                              In the

    United States Court of Appeals
                For the Seventh Circuit
                    ____________________
No. 14-3700
JOHN LEWERT, on behalf of himself and all others similarly
situated, et al.,
                                      Plaintiffs-Appellants,

                                v.

P.F. CHANG’S CHINA BISTRO, INC.,
                                                Defendant-Appellee.
                    ____________________

        Appeal from the United States District Court for the
          Northern District of Illinois, Eastern Division.
        Nos. 14 C 4787, 14 C 4923 — John W. Darrah, Judge.
                    ____________________

    ARGUED JANUARY 13, 2016 — DECIDED APRIL 14, 2016
                    ____________________

    Before WOOD, Chief Judge, and BAUER and HAMILTON, Cir-
cuit Judges.
    WOOD, Chief Judge. About two months after they dined at
P.F. Chang’s China Bistro, in Northbrook, Illinois, John Lew-
ert and Lucas Kosner received the unwelcome news that the
restaurant’s computer system had been hacked and debit-
and credit–card data had been stolen. Lewert and Kosner
brought separate suits, which were later consolidated, seek-
2                                                   No. 14-3700

ing damages resulting from the theft on behalf of themselves
and a class. Concluding that they had not suffered the requi-
site personal injury, the district court dismissed for lack of
standing. FED. R. CIV. P. 12(b)(1). In light of Remijas v. Neiman
Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), we reverse and
remand for further proceedings.
                                I
    P.F. Chang’s operates a chain of restaurants throughout
the United States. On June 12, 2014, the company announced
that its computer system had been breached and some con-
sumer credit- and debit–card data had been stolen. At the
time, it did not know how many consumers were affected,
whether the breach was general or limited to specific loca-
tions, or how long the breach lasted. As a precaution, it
switched to a manual card–processing system at all locations
in the continental United States and encouraged its custom-
ers to monitor their card statements. News articles indicated
that the breach might have begun as far back as September
2013. Later that summer, on August 4, 2014, P.F. Chang’s an-
nounced that it had determined that data was stolen from
just 33 restaurants. The only affected restaurant in Illinois, it
reported, was at the Woodfield Mall in Schaumburg (a sub-
urb of Chicago).
    Kosner dined at a different P.F. Chang’s, located in
Northbrook, on April 21, 2014, and paid with his debit card.
On June 8, 2014, four fraudulent transactions were made
with the card he had used, and so he cancelled it immediate-
ly. Later in June, Kosner learned about the breach at P.F.
Chang’s. Putting two and two together, he noted that the
fraudulent charges on his card had appeared shortly after he
dined at P.F. Chang’s, and he drew the conclusion that his
No. 14-3700                                                   3

debit-card data were among those compromised by the
breach. Based on that concern, he purchased a credit moni-
toring service to protect against identity theft, including
against criminals using the stolen card’s data to open new
credit or debit cards in his name. He spent $106.89 on the
service.
    On April 3, 2014, Lewert dined at the same P.F. Chang’s in
Northbrook as Kosner later patronized. Lewert, too, paid
with his debit card. The consequences for Lewert were less
troubling: he did not spot any fraudulent charges on his
card, nor did he cancel his card and suffer the associated in-
convenience or costs. Lewert did allege, however, that after
P.F. Chang’s initially announced the breach in June 2014, he
spent time and effort monitoring his card statements and his
credit report to ensure that no fraudulent charges had been
made on that card and that no fraudulent accounts had been
opened in his name.
    Lewert and Kosner seek to represent a class of all similar-
ly situated customers whose payment data may have been
compromised. Their actions were consolidated on June 24,
2014. In the aggregate, the claims they assert on behalf of the
class exceed $5,000,000 in value. Minimal diversity exists:
Lewert and Kosner are citizens of Illinois, while P.F. Chang’s
is a Delaware corporation with its principal place of business
in Arizona. Putting to one side the central issue of Article III
standing, to which we return, the district court therefore had
jurisdiction under the Class Action Fairness Act (CAFA), 28
U.S.C. § 1332(d)(2). As we said, the district court dismissed
the consolidated action for lack of standing.
4                                                      No. 14-3700

                                 II
    We consider de novo the question whether a plaintiff sat-
isfies the standing criteria imposed by Article III of the Con-
stitution. Reid L. v. Ill. State Bd. of Educ., 358 F.3d 511, 515 (7th
Cir. 2004). The district court “must accept as true all material
allegations of the complaint, drawing all reasonable infer-
ences therefrom in the plaintiff’s favor, unless standing is
challenged as a factual matter.” Id. The plaintiffs, as the
“part[ies] invoking federal jurisdiction,” bear the burden of
establishing Article III standing. Lujan v. Defenders of Wildlife,
504 U.S. 555, 561 (1992). They must demonstrate that they
have “suffered a concrete and particularized injury that is
fairly traceable to the challenged conduct, and is likely to be
redressed by a favorable judicial decision.” Hollingsworth v.
Perry, 133 S. Ct. 2652, 2661 (2013) (citing Lujan, 504 U.S. at
560–61).

                                 A

    This is not our first time to examine standing in a case
involving a data breach. In Remijas v. Neiman Marcus Grp.,
LLC, 794 F.3d 688 (7th Cir. 2015), the high–end department
store Neiman Marcus experienced a data breach that poten-
tially exposed the payment–card data of all customers who
paid with cards during the previous year. Id. at 690. The
store alerted all potentially affected customers and offered a
credit monitoring service to each of them. Id. The plaintiffs
had shopped at Neiman Marcus during the time the infor-
mation was exposed to the invader. Id. They brought a class
action based on the breach. Id. at 691.
No. 14-3700                                                     5

     We concluded that several of those plaintiffs’ injuries
were concrete and particularized enough to support Article
III standing. First, we identified two future injuries that were
sufficiently imminent: the increased risk of fraudulent cred-
it- or debit-card charges, and the increased risk of identity
theft. Id. at 691–94. These, we found, were not mere “allega-
tions of possible future injury,” but instead were the type of
“certainly impending” future harm that the Supreme Court
requires to establish standing. Id. at 692 (internal quotation
marks omitted) (quoting Clapper v. Amnesty Int’l USA, 133 S.
Ct. 1138, 1147 (2013)). In Clapper, the plaintiffs expressed on-
ly their fear that the government might have intercepted their
private communications. Clapper, 133 S. Ct. at 1148. The Su-
preme Court held that this injury was too speculative to
support standing to challenge the Foreign Intelligence Sur-
veillance Act. Id. In contrast, the alleged data theft in Remijas
had already occurred. Remijas, 794 F.3d at 693. In the latter
situation, we held, “there is ‘no need to speculate as to
whether [the Neiman Marcus customers’] information has
been stolen and what information was taken.’” Id. (alteration
in original) (quoting In re Adobe Sys., Inc. Privacy Litig., 66 F.
Supp. 3d 1197, 1214 (N.D. Cal. 2014)). The plaintiffs “should
not have to wait until hackers commit identity theft or cred-
it-card fraud in order to give the class standing, because
there is an ‘objectively reasonable likelihood’ that such inju-
ry will occur.” Id. (quoting Clapper, 133 S. Ct. at 1147).

   Remijas also found injuries sufficient for standing in the
time and money the class members predictably spent resolv-
ing fraudulent charges (even if the bank ultimately repaid
those charges), as well as in the identity theft that had al-
ready occurred and in the time and money customers spent
6                                                 No. 14-3700

protecting against future identity theft or fraudulent charg-
es. Id. at 694. While mitigation expenses qualify as “actual
injuries” only when the harm is imminent, the data breach in
Remijas had already occurred. This made the risk of identity
theft and fraudulent charges sufficiently immediate to justify
mitigation efforts. Id. (citing Clapper, 133 S. Ct. at 1152).

    In the present case, several of Lewert and Kosner’s al-
leged injuries fit within the categories we delineated in Remi-
jas. They describe the same kind of future injuries as the
Remijas plaintiffs did: the increased risk of fraudulent charg-
es and identity theft they face because their data has already
been stolen. These alleged injuries are concrete enough to
support a lawsuit. P.F. Chang’s acknowledges that it experi-
enced a data breach in June of 2014. It is plausible to infer a
substantial risk of harm from the data breach, because a
primary incentive for hackers is “sooner or later[] to make
fraudulent charges or assume those consumers’ identities[.]”
Id. at 693. Lewert is at risk for both fraudulent charges and
identity theft. Kosner has already cancelled his debit card,
but he is still at risk of identity theft. Other members of the
would–be class will be in the same position as one or the
other named plaintiff.

    Similarly, Lewert and Kosner have alleged sufficient facts
to support standing based on their present injuries. Kosner
asserts that he already has experienced fraudulent charges.
Even if those fraudulent charges did not result in injury to
his wallet (he stated that his bank stopped the charges before
they went through), he has spent time and effort resolving
them. He also took measures to mitigate his risk by purchas-
ing credit monitoring for $106.89. Lewert alleged that he has
No. 14-3700                                                   7

spent time and effort monitoring both his card statements
and his other financial information as a guard against fraud-
ulent charges and identity theft.

     P.F. Chang’s accepts Remijas’s holding that the time and
money spent resolving fraudulent charges are cognizable
injuries for Article III standing. (We emphasize that we
speak only of allegations—whether any compensable losses
occurred is a question for the merits.) But it does argue that
the plaintiffs’ mitigation here was unreasonable because, un-
like the situation in Remijas and similar data breaches, this
one posed a risk only of fraudulent charges to affected cards,
not of identity theft. But this is a factual assumption that has
yet to be tested. We recognized in Remijas that the infor-
mation stolen from payment cards can be used to open new
cards in the consumer’s name. Id. at 692–93. P.F. Chang’s it-
self implicitly acknowledged this—in its August press re-
lease, P.F. Chang’s encouraged consumers to monitor their
credit reports (in part for new-account activity) rather than
simply the statements for existing affected cards. This is con-
sistent with Anderson v. Hannahford Bros. Co., in which the
First Circuit held that the expenses for replacing cards and
purchasing a credit monitoring service were reasonable mit-
igation after a data breach. 659 F.3d 151, 162 (1st Cir. 2011)
(pre-Clapper). If P.F. Chang’s wishes to present evidence that
this data breach is unlike prior breaches and that the plain-
tiffs should have known this, it is free to do so, but this goes
to the merits. As a matter of pleading, nothing suggests that
the plaintiffs’ mitigation efforts were unreasonable.

   P.F. Chang’s tries to distinguish this case from Remijas by
noting that, unlike Neiman Marcus, it contests whether the
8                                                   No. 14-3700

plaintiffs’ data was exposed in the breach. To the extent this
is a valid distinction (and that is questionable), it is one that
is immaterial. At the pleading stage, the plaintiffs’ factual
allegations must “[]cross the line from conceivable to plausi-
ble.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). Once
they have crossed this threshold, we accept them for pur-
poses of a motion to dismiss as true. Reid L., 358 F.3d at 515.
The same is true of allegations of standing. Lujan, 504 U.S. at
561 (each element of standing “must be supported … with
the manner and degree of evidence required at the succes-
sive stages of the litigation”).

    The plaintiffs plausibly allege that their data was stolen.
In its June statement, P.F. Chang’s addressed customers who
had dined at all of its stores in the United States and admit-
ted that it did not know how many stores were affected. It is
easy to infer that it considered the risk to all stores signifi-
cant enough to implement a universal, though temporary,
switch to manual card-processing. P.F. Chang’s later analy-
sis (based on internal information not before the district
court at this stage) led it to conclude that only 33 stores were
affected. This creates a factual dispute about the scope of the
breach, but it does not destroy standing. P.F. Chang’s will
have the opportunity to present evidence to explain how the
breach occurred and which stores it affected. Perhaps it can
trace which specific data files were stolen. Perhaps each in-
dividual location’s data is behind a separate firewall. Or
perhaps it is being too optimistic and the breach was greater
than it suggests. At this stage, no one knows. When the data
system for an entire corporation with locations across the
country experiences a data breach and the corporation reacts
No. 14-3700                                                       9

as if that breach could affect all of its locations, it is certainly
plausible that all of its locations were in fact affected.

    For completeness, we briefly address Lewert and Kos-
ner’s other asserted injuries. We do not decide whether any
of these would be sufficient injury for Article III standing,
but we are skeptical.

     Plaintiffs claim that the cost of their meals is an injury be-
cause they would not have dined at P.F. Chang’s had they
known of its poor data security. As we noted in Remijas,
such arguments have been adopted by courts only where the
product itself was defective or dangerous and consumers
claim they would not have bought it (or paid a premium for
it) had they known of the defect. Remijas, 794 F.3d at 695; see,
e.g., In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748, 751 (7th
Cir. 2011) (acknowledging financial injury when plaintiffs
“paid more for the toys than they would have, had they
known of the risks the beads posed to children”). The plain-
tiffs here make no such allegations, and we are not inclined
to push this theory beyond its current scope.

    Plaintiffs also claim that they have a property right to
their personally identifiable data, and that the theft of their
data supports standing just as well as the theft of one’s car
would. But the only authority to which they direct us is Sterk
v. Redbox Automated Retail, LLC, 770 F.3d 618 (7th Cir. 2014),
which says nothing of the kind. That case interpreted the
Video Privacy Protection Act, 18 U.S.C. § 2710, which creates
a legally protected interest in a consumer’s personally identi-
fiable information with respect to video rentals. Id. at 623.
Sterk does not recognize a legal interest in personally identi-
fiable information beyond the video-rental context.
10                                                No. 14-3700

    Plaintiffs fare no better under state law. They contend
that Illinois’s Consumer Fraud and Deceptive Business Prac-
tices Act, 815 ILCS 505, protects their personally identifiable
information by establishing that its theft is an injury even in
the absence of actual damages. But the Illinois Appellate
Court has held otherwise: the statute requires “actual dam-
ages” before a private litigant can bring suit. People ex rel.
Madigan v. United Constr. of America, Inc., 981 N.E.2d 404,
410–11 (Ill. App. Ct. 2012).

    In short, at least some of the injuries Lewert and Kosner
allege here qualify as immediate and concrete injuries suffi-
cient to support Article III standing. If they can meet the
other two criteria for standing, this case can go forward.

                              B

    Those criteria are causation and redressability. See Hol-
lingsworth, 133 S. Ct. at 2661. P.F. Chang’s argues that the
plaintiffs cannot show causation because their information
was never compromised and in any event any fraudulent
charges cannot be attributed to its data breach. The former
argument assumes the answer to a disputed fact—whether
the Northbrook restaurant was among those hit by the hack-
ers. Plaintiffs have alleged that it was, and they have includ-
ed enough facts to push that allegation to the point of plau-
sibility. The latter argument is a theory of defense that P.F.
Chang’s will be entitled to pursue at the merits phase. Both
P.F. Chang’s and the plaintiffs have available to them the
standard methods of proving causation. See Remijas, 794
F.3d at 696 (citing Summers v. Tice, 199 P.2d 1 (Cal. 1948) (en
banc) (explaining that once a plaintiff properly pleads joint
liability, the burden shifts to defendants to demonstrate re-
No. 14-3700                                                    11

sponsibility)); Price Waterhouse v. Hopkins, 490 U.S. 228, 263
(1989) (O’Connor, J., concurring) (“the common law of torts
has long shifted the burden of proof to multiple defendants
to prove that their negligent actions were not the ‘but-for’
cause of the plaintiff’s injury”). Merely identifying potential
alternative causes does not defeat standing.

     Finally, a favorable judgment would redress the plain-
tiffs’ injuries. Kosner and those in his position, for example,
have some easily quantifiable financial injuries: they pur-
chased credit monitoring services. Kosner also alleges that
he was unable to accrue points on his debit card while he
was waiting for a replacement. If that loss has any monetary
value (a question on which we take no position), it would be
compensable. While neither Lewert nor Kosner have unre-
imbursed fraudulent charges on their payment cards, other
class members (should the class be certified) might. See Rem-
ijas, 794 F.3d at 697 (explaining that federal law does not re-
quire credit and debit card companies to reimburse consum-
ers for all fraudulent charges). And all class members should
have the chance to show that they spent time and resources
tracking down the possible fraud, changing automatic
charges, and replacing cards as a prophylactic measure.

                                C

    Finally, we briefly address P.F. Chang’s alternative ar-
gument that the plaintiffs failed to state a claim upon which
relief can be granted. FED. R. CIV. P. 12(b)(6). A dismissal for
failure to state a claim is with prejudice. Id. The district court
here dismissed the plaintiffs’ claims for lack of subject-
matter jurisdiction, which is a dismissal without prejudice.
FED. R. CIV. P. 12(b)(1). The district court did not reach P.F.
12                                                No. 14-3700

Chang’s arguments about failure to state a claim. While we
may affirm a judgment on an alternative ground, Hester v.
Indiana State Department of Health, 726 F.3d 942, 946 (7th Cir.
2013), we may do so only when that ground supports the
same relief. We may not grant additional relief unless the
appellee files a cross-appeal. As the Supreme Court ex-
plained in Jennings v. Stephens, “an appellee who does not
cross-appeal may not attack the decree with a view either to
enlarging his own rights thereunder or of lessening the
rights of his adversary.” 135 S. Ct. 793, 798 (2015) (internal
quotation marks omitted). Because P.F. Chang’s did not file
a cross—appeal, we cannot and do not consider whether the
plaintiffs failed to state a claim.

    We conclude that the plaintiffs have alleged enough to
support Article III standing. In so ruling, we express no
opinion on the merits or on the suitability of this case for
class certification. The district court’s judgment is REVERSED
and the case REMANDED for further proceedings consistent
with this opinion.
