Rhonda Hutton v. National Board of Examiners , 892 F.3d 613 ( 2018 )

                                     PUBLISHED
UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT
No. 17-1506
RHONDA L. HUTTON, O.D.; TAWNY P. KAEOCHINDA, O.D. on behalf of
themselves and all others similarly situated,
Plaintiffs – Appellants,
v.
NATIONAL BOARD OF EXAMINERS IN OPTOMETRY, INC.,
Defendant – Appellee.
No. 17-1508
NICOLE MIZRAHI, individually and on behalf of all others similarly situated,
Plaintiff – Appellant,
v.
NATIONAL BOARD OF EXAMINERS IN OPTOMETRY, INC.,
Defendant – Appellee.
Appeals from the United States District Court for the District of Maryland, at Baltimore.
James K. Bredar, Chief District Judge. (1:16-cv-03025-JKB; 1:16-cv-03146-JKB)
Argued: January 23, 2018                                         Decided: June 12, 2018
Before NIEMEYER, KING, and DIAZ, Circuit Judges.
Vacated and remanded by published opinion. Judge King wrote the opinion, in which
Judge Niemeyer and Judge Diaz joined.
ARGUED: Norman E. Siegel, STUEVE SIEGEL HANSON, LLP, Kansas City, Missouri,
for Appellants. Claudia Drennen McCarron, MULLEN COUGHLIN LLC, Wayne,
Pennsylvania, for Appellee. ON BRIEF: Barrett J. Vahle, J. Austin Moore, STUEVE
SIEGEL HANSON, LLP, Kansas City, Missouri; Hassan A. Zavareei, TYCKO &
ZAVEREEI LLP, Washington, D.C., for Appellants Rhonda L. Hutton and Tawny P.
Kaeochinda. Michael Liskow, New York, New York, Carl Malmstrom, WOLF
HALDENSTEIN ADLER FREEMAN & HERZ, LLP, Chicago, Illinois; Donald J.
Enright, LEVI & KORSINSKY LLP, Washington, D.C., for Appellant Nicole Mizrahi.
2
KING, Circuit Judge:
These consolidated appeals arise from a breach of personal information maintained
in a database of the defendant, the National Board of Examiners in Optometry, Inc. (the
“NBEO”). Three optometrists, Rhonda L. Hutton, Tawny P. Kaeochinda, and Nicole
Mizrahi (the “Plaintiffs”), as representatives of the putative class of victims, specify in two
complaints that their personal information and that of the class members was stolen in the
NBEO data breach. Hutton and Kaeochinda joined in the initial complaint — which
underlies appeal No. 17-1506 — that was filed in the District of Maryland in August 2016.
It alleges five claims, including negligence, breach of contract, and breach of implied
contract. See Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc., No. 1:16-cv-3025 (D. Md.
Aug. 30, 2016), ECF No. 1 (the “Hutton Complaint”). 1 The complaint of plaintiff Mizrahi
— which underlies appeal No. 17-1508 — was filed in that court in September 2016, and
alleges claims of negligence, breach of contract, breach of implied contract, and unjust
enrichment. See Mizrahi v. Nat’l Bd. of Exam’rs in Optometry, Inc., No. 1:16-cv-3146 (D.
Md. Sept. 13, 2016), ECF No. 1 (the “Mizrahi Complaint”). 2 All the claims arise from the
1
In addition to the three claims identified above, the Hutton Complaint alleges two
California statutory claims. The alleged class of optometrists is defined as: (1) exam takers
of NBEO-administered exams whose personal information was compromised as a result of
the NBEO data breach discovered in July 2016; and (2) exam takers in California of
NBEO-administered exams whose personal information was compromised. See Hutton
Compl. ¶ 35.
2
We sometimes refer to the complaints as the “Hutton and Mizrahi Complaints,” or
as the “Complaints.”
3
NBEO’s failure to adequately safeguard personal information of the Plaintiffs and the class
members.
The district court dismissed the Complaints for lack of subject-matter jurisdiction,
based on a failure to establish that the Plaintiffs possessed Article III standing to sue. It
reasoned, inter alia, that the Complaints had not sufficiently alleged the necessary injury-
in-fact and that, in any event, they failed to sufficiently allege that any injuries suffered by
the Plaintiffs were fairly traceable to conduct of the NBEO. See Hutton v. Nat’l Bd. of
Exam’rs in Optometry, Inc., No. 1:16-cv-3025 (D. Md. Mar. 22, 2017), ECF No. 19 (the
“Opinion”). The Plaintiffs have appealed the judgments of dismissal and the appeals have
been consolidated. As explained below, we are satisfied that the Plaintiffs have standing
to sue and therefore vacate and remand.
I.
A.
In July 2016, optometrists across the United States noticed that Chase Amazon Visa
credit card accounts had been fraudulently opened in their names. See Hutton Compl. ¶ 2;
see also Mizrahi Compl. ¶ 2. 3 The creation of those fraudulent accounts — which required
the use of an applicant’s correct social security number and date of birth — convinced
3
The facts recited herein are drawn from the Hutton and Mizrahi Complaints. We
take the allegations of those Complaints as true and draw all reasonable inferences in favor
of the Plaintiffs. See Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 

,
253 (4th Cir. 2009).
4
several of the victims that data containing their personal information had been stolen. See
Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 21. The victims discussed the thefts among
themselves in Facebook groups dedicated to optometrists, including, for example, a group
called “ODs on Facebook.” See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 2. The
optometrists determined that the only common source amongst them and to which they had
all given their personal information — including social security numbers, names, dates of
birth, addresses, and credit card information — was the NBEO, where every graduating
optometry student had to submit their personal information to sit for board-certifying
exams. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 3. Although the victim
optometrists identified other possible sources for the data breach — for example, the
American Optometric Association, the American Academy of Optometry, and the
Association of Schools and Colleges of Optometry — those organizations had not collected
or stored social security numbers, or they confirmed that their databases had never been
breached. See Hutton Compl. ¶ 16; see also Mizrahi Compl. ¶ 23.
The NBEO soon became aware of the concerns and suspicions of the victim
optometrists. On August 2, 2016, the NBEO released a statement on its Facebook page
asserting that, “[a]fter a thorough investigation and extensive discussions with involved
parties,” the NBEO had determined that its “information systems [had] NOT been
compromised.” See Mizrahi Compl. ¶ 4, 25. Two days later, however, the NBEO revised
that view, posting a second statement on Facebook asserting that it had decided to further
“investigate whether personal data was stolen from [its] information systems to support the
perpetrators’ fraud on individuals and Chase.” See Hutton Compl. ¶¶ 3, 17; see also
5
Mizrahi Compl. ¶¶ 5, 26. Three weeks later, on August 25, 2016, the NBEO revised its
earlier announcements “with a cryptic message stating its internal review was still ongoing
and that it may take a number of additional weeks to complete.” See Hutton Compl. ¶ 17.
The NBEO also advised the victims to “remain vigilant in checking their credit.” 

On August 30, 2016, Hutton and Kaeochinda initiated their civil action in the
District of Maryland, pursuant to codified provisions of the Class Action Fairness Act. See

(d)(2). Two weeks later, Mizrahi initiated her own civil action in the
same court. Hutton, Kaeochinda, and Mizrahi alleged that their personal information, and
that of the class members, had been compromised in a breach of the NBEO’s database.
The Plaintiffs — on behalf of themselves and the putative class — sought damages,
restitution, and injunctive relief. See Hutton Compl. ¶ 4; see also Mizrahi Compl. ¶ 8.
Hutton, a resident of Kansas, had submitted her personal information to the NBEO
in 1998 when she registered to take a professional optometry licensure examination.
Eighteen years later, on August 5, 2016, Hutton received by mail a Chase Amazon Visa
credit card for which she had not applied. See Hutton Compl. ¶ 5. Although “Hutton” was
her married name in 2016, the Chase credit card account was opened in her maiden name,
which she had used in 1998 in registering with the NBEO. 

 Hutton alleges that, as a
result of her personal information being compromised, she faces an increased risk of
identity theft and fraud. 

 Hutton also alleges that she has spent “time and money putting
credit freezes in place with the credit reporting agencies Experian, TransUnion, and
Equifax.” 

6
Kaeochinda, Hutton’s co-plaintiff, is a resident of California. She submitted her
personal information to the NBEO between 2006 and 2008 — under an earlier married
name — in connection with an optometry licensure examination. See Hutton Compl. ¶ 6.
On August 1, 2016, Kaeochinda learned that someone had fraudulently applied for a Chase
Amazon Visa credit card account using, among other personal information, her earlier
married name. 

 Like Hutton, Kaeochinda alleges that she faces an imminent threat of
future harm from identity theft and fraud. 

 Kaeochinda also maintains that she has spent
time and money putting credit freezes in place, and by “filing reports with the FTC, FBI,
IRS, and her local police department.” 

Plaintiff Mizrahi alleges that, after learning of the NBEO data breach, she began
monitoring her credit score and alerted the credit reporting agency TransUnion to the
potential fraudulent use of her personal information. See Mizrahi Compl. ¶ 32. Mizrahi
also alleges that, on about August 27, 2016, a credit monitoring service advised her that
her credit score had fallen by eleven points due to a credit card application filed under her
name just one day earlier. 

 On about September 2, 2016, Mizrahi received a letter from
Chase bank advising her of steps to be taken to protect her personal information that may
have been compromised, but not specifically stating that any such compromise had
occurred. 

. When Mizrahi contacted Chase about the letter, a bank representative
advised her that a credit card application had been submitted on August 26, 2016, seeking
to open a Chase Amazon Visa credit card. The application had used Mizrahi’s address,
social security number, and her mother’s maiden name. 

. The Mizrahi Complaint
alleges that the Chase bank representative informed Mizrahi that the decrease in her credit
7
score was only temporary, but could not be reversed for approximately sixty days. 

Mizrahi alleges that she thereafter needed to “send certified letters to Chase, the major
credit reporting companies, and others to inform them of this unauthorized event.” 

. Sending the letters first required Mizrahi to engage in the “laborious process” of
“acquiring the necessary documentation, including a police report.” 

B.
On October 22, 2016, the NBEO moved in the district court to dismiss both
Complaints. The motion sought relief pursuant to Federal Rule of Civil Procedure
12(b)(1), for lack of Article III standing to sue, and under Rule 12(b)(6), for failure to state
a claim upon which relief can be granted. On November 2, 2016, the NBEO moved to
consolidate the two civil actions. By its Opinion of March 22, 2017, the court dismissed
both Complaints pursuant to Rule 12(b)(1), ruling that it did not possess subject-matter
jurisdiction due to the Plaintiffs’ lack of standing. The Opinion then concluded that the
other grounds for dismissal, as well as the motions to consolidate, were moot. See Op. 2. 4
In dismissing for lack of standing, the court relied primarily on our decision in Beck v.
McDonald. See 

 (4th Cir. 2017).
As the Opinion properly recognized, in order to possess standing to sue under
Article III of the Constitution, the Plaintiffs were obliged to sufficiently allege three
4
The Opinion incorrectly stated that the Plaintiffs — Hutton, Kaeochinda, and
Mizrahi — had moved to consolidate the two lawsuits. See Op. 2 (“[T]he Court will find
moot Plaintiffs’ motions to consolidate.”). In fact, it was the defendant NBEO that had
moved to consolidate.
8
elements: (1) they suffered an injury-in-fact that was concrete and particularized and either
actual or imminent; (2) there was a causal connection between the injury and the
defendant’s conduct (i.e. traceability); and (3) the injury was likely to be redressable by a
favorable judicial decision. See Lujan v. Defenders of Wildlife, 

, 560-61
(1992). 5 The Opinion addressed two of those elements, the injury-in-fact element and the
traceability element. It first concluded that the Plaintiffs had failed to sufficiently allege
that they suffered an injury-in-fact because, even if the NBEO had confirmed an actual
data breach, the Plaintiffs had “incurred no fraudulent charges” and “had not been denied
credit or been required to pay a higher interest rate for credit they received.” See Op. 8.
The district court reasoned that the Complaints simply alleged speculative harms that could
only occur in the future. 

 Relying on Beck, the Opinion emphasized that the Plaintiffs
had “failed to establish standing either upon their asserted increased risk of identity theft
or upon their expenses to negate identity theft.” 

Second, the Opinion explained that any alleged injury of the Plaintiffs was not
traceable to the NBEO, emphasizing that, “in all of the cases that have been cited by the
parties in the instant cases, an actual data breach had occurred and had been acknowledged
or announced by the entity whose data files had been breached.” See Op. 7. Elaborating,
the Opinion explained that the allegations in the Complaints “relied upon . . . online
5
As the Supreme Court has consistently emphasized, Article III of the Constitution
“limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies.’” See Lujan v.
Defenders of Wildlife, 

, 559 (1992). The requirement that a Plaintiff possess
“standing to sue” emanates from that constitutional provision.
9
conversations with other optometrists to conclude that NBEO suffered a data breach.” 

The Opinion then determined that the allegations in the Complaints “rest[ed] upon sheer
speculation.” 

 It recited that the Plaintiffs’ “speculation is mistakenly fueled by
NBEO’s announcements that it was looking into whether an intrusion occurred and that it
denies such in fact happened.” 

 In comparing the NBEO’s statements denying the data
breach to the denials of the other professional optometry organizations, the district court
reasoned that the “Plaintiffs do not explain why NBEO’s denial of a data breach is less
credible.” 

 Consequently, the Opinion ruled that the Plaintiffs had “failed to allege a
plausible inferential link” between providing their personal information to the NBEO and
their receipt of unsolicited credit cards. Id. at 8.
Accordingly, the Opinion dismissed the Hutton and Mizrahi Complaints for lack of
Article III standing to sue for lack of subject-matter jurisdiction. Hutton and Mizrahi have
filed timely notices of appeal, and we possess appellate jurisdiction pursuant to 

.
II.
We review de novo a district court’s dismissal of a complaint for lack of standing
to sue. See Beck v. McDonald, 

, 269 (4th Cir. 2017). To possess standing, a
plaintiff must sufficiently allege the three elements identified by the Supreme Court. That
is, a plaintiff must allege that they have: “(1) suffered an injury-in-fact, (2) that is fairly
traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed
by a favorable judicial decision.” See Spokeo, Inc. v. Robins, 

, 1547 (2016).
10
In evaluating a class action complaint, “we analyze standing based on the allegations of
personal injury made by the named plaintiffs.” See Beck, 848 F.3d at 269 (citing Doe v.
Obama, 

, 160 (4th Cir. 2011)). And class plaintiffs cannot meet their burden
to establish standing “[w]ithout a sufficient allegation of harm to the named plaintiff in
particular.” 

 (quoting Doe, 

). When a complaint is evaluated at the
pleading stage, however, “general factual allegations of injury resulting from the
defendant’s conduct may suffice, for on a motion to dismiss we presume that general
allegations embrace those specific facts that are necessary to support the claim.” See Lujan
v. Defenders of Wildlife, 

, 561 (1992) (internal quotation marks and alterations
omitted). Accordingly, “we accept as true” the “allegations for which there is sufficient
‘factual matter’ to render them ‘plausible on [their] face.’” See Beck, 848 F.3d at 270
(quoting Ashcroft v. Iqbal, 

, 678 (2009)).
III.
A.
In these appeals, the Plaintiffs seek a reversal of the district court’s dismissal of the
Hutton and Mizrahi Complaints for lack of standing to sue. They primarily argue that the
court erred by making factual determinations to support its ruling. More specifically, the
Plaintiffs maintain that they made sufficient allegations of injury-in-fact deriving from the
NBEO data breach that are not at all speculative. The Plaintiffs argue that, if their
allegations had been accepted by the court, their actual and impending injuries flowing
from the NBEO’s failure to properly protect their personal information were sufficiently
11
alleged. The Plaintiffs also maintain that their injuries are fairly traceable to the NBEO’s
conduct, because the allegations of the Complaints extensively tie the NBEO to the data
breach. The Plaintiffs also assert that the court misapplied the Article III standing
requirements by misconstruing our decision in Beck v. McDonald. See 

 (4th
Cir. 2017).
On the other hand, the NBEO asks us to affirm the dismissal ruling in the district
court’s Opinion. The NBEO contends that the Plaintiffs’ assignment of blame to the NBEO
is fatally flawed, in that their allegations derive from discussions in Facebook groups and
assume that the personal information divulged in the NBEO data breach had a single
source. 6 The NBEO maintains that the Opinion was correctly decided, and that the
allegations of an NBEO data breach are speculative and conclusory.
B.
As we recently explained in a standing to sue analysis, it “is established that a
complaint must contain sufficient factual matter, accepted as true, to state a claim to relief
that is plausible on its face.” See Nanni v. Aberdeen Marketplace, Inc., 

, 452
(4th Cir. 2017) (internal quotation marks and citations omitted). Challenges to subject-
matter jurisdiction can be presented either facially or factually. See Kerns v. United States,
6
For example, the NBEO rejects the proposition that a fraudulent Chase Amazon
Visa credit card account was opened in 2016 in Hutton’s maiden name — which she had
provided to the NBEO eighteen years earlier in 1998. According to the NBEO, it is a “fair
inference” that Hutton shared that name universally before marrying. See Br. of Appellee
at 14.
12

, 192 (4th Cir. 2009). 7       In this litigation, the NBEO interposes facial
challenges to the Plaintiffs’ jurisdictional allegations with respect to the first two standing
to sue elements. The NBEO contends that the Complaints, on their face, fail to make
allegations sufficient to satisfy the Plaintiffs’ burden of establishing that they suffered an
injury-in-fact that is fairly traceable to the conduct of the NBEO. See Spokeo, Inc. v.
Robins, 

, 1547 (2016). 8 Because injury-in-fact and traceability are the only
standing elements challenged by the NBEO, we focus on those two elements.
1.
First, we assess the injury-in-fact question. To establish an injury-in-fact, the
Plaintiffs must show that they “suffered ‘an invasion of a legally protected interest’ that is
‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’”
See Spokeo, 

 (quoting Lujan v. Defenders of Wildlife, 

, 560
(1992)). As we explained in Beck,
7
In pursuing a facial challenge, the defendant must show that a complaint fails to
allege facts upon which subject-matter jurisdiction can be predicated. See Beck v.
McDonald, 

, 270 (4th Cir. 2017). In a factual challenge, on the other hand,
the defendant maintains that the jurisdictional allegations of the complaint are not true. 

8
The Opinion did not reach or resolve the third element of Article III standing to
sue, that is, redressability. And the NBEO had not pursued any contention concerning
redressability in the district court. The Plaintiffs, on the other hand, argue on appeal that
it is uncontested that an award of the relief requested will redress their injuries. See Br. of
Appellant at 32. Their redressability contention is apparent in the allegations of the
Complaints that seek, inter alia, damages and restitution. See Hutton Compl. ¶ 4; see also
Mizrahi Compl. ¶ 8. Indeed, in a breach of data case, “there is no reason to believe that
monetary compensation will not return plaintiffs to their original position completely.” See
Beck v. McDonald, 

, 274 n.5 (4th Cir. 2017) (internal quotation marks
omitted).
13
while it is true that threatened rather than actual injury can satisfy Article III
standing requirements, . . . not all threatened injuries constitute an injury-in-
fact. Rather, as the Supreme Court has emphasized repeatedly, an injury-in-
fact must be concrete in both a qualitative and temporal sense. The
complainant must allege an injury to himself that is distinct and palpable, as
opposed to merely abstract.
See Beck, 848 F.3d at 271 (internal quotation marks and citations omitted). As we also
explained, the imminence of an injury, although “concededly a somewhat elastic concept,
. . . cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not
too speculative for Article III purposes.” Id. (quoting Lujan, 

564-65 n.2). And
where a plaintiff has made no allegations that show a sufficiently imminent threat of injury
from future identity theft, the plaintiff’s “contention of an enhanced risk of future identity
theft” is simply “too speculative.” Id. at 274.
We reasoned in Beck that a plaintiff fails to “establish Article III standing based on
the harm from the increased risk of future identity theft and the cost of measures to protect
against it.” See Beck, 848 F.3d at 266. We emphasized that a mere compromise of personal
information, without more, fails to satisfy the injury-in-fact element in the absence of an
identity theft. Id. at 274-75. The situations in these consolidated appeals, however, are
readily distinguishable from that in Beck. In Beck, the plaintiffs alleged only a threat of
future injury in the data breach context where a laptop and boxes — containing personal
information concerning patients, including partial social security numbers, names, dates of
birth, and physical descriptions — had been stolen, but the information contained therein
had not been misused. The Plaintiffs in these cases, on the other hand, allege that they
have already suffered actual harm in the form of identity theft and credit card fraud. The
14
Plaintiffs have been concretely injured by the data breach because the fraudsters used —
and attempted to use — the Plaintiffs’ personal information to open Chase Amazon Visa
credit card accounts without their knowledge or approval. Accordingly, there is no need
to speculate on whether substantial harm will befall the Plaintiffs.
By way of example, the Hutton Complaint specifies that Hutton received an
unsolicited Chase Amazon Visa credit card that was applied for using her social security
number and her maiden name (the name that she had provided to the NBEO in 1998).
Around the same time, Kaeochinda learned that someone had applied for a Chase credit
card using her social security number and former married name. Mizrahi also actually
received an alert that her credit score had decreased eleven points due to a credit application
that was fraudulently filed with Chase, using her address, social security number, and
mother’s maiden name. She had to spend time and resources to repair her credit. The
Plaintiffs do not allege that they suffered fraudulent charges on their unsolicited Chase
Amazon Visa credit cards, but the Supreme Court long ago made clear that “[i]n
interpreting injury in fact . . . standing [is] not confined to those who [can] show economic
harm.” See United States v. Students Challenging Regulatory Agency Procedures, 

, 686 (1973).
At a minimum, Plaintiffs have sufficiently alleged an imminent threat of injury to
satisfy Article III standing. On that score, these cases stand in stark contrast to Beck, where
we concluded that the threat was speculative because “even after extensive discovery”
there was “no evidence that the information contained on [a] stolen laptop [had] been
accessed or misused or that [the plaintiffs had] suffered identity theft.” See Beck, 

at 274. In fact, there was no evidence that the thief even stole the laptop with the intent to
steal private information. 

 Here, the Plaintiffs allege that their data has been stolen,
accessed, and used in a fraudulent manner.
And although incurring costs for mitigating measures to safeguard against future
identity theft may not constitute an injury-in-fact when that injury is speculative, see Beck,
848 F.3d at 276, the Court has recognized standing to sue on the basis of costs incurred to
mitigate or avoid harm when a substantial risk of harm actually exists, see Clapper v.
Amnesty Int’l USA, 

, 414 n.5 (2013). The Hutton and Mizrahi Complaints
both allege that the Plaintiffs incurred out-of-pocket costs. And the Plaintiffs also suffered
time lost in seeking to respond to fallout from the NBEO data breach. Indeed, they had to
purchase credit monitoring services, and they had to notify credit reporting agencies and
the IRS of the data breach of their personal information. Because the injuries alleged by
the Plaintiffs are not speculative, the costs of mitigating measures to safeguard against
future identity theft support the other allegations and together readily show sufficient
injury-in-fact to satisfy the first element of the standing to sue analysis. 9
2.
Second, we address the traceability of the NBEO’s conduct to the injuries and harms
alleged in the Complaints. The Supreme Court in Ashcroft v. Iqbal concluded that “[a]
9
The Plaintiffs also allege that they face impending injuries due to the NBEO’s
continuing failure to secure their personal information now in the organization’s
informational systems. Because the Plaintiffs have incurred actual harm by receiving
unsolicited credit cards — and in at least one instance incurring a credit score decrease —
the Plaintiffs have shown more than the mere compromise of their personal information.
16
pleading that offers labels and conclusions or a formulaic recitation of the elements of a
cause of action will not do. Nor does a complaint suffice if it tenders naked assertions
devoid of further factual enhancement.” See 

, 678 (2009) (internal quotation
marks and citations omitted). With respect to the traceability element, the Court has
reasoned that
[t]he injury must be fairly traceable to the challenged action, and relief from
the injury must be likely to follow from a favorable decision. . . . These terms
cannot be defined so as to make application of the constitutional standing
requirement a mechanical exercise.
See Allen v. Wright, 

, 751 (1984) (internal quotation marks and citations
omitted). Therefore, “[p]leadings must be something more than an ingenious academic
exercise in the conceivable.” See Students Challenging Regulatory Agency Procedures,

. We have concluded that the “fairly traceable standard is not equivalent to
a requirement of tort causation.” See Friends of the Earth, Inc. v. Gaston Cooper Recycling
Corp., 

, 161 (4th Cir. 2000) (internal quotation marks omitted).
The Complaints contain allegations demonstrating that it is both plausible and likely
that a breach of the NBEO’s database resulted in the fraudulent use of the Plaintiffs’
personal information, resulting in their receipt of unsolicited Chase Amazon Visa credit
cards. The Complaints allege that a group of optometrists from around the country began
to notice that fraudulent Chase accounts were being opened in their names in July 2016.
For example, in August 2016, Hutton and Kaeochinda received their unsolicited Chase
Amazon Visa credit cards. Hutton’s fraudulent credit card was applied for in her maiden
name — which she had provided to the NBEO eighteen years earlier. Kaeochinda’s
17
unsolicited Chase credit card was applied for in her former married name, which she had
provided to the NBEO several years earlier. In August 2016, Mizrahi was informed by a
credit monitoring service of an effort to open a fraudulent credit card account in her name,
using personal information she had previously provided to the NBEO in registering for a
professional examination.    Notably, the Plaintiffs allege that, amongst the group of
optometrists, the NBEO is the only common source that collected and continued to store
social security numbers that were required to open a credit card account, and also stored
outdated personal information (such as maiden names and former married names) during
the relevant time periods. Furthermore, other national optometry organizations do not
gather or store Social Security numbers, or have investigated and confirmed that their
databases have not been breached.
Put simply, the Complaints contained sufficient allegations that the NBEO was a
plausible source of the Plaintiffs’ personal information. Accordingly, the Complaints
contain “sufficient factual matter” to render the Plaintiffs’ allegations plausible on their
face with respect to traceability. See Beck, 848 F.3d at 270.
In these circumstances, the standing elements of injury-in-fact and traceability are
both sufficiently alleged in the Complaints.        And the third standing element —
redressability — has not been and is not contested by the NBEO. As a result, the district
court erred in dismissing the Complaints for lack of standing to sue.
18
IV.
Pursuant to the foregoing, we vacate the judgment of the district court and remand
for such other and further proceedings as may be appropriate.
VACATED AND REMANDED
19