An Update as to Standing in Data Breach Class Actions
Recently, the Fourth Circuit[1] addressed whether plaintiffs affected by a data breach suffered by an insurance company had Article III standing to pursue their claims. The decision is significant because many of the current class actions settle quickly before discovery begins in an effort to avoid the costs of discovery. The result is that while settlements can provide good precedent for plaintiffs’ attorneys, defense attorneys have not had a significant amount of leverage due to the limited number of case opinions.
Background
Elephant Insurance Company (“Elephant”) and a subsidiary notified consumers on May 6, 2022, that unauthorized parties may have accessed personal information, including names, driver’s license numbers, and birthdates, according to court documents. Elephant also disclosed that the information may have included data from current, past and prospective customers.
The initial suit was dismissed for lack of standing for the four named plaintiffs: Christopher Holmes, Robert Shaw, Jaime Cardenas, and Trinity Bias.
The dismissal was appealed, and a federal appeals court partially reinstated the suit, finding standing for two of the plaintiffs, while establishing a clear precedent.
Opinion
In this opinion the court provides a clear distinction between plaintiffs who have standing and those who do not, which may pave the way for more challenges to data breach class actions.
The court in Elephant concluded that, of the four named plaintiffs, only two, Holmes and Cardenas, alleged a concrete injury sufficient to show standing and ultimately to seek damages. The court held:
- Standing
Two of the plaintiffs have standing to seek damages because their driver’s license numbers were actually found on the dark web, creating a concrete injury analogous to the common-law tort of public disclosure of private facts.
The court noted that a plaintiff must show:
“(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” Id. (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)).
The court held that publication of a driver’s license number on the dark web is public exposure of sensitive, tightly controlled information. This is closely related to the harm addressed by the tort of public disclosure.
The court held that a driver’s license number is private information even though:
- a driver’s license number per se is not embarrassing,
- Elephant did not affirmatively disclose it, and
- the dark web is not a traditional “public” forum.
Thus, sensitive information published on the dark web is a concrete injury. And, because this injury was actual and concrete, Cardenas and Holmes have standing and can pursue damages.
- Two plaintiffs, Shaw and Bias, lacked standing entirely, because they did not allege that their stolen information was publicly accessible on the dark web or misused[2]. Those plaintiffs whose numbers were compromised, but not shown to be publicized or posted on the dark web, did not have standing.
- None of the plaintiffs have standing to seek injunctive or declaratory relief, because they failed to show any imminent future harm. Specifically, the court rejected all other alleged injuries such as:
  - Risk of future misuse was too speculative. The chain of events required (criminal purchase, aggregation of additional personal data, timely use before license renewal) was too remote. The court also noted that, unlike other sensitive information, driver’s license numbers change over time as the license may expire or the individual may move. The future risk of harm also depends on an intervening third party to cause that injury.
  - Risk of a second data breach was also too remote. The plaintiffs offered no plausible reason why they, personally, faced imminent risk of another breach. The court noted that under Lyons[3], general risk affecting the public does not establish personal imminence.
  - Time and emotional distress do not prove standing. Without a separate injury, plaintiffs cannot recover for time spent and emotional distress. Even if these could be “concrete” harms, they cannot create standing by themselves. The court noted that under Clapper[4], plaintiffs cannot “manufacture standing” through self-imposed costs or anxieties in response to speculative future harm. Such “harms” would be relevant for the purposes of calculating damages.
Conclusion
In summary, the court found that only plaintiffs who demonstrate actual disclosure of their sensitive information on the dark web have standing to pursue damages. Alleged future risks, emotional distress, and time spent in response to the incident were deemed too speculative to support claims for injunctive or declaratory relief.
[1] Holmes et al. v. Elephant Insurance Co. et al., No. 23-1782, 2025 WL 2907615 (4th Cir. Oct. 14, 2025).
[2] An interesting question to consider, then, is whether theft of sensitive data, but with no subsequent posting of such information on the dark web, does not necessarily result in “misuse”.
[3] City of Los Angeles v. Lyons, 461 U.S. 95, 105 (1983).
[4] Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410 (2013), pg. 402.

