The U.S. District Court for the Northern District of Georgia ruled that financial institutions may continue their suit against Home Depot related to a data breach it suffered in 2014. The breach of Home Depot’s payment data systems affected more than 50 million people who used payment cards at self-checkout lanes in Home Depot stores from April to September 2014. The court found the financial institutions had standing because they had alleged actual harm related to cancelling and reissuing cards compromised in the breach, investigating and refunding fraudulent charges, providing customer fraud monitoring, and costs due to lost interest and transaction fees from reduced card usage. It also found the financial institutions could proceed with their claims of negligence and negligence per se and their request for a declaratory judgment based on Home Depot’s alleged continuing data insecurity. In the course of reaching these decisions, the court adopted some strikingly broad theories that could prove quite damaging to data breach defendants (including financial institutions, when they are the breached parties).