Per the nonprofit Identity Theft Resource Center (ITRC), 2,116 data breaches had been reported nationwide this year through September. That figure breaks the previous annual record of 1,862 data breach reports in 2021.
Zero-day attacks against the widely used MOVEit file transfer software account for a dramatic number of breaches. “So far in 2023,” the ITRC stated, “344 U.S. organizations have been impacted by a single or multiple vendor(s) using a vulnerable MOVEit product.”
And as data breaches increase, so do data breach lawsuits.
The ITRC stated “the estimated number of [data breach] victims” in 2023 (233.9 million through September) “is well short of the pace from 2022” (425 million total victims). Nonetheless, lawsuits for data breaches aren’t slowing. Legal action is more frequent “even in cases where the number of impacted individuals is smaller,” wrote SecurityWeek’s Eduard Kovacs, citing research from law firm BakerHostetler.
And increasingly, plaintiffs pursue damages in “no-harm” class action lawsuits. In these cases, there is no evidence that the plaintiffs’ compromised sensitive data was used improperly or caused damage.
“Substantial Risk of Future Injury Qualifies for Standing”
In the past, many data breach lawsuits were dismissed due to the plaintiffs’ lack of standing. Plaintiffs had to demonstrate they suffered actual injury as a result of the breach.
More recently, courts have agreed the risk of future harm, such as identity theft or potential financial loss, constitutes standing to bring a lawsuit for a data breach.
In September 2022, for example, the 3rd U.S. Circuit Court of Appeals remanded for fresh consideration a case previously dismissed for lack of standing.
Biopharmaceutical company ExecuPharm, Inc. suffered a phishing and ransomware attack in 2020. Threat actors hacked ExecuPharm servers and posted current and former employees’ sensitive information on the dark web.
One former employee sued ExecuPharm. Although her identity, finances, and credit suffered no harm from the incident, she brought claims for negligence, breach of contract, breach of fiduciary duty, and breach of confidence.
A federal district court dismissed her case for lack of standing. But the Court of Appeals determined “the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group,” as attorney Harris Freier wrote.
“Alleged Injuries Arising from the Risk of Future Harm Are Concrete”
In August 2023, the 2nd U.S. Circuit Court of Appeals ruled in a data breach lawsuit involving insurance agency Marsh McLennan. In 2021, the agency discovered a breach compromising Social Security numbers and other personal data.
As in the ExecuPharm case, a former employee brought suit. She filed a putative class-action lawsuit alleging the agency hadn’t adequately protected class members’ personally identifiable information (PII). She alleged she suffered “expenses associated with preventing, detecting, and recovering from identity theft, loss opportunity costs associated with attempting to mitigate the consequences of the breach[,] and the continued risk to her PII, which remains unencrypted,” according to Business Insurance’s Judy Greenwald.
A federal district court initially ruled in Marsh McLennan’s favor. But the Court of Appeals ruled “alleged injuries arising from the risk of future harm are concrete.”
Your Clients Need Cyber Insurance Against Lawsuits for a Data Breach
Will the trend toward recognizing plaintiffs’ standing in no-harm data breach lawsuits continue?
In September 2023, a federal district court dismissed a putative class action suit against pest control company Truly Nolen of America, Inc. The company experienced a data breach in 2022 that compromised not only PII such as Social Security numbers but also protected health information (PHI) such as medical information and medical insurance information. The ruling stated, “Negligence damages must be actual and appreciable, non-speculative[,] and more than merely the threat of future harm.”
As you’ve read, however, circuit courts have overruled district courts on this question before, and they may do so again. The legal landscape of data breach lawsuits continues to evolve.
The potentially shifting standard of plaintiffs’ legal standing in such suits makes Cyber Liability Insurance all the more important.
In the event of a data breach, businesses and other organizations may face significant legal expenses. Cyber Insurance helps cover legal fees, court costs, and damages and cash payments awarded to affected parties.
It also covers the cost of hiring a crisis management team to manage fallout from the data breach and helps pay for credit monitoring services for customers whose personal information was exposed in the attack. Cyber Insurance is a crucial part of an overall security strategy, along with implementing best cyber security practices, to protect a business against potential losses.
Don’t let your business clients wait to become part of this year’s record-breaking data breach statistics. Don’t wait until a court must determine whether or not plaintiffs have standing to bring a suit against them.