License to Sue? The Fourth Circuit Examines Standing in a Case Involving Driver’s Licenses, Class Actions, and the “Dark Web.”
In Holmes v. Elephant Insurance Co., the Fourth Circuit applied traditional standing principles to modern privacy questions. No. 23-1782, 2025 WL 2907615 (4th Cir. Oct. 14, 2025). In this purported class action, the Court applied two significant rules concerning data-breach litigation. First, to sufficiently allege a “concrete” injury caused by disclosed information, plaintiffs must assert that they “justifiably” preferred to keep the disclosed information private, and that the data breach caused the information to become “accessible to many.” Second, in order for potential identity theft to be an “imminent” injury, plaintiffs’ allegations must create at least a one-third probability of identity theft. This post provides a rundown of Holmes, which will likely be a mainstay in Fourth Circuit data-breach litigation.
District Court Dismisses Purported Class Action for Lack of Standing
The defendants in Holmes sold insurance, “including home and car insurance.” Hackers breached the defendants’ online platform, compromising “nearly 3 million” driver’s-license numbers. Because of the breach, four named plaintiffs brought two putative class actions against the defendants. Senior District Judge John A. Gibney, Jr., sitting in the Eastern District of Virginia, consolidated the cases.
Two of the plaintiffs, the “hacker plaintiffs,” simply claimed that hackers stole their driver’s-license numbers. The other two plaintiffs, the “dark-web plaintiffs,” claimed that hackers stole their driver’s-license numbers and then placed the numbers on the “dark web.”
The plaintiffs all alleged that the breach caused both past injuries and future injuries. Their alleged past injuries were informational harms; information that the plaintiffs preferred to keep private was made public. Their alleged future injuries were the potential for identity theft and the potential for another data breach.
The plaintiffs sought multiple remedies. For their past injuries, the plaintiffs requested damages. For their future injuries, the plaintiffs requested declaratory and injunctive relief.
The district court concluded that the plaintiffs lacked standing to seek any relief and granted the defendants’ motion to dismiss. The district court reasoned that the plaintiffs failed to allege a concrete injury caused by the defendants. The plaintiffs appealed.
Fourth Circuit Affirms in Part and Reverses in Part
Standing requires (1) an injury (2) caused by a defendant (3) that is redressable by a court. Id. at *2. Because no single remedy is a panacea, plaintiffs must have standing for each remedy sought. See id. Standing applies no less in class actions, and the standing question in Holmes turned on whether the plaintiffs’ alleged injuries were sufficiently “concrete.” Relying on TransUnion (which we have explored in a previous post), the Fourth Circuit analyzed whether the plaintiffs’ alleged injuries were sufficiently concrete by assessing “whether there is ‘a close historical or common-law analogue’ to” the plaintiffs’ alleged harm. Holmes, 2025 WL 2907615, at *3 (quoting TransUnion LLC v. Ramirez, 594 U.S. 413, 424 (2021)).
Past Injuries
Regarding the plaintiffs’ alleged past injuries, the Court examined whether their alleged harms were analogous to the harms protected by the historical tort of “public disclosure of private information.” This tort “makes concrete the intangible harm suffered when information that the plaintiff would justifiably prefer to tightly control is released into the open.” The disclosed information “need not be embarrassing or salacious,” and it “need not be broadcast to the whole world.” Rather, “the plaintiff must have good reason to keep [the disclosed information] close to the vest,” and the disclosure must make the information “accessible to many.” Id. at *6.
The dark-web plaintiffs alleged that hackers placed their driver’s-license numbers on the dark web. The Court concluded that the “dark web” is accessible to many, and people justifiably prefer to keep their driver’s-license numbers private. Thus, the harm suffered by the dark-web plaintiffs was analogous to the harm protected by the historical public-disclosure tort; their injuries were therefore concrete, and they had standing to seek damages. The hacker plaintiffs, however, did not allege that their driver’s-license numbers were on the dark web. As a result, they did not allege that their driver’s-license numbers were generally accessible, and they did not allege that their harm was analogous to the harm protected by the historical public-disclosure tort. Therefore, the hacker plaintiffs did not allege concrete injuries, so they lacked standing to seek damages.
Future Injuries
As to future injuries, all of the plaintiffs asserted that they were harmed by the threat of a second data breach. Separately, the hacker plaintiffs argued that they were harmed by the risk of having their information publicized, and the dark-web plaintiffs argued that they were harmed by the risk of identity theft. Standing to seek prospective relief for future injury requires that the future injury be “imminent.” Injury is imminent if there is “‘a substantial risk that’ it will happen ‘in the near future.’” Id. at *10 (quoting Murthy v. Missouri, 603 U.S. 43, 58 (2024)).
The Court quickly concluded that neither the threat of a second data breach nor the risk of the hacker plaintiffs’ information being disclosed was imminent. Moreover, the Court concluded that the dark-web plaintiffs’ identity-theft argument was “foreclosed by the principle . . . stated in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017),” which set “a numerical bar for imminence in the context of data breaches.” Holmes, 2025 WL 2907615, at *11. “Substantial risk,” i.e., imminence, of identity theft requires—at least—a 33% probability of identity theft. Id. The Court concluded that the dark-web plaintiffs’ allegations required too many inferences to create a one-third probability of identity theft. Therefore, the Court held that none of the plaintiffs alleged an imminent future injury, so none of them had standing to seek prospective relief.
A Final Unavailing Argument
As a final argument for standing to seek damages, the plaintiffs asserted that they were injured because the data breach forced them to monitor their financials and caused them emotional distress. Because the Court already concluded that the dark-web plaintiffs had standing to seek damages, the Court only analyzed this argument as applied to the hacker plaintiffs. The Court concluded that the hacker plaintiffs could not manufacture standing “solely through expenditures of time and allegations of emotional distress.” Id. at *14. Even if lost time and emotional distress were concrete injuries, “they may serve as the sole basis for standing to recover damages only when incurred in response to a separate imminent harm.” Id. at *16. The hacker plaintiffs lacked a separate imminent harm, so their lost time and emotional distress were not concrete injuries.
Takeaways
Holmes highlights the ubiquity of standing questions in federal court, no less in class actions, and it reiterates that standing to seek one remedy does not always create standing to seek another. Moreover, Holmes shows that standing remains fertile ground for arguments to dismiss, and it confirms the force of numerical arguments regarding imminent harm and prospective relief. In an era teeming with privacy concerns, Holmes will likely be a common citation for class-action defendants in Fourth Circuit privacy litigation.

