The Question of Standing in Leaks of Non-‘Salacious’ Data

When can people sue companies for failing to keep their personal data safe?

In 2021, the Supreme Court held that plaintiffs suing in federal court must point to a common-law analogue for any intangible harms they allege—or else be barred for lack of standing. Since then, circuit courts have diverged on when the harm stemming from data breaches resembles one traditionally recognized under common law. One recurring question is what to do when the leaked information is neutral rather than compromising or salacious. Is the harm of having a driver’s license number wind up in shady corners of the internet close enough to the traditional injury of, say, having an affair splashed across the front page of the newspaper?

On Oct. 14, in Holmes v. Elephant Insurance Company, the U.S. Court of Appeals for the Fourth Circuit answered that question affirmatively. Breaking from sister circuits, the court held that plaintiffs whose driver’s license numbers end up on the dark web after a data breach may sue even though the leaked information isn’t “embarrassing or salacious.” The Fourth Circuit’s approach broadens standing, making it easier for people to sue companies when their personal information surfaces online.

Legal Background

Article III standing requires a plaintiff who wishes to sue in federal court to have a personal stake in the matter. As Justice Antonin Scalia once put it, the plaintiff must be able to answer the question, “What’s it to you?”

To answer that question, the plaintiff must allege a concrete harm. Concreteness is straightforward enough when a harm is physical or monetary. But when a harm is intangible—impairing interests like privacy, reputation, or emotional well-being—the concreteness inquiry becomes, well, less concrete. 

In the 2021 case TransUnion LLC v. Ramirez, the Supreme Court held that an intangible harm counts as “concrete” only if it bears a “close relationship” to a harm “traditionally recognized” as actionable in American courts. While there need not be “an exact duplicate” in history, there must be a “close historical or common-law analogue.” A mere statutory violation does not suffice.

After TransUnion, standing to sue over data breaches became something of a puzzle. The intangible harms that follow data breaches are hard to compare to harms that were recognized at traditional common law. Data breaches, after all, are a modern creature existing only in the context of 21st-century technology.

One of the closest historical analogues to data breaches is the common-law tort of public disclosure of private information. As the Fourth Circuit explained, that tort “requires that the defendant (1) disclose (2) to the public (3) true but private information that would be highly offensive to a reasonable person and (4) is otherwise of no legitimate concern to the public.” At first glance, the analogy seems promising: A victim of such a disclosure might suffer an indignity much like that of a data-breach victim.

But some courts have resisted treating the public disclosure tort as a fit when the leaked data is as mundane as driver’s license numbers. In the 2023 case Baysal v. Midvale Indemnity Co., the U.S. Court of Appeals for the Seventh Circuit rejected the analogy to public disclosure. Judge Frank Easterbrook wrote for the majority that a license number “is not viewed as embarrassing (as a low grade point average or a poor credit score would be) or private (as medical details are) but as neutral.” According to the court, the public disclosure tort contemplates only the release of “potentially embarrassing or intimate details,” not a string of digits on a license. The U.S. Court of Appeals for the Ninth Circuit reached a similar conclusion in 2024.

Factual Background 

Elephant Insurance, an insurance company headquartered in Virginia, suffered a network breach in spring 2022. The driver’s license numbers of nearly 3 million people were compromised, the Fourth Circuit recounted. 

Four of those people—Trinity Bias, Jaime Cardenas, Christopher Holmes, and Robert Shaw—ultimately filed a putative class action lawsuit against Elephant in the Eastern District of Virginia. Only Cardenas and Holmes alleged that they had found their driver’s licenses on the dark web. The other two complained instead of time-intensive mitigation measures, anxiety and stress, and an increased risk of identity theft. All four plaintiffs sought monetary damages, a declaration that Elephant Insurance’s security measures are inadequate, and an injunction forcing the company to strengthen those measures.

Elephant Insurance moved to dismiss, and Judge John A. Gibney Jr. granted the motion. He concluded that only Holmes—who claimed to have experienced an uptick in spam calls after the breach—had alleged a concrete injury. Yet because Holmes had not alleged his phone number was compromised in the breach, Gibney decided this harm wasn’t fairly traceable to Elephant Insurance. So he dismissed the complaint for lack of standing. The plaintiffs then appealed to the Fourth Circuit.

Fourth Circuit Opinion

Writing for a unanimous three-judge panel, Judge Julius N. Richardson affirmed in part and reversed in part. He concluded that the plaintiffs whose numbers had ended up on the dark web—and only those plaintiffs—had standing to sue.

Richardson first clarified that TransUnion doesn’t require “an element-to-element comparison” between a modern claim and a common-law tort. He explained that what matters is not whether the elements are identical but whether the actions seek to redress the same kind of harm. As he explained, the concreteness analysis focuses on the kind of injury the plaintiff suffered—not the elements of the cause of action. The elements of the tort are relevant to the analysis only insofar as they “shed light” on what the analogous harm might be. So it doesn’t affect the standing analysis that one element of the public disclosure tort requires the defendant to have “disclosed” information (a verb hardly applying to the passive victim of a data breach). That element goes to liability, not harm, Richardson wrote.

With that in mind, Richardson concluded that the public disclosure tort protects against “the intangible harm suffered when information that the plaintiff would justifiably prefer to tightly control is released into the open.” He derived that definition in part from two elements of the tort: “that the information be highly offensive to a reasonable person if shared, and that it not be of legitimate public concern.” The harm, he explained, does not extend to the leak of “anodyne” information like hair color or ice-cream preferences, but it covers more than just “embarrassing or salacious” information. In short, a plaintiff suffers a concrete injury when information she has “good reason to keep ... close to the vest” is made public.

That includes driver’s license numbers. In the wrong hands, those numbers could be wielded to help forge identities, open bank accounts, apply for loans, or file fraudulent applications for unemployment benefits, according to the complaint. “So it is no surprise,” Richardson wrote, “that the plaintiffs wish to protect such information from being known by the public at large, and certainly by the unsavory individuals that often trawl the dark web.” Besides, Congress—whose judgment is “instructive” under TransUnion’s harm inquiry—has identified driver’s license information as sensitive by protecting it under the Driver’s Privacy Protection Act. While Congress’s assessment isn’t dispositive, Richardson noted, it supports treating the leak of driver’s licenses as a concrete harm.

Richardson rejected the Seventh Circuit’s conclusion that the leak of driver’s license numbers doesn’t create a concrete harm because the information isn’t “embarrassing” or “private.” The public disclosure tort traditionally protects some information that isn’t embarrassing, like income tax returns, Richardson wrote. And because TransUnion does not require exact duplicates of harms actionable at common law, courts can construe broadly the kinds of information whose dissemination would inflict a concrete harm.

So Cardenas and Holmes, whose driver’s license numbers had ended up on the dark web, had suffered a concrete injury and had standing to seek damages.

But Bias and Shaw didn’t allege that the hackers had disseminated their stolen information. Because their information might not have been accessible to more than just a handful of hackers, their harm wasn’t concrete, according to Richardson. Nor was it enough for the plaintiffs to claim that their information might be used in the future for identity theft or that another data breach might occur at Elephant Insurance, Richardson wrote. Those future injuries were too speculative to satisfy standing requirements.

In sum, the plaintiffs whose driver’s license numbers had been leaked onto the dark web had standing to sue for damages (though not other forms of relief). Other members of their class, if their class is certified, will also have standing. For now, this case—and future cases like it in the Fourth Circuit—will proceed. 

*** 

Although limits on standing for breaches involving “neutral” data may appear technical, they could carry significant consequences for consumers and companies alike. The Fourth Circuit’s broader conception of standing allows more American consumers to seek redress in court when companies are poor stewards of their information—creating an incentive for companies to strengthen their data-protection practices. Yet that same incentive could go too far, pushing companies to be excessively risk averse or to stockpile cash in anticipation of costly lawsuits instead of channeling resources into innovation.

With data breaches on the rise, the question of standing will only grow in importance. The budding circuit split on whether driver’s license leaks create a concrete harm adds still more uncertainty to a doctrine that was already far from determinate.