Illinois Appellate Decisions Highlight Evolving Landscape of Data Breach Litigation

Illinois is a major destination for putative class actions arising out of data incidents such as ransomware and other attacks. The cases rarely involve actual demonstrable misuse of personal identifying information (PII). Instead, plaintiffs allege that third parties’ unauthorized access to their PII carries sufficient risk of future harm to sue.

Two recent decisions of the Illinois Appellate Court showcase the evolving landscape of data breach class actions in Illinois as well as other states, and emphasize the importance of closely reviewing the facts actually alleged in such cases, and developing a litigation strategy to address those facts.

Most recently, in Petta v. Christie Business Holding Co., the Illinois Appellate Court for the Fifth District (which encompasses a large section of Southern and Central Illinois) affirmed the dismissal of two plaintiffs’ claims arising from a ransomware incident. The Fifth District ruled that both plaintiffs lacked standing to sue because their alleged injuries were not “fairly traceable” to the PII allegedly accessed in the ransomware incident. Following a decision of the Second District, Maglio v. Advocate Health & Hospitals Corp., the Fifth District ruled that “speculative fear” of increased risk of harm did not provide standing to sue.

Importantly, the Petta court then went a bit farther, holding that even where a plaintiff alleges specific PII that was accessed and ensuing “suspicious activity” like fraudulent loan applications, the plaintiff still must expressly “trace the fraudulent activity back to the defendant’s actions.” The Fifth District ruled that the plaintiffs had not done so because they had only alleged access to PII that was publicly available – “anyone could have committed the fraud using the same readily available public information.” The Petta court also expressed skepticism that the plaintiff had a viable claim against the company victimized by a third party’s intervening acts to steal data.

Petta provides an important counterweight to a recent, factually-distinct decision of the First District (which encompasses Chicago and Cook County, Illinois), Flores v. Aon Corp. In Flores, the First District reiterated the principle that a “mere risk of increased risk of identity theft is not enough.” However, considering various allegations made by the plaintiffs, the First District held that the Flores plaintiffs had made “sufficient allegations to establish that the fraudulent payments were fairly traceable to the data breach for the purposes of standing.” The allegations at issue included the possibility that sensitive information like payment card information was misused, attempted fraudulent charges, and allegations that the defendant was sophisticated in cybersecurity matters.

In summary, Petta and Flores show that the Illinois state courts are taking a relatively nuanced view of the allegations in data breach cases, and whether they are sufficient to provide standing to sue. In some ways, the Illinois state courts are applying a more restrictive view of standing than the Illinois federal courts, but that could continue to evolve.

Finally, the Illinois Supreme Court has repeatedly shown interest in civil litigation standing issues. In the last few years, three times it has granted leave to appeal standing rulings in putative class actions; in all of those cases, the defendant had challenged whether the harm suffered by the plaintiff was sufficient to allow the plaintiff to sue. The first two cases settled while on appeal; the third, Fausett v. Walgreen Co., is currently before the court. (Shook filed an amicus brief in that matter on behalf of the United States Chamber of Commerce and Illinois Chamber of Commerce). Although Fausett is not a data privacy case, depending on the scope of the Supreme Court’s ruling, it could lead to additional new Illinois case law on standing issues pertinent to data privacy cases. Or the court could take up the issue of standing in data privacy litigation separately. Stay tuned.