Fourth Circuit weighs in on standing in data breach class actions

Breach Litigation Basics

Typically, in a data breach or theft, a threat actor accesses and potentially exfiltrates information from a company that maintains personal information of its customers, its employees, or other members of the public. Individuals whose information was potentially affected by these breaches often file putative class action complaints against the breached companies based on a theory that the companies failed to adequately protect the individuals’ sensitive information. 

In some cases, plaintiffs allege that following the exposure of their information, they were the victims of identity theft, bank fraud, or other tangible harms. In most cases, however, plaintiffs allege that the breach of their information creates an imminent risk of harm in the form of future identity theft or a comparable injury, even though there is no evidence that the information was misused beyond the exfiltration itself. 

The question of whether there is an imminent risk of future harm can hinge on what information was exfiltrated and whether and to whom the threat actor disclosed the stolen information after the exfiltration. 

Background in Holmes

In Holmes, four named plaintiffs brought a putative class action against Elephant Insurance Company following a breach that allegedly compromised three million driver’s license numbers. All the plaintiffs alleged that they suffered harm in the form of time spent monitoring their credit and finances, as well as an increased risk of future identity theft. 

Two plaintiffs also alleged that they experienced fear and anxiety caused by the data breach, and one said that he had experienced an increased number of unwanted calls as a result of the breach. Crucially, two plaintiffs—Holmes and Cardenas—alleged that they had found their driver’s license numbers on the “dark web.” Each of the plaintiffs sought damages, a declaration about the alleged inadequacy of Elephant’s data security, and an injunction requiring security improvements. 

The district court found that no plaintiff had standing to pursue any claim and dismissed the entire case under Fed. R. Civ. P. 12(b)(1). 

Fourth Circuit Decision

The Fourth Circuit affirmed the lower court’s dismissal for lack of standing, except that it found that the plaintiffs Holmes and Cardenas had standing to pursue their claims for damages but not equitable relief. The Fourth Circuit considered several theories of injury but found only one convincing. 

It held that disclosure of a plaintiff’s information on the dark web could confer standing because it was the same type of harm protected by the tort of public disclosure of private information. Notably, the court rejected the argument that the increased risk of future harm was sufficiently “imminent” to confer standing, even for the plaintiffs whose information was on the dark web. This approach deviated from decisions from other circuits.

The Holmes court’s analysis began with some familiar ground rules: 

• federal courts may only resolve “Cases” and “Controversies,” which means that each plaintiff must have standing to pursue their claims, 
• standing requires, among other things, that each plaintiff “suffered an injury in fact that is concrete, particularized, and actual or imminent,”
• standing must be present for each type of relief sought, i.e., damages or equitable relief, and
• standing requirements apply to class actions as to any other case.

The court then considered that all the named plaintiffs claimed four types of injury in fact: (1) the actual compromise of their personal information, (2) the risk of future misuse of their personal information, (3) the risk of having their information taken again, and (4) the emotional distress and time spent monitoring their credit and financial records in an attempt to mitigate the likelihood of future harm. One plaintiff’s claim about unwanted calls failed to confer standing because the calls were unrelated to any compromised driver’s license number and therefore not traceable to the breach and, as such, not traceable to the defendant. For the other alleged harms, the question was whether they were sufficiently imminent and concrete. 

The Fourth Circuit primarily relied on TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), which explains how to determine the “concreteness” of an intangible injury. To be sufficiently “concrete,” the harm “must bear a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” The court analyzed the question of concreteness in terms of relief for retrospective and prospective harms. 

Retrospective Relief

With respect to relief for retrospective harms, the Holmes court considered the tort of public disclosure of private information as a possible traditional-harm analog to the plaintiffs’ purported injuries. The court noted that elements of a tort may not all be relevant for standing purposes, but elements that “define the harm” to the plaintiff—as opposed to elements related to the defendants’ actions—must be alleged to establish concrete injury in fact. 

As defined in the Restatement, the tort of public disclosure of private information requires that the defendant (1) disclose (2) to the public (3) true but private information that would be highly offensive to a reasonable person and (4) otherwise of no legitimate concern to the public. The Holmes court discerned that the harm actionable through the tort was disclosure of sensitive personal information (as opposed to any information) to the public (not just to a small group of people). 

Applying that framework to the plaintiffs’ claims, the court determined that driver’s license numbers are sufficiently sensitive that the plaintiffs justifiably would prefer to keep them confidential. (Notably, that view diverges from the holdings of at least the Seventh and Ninth Circuits.) 

Only Holmes and Cardenas, who claimed to have found their numbers on the dark web, alleged public disclosure. Accordingly, only those plaintiffs sufficiently alleged a specific injury in fact to confer standing to seek “retrospective relief like damages.” 

The other plaintiffs, who alleged that their numbers had been hacked and compromised but not that they’d seen them on the dark web, failed to “provide any reason to think that their driver’s license numbers are now generally accessible.” The court reasoned that while the other plaintiffs alleged their information was in the possession of the hackers, “they d[id] not allege that the unnamed hackers are so numerous as to constitute the public on their own.” Those plaintiffs could not premise standing on that alleged harm.

Prospective Relief and “Imminent” Injury

Next, the Holmes court found that none of the plaintiffs had standing to seek forward-looking relief or to recover for emotional distress or time spent attempting to mitigate potential or speculative future harm. Standing to seek prospective declaratory or injunctive relief requires that the future harm be “imminent,” which in turn requires more than an “objectively reasonable likelihood” that the harm may someday occur. Rather, under US Supreme Court precedent in City of Los Angeles v. Lyons, 461 U.S. 95 (1983), and Murthy v. Missouri, 603 U.S. 43 (2024), a “substantial risk” that the harm will happen “in the near future” is required. 

In an earlier data breach decision, the Fourth Circuit rejected the premise that an alleged 33% risk of harm was enough to qualify as “substantial.” The Holmes court, in turn, observed that a “substantial risk” is “presumably a good bit higher” than 33%. None of the Holmes plaintiffs could make that showing with respect to their claims about potential future harm. Instead, they offered a “speculative chain of possibilities.”

The Holmes court recognized that other circuits “have found imminent injury to plaintiffs in similar circumstances to Cardenas and Holmes,” citing decisions from the First, Second, Seventh, and D.C. Circuit Courts of Appeals. But those decisions, in the Fourth Circuit’s view, “implicitly require[d] only a reasonable probability of future harm—a looser notion of imminence urged by the dissent in Clapper [v. Amnesty International USA, 568 U.S. 398 (2013),] but rejected by the majority.” 

Finally, because none of the plaintiffs had standing to seek prospective injunctive or declaratory relief, they could not invoke “backdoor standing” based on emotional distress or spending time monitoring their financials because of the alleged risk of future harm. Those alleged monitoring and distress injuries cannot furnish standing for damages where the feared future harm itself is merely speculative. Similarly, the court noted that the plaintiffs’ mitigation expenses to prevent future harm were not traceable to the potential future threat.

Takeaways

Holmes analyzes standing in the context of the familiar data breach complaint, concluding that public disclosure of a driver’s license number may convey standing while mere “compromise” of the number, without dissemination by the hacker, will not. As to prospective relief, nonspecific claims about “increased risk” of future harm just because of a past breach are unlikely to suffice in the Fourth Circuit. And for now, anyway, a data breach plaintiff’s choice of federal forum may have an outsize effect on the likelihood that his claims will survive a motion to dismiss for lack of subject matter jurisdiction. 

Francis X. Nolan IV | Partner | +1 212 389 5083 | Email
Valerie Strong Sanders | Counsel | +1 404 853 8168 | Email
Alexander Bussey | Senior Associate | +1 212 287 6997 | Email
Jessica Fuhrman | Senior Associate | +1 202 383 0231 | Email
Elizabeth K. Hudson | Associate | +1 202 383 0301 | Email
Ian N. Jones | Associate | +1 404 853 8051 | Email
Claire E. Scavone | Associate | +1 404 853 8558 | Email

__________

If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.