Liability Without Actual Damage For Cyber-Breach

In Nancy Bohnak v. Marsh & McLennan Cos. Inc., a panel of the Second Circuit Court of Appeals has ruled that Marsh & McLennan must face a class-action lawsuit from its employees because their private information was stolen in a 2021 cyber breach, as reported in an article by Business Insurance.

A lower court had denied plaintiff Bohnak’s motion for class action status. The issue was the risk of future damage v. actual damage, and the appeals court decided that the risk of future damage could be considered a concrete injury, and therefore eligible for a damages award.

Bohnak and other court cases reveal a trend toward allowing plaintiffs to pursue damages for data breaches, despite the absence of evidence that the information was improperly used. In Bohnak, the Second Circuit cited the Supreme Court’s 2021 ruling in TransUnion LLC v. Ramirez, which held that a “concrete injury” can include intangible harm. It also cited a Third Circuit ruling in Jennifer Clemens v.  ExecuPharm Inc., which reached a similar conclusion. That case was also filed by an ex-employee.

The courts are saying that the risk of future damage can be considered a concrete injury.

The recent Second Circuit ruling “is an indicator of more plaintiff-friendly decisions” regarding cyber incidents, said Scott Godes, a partner with Barnes & Thornburg. He calls it further evidence of the importance of cyber risk as a corporate-level risk management issue.