Recently, a three-judge panel for the Seventh Circuit unanimously reversed a lower court’s dismissal of a class action brought by a group of data breach victims. In Dieffenbach v. Barnes & Noble, Inc., the Northern District of Illinois found that the plaintiffs failed to adequately allege that a 2012 data breach suffered by Barnes & Noble resulted in any actual harm to the affected consumers. Therefore, the district court found that the plaintiffs failed allege an injury sufficient to establish Article III standing under the Supreme Court’s Spokeo standard.

The Seventh Circuit disagreed and held that the plaintiffs’ alleged injuries—including money spent on credit-monitoring services and time spent protecting themselves after the breach— were sufficient to establish actual harm for standing purposes. However, in doing so, the court also expressed doubt as to whether the class should be certified given the disparity in damages amongst the plaintiffs, or even whether these damages would be recoverable at trial.

TIP: The Seventh Circuit’s decision further muddies the water regarding the standard to which courts hold plaintiffs in establishing standing in data breach litigation. As we have previously written, a split exists amongst the courts regarding what constitutes “actual harm” following a breach under the Spokeo standard. This uncertainty makes a prompt and effective investigation following an actual or suspected breach all the more critical.