On July 20, 2015, the Seventh Circuit overturned a dismissal by the federal district court of Illinois stemming from a 2013 data breach at Neiman Marcus. In Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015), a putative class action involving a reported 350,000 impacted payment cards, the appeals court concluded that the widespread instances of actual misuse – including a reported 9,200 instances of fraudulent charges – were sufficient for the plaintiffs to show that they faced a substantial risk of future harm from the breach and thus had standing to sue. This decision marks the first time a court of appeals has opined on the standards for standing in data breach cases in the wake of the 2013 US Supreme Court case of Clapper v. Amnesty International. As we have previously reported, and as shown by the Zappos decision described below, Clapper's requirement that injury be "certainly impending" and not speculative frequently has been cited as a basis for dismissal of data breach plaintiffs' claims, particularly in the absence of actual misuse of their data.