harms long recognized at common law like the “disclosure of private information.”
Third, the appeals court considered whether the plaintiff had alleged separate harms, in addition to substantial risk, that would qualify as concrete. Yes, it found, Clemens had alleged several additional concrete harms that she had already experienced as a result of that risk (that is, her emotional distress and related therapy costs and the time and money involved in mitigating the fallout of the data breach).
The court concluded with a very broad statement: “Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact.” However, this has to be read in conjunction with the court’s three-step analysis: risk of future harm must be substantial, the claim must have a close relationship to matters traditionally heard by American, or English, courts at the time the Constitution was adopted, and there must be a separate, current injury.
At least in the Third Circuit (Pennsylvania, New Jersey, Delaware, and the Virgin Islands), data breach plaintiffs attentive to these three considerations in drafting their complaints have a clear path forward.