HELENE N. WHITE, Circuit Judge.
Plaintiffs Mohammad Galaria and Anthony Hancox brought these putative class actions after hackers breached the computer network of Defendant Nationwide Mutual Insurance Company and stole their personal information. In their complaints, Plaintiffs allege claims for invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA). The district court dismissed the complaints, concluding that Plaintiffs failed to state a claim for invasion of privacy, lacked Article III standing to bring the negligence and bailment claims, and lacked statutory standing to bring the FCRA claims. In this consolidated appeal, Plaintiffs challenge the dismissal of the negligence, bailment, and FCRA claims. Because we conclude that Plaintiffs have Article III standing and that the district court erred in dismissing the FCRA claims for lack of subject-matter jurisdic[386]*386tion, we REVERSE and REMAND for further proceedings.
I. Background
As alleged in the complaints, Nationwide is an insurance and financial-services company that maintains records containing sensitive personal information about its customers, as well as potential customers who submit their information to obtain quotes for insurance products. The data include names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers broke into Nationwide’s computer network and stole the personal information of Plaintiffs and 1.1 million others.
Nationwide informed Plaintiffs of the breach in a letter that advised taking steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. To that end, Nationwide offered a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor. Nationwide also suggested that Plaintiffs set up a fraud alert and place a security freeze on their credit reports. However, Nationwide’s website explained that a security freeze could impede consumers’ ability to obtain credit, and could cost a fee between $5 and $20 to both place and remove. Nationwide did not offer to pay for expenses associated with a security freeze.
Plaintiff Hancox filed a five-count putative class-action complaint against Nationwide in the United States District Court for the District of Kansas, and Plaintiff Galana filed essentially the same complaint in the United States District Court for the Southern District of Ohio a month later. The Kansas district court transferred Hancox’s action to the Ohio district court, which designated the dockets as related. In Counts I and II of the complaints, Plaintiffs allege that Nationwide willfully and negligently violated the Fair Credit Reporting Act (FCRA), Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified at 15 U.S.C. § 1681), by failing to adopt required procedures to protect against wrongful dissemination of Plaintiffs’ data. In Counts III, IV, and V, Plaintiffs allege claims for negligence, invasion of privacy by public disclosure of private facts, and bailment, which also arose out of Nationwide’s failure to secure Plaintiffs’ data against a breach.
In support of their claims, Plaintiffs allege that there is an illicit international market for stolen data, which is used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. Identity thieves may also use a victim’s identity when arrested, resulting in warrants issued in the victim’s name. According to the complaints, the Nationwide data breach created an “imminent, immediate and continuing increased risk” that Plaintiffs and other class members would be subject to this kind of identity fraud. R. 1, PID 3. Plaintiffs cite a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.
Plaintiffs allege that victims of identity theft and fraud will “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss. Id., PID 13. To mitigate this risk, Plaintiffs “have suffered, and will continue to suffer” costs—both “financial and temporal”—that include “purchasing credit reporting services, purchasing credit monitoring and/or internet monitoring services, frequently obtaining, purchasing and reviewing credit [387]*387reports, bank statements, and other similar information, instituting and/or removing credit freezes and/or closing or modifying financial accounts.” Id. The complaints seek damages for, among other things, the increased risk of fraud; expenses incurred in mitigating risk, including the cost of credit freezes, insurance, monitoring, and other mitigation products; and time spent on mitigation efforts.
The district court granted Nationwide’s motion to dismiss the complaints. First, the district court concluded that Plaintiffs did not have “statutory standing” under the FCRA and thus dismissed the FCRA claims for lack of subject-matter jurisdiction. R. 40, PID 408. Next, the district court addressed whether Plaintiffs had Article III standing to bring their negligence and bailment claims, concluded that Plaintiffs had not alleged a cognizable injury, and dismissed the claims for lack of jurisdiction. Lastly, the district court concluded that Plaintiffs had standing to bring their invasion-of-privacy claim but failed to state a claim for relief, and dismissed that claim with prejudice.
Plaintiffs moved for reconsideration and leave to amend, asserting that the district court erred in dismissing one of their FCRA claims. Plaintiffs did not seek reconsideration of the other four dismissed claims, which were omitted from the proposed amended complaint, but maintained their right to appeal the dismissals. Notably, the proposed amended complaint includes a new allegation that Plaintiff Gala-ria discovered three unauthorized attempts to open credit cards in his name. After checking with the credit-card companies, he learned that applications to open cards had been made using his name, Social Security number, and date of birth. The district court denied reconsideration and leave to amend, concluding that Plaintiffs had not demonstrated a clear error of law, and that the proposed amendment would not cure any deficiencies in the FCRA claim in any event.
Plaintiffs appeal the dismissal of their-FCRA, negligence, and bailment claims for lack of jurisdiction, and the denial of their motions for reconsideration and leave to amend. Plaintiffs do not appeal the dismissal of their invasion-of-privacy claim.
II. Discussion
A. Article III standing
We review de novo the district court’s determination of Article III standing. McKay v. Federspiel, 823 F.3d 862, 866 (6th Cir. 2016). “Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies,’ ” and “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identifying] those disputes which are appropriately resolved through the judicial process.’ ” Susan B. Anthony List v. Driehaus, — U.S. —, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014) (quoting Lujan v. Defenders of Wildlife,
Free access — add to your briefcase to read the full text and ask questions with AI
HELENE N. WHITE, Circuit Judge.
Plaintiffs Mohammad Galaria and Anthony Hancox brought these putative class actions after hackers breached the computer network of Defendant Nationwide Mutual Insurance Company and stole their personal information. In their complaints, Plaintiffs allege claims for invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA). The district court dismissed the complaints, concluding that Plaintiffs failed to state a claim for invasion of privacy, lacked Article III standing to bring the negligence and bailment claims, and lacked statutory standing to bring the FCRA claims. In this consolidated appeal, Plaintiffs challenge the dismissal of the negligence, bailment, and FCRA claims. Because we conclude that Plaintiffs have Article III standing and that the district court erred in dismissing the FCRA claims for lack of subject-matter jurisdic[386]*386tion, we REVERSE and REMAND for further proceedings.
I. Background
As alleged in the complaints, Nationwide is an insurance and financial-services company that maintains records containing sensitive personal information about its customers, as well as potential customers who submit their information to obtain quotes for insurance products. The data include names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers broke into Nationwide’s computer network and stole the personal information of Plaintiffs and 1.1 million others.
Nationwide informed Plaintiffs of the breach in a letter that advised taking steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. To that end, Nationwide offered a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor. Nationwide also suggested that Plaintiffs set up a fraud alert and place a security freeze on their credit reports. However, Nationwide’s website explained that a security freeze could impede consumers’ ability to obtain credit, and could cost a fee between $5 and $20 to both place and remove. Nationwide did not offer to pay for expenses associated with a security freeze.
Plaintiff Hancox filed a five-count putative class-action complaint against Nationwide in the United States District Court for the District of Kansas, and Plaintiff Galana filed essentially the same complaint in the United States District Court for the Southern District of Ohio a month later. The Kansas district court transferred Hancox’s action to the Ohio district court, which designated the dockets as related. In Counts I and II of the complaints, Plaintiffs allege that Nationwide willfully and negligently violated the Fair Credit Reporting Act (FCRA), Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified at 15 U.S.C. § 1681), by failing to adopt required procedures to protect against wrongful dissemination of Plaintiffs’ data. In Counts III, IV, and V, Plaintiffs allege claims for negligence, invasion of privacy by public disclosure of private facts, and bailment, which also arose out of Nationwide’s failure to secure Plaintiffs’ data against a breach.
In support of their claims, Plaintiffs allege that there is an illicit international market for stolen data, which is used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. Identity thieves may also use a victim’s identity when arrested, resulting in warrants issued in the victim’s name. According to the complaints, the Nationwide data breach created an “imminent, immediate and continuing increased risk” that Plaintiffs and other class members would be subject to this kind of identity fraud. R. 1, PID 3. Plaintiffs cite a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.
Plaintiffs allege that victims of identity theft and fraud will “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss. Id., PID 13. To mitigate this risk, Plaintiffs “have suffered, and will continue to suffer” costs—both “financial and temporal”—that include “purchasing credit reporting services, purchasing credit monitoring and/or internet monitoring services, frequently obtaining, purchasing and reviewing credit [387]*387reports, bank statements, and other similar information, instituting and/or removing credit freezes and/or closing or modifying financial accounts.” Id. The complaints seek damages for, among other things, the increased risk of fraud; expenses incurred in mitigating risk, including the cost of credit freezes, insurance, monitoring, and other mitigation products; and time spent on mitigation efforts.
The district court granted Nationwide’s motion to dismiss the complaints. First, the district court concluded that Plaintiffs did not have “statutory standing” under the FCRA and thus dismissed the FCRA claims for lack of subject-matter jurisdiction. R. 40, PID 408. Next, the district court addressed whether Plaintiffs had Article III standing to bring their negligence and bailment claims, concluded that Plaintiffs had not alleged a cognizable injury, and dismissed the claims for lack of jurisdiction. Lastly, the district court concluded that Plaintiffs had standing to bring their invasion-of-privacy claim but failed to state a claim for relief, and dismissed that claim with prejudice.
Plaintiffs moved for reconsideration and leave to amend, asserting that the district court erred in dismissing one of their FCRA claims. Plaintiffs did not seek reconsideration of the other four dismissed claims, which were omitted from the proposed amended complaint, but maintained their right to appeal the dismissals. Notably, the proposed amended complaint includes a new allegation that Plaintiff Gala-ria discovered three unauthorized attempts to open credit cards in his name. After checking with the credit-card companies, he learned that applications to open cards had been made using his name, Social Security number, and date of birth. The district court denied reconsideration and leave to amend, concluding that Plaintiffs had not demonstrated a clear error of law, and that the proposed amendment would not cure any deficiencies in the FCRA claim in any event.
Plaintiffs appeal the dismissal of their-FCRA, negligence, and bailment claims for lack of jurisdiction, and the denial of their motions for reconsideration and leave to amend. Plaintiffs do not appeal the dismissal of their invasion-of-privacy claim.
II. Discussion
A. Article III standing
We review de novo the district court’s determination of Article III standing. McKay v. Federspiel, 823 F.3d 862, 866 (6th Cir. 2016). “Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies,’ ” and “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identifying] those disputes which are appropriately resolved through the judicial process.’ ” Susan B. Anthony List v. Driehaus, — U.S. —, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). The Supreme Court has explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Spokeo, Inc. v. Robins, — U.S. —, 136 S.Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130). A plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id.
The plaihtiff “bears the burden of showing that he has standing,” Summers v. Earth Island Institute, 555 U.S. 488, 493, 129 S.Ct. 1142, 173 L.Ed.2d 1 (2009), and “[e]ach element of standing ‘must be-supported in the same way as any other matter on which the plaintiff bears the burden [388]*388of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.’” Fair Elections Ohio v. Husted, 770 F.3d 456, 459 (6th Cir. 2014) (quoting Lujan, 504 U.S. at 561, 112 S.Ct. 2130). “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly .,. allege facts demonstrating1 each element.” Spokeo, 136 S.Ct. at 1547 (quoting Warth v. Seldin, 422 U.S. 490, 518, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975)). The court “must accept as true all material allegations of the complaint, and must construe the complaint in favor of the complaining party.” Parsons v. U.S. Dep’t of Justice, 801 F.3d 701, 710 (6th Cir. 2015) (quoting Warth, 422 U.S. at 501, 95 S.Ct. 2197).
Injury is “the ‘[fjirst and foremost’ of standing’s three elements.” Spokeo, 136 S.Ct. at 1547 (quoting Steel Co. v. Citizens for Better Env’t, 523 U.S. 83,103,118 S.Ct. 1003, 140 L.Ed.2d 210 (1998)). “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’ ” Id. at 1548 (quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130). Where plaintiffs seek to establish standing based on an imminent injury, the Supreme Court has explained “that ‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘Allegations of possible future injury1 are not sufficient.” Clapper v. Amnesty Int’l USA, — U.S.—, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013) (emphasis in original) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990)). However, the Supreme Court has also “found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm,” even where it is not “literally certain the harms they identify will come about.” Id. at 1150 n.5 (citing cases).
Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of “possible future injury” or “objectively reasonable likelihood” of injury that the Supreme Court has explained are insufficient. Clapper, 133 S.Ct. at 1147-48. There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.
Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, id. at 1150 n.5, there is-a sufficiently substantial risk of harm that incurring mitigation costs is reasonable. Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit .card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps. And here, the complaints allege that Plaintiffs and the other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts. Although Nationwide offered to provide some of these ser[389]*389vices for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 1155. Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.1
This conclusion is in line with two recent decisions from the Seventh Circuit addressing standing in data-breach cases. In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the court held that victims of a data breach at a department store had established injury-in-fact by alleging a “substantial risk of harm” from the theft of their data. Id. at 693. The court explained: “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make a fraudulent charge or assume those consumers’ identities.” Id. The court reached the same conclusion in Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), where restaurant customers’ credit-card data was stolen in a data breach, because a “primary incentive” for a breach is to commit fraud. Id. at 965, 967.2 The Ninth Circuit similarly found Article III standing in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), where employees brought suit after a thief stole a company laptop containing their personal information. Id. at 1141-43.
The Third Circuit reached a different conclusion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). In Reilly, a hacker broke into a payroll processor’s network, but it was not clear “whether the hacker read, copied, or understood” the personal data stored on the system. Id. at 40, 44. The plaintiffs—whose data was in the system—alleged standing based on an increased risk of identity theft, but the court concluded that the injuries were too speculative because there would be an injury only “if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully.” Id. at 43. The Third Circuit also distinguished the case from data-breach cases where courts found standing: “Here, there is no evidence that the intrusion was intentional or malicious. ... Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated.” Id. at 44. Thus, Reilly is not on point where, as here, Plaintiffs allege an “identifiable taking”— [390]*390the intentional theft of their data.3
Next, Plaintiffs’ injury must also be “ ‘fairly traceable’ to the conduct being challenged.” Wittman v. Personhuballah, — U.S. —, 136 S.Ct. 1732, 1736, 195 L.Ed.2d 37 (2016) (quoting Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130). This element of standing “is not focused on whether the defendant ‘caused’ the plaintiffs injury in the liability sense,” Wuliger v. Mfrs. Life Ins. Co., 567 F.3d 787, 796 (6th Cir. 2009), because “causation to support standing is not synonymous with causation sufficient to support a claim.” Parsons, 801 F.3d at 715. Indeed, the Supreme Court has made clear that “[pjroximate causation is not a requirement of Article III standing.” Lexmark Int'l Inc. v. Static Control Components, Inc., — U.S.—, 134 S.Ct. 1377,1391 n.6,188 L.Ed.2d 392 (2014). “To that end, the fact that an injury is indirect does not destroy standing as a matter of course.” Parsons, 801 F.3d at 713; see also Warth, 422 U.S. at 504, 95 S.Ct. 2197. Rather, the traceability requirement mainly serves “to eliminate those cases in which a third party and not a party before the court causes the injury.” Am. Canoe Ass’n v. City of Louisa Water & Sewer Comm’n, 389 F.3d 536, 542 (6th Cir. 2004).
Here, Plaintiffs sufficiently allege that their injuries are fairly traceable to Nationwide’s conduct. For example, Plaintiffs allege that Defendants failed “to establish and/or implement appropriate administrative, technical and/or physical safeguards to ensure the security and confidentiality of Plaintiffs and other Class Members’ [data] to protect against anticipated threats to the security or integrity of such information.” R. 1, PID 11-12. Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation. Parsons, 801 F.3d at 714.
This conclusion is consistent with the Eleventh Circuit’s decision in Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012), which held that injuries from a data breach were fairly traceable to a defendant that failed to secure laptops that were then stolen. The Seventh and Ninth Circuit have also found the traceability requirement met in similar data-breach cases. Lewert, 819 F.3d at 969; Remijas, 794 F.3d at 696; Krottner, 628 F.3d at 1141. Further, in Lambert v. Hartman, 517 F.3d 433, 438 (6th Cir. 2008), we held that identity theft was fairly traceable to a defendant that mishandled the plaintiffs personal data by releasing it online. True, the plaintiff in Lambert alleged conduct more egregious than the general allegations of inadequate security presented in Plaintiffs’ complaints; but at the pleading stage, we “presume[ ] that general allegations embrace those specific facts that are necessary to support the claim.” Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871,889,110 S.Ct. 3177, 111 L.Ed.2d 695 (1990).
Lastly, Plaintiffs must show that their injury “will likely be ‘redressed’ by a favorable decision.” Wittman, 136 S.Ct. at [391]*3911736 (quoting Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130). Here, Plaintiffs seek compensatory damages for their injuries, and a favorable verdict would provide redress.
Thus, we conclude that Plaintiffs’ complaints adequately allege Article III standing. Nationwide argues in the alternative that the dismissal of the negligence and bailment claims should nonetheless be affirmed on the basis that Plaintiffs failed to state claims for relief. However, because the district court dismissed for lack of jurisdiction, we decline to grant a dismissal on the merits on appeal.
B. Statutory standing under the FCRA
We review de novo the district court’s dismissal of Plaintiffs’ FCRA claims for lack of subject-matter jurisdiction. Askins v. Ohio Dep’t of Agric., 809 F.3d 868, 872 (6th Cir. 2016). The district court concluded that the complaints allege a violation of the FCRA’s statement of purpose rather than a substantive provision of the statute, and dismissed the FCRA claims for lack of statutory standing.
The Supreme Court has explained that the term “statutory standing” describes an inquiry into the question whether a plaintiff “falls within the class of plaintiffs whom Congress has authorized to sue” and therefore “has a cause of action under the statute.” Lexmark, 134 S.Ct. at 1387-88 & n.4. However, this label is “misleading, since ‘the absence of a valid (as opposed to arguable) cause of action does not implicate subject-matter jurisdiction, ie., the court’s statutory or constitutional poioer to adjudicate the case.’ ” Id. (emphasis in original) (quoting Verizon Md. Inc. v. Pub. Serv. Comm’n of Md., 535 U.S. 635, 642-43, 122 S.Ct. 1753, 152 L.Ed.2d 871 (2002)); see also Facione v. CHL Mortg. Trust 2006-J1, 628 Fed.Appx. 919, 920 (6th Cir. 2015) (noting the “confusion” caused by the term “statutory standing”). The question whether Plaintiffs have a cause of action is a merits issue that is “analytically distinct from the question whether a federal court has subject-matter jurisdiction.” Roberts v. Hamer, 655 F.3d 578, 580 (6th Cir. 2011). If a plaintiff lacks statutory standing—in other words, does not have a cause of action—the proper course is to dismiss for failure to state a claim. Id. at 581.
Thus, the district court erred in concluding that it lacked subject-matter jurisdiction over the FCRA claims. As discussed, Plaintiffs have Article III standing to bring this action,4 and we see no other jurisdictional defect; the district court’s contrary conclusion was based on an assessment of the merits. We go no further than reversing the district court’s judgment as to its jurisdiction, and decline to address the merits issue on appeal. Instead, we return this question to the district court, which may dismiss for failure to state a claim if it concludes that Plaintiffs do not have a cause of action under the FCRA.
III. Conclusion
For these reasons, we REVERSE the dismissal of Plaintiffs’ negligence, bailment, and FCRA claims for lack of subject-matter jurisdiction and REMAND for further proceedings.