Alexander Busse, Jessica Fuhrman, Elizabeth Hudson, Ian Jones, Francis Nolan IV, and Valerie Strong Sanders of Eversheds Sutherland write:
One of the hotly litigated issues in data breach class action litigation is whether plaintiffs in these actions have standing under Article III of the US Constitution. For a complaint to survive, the plaintiff must allege facts to establish that the plaintiff suffered an actual or imminent injury in fact and that the injury to the plaintiff is traceable to and redressable by the defendant. Courts grapple with standing in cases where plaintiffs’ personal information has been exfiltrated in a breach but not disseminated publicly or used to inflict tangible harm like identity theft. In Holmes v. Elephant Ins. Co., ___ F.4th ___, 2025, WL 2907615 (4th Cir. Oct. 14, 2025), the US Court of Appeals for the Fourth Circuit weighed in on these issues, providing a road map for courts within that circuit while deepening a split among the circuit courts.
[…]
Background in Holmes
In Holmes, four named plaintiffs brought a putative class action against Elephant Insurance Company following a breach that allegedly compromised three million driver’s license numbers. All the plaintiffs alleged that they suffered harm in the form of time spent monitoring their credit and finances, as well as an increased risk of future identity theft.
Two plaintiffs also alleged that they experienced fear and anxiety caused by the data breach, and one said that he had experienced an increased number of unwanted calls as a result of the breach. Crucially, two plaintiffs—Holmes and Cardenas—alleged that they had found their driver’s license numbers on the “dark web.” Each of the plaintiffs sought damages, a declaration about the alleged inadequacy of Elephant’s data security, and an injunction requiring security improvements.
The district court found that no plaintiff had standing to pursue any claim and dismissed the entire case under Fed. R. Civ. P. 12(b)(1).
Read more at JDSupra.