Navigating Standing Considerations in Data Breach Class Actions

The growing prevalence of data breaches has led to an uptick in class action litigation based on consumers' personal information allegedly being accessed. A common theme emerging in these lawsuits is plaintiffs claiming that they were injured as a result of the breach due to an increased risk of identity theft. However, an increased risk of future harm does not mean the harm will necessarily materialize.

Defining Actual Injury in Data Breach Claims

Indeed, not all data breaches result in identity theft—or even any harm at all. This raises the question: What qualifies as an actual injury for a plaintiff to bring claims based on a data breach? State and federal courts are addressing this question in data breach class actions. Sometimes, the decisions appear to conflict.

Article III Standing Requirements

The Article III standing requirement for subject matter jurisdiction in federal court requires plaintiffs to allege that they have:

(i) suffered an injury in fact,

(ii) that is fairly traceable to the challenged conduct and

(iii) that is likely to be redressed by a favorable decision.

See Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). In 2021, the Supreme Court held that the plaintiffs did not have standing to sue for damages based merely on an increased risk of future harm. TransUnion LLC v. Ramirez, 594 U.S. 413, 437-38 (2021). Since the TransUnion decision, district courts within the Seventh Circuit have taken nuanced positions regarding what is a sufficient injury for a data breach plaintiff.

Kim v. McDonald's USA, LLC – Northern District of Illinois

For instance, in Kim v. McDonald's USA, LLC, the Northern District of Illinois held that the expenses the plaintiffs incurred to mitigate potential fraud following a data breach did not qualify as a sufficient injury to confer standing. No. 21-CV-05287, 2022 U.S. Dist. LEXIS 174276, at *19-20 (N.D. Ill. Sept. 27, 2022).

The plaintiffs in Kim alleged that they were at risk for phishing scams and other identity fraud, but there were no allegations that plaintiffs were actually victims of a phishing attack or identity theft, and the plaintiffs' compromised data contained only non-sensitive information (emails, phone numbers, and mailing addresses). Id. at *14-15.

The court held that mitigation expenses only qualified as "actual injuries" for purposes of conferring standing "when the harm is imminent," and there was no such imminent harm here when the compromised data was not sensitive, and no plaintiff fell victim to an attack or scam. Id. at *18. Otherwise, plaintiffs could "manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." Id. (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 416 (2013)).

Mondelez Data Breach Litigation – Northern District of Illinois

On the other hand, a different court in the Northern District of Illinois recently held that mitigation expenses were sufficient to confer standing, even though, like in Kim, the Mondelez plaintiffs did not allege that their data was actually misused. In re Mondelez Data Breach Litigation, No. 23 C 3999, No. 23 C 4249, 2024 U.S. Dist. LEXIS 97948, at *10-11 (N.D. Ill. June 3, 2024).

Mondelez heavily relied on pre-TransUnion Seventh Circuit cases where, again, the plaintiffs did allege misuse of their data—i.e., fraudulent charges on a credit or debit card number that was exposed as a result of the breach—but Mondelez did not acknowledge that factual distinction. See Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).

Illinois and Wisconsin state courts are applying similar principles as federal courts when assessing whether plaintiffs have standing to assert claims following a data breach.

Petta v. Christie Bus. Holding Co. – Illinois Supreme Court

In Petta v. Christie Bus. Holding Co., the plaintiff alleged that she "experienced suspicious behavior in connection with her phone number and address" following the data breach, namely, that her phone number and address were "used in connection with a loan application…in someone else's name" and she received "multiple phone calls" regarding "loan applications she did not initiate." 2025 IL 130337, ¶ 9.

The Illinois Supreme Court agreed in a 7-0 decision that Petta had not alleged an injury in fact, refusing to find that the loan application was evidence of identity theft "or an indication that an unauthorized third party had acquired Petta's private, personally identifiable information," because the plaintiff did not allege that her private, personal information was used in the application. Id. ¶ 24.

The court also noted that the letter notifying the plaintiff of the data breach indicated that she "faced only an increased risk that [her] private personal data was accessed by an unauthorized third party." Id. ¶¶ 20-21. Moreover, the loan application could not be "fairly traceable" to the defendant's conduct because there was "no apparent connection between the purported fraudulent loan attempt and the data breach at issue." Id. ¶ 25.

Reetz v. Advocate Aurora Health, Inc. – Wisconsin Appellate Court

In Reetz v. Advocate Aurora Health, Inc., the Wisconsin Court of Appeals held that the plaintiff had standing due to a data breach because some of her information exposed in the breach—her Social Security number, birth date, address, and bank account information—was misused, resulting in her incurring $2,700 worth of fraudulent charges and a $600 overdraft fee on her bank account. 405 Wis.2d 298, 311 (Ct. App. 2022).

In addition to the fraudulent charges and fees, the plaintiff also alleged injuries, which included spending time and money remediating the fraud attempts and the threat of future identity theft. Id.

Key Case Takeaways on Navigating Data Breach Claims

  • At a minimum, plaintiffs pursuing claims based on a data breach need to allege an injury that is more than a future, speculative harm (i.e., more than simply experiencing an increased risk of identity theft) in order to meet Article III standing requirements in federal court and oftentimes in state court.
  • Generally speaking, plaintiffs who allege their data was acquired by an unauthorized third party via a data breach and allege their data was misused will likely establish that they have standing to assert at least some claims.
  • However, plaintiffs should be unable to establish standing to assert any claims based on a data breach absent allegations that the plaintiffs' data was actually acquired by an unauthorized third party and that there was a misuse of the plaintiffs' nonpublic data fairly traceable to the data breach.