                                     PUBLISHED

                       UNITED STATES COURT OF APPEALS
                           FOR THE FOURTH CIRCUIT


                                      No. 17-1506



RHONDA L. HUTTON, O.D.; TAWNY P. KAEOCHINDA, O.D. on behalf of
themselves and all others similarly situated,

                    Plaintiffs – Appellants,

             v.

NATIONAL BOARD OF EXAMINERS IN OPTOMETRY, INC.,

                    Defendant – Appellee.



                                      No. 17-1508


NICOLE MIZRAHI, individually and on behalf of all others similarly situated,

                    Plaintiff – Appellant,

             v.

NATIONAL BOARD OF EXAMINERS IN OPTOMETRY, INC.,

                    Defendant – Appellee.


Appeals from the United States District Court for the District of Maryland, at Baltimore.
James K. Bredar, Chief District Judge. (1:16-cv-03025-JKB; 1:16-cv-03146-JKB)


Argued: January 23, 2018                                         Decided: June 12, 2018
Before NIEMEYER, KING, and DIAZ, Circuit Judges.


Vacated and remanded by published opinion. Judge King wrote the opinion, in which
Judge Niemeyer and Judge Diaz joined.


ARGUED: Norman E. Siegel, STUEVE SIEGEL HANSON, LLP, Kansas City, Missouri,
for Appellants. Claudia Drennen McCarron, MULLEN COUGHLIN LLC, Wayne,
Pennsylvania, for Appellee. ON BRIEF: Barrett J. Vahle, J. Austin Moore, STUEVE
SIEGEL HANSON, LLP, Kansas City, Missouri; Hassan A. Zavareei, TYCKO &
ZAVEREEI LLP, Washington, D.C., for Appellants Rhonda L. Hutton and Tawny P.
Kaeochinda. Michael Liskow, New York, New York, Carl Malmstrom, WOLF
HALDENSTEIN ADLER FREEMAN & HERZ, LLP, Chicago, Illinois; Donald J.
Enright, LEVI & KORSINSKY LLP, Washington, D.C., for Appellant Nicole Mizrahi.




                                       2
KING, Circuit Judge:

       These consolidated appeals arise from a breach of personal information maintained

in a database of the defendant, the National Board of Examiners in Optometry, Inc. (the

“NBEO”). Three optometrists, Rhonda L. Hutton, Tawny P. Kaeochinda, and Nicole

Mizrahi (the “Plaintiffs”), as representatives of the putative class of victims, specify in two

complaints that their personal information and that of the class members was stolen in the

NBEO data breach. Hutton and Kaeochinda joined in the initial complaint — which

underlies appeal No. 17-1506 — that was filed in the District of Maryland in August 2016.

It alleges five claims, including negligence, breach of contract, and breach of implied

contract. See Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc., No. 1:16-cv-3025 (D. Md.

Aug. 30, 2016), ECF No. 1 (the “Hutton Complaint”). 1 The complaint of plaintiff Mizrahi

— which underlies appeal No. 17-1508 — was filed in that court in September 2016, and

alleges claims of negligence, breach of contract, breach of implied contract, and unjust

enrichment. See Mizrahi v. Nat’l Bd. of Exam’rs in Optometry, Inc., No. 1:16-cv-3146 (D.

Md. Sept. 13, 2016), ECF No. 1 (the “Mizrahi Complaint”). 2 All the claims arise from the




       1
        In addition to the three claims identified above, the Hutton Complaint alleges two
California statutory claims. The alleged class of optometrists is defined as: (1) exam takers
of NBEO-administered exams whose personal information was compromised as a result of
the NBEO data breach discovered in July 2016; and (2) exam takers in California of
NBEO-administered exams whose personal information was compromised. See Hutton
Compl. ¶ 35.
       2
         We sometimes refer to the complaints as the “Hutton and Mizrahi Complaints,” or
as the “Complaints.”

                                              3
NBEO’s failure to adequately safeguard personal information of the Plaintiffs and the class

members.

       The district court dismissed the Complaints for lack of subject-matter jurisdiction,

based on a failure to establish that the Plaintiffs possessed Article III standing to sue. It

reasoned, inter alia, that the Complaints had not sufficiently alleged the necessary injury-

in-fact and that, in any event, they failed to sufficiently allege that any injuries suffered by

the Plaintiffs were fairly traceable to conduct of the NBEO. See Hutton v. Nat’l Bd. of

Exam’rs in Optometry, Inc., No. 1:16-cv-3025 (D. Md. Mar. 22, 2017), ECF No. 19 (the

“Opinion”). The Plaintiffs have appealed the judgments of dismissal and the appeals have

been consolidated. As explained below, we are satisfied that the Plaintiffs have standing

to sue and therefore vacate and remand.



                                               I.

                                              A.

       In July 2016, optometrists across the United States noticed that Chase Amazon Visa

credit card accounts had been fraudulently opened in their names. See Hutton Compl. ¶ 2;

see also Mizrahi Compl. ¶ 2. 3 The creation of those fraudulent accounts — which required

the use of an applicant’s correct social security number and date of birth — convinced



       3
         The facts recited herein are drawn from the Hutton and Mizrahi Complaints. We
take the allegations of those Complaints as true and draw all reasonable inferences in favor
of the Plaintiffs. See Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250,
253 (4th Cir. 2009).

                                               4
several of the victims that data containing their personal information had been stolen. See

Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 21. The victims discussed the thefts among

themselves in Facebook groups dedicated to optometrists, including, for example, a group

called “ODs on Facebook.” See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 2. The

optometrists determined that the only common source amongst them and to which they had

all given their personal information — including social security numbers, names, dates of

birth, addresses, and credit card information — was the NBEO, where every graduating

optometry student had to submit their personal information to sit for board-certifying

exams. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 3. Although the victim

optometrists identified other possible sources for the data breach — for example, the

American Optometric Association, the American Academy of Optometry, and the

Association of Schools and Colleges of Optometry — those organizations had not collected

or stored social security numbers, or they confirmed that their databases had never been

breached. See Hutton Compl. ¶ 16; see also Mizrahi Compl. ¶ 23.

       The NBEO soon became aware of the concerns and suspicions of the victim

optometrists. On August 2, 2016, the NBEO released a statement on its Facebook page

asserting that, “[a]fter a thorough investigation and extensive discussions with involved

parties,” the NBEO had determined that its “information systems [had] NOT been

compromised.” See Mizrahi Compl. ¶ 4, 25. Two days later, however, the NBEO revised

that view, posting a second statement on Facebook asserting that it had decided to further

“investigate whether personal data was stolen from [its] information systems to support the

perpetrators’ fraud on individuals and Chase.” See Hutton Compl. ¶¶ 3, 17; see also

                                            5
Mizrahi Compl. ¶¶ 5, 26. Three weeks later, on August 25, 2016, the NBEO revised its

earlier announcements “with a cryptic message stating its internal review was still ongoing

and that it may take a number of additional weeks to complete.” See Hutton Compl. ¶ 17.

The NBEO also advised the victims to “remain vigilant in checking their credit.” Id.

       On August 30, 2016, Hutton and Kaeochinda initiated their civil action in the

District of Maryland, pursuant to codified provisions of the Class Action Fairness Act. See

28 U.S.C. § 1332(d)(2). Two weeks later, Mizrahi initiated her own civil action in the

same court. Hutton, Kaeochinda, and Mizrahi alleged that their personal information, and

that of the class members, had been compromised in a breach of the NBEO’s database.

The Plaintiffs — on behalf of themselves and the putative class — sought damages,

restitution, and injunctive relief. See Hutton Compl. ¶ 4; see also Mizrahi Compl. ¶ 8.

       Hutton, a resident of Kansas, had submitted her personal information to the NBEO

in 1998 when she registered to take a professional optometry licensure examination.

Eighteen years later, on August 5, 2016, Hutton received by mail a Chase Amazon Visa

credit card for which she had not applied. See Hutton Compl. ¶ 5. Although “Hutton” was

her married name in 2016, the Chase credit card account was opened in her maiden name,

which she had used in 1998 in registering with the NBEO. Id. Hutton alleges that, as a

result of her personal information being compromised, she faces an increased risk of

identity theft and fraud. Id. Hutton also alleges that she has spent “time and money putting

credit freezes in place with the credit reporting agencies Experian, TransUnion, and

Equifax.” Id.



                                             6
       Kaeochinda, Hutton’s co-plaintiff, is a resident of California. She submitted her

personal information to the NBEO between 2006 and 2008 — under an earlier married

name — in connection with an optometry licensure examination. See Hutton Compl. ¶ 6.

On August 1, 2016, Kaeochinda learned that someone had fraudulently applied for a Chase

Amazon Visa credit card account using, among other personal information, her earlier

married name. Id. Like Hutton, Kaeochinda alleges that she faces an imminent threat of

future harm from identity theft and fraud. Id. Kaeochinda also maintains that she has spent

time and money putting credit freezes in place, and by “filing reports with the FTC, FBI,

IRS, and her local police department.” Id.

       Plaintiff Mizrahi alleges that, after learning of the NBEO data breach, she began

monitoring her credit score and alerted the credit reporting agency TransUnion to the

potential fraudulent use of her personal information. See Mizrahi Compl. ¶ 32. Mizrahi

also alleges that, on about August 27, 2016, a credit monitoring service advised her that

her credit score had fallen by eleven points due to a credit card application filed under her

name just one day earlier. Id. On about September 2, 2016, Mizrahi received a letter from

Chase bank advising her of steps to be taken to protect her personal information that may

have been compromised, but not specifically stating that any such compromise had

occurred. Id. at ¶ 33. When Mizrahi contacted Chase about the letter, a bank representative

advised her that a credit card application had been submitted on August 26, 2016, seeking

to open a Chase Amazon Visa credit card. The application had used Mizrahi’s address,

social security number, and her mother’s maiden name. Id. at ¶ 34. The Mizrahi Complaint

alleges that the Chase bank representative informed Mizrahi that the decrease in her credit

                                             7
score was only temporary, but could not be reversed for approximately sixty days. Id.

Mizrahi alleges that she thereafter needed to “send certified letters to Chase, the major

credit reporting companies, and others to inform them of this unauthorized event.” Id. at

¶ 35. Sending the letters first required Mizrahi to engage in the “laborious process” of

“acquiring the necessary documentation, including a police report.” Id.

                                              B.

       On October 22, 2016, the NBEO moved in the district court to dismiss both

Complaints. The motion sought relief pursuant to Federal Rule of Civil Procedure

12(b)(1), for lack of Article III standing to sue, and under Rule 12(b)(6), for failure to state

a claim upon which relief can be granted. On November 2, 2016, the NBEO moved to

consolidate the two civil actions. By its Opinion of March 22, 2017, the court dismissed

both Complaints pursuant to Rule 12(b)(1), ruling that it did not possess subject-matter

jurisdiction due to the Plaintiffs’ lack of standing. The Opinion then concluded that the

other grounds for dismissal, as well as the motions to consolidate, were moot. See Op. 2. 4

In dismissing for lack of standing, the court relied primarily on our decision in Beck v.

McDonald. See 848 F.3d 262 (4th Cir. 2017).

       As the Opinion properly recognized, in order to possess standing to sue under

Article III of the Constitution, the Plaintiffs were obliged to sufficiently allege three



       4
        The Opinion incorrectly stated that the Plaintiffs — Hutton, Kaeochinda, and
Mizrahi — had moved to consolidate the two lawsuits. See Op. 2 (“[T]he Court will find
moot Plaintiffs’ motions to consolidate.”). In fact, it was the defendant NBEO that had
moved to consolidate.

                                               8
elements: (1) they suffered an injury-in-fact that was concrete and particularized and either

actual or imminent; (2) there was a causal connection between the injury and the

defendant’s conduct (i.e. traceability); and (3) the injury was likely to be redressable by a

favorable judicial decision. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61

(1992). 5 The Opinion addressed two of those elements, the injury-in-fact element and the

traceability element. It first concluded that the Plaintiffs had failed to sufficiently allege

that they suffered an injury-in-fact because, even if the NBEO had confirmed an actual

data breach, the Plaintiffs had “incurred no fraudulent charges” and “had not been denied

credit or been required to pay a higher interest rate for credit they received.” See Op. 8.

The district court reasoned that the Complaints simply alleged speculative harms that could

only occur in the future. Id. Relying on Beck, the Opinion emphasized that the Plaintiffs

had “failed to establish standing either upon their asserted increased risk of identity theft

or upon their expenses to negate identity theft.” Id.

       Second, the Opinion explained that any alleged injury of the Plaintiffs was not

traceable to the NBEO, emphasizing that, “in all of the cases that have been cited by the

parties in the instant cases, an actual data breach had occurred and had been acknowledged

or announced by the entity whose data files had been breached.” See Op. 7. Elaborating,

the Opinion explained that the allegations in the Complaints “relied upon . . . online



       5
         As the Supreme Court has consistently emphasized, Article III of the Constitution
“limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies.’” See Lujan v.
Defenders of Wildlife, 504 U.S. 555, 559 (1992). The requirement that a Plaintiff possess
“standing to sue” emanates from that constitutional provision.

                                              9
conversations with other optometrists to conclude that NBEO suffered a data breach.” Id.

The Opinion then determined that the allegations in the Complaints “rest[ed] upon sheer

speculation.” Id. It recited that the Plaintiffs’ “speculation is mistakenly fueled by

NBEO’s announcements that it was looking into whether an intrusion occurred and that it

denies such in fact happened.” Id. In comparing the NBEO’s statements denying the data

breach to the denials of the other professional optometry organizations, the district court

reasoned that the “Plaintiffs do not explain why NBEO’s denial of a data breach is less

credible.” Id. Consequently, the Opinion ruled that the Plaintiffs had “failed to allege a

plausible inferential link” between providing their personal information to the NBEO and

their receipt of unsolicited credit cards. Id. at 8.

       Accordingly, the Opinion dismissed the Hutton and Mizrahi Complaints for lack of

Article III standing to sue for lack of subject-matter jurisdiction. Hutton and Mizrahi have

filed timely notices of appeal, and we possess appellate jurisdiction pursuant to 28 U.S.C.

§ 1291.



                                               II.

       We review de novo a district court’s dismissal of a complaint for lack of standing

to sue. See Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017). To possess standing, a

plaintiff must sufficiently allege the three elements identified by the Supreme Court. That

is, a plaintiff must allege that they have: “(1) suffered an injury-in-fact, (2) that is fairly

traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed

by a favorable judicial decision.” See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).

                                               10
In evaluating a class action complaint, “we analyze standing based on the allegations of

personal injury made by the named plaintiffs.” See Beck, 848 F.3d at 269 (citing Doe v.

Obama, 631 F.3d 157, 160 (4th Cir. 2011)). And class plaintiffs cannot meet their burden

to establish standing “[w]ithout a sufficient allegation of harm to the named plaintiff in

particular.” Id. (quoting Doe, 631 F.3d at 160). When a complaint is evaluated at the

pleading stage, however, “general factual allegations of injury resulting from the

defendant’s conduct may suffice, for on a motion to dismiss we presume that general

allegations embrace those specific facts that are necessary to support the claim.” See Lujan

v. Defenders of Wildlife, 504 U.S. 555, 561 (1992) (internal quotation marks and alterations

omitted). Accordingly, “we accept as true” the “allegations for which there is sufficient

‘factual matter’ to render them ‘plausible on [their] face.’” See Beck, 848 F.3d at 270

(quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)).



                                              III.

                                              A.

       In these appeals, the Plaintiffs seek a reversal of the district court’s dismissal of the

Hutton and Mizrahi Complaints for lack of standing to sue. They primarily argue that the

court erred by making factual determinations to support its ruling. More specifically, the

Plaintiffs maintain that they made sufficient allegations of injury-in-fact deriving from the

NBEO data breach that are not at all speculative. The Plaintiffs argue that, if their

allegations had been accepted by the court, their actual and impending injuries flowing

from the NBEO’s failure to properly protect their personal information were sufficiently

                                              11
alleged. The Plaintiffs also maintain that their injuries are fairly traceable to the NBEO’s

conduct, because the allegations of the Complaints extensively tie the NBEO to the data

breach. The Plaintiffs also assert that the court misapplied the Article III standing

requirements by misconstruing our decision in Beck v. McDonald. See 848 F.3d 262 (4th

Cir. 2017).

       On the other hand, the NBEO asks us to affirm the dismissal ruling in the district

court’s Opinion. The NBEO contends that the Plaintiffs’ assignment of blame to the NBEO

is fatally flawed, in that their allegations derive from discussions in Facebook groups and

assume that the personal information divulged in the NBEO data breach had a single

source. 6 The NBEO maintains that the Opinion was correctly decided, and that the

allegations of an NBEO data breach are speculative and conclusory.

                                             B.

       As we recently explained in a standing to sue analysis, it “is established that a

complaint must contain sufficient factual matter, accepted as true, to state a claim to relief

that is plausible on its face.” See Nanni v. Aberdeen Marketplace, Inc., 878 F.3d 447, 452

(4th Cir. 2017) (internal quotation marks and citations omitted). Challenges to subject-

matter jurisdiction can be presented either facially or factually. See Kerns v. United States,



       6
        For example, the NBEO rejects the proposition that a fraudulent Chase Amazon
Visa credit card account was opened in 2016 in Hutton’s maiden name — which she had
provided to the NBEO eighteen years earlier in 1998. According to the NBEO, it is a “fair
inference” that Hutton shared that name universally before marrying. See Br. of Appellee
at 14.


                                             12
585 F.3d 187, 192 (4th Cir. 2009). 7       In this litigation, the NBEO interposes facial

challenges to the Plaintiffs’ jurisdictional allegations with respect to the first two standing

to sue elements. The NBEO contends that the Complaints, on their face, fail to make

allegations sufficient to satisfy the Plaintiffs’ burden of establishing that they suffered an

injury-in-fact that is fairly traceable to the conduct of the NBEO. See Spokeo, Inc. v.

Robins, 136 S. Ct. 1540, 1547 (2016). 8 Because injury-in-fact and traceability are the only

standing elements challenged by the NBEO, we focus on those two elements.

                                              1.

       First, we assess the injury-in-fact question. To establish an injury-in-fact, the

Plaintiffs must show that they “suffered ‘an invasion of a legally protected interest’ that is

‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’”

See Spokeo, 136 S. Ct. at 1548 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560

(1992)). As we explained in Beck,


       7
        In pursuing a facial challenge, the defendant must show that a complaint fails to
allege facts upon which subject-matter jurisdiction can be predicated. See Beck v.
McDonald, 848 F.3d 262, 270 (4th Cir. 2017). In a factual challenge, on the other hand,
the defendant maintains that the jurisdictional allegations of the complaint are not true. Id.
       8
         The Opinion did not reach or resolve the third element of Article III standing to
sue, that is, redressability. And the NBEO had not pursued any contention concerning
redressability in the district court. The Plaintiffs, on the other hand, argue on appeal that
it is uncontested that an award of the relief requested will redress their injuries. See Br. of
Appellant at 32. Their redressability contention is apparent in the allegations of the
Complaints that seek, inter alia, damages and restitution. See Hutton Compl. ¶ 4; see also
Mizrahi Compl. ¶ 8. Indeed, in a breach of data case, “there is no reason to believe that
monetary compensation will not return plaintiffs to their original position completely.” See
Beck v. McDonald, 848 F.3d 262, 274 n.5 (4th Cir. 2017) (internal quotation marks
omitted).

                                              13
       while it is true that threatened rather than actual injury can satisfy Article III
       standing requirements, . . . not all threatened injuries constitute an injury-in-
       fact. Rather, as the Supreme Court has emphasized repeatedly, an injury-in-
       fact must be concrete in both a qualitative and temporal sense. The
       complainant must allege an injury to himself that is distinct and palpable, as
       opposed to merely abstract.

See Beck, 848 F.3d at 271 (internal quotation marks and citations omitted). As we also

explained, the imminence of an injury, although “concededly a somewhat elastic concept,

. . . cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not

too speculative for Article III purposes.” Id. (quoting Lujan, 504 U.S. at 564-65 n.2). And

where a plaintiff has made no allegations that show a sufficiently imminent threat of injury

from future identity theft, the plaintiff’s “contention of an enhanced risk of future identity

theft” is simply “too speculative.” Id. at 274.

       We reasoned in Beck that a plaintiff fails to “establish Article III standing based on

the harm from the increased risk of future identity theft and the cost of measures to protect

against it.” See Beck, 848 F.3d at 266. We emphasized that a mere compromise of personal

information, without more, fails to satisfy the injury-in-fact element in the absence of an

identity theft. Id. at 274-75. The situations in these consolidated appeals, however, are

readily distinguishable from that in Beck. In Beck, the plaintiffs alleged only a threat of

future injury in the data breach context where a laptop and boxes — containing personal

information concerning patients, including partial social security numbers, names, dates of

birth, and physical descriptions — had been stolen, but the information contained therein

had not been misused. The Plaintiffs in these cases, on the other hand, allege that they

have already suffered actual harm in the form of identity theft and credit card fraud. The


                                              14
Plaintiffs have been concretely injured by the data breach because the fraudsters used —

and attempted to use — the Plaintiffs’ personal information to open Chase Amazon Visa

credit card accounts without their knowledge or approval. Accordingly, there is no need

to speculate on whether substantial harm will befall the Plaintiffs.

       By way of example, the Hutton Complaint specifies that Hutton received an

unsolicited Chase Amazon Visa credit card that was applied for using her social security

number and her maiden name (the name that she had provided to the NBEO in 1998).

Around the same time, Kaeochinda learned that someone had applied for a Chase credit

card using her social security number and former married name. Mizrahi also actually

received an alert that her credit score had decreased eleven points due to a credit application

that was fraudulently filed with Chase, using her address, social security number, and

mother’s maiden name. She had to spend time and resources to repair her credit. The

Plaintiffs do not allege that they suffered fraudulent charges on their unsolicited Chase

Amazon Visa credit cards, but the Supreme Court long ago made clear that “[i]n

interpreting injury in fact . . . standing [is] not confined to those who [can] show economic

harm.” See United States v. Students Challenging Regulatory Agency Procedures, 412

U.S. 669, 686 (1973).

       At a minimum, Plaintiffs have sufficiently alleged an imminent threat of injury to

satisfy Article III standing. On that score, these cases stand in stark contrast to Beck, where

we concluded that the threat was speculative because “even after extensive discovery”

there was “no evidence that the information contained on [a] stolen laptop [had] been

accessed or misused or that [the plaintiffs had] suffered identity theft.” See Beck, 848 F.3d

                                              15
at 274. In fact, there was no evidence that the thief even stole the laptop with the intent to

steal private information. Id. Here, the Plaintiffs allege that their data has been stolen,

accessed, and used in a fraudulent manner.

       And although incurring costs for mitigating measures to safeguard against future

identity theft may not constitute an injury-in-fact when that injury is speculative, see Beck,

848 F.3d at 276, the Court has recognized standing to sue on the basis of costs incurred to

mitigate or avoid harm when a substantial risk of harm actually exists, see Clapper v.

Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013). The Hutton and Mizrahi Complaints

both allege that the Plaintiffs incurred out-of-pocket costs. And the Plaintiffs also suffered

time lost in seeking to respond to fallout from the NBEO data breach. Indeed, they had to

purchase credit monitoring services, and they had to notify credit reporting agencies and

the IRS of the data breach of their personal information. Because the injuries alleged by

the Plaintiffs are not speculative, the costs of mitigating measures to safeguard against

future identity theft support the other allegations and together readily show sufficient

injury-in-fact to satisfy the first element of the standing to sue analysis. 9

                                               2.

       Second, we address the traceability of the NBEO’s conduct to the injuries and harms

alleged in the Complaints. The Supreme Court in Ashcroft v. Iqbal concluded that “[a]


       9
         The Plaintiffs also allege that they face impending injuries due to the NBEO’s
continuing failure to secure their personal information now in the organization’s
informational systems. Because the Plaintiffs have incurred actual harm by receiving
unsolicited credit cards — and in at least one instance incurring a credit score decrease —
the Plaintiffs have shown more than the mere compromise of their personal information.

                                               16
pleading that offers labels and conclusions or a formulaic recitation of the elements of a

cause of action will not do. Nor does a complaint suffice if it tenders naked assertions

devoid of further factual enhancement.” See 556 U.S. 662, 678 (2009) (internal quotation

marks and citations omitted). With respect to the traceability element, the Court has

reasoned that

       [t]he injury must be fairly traceable to the challenged action, and relief from
       the injury must be likely to follow from a favorable decision. . . . These terms
       cannot be defined so as to make application of the constitutional standing
       requirement a mechanical exercise.

See Allen v. Wright, 468 U.S. 737, 751 (1984) (internal quotation marks and citations

omitted). Therefore, “[p]leadings must be something more than an ingenious academic

exercise in the conceivable.” See Students Challenging Regulatory Agency Procedures,

412 U.S. at 687. We have concluded that the “fairly traceable standard is not equivalent to

a requirement of tort causation.” See Friends of the Earth, Inc. v. Gaston Cooper Recycling

Corp., 204 F.3d 149, 161 (4th Cir. 2000) (internal quotation marks omitted).

       The Complaints contain allegations demonstrating that it is both plausible and likely

that a breach of the NBEO’s database resulted in the fraudulent use of the Plaintiffs’

personal information, resulting in their receipt of unsolicited Chase Amazon Visa credit

cards. The Complaints allege that a group of optometrists from around the country began

to notice that fraudulent Chase accounts were being opened in their names in July 2016.

For example, in August 2016, Hutton and Kaeochinda received their unsolicited Chase

Amazon Visa credit cards. Hutton’s fraudulent credit card was applied for in her maiden

name — which she had provided to the NBEO eighteen years earlier. Kaeochinda’s


                                             17
unsolicited Chase credit card was applied for in her former married name, which she had

provided to the NBEO several years earlier. In August 2016, Mizrahi was informed by a

credit monitoring service of an effort to open a fraudulent credit card account in her name,

using personal information she had previously provided to the NBEO in registering for a

professional examination.    Notably, the Plaintiffs allege that, amongst the group of

optometrists, the NBEO is the only common source that collected and continued to store

social security numbers that were required to open a credit card account, and also stored

outdated personal information (such as maiden names and former married names) during

the relevant time periods. Furthermore, other national optometry organizations do not

gather or store Social Security numbers, or have investigated and confirmed that their

databases have not been breached.

       Put simply, the Complaints contained sufficient allegations that the NBEO was a

plausible source of the Plaintiffs’ personal information. Accordingly, the Complaints

contain “sufficient factual matter” to render the Plaintiffs’ allegations plausible on their

face with respect to traceability. See Beck, 848 F.3d at 270.

       In these circumstances, the standing elements of injury-in-fact and traceability are

both sufficiently alleged in the Complaints.        And the third standing element —

redressability — has not been and is not contested by the NBEO. As a result, the district

court erred in dismissing the Complaints for lack of standing to sue.




                                            18
                                           IV.

      Pursuant to the foregoing, we vacate the judgment of the district court and remand

for such other and further proceedings as may be appropriate.

                                                          VACATED AND REMANDED




                                           19
