The Illinois Supreme Court recently ruled that the named plaintiff in a putative data breach class action lacked standing to pursue her claims given that her private personal information had not actually been misused by a third party.

In Petta v. Christie Bus. Holdings Co., P.C., — N.E. 3d —, 2025 WL 287152 (Jan. 24, 2025), the plaintiff, on behalf of herself and a putative class, filed suit against Christie Clinic, a medical services provider, after receiving notice from the clinic that an unauthorized actor had accessed one of the clinic’s email accounts.  According to Christie Clinic’s notice, the email account “may have contained certain information related” to the plaintiff, including her Social Security number and medical insurance information, but as the notice explained, there was “no evidence of identity theft or misuse of [the plaintiff’s] personal information.”  Nonetheless, the plaintiff, on behalf of herself and the putative class, claimed that Christie Clinic violated state and federal privacy laws, including HIPAA and the FTC Act.  The plaintiff asserted that it did so by failing to reasonably protect her private personal information, purportedly leading to the data breach and the plaintiff’s alleged increased risk that her private personal information had been stolen.  The lower court rejected that argument, finding that the plaintiff’s increased risk of identify theft was too speculative of an injury to confer standing.  The Illinois Supreme Court affirmed.

According to the court, the plaintiff’s allegation that she and the other putative class members “faced an increased risk that their personal data was accessed by an unauthorized third party” was not a sufficiently concrete injury to confer standing.  The court also found that the named plaintiff’s allegation that, sometime after the data breach, her phone number had allegedly been used in an unauthorized loan application, was insufficient to confer standing.  According to the court, the plaintiff’s allegation that her publicly available phone number had been used in the loan application did not establish that her private personal information had been accessed or misused.

Ultimately, the Illinois Supreme Court’s conclusion—that the plaintiff’s alleged increased risk that her personal data had been stolen was too “speculative” to confer standing­—is in line with decisions by a number of courts in other jurisdictions requiring concrete harm, not just a risk of future harm, in the data breach context.