In an unusual turn for recent data breach class action cases, the Seventh Circuit this week found that a likely threat of identity theft is sufficient for a proposed class to have standing to sue Neiman Marcus for a cyber-hacking incident that affected 350,000 card holders in January of 2014.
The lower Court dismissed the case in September of 2014 because the plaintiffs failed to demonstrate the concrete injury needed to establish Article III standing. The Seventh Circuit reversed, stating that a “substantial risk” of harm is sufficient for standing. The Court noted that 9200 of the affected cards had been fraudulently used after the hacking.
In addition, the Court stated that “allegations of future harm can establish Article III standing if the harm is ‘certainly impending’ but ‘allegations of possible future injury are not sufficient,’” citing Clapper v. Amnesty Int’l USA. The Court found that although the plaintiffs were reimbursed for any fraudulent charges, and there is presently no indication that their identities have been stolen, the plaintiffs have spent time and money replacing cards and monitoring their credit score, which is a material factual dispute sufficient to withstand a Motion to Dismiss. It held that “[A]t this stage of the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.”