It comes as no surprise that cybersecurity is at the forefront of business owners’ minds across the globe. Corporate cyberattacks were at an all-time high last year, up 50% year over year. The Cybersecurity and Infrastructure Security Agency reported in February that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.

Ransomware attacks against notable American companies have made headlines, and the actions of these companies in response to those attacks have caused controversy. The stakes are high, as a ransomware attack will cost a company an average total of $4.54 million. The U.S. Court of Appeals for the Third Circuit recently issued an important ruling in the cyber data space. On Sept. 2, the court held that a plaintiff successfully established standing after hackers accessed personal information (PI) from her former employer and published it on the dark web, without requiring her to prove she suffered any actual harm. See Clemens v. ExecuPharm. This ruling makes it easier for victims of identity theft to sue employers, vendors, or any other company that is the victim of a cybersecurity breach even before—or even if they never— experience provable financial harm. The Third Circuit’s decision is in keeping with other jurisdictions that have focused on the exposure of personally identifiable information as the actual harm, rather than a subsequent harm such as identity theft.