Marsh & McLennan Cos. Inc. must face a class-action lawsuit in which a former employee sought damages after her private information was accessed in a 2021 cyber breach, a federal appeals court ruled last week, overturning a lower court.

In Nancy Bohnak v. Marsh & McLennan Cos. Inc., the 2nd U.S. Circuit Court of Appeals in New York on Thursday cited earlier rulings, including a U.S. Supreme Court decision, in determining that the risk of future injury from the release of data was sufficient to constitute an injury for a damages claim.

The cyber breach involved Social Security numbers and other personal data related to Marsh McLennan staff, former staff, clients and others. The company discovered the breach on April 26, 2021, and sent out breach notifications to the people affected about two months later.

After the notifications were sent, Ms. Bohnak, who previously worked at Marsh McLennan Agency, filed a class-action lawsuit on behalf of herself and others similarly situated alleging Marsh McLennan failed to adequately protect personally identifiable information, among other things.

She alleged the injuries she suffered included expenses associated with preventing, detecting and recovering from identity theft, loss opportunity costs associated with attempting to mitigate the consequences of the breach and the continued risk to her PII, which remains unencrypted, the ruling states.

A district court ruled in favor of Marsh McLennan, which sought to dismiss the case because the damages the former employee sought were not “cognizable,” or recognizable and quantifiable. The district court concluded that she could only speculate about any future harm because the alleged loss of time and money responding to the increased risk of harm was not proximately caused by the harm of disclosure.

In overturning the lower court, the three appeals court judges cited the U.S. Supreme Court’s 2021 ruling in TransUnion LLC v. Ramirez, which found, among other things, that the plaintiffs in the case had to suffer a “concrete injury,” which can include intangible harm, to recover damages.

“The core of the injury Bohnak alleges here is that she has been harmed by the exposure of her private information — including her SSN and other PII — to an unauthorized malevolent actor. This falls squarely within the scope of an intangible harm the Supreme Court has recognized as ‘concrete,’” the court ruled.

In addition, in accordance with the 2nd Circuit’s own 2021 ruling in McMorris v. Carlos Lopez & Associates LLC, the former employee alleged “imminent risk of injury.”

“The allegations of a targeted hack that exposed Bohnak’s name and SSN to an unauthorized actor are sufficient to suggest a substantial likelihood of future harm, satisfying the ‘actual or imminent harm’ component of an injury in fact,” the court ruled in remanding the case for further proceedings.

A Marsh McLennan spokesman said the company does not comment on pending litigation.