More lawsuits likely in data breaches where no harm’s alleged

Businesses can expect more court rulings allowing plaintiffs to pursue damages for data breaches, even where there is no evidence the information was ever improperly used, after an influential appeals court ruled on the issue late last month.

The ruling, concerning a breach at Marsh & McLennan Cos. Inc., is the latest in a line of federal and state court rulings that establish that just the risk of damage, rather than actual harm, can be considered a concrete injury and eligible for a damages award.

The Aug. 24 decision by the 2nd U.S. Circuit Court of Appeals in New York in Nancy Bohnak v. Marsh & McLennan Cos. Inc. concerned a former Marsh McLennan employee who sued the brokerage after her private information was accessed in a 2021 cyber breach that involved Social Security numbers and other personal data.

The company discovered the breach on April 26, 2021, and sent out breach notifications to the people affected about two months later.

After the notifications were sent, Ms. Bohnak, who previously worked at Marsh McLennan Agency, filed a putative class-action lawsuit on behalf of herself and others similarly situated alleging Marsh McLennan did not adequately protect personally identifiable information, among other things.

Ms. Bohnak alleged the injuries she suffered included expenses associated with preventing, detecting and recovering from identity theft, lost opportunity costs associated with attempting to mitigate the consequences of the breach and the continued risk to her PII, which remains unencrypted, the ruling states.

A district court ruled in Marsh’s favor, stating the complaint “ultimately falls short in establishing that Plaintiffs have suffered legally cognizable injury to support their substantive claims.”

But a three-judge appeals court panel held that “Bohnak’s alleged injuries arising from the risk of future harm are concrete.”

Marsh had no comment on the decision.

Under the ruling, plaintiffs have standing to sue if data accessed in a breach gets to a third party, said Peter A. Halprin, a partner with Pasich LLP in New York.

It is the latest decision by courts related to the issue. The 2nd Circuit panel cited the U.S. Supreme Court’s 2021 ruling in TransUnion LLC v. Ramirez, which, while not a case concerning a data breach, held that the “concrete injury” necessary to trigger damages can include intangible harm.

TransUnion significantly lowered the standard required to litigate data breach cases, said Sara H. Jodka, a member of Dickinson Wright LLP in Columbus, Ohio. “It’s opened the floodgates,” she said.

The 2nd Circuit also cited a 2022 ruling by the 3rd U.S. Circuit Court of Appeals in Philadelphia in Jennifer Clemens v. ExecuPharm Inc., which reached a similar conclusion in a case that was also filed by an ex-employee.

The Illinois Supreme Court also held in 2019 in Rosenbach v. Six Flags Entertainment Corp. that individuals do not have to allege injury or an adverse effect to successfully assert a violation of the Illinois Biometric Information Privacy Act. BIPA requires businesses that store biometric information to inform the subjects in writing that their data is being collected or stored.

In its July 2015 ruling in Hilary Remijas v. Neiman Marcus Group LLC, the 7th U.S. Circuit Court of Appeals in Chicago held that plaintiffs had met the standard set by the U.S. Supreme Court by showing there was a “substantial risk of harm” from a 2013 data breach.

The 2nd Circuit ruling “is an indicator of more plaintiff-friendly decisions” regarding claimants’ ability to proceed with litigation following cyber incidents, said Scott Godes, a partner with Barnes & Thornburg LLP in Washington.

“This is going to mark a greater shift towards courts finding standing in these sorts of cases,” said Dan Pepper, a partner with Norton Rose Fulbright US LLP in New York.

The ruling is further evidence of the importance of cyber risk as a corporate-level risk management issue, Mr. Godes said.

“You can minimize your cyber risk by encrypting as much sensitive information as humanly possible,” said Joshua Gold, a shareholder with Anderson Kill P.C. in New York.

He said one approach is to segregate and then restrict access to such data as much as possible.