Fourth Circuit: Leaked Data Breach Information Must Be Publicly Available to Cause 'Concrete Injury'

    Client Alerts
  • October 27, 2025

On October 14, 2025, the Fourth Circuit issued its opinion in Holmes v. Elephant Insurance Company, clarifying that plaintiffs in data breach class actions must demonstrate that their compromised personal information was publicly disclosed in order to establish Article III standing. The decision provides a clearer benchmark for businesses on when data breach plaintiffs have standing in the Fourth Circuit.

Background and Key Holdings

Holmes arose from a 2022 data breach of Elephant Insurance’s network, exposing the driver’s license numbers of nearly three million individuals. The four class representatives alleged a range of injuries, including time spent on mitigation, increased risk of identity theft, emotional distress, and, for two plaintiffs, discovery of their license numbers on the dark web.

The Fourth Circuit held:

  • Only plaintiffs whose driver’s license numbers were posted on the dark web had standing to seek damages. Public disclosure of private information constitutes a concrete injury sufficient for standing to sue. Mere possession of data by hackers, without public dissemination, does not meet this threshold.
     
  • Speculative injuries are insufficient. Increased risk of future identity theft, mitigation efforts, and emotional distress were deemed too speculative to confer standing. Plaintiffs cannot manufacture standing by taking precautionary measures or alleging emotional distress based on hypothetical future harm.
     
  • Common law analog and TransUnion v. Ramirez. The court’s reasoning draws on the Supreme Court’s decision in TransUnion v. Ramirez, analogizing the harm to the common law tort of public disclosure of private information. This connection underscores the requirement for a close relationship between the alleged harm and those traditionally recognized at common law.

The court allowed the claims of the two class representatives whose license numbers were actually posted or made available for purchase on the dark web to proceed, finding their damages sufficiently concrete. The other plaintiffs' claims were dismissed as too speculative.

Part of a Broader Judicial Trend

The Fourth Circuit’s approach aligns with recent opinions from the First, Second, and Third Circuits, which have similarly required public dissemination of compromised data for standing in data breach cases. Notably, the Fourth Circuit distinguished between mere possession and actual public disclosure, drawing a meaningful line between speculative and concrete injuries. This distinction limits standing to plaintiffs who can demonstrate that their privacy has been tangibly invaded, rather than those who only face a theoretical risk of harm.

The court also expressly rejected the Seventh Circuit’s narrower view in Baysal v. Midvale Indemnity Co., which found driver’s license numbers insufficiently sensitive for standing. In contrast, the Fourth Circuit reasoned that even non-embarrassing but valuable identifiers, such as driver’s license numbers, can qualify as protected private information when publicly disclosed, especially given their potential for misuse in identity theft. This approach broadens the scope of what may constitute a concrete injury in data breach litigation, while maintaining a rigorous threshold for standing.

Potential Risks and Need for Continued Vigilance

While the Fourth Circuit’s decision narrows federal standing in data breach litigation, it is essential not to conflate this with a relaxation of breach notification or regulatory obligations. Privacy statutes and reporting requirements often apply even when data has not been publicly disclosed, and the threshold for notification is typically lower than the threshold for federal standing. Businesses should remain attentive to the distinction between litigation standing and regulatory obligations, as notification requirements may apply even in the absence of public disclosure.

Plaintiffs are increasingly utilizing dark web monitoring to identify evidence of publication or disclosure, which may influence both litigation strategy and incident response planning. This trend underscores the importance of robust post-breach monitoring and documentation.

The decision may also influence the dynamics of ransomware and extortion scenarios, as emphasis on public disclosure could affect how threat actors approach demands. As actual publication continues to be a key factor in litigation risk, organizations may face evolving challenges in responding to threat actors, including potential shifts in ransom demands and incident response strategies.

Key Takeaways

  • Concrete injury requires public disclosure. Plaintiffs must show that their information was made publicly available, not merely accessed by unauthorized parties.
     
  • Mitigation efforts and emotional distress alone do not confer standing. Time spent monitoring accounts or emotional distress, without imminent or actual misuse, is insufficient.
     
  • Trend toward a higher bar for standing. Courts increasingly require plaintiffs to demonstrate actual, concrete harm, typically through public disclosure of sensitive information, in order to proceed with data breach claims.
     
  • Regulatory obligations remain. Businesses must remember that breach reporting requirements apply regardless of whether public disclosure occurred.
     
  • Dark web monitoring is increasingly important. Plaintiffs are actively searching for evidence of publication, which may affect both litigation and regulatory exposure.
     
  • Ransom risk may increase. The decision could inadvertently strengthen the bargaining position of threat actors.

For more information, please contact us or your regular Parker Poe contact.