Fourth Circuit Weighs in on Standing in Data Breach Class Actions Eversheds Sutherland US LLP JDSupra

pppOne of the hotly litigated issues in data breach class action litigation is whether plaintiffs in these actions have standing under Article III of the US Constitution For a complaint to survive the plaintiff must allege facts to establish that the plaintiff suffered an actual or imminent injury in fact and that the injury to the plaintiff is traceable to and redressable by the defendant Courts grapple with standing in cases where plaintiffs personal information has been exfiltrated in a breach but not disseminated publicly or used to inflict tangible harm like identity theft In Holmes v Elephant Ins Co F4th 2025 WL 2907615 4th Cir Oct 14 2025 the US Court of Appeals for the Fourth Circuit weighed in on these issues providing a road map for courts within that circuit while deepening a split among the circuit courtsppBreach Litigation BasicsppTypically in a data breach or theft a threat actor accesses and potentially exfiltrates information from a company that maintains personal information of its customers its employees or other members of the public Individuals whose information was potentially affected by these breaches often file putative class action complaints against the breached companies based on a theory that the companies failed to adequately protect the individuals sensitive informationppIn some cases plaintiffs allege that following the exposure of their information they were the victims of identity theft bank fraud or other tangible harms In most cases however plaintiffs allege that the breach of their information creates an imminent risk of harm in the form of future identity theft or a comparable injury even though there is no evidence that the information was misused beyond the exfiltration itselfppThe question of whether there is an imminent risk of future harm can hinge on what information was exfiltrated and whether and to whom the threat actor disclosed the stolen information after the exfiltrationppBackground in HolmesppIn Holmes four named plaintiffs brought a putative class action against Elephant Insurance Company following a breach that allegedly compromised three million drivers license numbers All the plaintiffs alleged that they suffered harm in the form of time spent monitoring their credit and finances as well as an increased risk of future identity theftppTwo plaintiffs also alleged that they experienced fear and anxiety caused by the data breach and one said that he had experienced an increased number of unwanted calls as a result of the breach Crucially two plaintiffsHolmes and Cardenasalleged that they had found their drivers license numbers on the dark web Each of the plaintiffs sought damages a declaration about the alleged inadequacy of Elephants data security and an injunction requiring security improvementsppThe district court found that no plaintiff had standing to pursue any claim and dismissed the entire case under Fed R Civ P 12b1ppFourth Circuit DecisionppThe Fourth Circuit affirmed the lower courts dismissal for lack of standing except that it found that the plaintiffs Holmes and Cardenas had standing to pursue their claims for damages but not equitable relief The Fourth Circuit considered several theories of injury but found only one convincingppIt held that disclosure of a plaintiffs information on the dark web could confer standing because it was the same type of harm protected by the tort of public disclosure of private information Notably the court rejected the argument that the increased risk of future harm was sufficiently imminent to confer standing even for the plaintiffs whose information was on the dark web This approach deviated from decisions from other circuitsppThe Holmes courts analysis began with some familiar ground rulesppThe court then considered that all the named plaintiffs claimed four types of injury in fact 1 the actual compromise of their personal information 2 the risk of future misuse of their personal information 3 the risk of having their information taken again and 4 the emotional distress and time spent monitoring their credit and financial records in an attempt to mitigate the likelihood of future harm One plaintiffs claim about unwanted calls failed to confer standing because the calls were unrelated to any compromised drivers license number and therefore not traceable to the breach and as such not traceable to the defendant For the other alleged harms the question was whether they were sufficiently imminent and concreteppThe Fourth Circuit primarily relied on TransUnion LLC v Ramirez 594 US 413 2021 which explains how to determine the concreteness of an intangible injury To be sufficiently concrete the harm must bear a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts The court analyzed the question of concreteness in terms of relief for retrospective and prospective harmsppRetrospective ReliefppWith respect to relief for retrospective harms the Holmes court considered the tort of public disclosure of private information as a possible traditionalharm analog to the plaintiffs purported injuries The court noted that elements of a tort may not all be relevant for standing purposes but elements that define the harm to the plaintiffas opposed to elements related to the defendants actionsmust be alleged to establish concrete injury in factppAs defined in the Restatement the tort of public disclosure of private information requires that the defendant 1 disclose 2 to the public 3 true but private information that would be highly offensive to a reasonable person and 4 otherwise of no legitimate concern to the public The Holmes court discerned that the harm actionable through the tort was disclosure of sensitive personal information as opposed to any information to the public not just to a small group of peopleppApplying that framework to the plaintiffs claims the court determined that drivers license numbers are sufficiently sensitive that the plaintiffs justifiably would prefer to keep them confidential Notably that view diverges from the holdings of at least the Seventh and Ninth CircuitsppOnly Holmes and Cardenas who claimed to have found their numbers on the dark web alleged public disclosure Accordingly only those plaintiffs sufficiently alleged a specific injury in fact to confer standing to seek retrospective relief like damagesppThe other plaintiffs who alleged that their numbers had been hacked and compromised but not that theyd seen them on the dark web failed to provide any reason to think that their drivers license numbers are now generally accessible The court reasoned that while the other plaintiffs alleged their information was in the possession of the hackers they did not allege that the unnamed hackers are so numerous as to constitute the public on their own Those plaintiffs could not premise standing on that alleged harmppProspective Relief and Imminent InjuryppNext the Holmes court found that none of the plaintiffs had standing to seek forwardlooking relief or to recover for emotional distress or time spent attempting to mitigate potential or speculative future harm Standing to seek prospective declaratory or injunctive relief requires that the future harm be imminent which in turn requires more than an objectively reasonable likelihood that the harm may someday occur Rather under US Supreme Court precedent in City of Los Angeles v Lyons 461 US 95 1983 and Murthy v Missouri 603 US 43 2024 a substantial risk that the harm will happen in the near future is requiredppIn an earlier data breach decision the Fourth Circuit rejected the premise that an alleged 33 risk of harm was enough to qualify as substantial The Holmes court in turn observed that a substantial risk is presumably a good bit higher than 33 None of the Holmes plaintiffs could make that showing with respect to their claims about potential future harm Instead they offered a speculative chain of possibilitiesppThe Holmes court recognized that other circuits have found imminent injury to plaintiffs in similar circumstances to Cardenas and Holmes citing decisions from the First Second Seventh and DC Circuit Courts of Appeals But those decisions in the Fourth Circuits view implicitly required only a reasonable probability of future harma looser notion of imminence urged by the dissent in Clapper v Amnesty International USA 568 US 398 2013 but rejected by the majorityppFinally because none of the plaintiffs had standing to seek prospective injunctive or declaratory relief they could not invoke backdoor standing based on emotional distress or spending time monitoring their financials because of the alleged risk of future harm Those alleged monitoring and distress injuries cannot furnish standing for damages where the feared future harm itself is merely speculative Similarly the court noted that the plaintiffs mitigation expenses to prevent future harm were not traceable to the potential future threatppTakeawaysppHolmes analyzes standing in the context of the familiar data breach complaint concluding that public disclosure of a drivers license number may convey standing while mere compromise of the number without dissemination by the hacker will not As to prospective relief nonspecific claims about increased risk of future harm just because of a past breach are unlikely to suffice in the Fourth Circuit And for now anyway a data breach plaintiffs choice of federal forum may have an outsize effect on the likelihood that his claims will survive a motion to dismiss for lack of subject matter jurisdictionppView sourceppSee more ppDISCLAIMER Because of the generality of this update the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations
Attorney Advertisingpp
Eversheds Sutherland US LLP
var today new Date var yyyy todaygetFullYeardocumentwriteyyyy
ppRefine your interests ppPlease take our short survey your perspective helps to shape how firms create relevant useful content that addresses your needsppBack to TopppExplore 2025 Readers Choice AwardsppCopyright var today new Date var yyyy todaygetFullYeardocumentwriteyyyy JD Supra LLCp