US Privacy & Breach Litigation Monitor

Welcome to the US Privacy & Breach Litigation Monitor

We are pleased to share the latest edition of Kennedys US Privacy & Breach Litigation Monitor. This bi-weekly mailing was created with our clients in mind - to bring you up to speed on the latest topics and trends in data privacy and breach litigation.

Failure to allege causation dismissal in data breach matter

On August 30, 2022, the Northern District of Indiana issued a decision relating to the February, 2020, Blackbaud breach. In that breach, cybercriminals hacked Blackbaud’s systems and copied (among other things) a database containing the private information of Trinity Health Corp.’s (Trinity) patients stored with Blackbaud. After the breach, Trinity incurred various expenses, including credit monitoring services, call centers, legal counsel, computer systems recovery, data recovery and data migration services. Trinity and its insurer (plaintiffs) subsequently sued Blackbaud under various theories ranging from breach of contract to negligence based on allegations that the security breach occurred as a result of Blackbaud failing to reasonably safeguard Trinity’s database of private information. After Blackbaud filed a motion to dismiss, the Court dismissed all counts based on the failure of the plaintiffs to adequately plead causation for each of their claims. Specifically while plaintiffs included allegations explaining how they believed Blackbaud’s conduct caused the breach, the court found that plaintiffs failed to include any allegations explaining why they had to spend the amounts that they did for remediation. In other words, the court wanted more information as to why the expenses were necessary. The decision took a deep dive into the issue and is a worthwhile read. Aspen American Insurance Company, et al., Plaintiffs, v. Blackbaud, Inc., defendant. Additional Party Names: Trinity Health Corp., No. 3:22-CV-44 JD, 2022 WL 3868102, at *1 (N.D. Ind. Aug. 30, 2022). 

Third Circuit reverses decision on Article III data breach standing

We don’t often see Circuit Courts reversing a District Court’s finding of lack of Article III standing, so let’s take note of the September 3, 2022 decision out of the Third Circuit in Clemens v. ExecuPharm Inc., No. 21-1506, 2022 WL 4005322, at *1 (3d Cir. Sept. 2, 2022). In this case, after the plaintiff left her employment with ExecuPharm, Inc., a hacking group known as CLOP accessed its servers through a phishing attack, stealing sensitive information relating to current and former employees, including the plaintiff. The stolen information contained social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver's license numbers, sensitive tax forms, and passport numbers. The data was eventually posted on underground websites located on the Dark Web. Plaintiff sued and the District Court dismissed on the ground that she did not have Article III Standing. Upon review of all of the factors alleged, the Third Circuit found that the plaintiff had established a substantial risk that harm would occur sufficient to establish an imminent injury pursuant to the Supreme Court’s decision in Clapper v. Amnesty International USA, 568 U.S. 398 (2013). As case law has shown us, an allegation that PII has been posted on the Dark Web will generally be sufficient for a finding of imminent injury under Clapper.

Read other items in Privacy & Breach Ligation Monitor - September 21, 2022


Previous issues:

Privacy & Breach Litigation Monitor - August 21, 2022