Illinois Supreme Court casts doubt on viability of data breach class actions
The Illinois Supreme Court recently held that a plaintiff in a data breach class action lacked standing, reasoning that an increased risk of future harm is not injury-in-fact and that a loan application using publicly available information did not show her private information had been stolen or misused. The case contains numerous points of interest for practitioners defending such cases or assisting clients with responding to data security incidents.
Key points of case:
Plaintiff Rebecca Petta sued Christie Business Holdings Company, P.C., doing business as Christie Clinic (Christie) after she received a letter from Christie notifying her that a third party had gained unauthorized access to one of its email accounts in an effort to intercept a transaction between Christie and a vendor. The letter stated that Christie retained a forensic firm to investigate the incident, but that the firm could not verify whether the third party had accessed any emails in the account. The letter thus noted that the firm examined “whether protected information was potentially impacted,” concluding that “‘the impacted account MAY have contained certain information related’ … to Petta, including her Social Security number and medical insurance information.”
Petta’s complaint asserted claims for negligence, negligence per se, and a violation of the Personal Information Protection Act (815 ILCS 530/1 et seq. (West 2020)). Her complaint did not allege that she had suffered any economic loss as a result of the incident, but alleged that she had received numerous phone calls regarding an unauthorized loan application made in someone else’s name but using Petta’s phone number and city of residence. After the trial court dismissed Petta’s complaint for failure to state a claim, the Illinois Appellate Court, Fifth District affirmed the dismissal on the grounds that Petta lacked standing to sue.
The Illinois Supreme Court took the case and agreed that Petta lacked standing. The court noted that standing requires “injury in fact,” which must be “(1) distinct and palpable, (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.” (cleaned up). It further noted that an alleged injury must be “concrete,” and that “a plaintiff alleging only a ‘purely speculative’ future injury or where there is no ‘immediate danger of sustaining a direct injury’ lacks a sufficient interest to have standing.” In holding that Petta lacked standing, the court emphasized that the letter Petta received stated “only that Petta’s private personal data … may have been exposed to a third party,” and not “that this data was actually acquired by a third party.” In fact, the court went on, “according to the letter, Christie’s investigation revealed that the unauthorized third party was attempting to intercept a financial transaction, not steal patients’ private personal information.”
Those statements in the letter led the court to conclude that “the primary factual allegation of the complaint is that Petta and the other members of the putative class faced only an increased risk that their private personal data was accessed by an unauthorized third party.” The court concluded that, for a plaintiff seeking damages, “such an allegation of an increased risk of harm is insufficient to confer standing.”
The court also specifically rejected Petta’s argument that the loan application, using some of her publicly available information, created injury in fact. It pointed out that Petta’s private personal data, such as her Social Security number, was not used in the application, and so the application was not “an instance of someone stealing Petta’s identity or an indication that an unauthorized third party had acquired Petta’s private, personally identifiable information.” Additionally, the court noted that this allegation pertained only to Petta, and observed that although the Illinois Supreme Court had not yet resolved whether all absent class members must have standing to certify a class, the United States Supreme Court has held that every class member must have standing.
Practitioner takeaways:
Petta has several points of interest for lawyers defending data breach class actions in Illinois, as well as lawyers assisting clients with their response to data security incidents.
- Petta creates a viable basis for a motion to dismiss many data breach complaints for lack of standing under Section 2-619(a)(9). Many plaintiffs rely on similar allegations of injury to those in Petta—an increased risk of future harm, sometimes coupled with allegations of an increase in spam calls or creation of accounts that use publicly available information—which do not suffice to confer standing.
- A dismissal for lack of standing is a non-merits dismissal that would not preclude the plaintiff from refiling in another forum, such as federal court. Defense counsel should consider whether jurisdiction exists elsewhere before moving to dismiss for lack of standing. Although federal law on standing in some Circuits takes a broader view of “injury in fact” for data-breach plaintiffs than Petta, counsel should consider whether at least one-third of class members are concentrated in the same state as the defendant such that exceptions to jurisdiction under the Class Action Fairness Act might apply. Those exceptions could lead to dismissal of plaintiff’s claims for lack of jurisdiction even if the plaintiff has standing under federal law.
- Even where the named plaintiff’s injury is adequately alleged, Petta may still prove helpful, as it could be read as favorably pointing to federal law requiring all absent class members to have standing. That inquiry will often present an individualized issue, which can be used to fracture the class and support arguments opposing class certification.
- Petta also demonstrates how incident-response counsel can help shape positive litigation outcomes by being careful and precise in the language they put in notification letters sent to those potentially affected by an incident. The court homed in on the letter’s uncertainty about whether the plaintiff’s information was exposed—conveyed by the word “may”—as well as statements about the apparent motivation for the threat actor’s breach (interception of a transaction instead of stealing personal information to use in identity theft).
The case is Petta v. Christie Business Holdings Company, P.C., d/b/a Christie Clinic, 2025 IL 130337.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.