CHRISTOPHER HOLMES; TRINITY BIAS; JAIME CARDENAS; ROBERT SHAW, individually and on behalf of those similarly situated, Plaintiffs – Appellants, v. ELEPHANT INSURANCE COMPANY; ELEPHANT INSURANCE SERVICES, LLC; PLATINUM GENERAL AGENCY INC., d/b/a APPARENT INSURANCE, Defendants – Appellees.
No. 23-1782
UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT
October 14, 2025
Before AGEE, RICHARDSON, and BERNER, Circuit Judges
PUBLISHED. Argued: October 29, 2024.
Affirmed in part, reversed in part, and remanded by published opinion. Judge Richardson wrote the opinion, in which Judge Agee and Judge Berner joined.
ARGUED: Kate M. Baxter-Kauf, LOCKRIDGE, GRINDAL & NAUEN, P.L.L.P., Minneapolis, Minnesota, for Appellants. James Francis Monagle, MULLEN COUGHLIN LLC, Sacramento, California, for Appellees. ON BRIEF: Lee Floyd, BREIT BINIAZAN, PC, Richmond, Virginia; M. Anderson Berry, CLAYEO C. ARNOLD, A PROFESSIONAL LAW CORP., Sacramento, California; Gayle M. Blatt, CASEY GERRY SCHENK FRANCAVILLA BLATT & PENFIELD, LLP, San Diego, California; David K. Lietz, MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN, PLLC, Washington, D.C., for Appellants. Claudia D. McCarron, MULLEN COUGHLIN LLC, Devon, Pennsylvania, for Appellees.
RICHARDSON, Circuit Judge:
Privacy is an endangered species in the digital age. In the day-to-day, we give our personal data to banks and schools, airlines
On appeal before us, however, is solely the limited question of whether the plaintiffs here even can bring suit, or whether they lack standing to do so. We hold that a subset of the plaintiffs has standing to continue their suit on one of their alleged injuries-in-fact. We affirm the district court’s dismissal of the remainder.
I. BACKGROUND
Elephant Insurance Company, Elephant Insurance Services LLC, and Apparent Insurance (collectively, “Elephant”) sell various forms of insurance, including home and car insurance. To make purchasing insurance more convenient, Elephant—like many other insurance providers—designed its online quoting platform to auto-populate certain information like driver’s license numbers whenever a potential customer provided other information such as their name, address, and date of birth. The quoting platform’s auto-populate feature was made possible by Elephant’s database of personal information, which includes information not just from its own customers but also from third-party sources like DMV records. Unnamed hackers breached Elephant’s network between March 26 and April 1, 2022, compromising the driver’s license numbers of nearly 3 million people. Although Elephant has not confirmed how the information was compromised, the plaintiffs allege that the hackers took advantage of Elephant’s quoting platform by entering a person’s publicly available information and acquiring their driver’s license number via the auto-populate feature. Elephant announced the breach in a public statement a month later, sending individualized notices of the breach, along with an offer of a year of free credit monitoring, to all those affected.
Among those affected were Trinity Bias, Jaime Cardenas, Christopher Holmes, and Robert Shaw. In July, a few months after they were notified that their personal information was compromised in the breach, Bias and Cardenas sued Elephant on behalf of a putative class. A few days later, Holmes brought a substantially similar class action. The district court consolidated the two cases, and the parties—now with Shaw—filed a consolidated class action complaint putatively representing all people affected by the breach of Elephant’s network.1
In the consolidated complaint, the four plaintiffs asserted that the breach injured them in various ways. All four alleged that they spent time reviewing their credit and financial documents—time they would otherwise have spent on other productive activities. All four also alleged that the breach increased their risk of identity theft, with Cardenas and Holmes claiming
The plaintiffs’ class action suit never made it past the threshold. Instead, the district court concluded that the plaintiffs lacked standing to pursue any of their claims. See Holmes v. Elephant Ins., 2023 WL 4183380, at *1 (E.D. Va. June 26, 2023). The district court identified and rejected several possible injuries in the plaintiffs’ complaint. The district court thus granted Elephant’s Rule 12(b)(1) motion as to all plaintiffs and dismissed the entire case. Id. at *6.
The plaintiffs then timely appealed the district court’s dismissal.
II. DISCUSSION
The federal courts can only resolve “Cases” and “Controversies.”
Some plaintiffs may need to answer the standing question more than once. “[S]tanding is not dispensed in gross.” Town of Chester, N.Y. v. Laroe Estates, Inc., 581 U.S. 433, 439 (2017) (quotation omitted). Rather, “a plaintiff must demonstrate standing separately for each form of relief sought.” Friends of the Earth, Inc. v. Laidlaw Env. Servs. (TOC), Inc., 528 U.S. 167, 185 (2000). So a plaintiff could, for example, have standing to seek damages from the defendant but lack standing to seek an injunction. See City of Los Angeles v. Lyons, 461 U.S. 95, 105 (1983).
These standing requirements apply equally to class actions. The individual named plaintiffs must therefore satisfy those requirements.2 See Warth v. Seldin, 422 U.S. 490, 502 (1975). So, like any other plaintiffs, Bias, Cardenas, Holmes, and Shaw can each only proceed if they show an injury-in-fact caused by Elephant and redressable by the court for each form of relief sought. Id. This case turns primarily on whether their allegations establish the first requirement: injury-in-fact.3
A. Two Plaintiffs Suffered A Concrete Injury
Having one’s information compromised by a data breach is a harm that is both particularized, by affecting each individual personally, and actual, by occurring in reality. See Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016). The difficulty is determining whether it is “concrete”—whether it is “real, and not abstract.” TransUnion, 594 U.S. at 424 (quoting Spokeo, 578 U.S. at 340). Some harms are unquestionably concrete. “The most obvious are traditional tangible harms, such as physical harms and monetary harms.” Id. at 425 (emphasis added). When a plaintiff alleges that he has been punched or had his wallet stolen, little more needs to be said.
Intangible harms are not so straightforward. To be sufficiently concrete, an intangible harm must bear “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” Id. To determine whether an injury satisfies this standard, we must assess whether there is “a close historical or common-law analogue” to it, though the analogue need not be “an exact duplicate.” Id. at 424.4
Notice what the Supreme Court tells us the relationship must be between: “harms.” Id. at 425. Not elements. This concern with harm is apparent from the very first paragraph of TransUnion, which lists “physical,” “monetary,” and “reputational” harms without discussing the many distinct elements of the many distinct causes of action that protect against these types of harm. 594 U.S. at 417. For this reason, we have explained that under TransUnion, “our inquiry focuses on types of harms protected at common law, not the precise point at which those harms become actionable.” Garey v. James S. Farrin, P.C., 35 F.4th 917, 922 (4th Cir. 2022) (cleaned up) (quoting Krakauer v. Dish Network, LLC, 925 F.3d 643, 654 (4th Cir. 2019)).
This is not to say that the elements of a common-law cause of action are irrelevant. Defining the harm addressed by a cause of action can be difficult, especially when the harm is intangible. And when the harm addressed is not immediately obvious, the elements of the cause of action can shed
In explaining why the latter group lacked a concrete injury, the Court pointed to the elements of defamation, remarking that the element of “[p]ublication is ‘essential to liability’ in a suit for defamation.” Id. at 434 (quoting Restatement of Torts § 577 cmt. a (Am. L. Inst. 1938)). Without publication of the OFAC alert in their credit files, the group of 6,332 plaintiffs could not analogize to defamation.5 Critically, however, this was not because the Court required an element-to-element comparison with defamation. Instead, the Court found the lack of publication fatal to concrete injury because defamation’s harm “was the loss of credit or fame, and not the insult” itself, and that harm could only occur when the defamatory information was known by others. TransUnion, 594 U.S. at 434 (quotation omitted). Publication did not matter because it was an element of defamation; it mattered because it helped define the harm of defamation.
But not all elements of a cause of action go to the harm addressed. Many common-law torts, for example, reserve liability for defendants who have acted with a certain culpable mental state. Take the tort of false imprisonment. To be liable for false imprisonment, a defendant must act “intending to confine” the plaintiff, at least when the imprisonment does not otherwise threaten bodily harm. Restatement (Second) of Torts § 35 & illus. 2 (Am. L. Inst. 1965). Yet a day trapped in a storage closet is a day trapped in a storage closet whether it is brought about intentionally or not; the tangible harm of the confinement is independent of the defendant’s intentions. So a person imprisoned by accident will have standing to sue. The victim has suffered regardless of the defendant’s liability. More generally, elements that pertain to the details of the defendant’s action will often—though not always—be unrelated to the kind of harm felt by the victim.6 At all times, the concreteness analysis must be focused on the harm addressed
1. Having one’s driver’s license number listed on the dark web bears a close relationship to a harm recognized at common law
Now to apply TransUnion’s harm-analogue test to this case. The plaintiffs here seek to analogize the harm from Elephant’s data breach to the harm addressed by the tort of public disclosure of private information—a harm mentioned by name as a permissible common-law analogue.8 TransUnion, 594 U.S. at 425. Public disclosure of private information is one of four “invasion of privacy” torts historically recognized at common law.9 See William L. Prosser, Privacy, 48 Calif. L. Rev. 383, 389 (1960). It requires that the defendant (1) disclose (2) to the public (3) true but private information that would be highly offensive to a reasonable person and (4) is otherwise of no legitimate concern to the public. See Restatement (Second) of Torts § 652D & Special Note & cmt. a; Cape Publ’ns., Inc. v. Hitchner, 549 So.2d 1374, 1377 (Fla. 1989); Shulman v. Grp W. Prods., Inc., 955 P.2d 469, 478 (Cal. 1998).
What harm is the public disclosure of private information tort aimed at? It is chiefly concerned with the dissemination of information regarding “[s]exual relations,” “family quarrels,” and “humiliating illnesses” to a large number of individuals. Restatement (Second) of Torts § 652D cmt. b. But the public-disclosure tort shields more information than just the inherently shameful. It extends to cover situations where publicity has been given to “income tax returns,” suggesting that the private information need not be so sordid as to find a home on Page Six. Id. Nor is it limited to information that has been kept completely confidential. A woman who agrees to film her “caesarian operation . . . for exhibition to medical students for educational purposes” cedes much of her privacy for a particular purpose, and yet she can still sue if the film of her operation is then shown “in a commercial theater.” Id. § 652D illus. 11. So even information that is revealed in some contexts can remain private as to the public at large.
A closer look at the elements of the public disclosure of private information allows us to refine our understanding of its harm. While the tort covers a wide range
And the publicity element makes clear that even when sensitive personal information is at issue, actionable harm does not occur any time that information is shared without permission. The tort is only implicated when the sharing is so broad that it “reaches, or is sure to reach, the public.” Id. § 652D cmt. a. Publicity is given to information “broadcast over the radio,” or given “to a large audience,” or published “in a newspaper or a magazine, even of small circulation,” but not to statements made “to a small group of persons.” Id. So while a confidante may breach her friend’s trust by sharing her friend’s intimate secret with a handful of family members, the tort is unconcerned with such small-scale disclosures. Overall, the public disclosure of private information is aimed at the harm that occurs when sensitive personal information is released into the open.
Importantly, however, our question is not whether the harm inflicted by Elephant would be actionable under the public-disclosure tort. Rather, under TransUnion, the plaintiffs have standing so long as their harm is similar to the harm protected by a common-law cause of action. They need not an “exact duplicate” but an “analogue.” TransUnion, 594 U.S. at 424. While the relationship between harms cannot be so “loose[]” as to serve as an “open-ended invitation for federal courts” to create new bases for standing divorced from history and tradition, the set of harms analogous to those actionable at common law is necessarily broader than the set of harms actually actionable at common law. Id. at 424–25.
TransUnion gives a specific clue about how far the analogous harms can extend by telling us that the harm in Davis v. FEC, 554 U.S. 724 (2008), is sufficiently close. TransUnion, 594 U.S. at 425. Davis is a campaign finance First Amendment case that involved a challenge to a federal law that required political candidates to report the total amount of expenditures they made in their own campaigns over a certain threshold. Davis, 554 U.S. at 729–32. The harm of disclosing the amount of such campaign expenditures thus must bear a close relationship to the harm “traditionally recognized” by the public-disclosure tort. But the amount a candidate spends on his campaign—a bare dollar figure without detail—is not information that would be considered personally sensitive in a way that is actionable under the public-disclosure tort. It is merely information that, though dry and numerical, a candidate may justifiably wish to tightly control (because he wishes to avoid being seen as wealthy and out-of-touch by voters, for example). So though the public-disclosure tort may be limited to sensitive personal information, TransUnion’s invocation of Davis tells us that it furnishes standing by analogy for more.
Because the campaign expenditure amount in Davis was certain to be made publicly available by law, see
Viewing this all together through the lens of TransUnion, we hold that the public disclosure of private information tort makes concrete the intangible harm suffered when information that the plaintiff would justifiably prefer to tightly control is released into the open. Though the information need not be embarrassing or salacious, the plaintiff must have good reason to keep it close to the vest. And though the information need not be broadcast to the whole world, it must be accessible to many.
With this understanding in mind, we can determine whether the plaintiffs have alleged facts that show they have suffered a concrete injury from the Elephant data breach. Our answer is that they have—but only for two of the named plaintiffs.
The complaint contains sufficient allegations to show why all four plaintiffs justifiably desire to keep their driver’s license numbers confidential. The plaintiffs tell us that driver’s license numbers are “critical to easily forging an identity” using a full profile of information that includes other “[u]nique and persistent identifiers.” J.A. 53. The numbers can be used “alone or in combination with other information” to “[o]pen bank accounts” and “[a]pply for financial loans.” J.A. 55. And they are often “the critical missing link for a fraudulent unemployment benefits application.” J.A. 61. So it is no surprise that the plaintiffs wish to protect such information from being known by the public at large, and certainly by the unsavory individuals that often trawl the dark web.
But Bias and Shaw do not provide any reason to think that their driver’s license numbers are now generally accessible. We are told that the hackers possess their driver’s license numbers, but they do not allege that the unnamed hackers are so numerous as to constitute the public on their own. Nor do they allege that the hackers have shared their driver’s license numbers with anyone else. As far as we are told, their stolen information is currently accessible to only a few. So the harm felt by Bias and Shaw does not bear a close relationship to the harm addressed by the public-disclosure tort. If the hackers’ private knowledge of their driver’s license number inflicts a harm, it is a harm different in kind, not degree, from that addressed by the common-law tort. The two of them have not alleged a concrete injury.
The two other named plaintiffs—Cardenas and Holmes—are different. They allege that they found their driver’s license numbers listed on the dark web
Holmes have alleged facts showing that information they justifiably prefer to tightly control has been released into the open. Under TransUnion, that is sufficient to show a concrete injury in the eyes of Article III.11
2. Elephant’s counterarguments are unavailing
Elephant attacks the TransUnion analogy between the plaintiffs’ alleged harm and the public disclosure of private information tort in two ways. Neither succeeds.
First, Elephant argues that the plaintiffs’ theory of concrete injury should fail because they cannot satisfy one element required for liability under the public-disclosure tort: that Elephant made a disclosure.12 That is, in Elephant’s view, an analogy only exists if Elephant had exposed their driver’s license numbers through some affirmative action. See Disclose, Black’s Law Dictionary (6th ed. 1990) (“To bring into view by uncovering; to expose; to make known.”). And Elephant asserts that it took no such action—that it and the plaintiffs alike were passive victims of a hack.
But this misunderstands TransUnion for reasons already given. Recall that TransUnion only seeks a “close relationship” between harms, not elements. 594 U.S. at 425. So the only elements that matter are the ones that define the harm of the analogous
cause of action. A defendant’s disclosure, though also an element of the public disclosure of private information tort, is not a harm-defining element—it goes to the defendant’s liability, not to what is felt by the plaintiff. Someone whose driver’s license number is made accessible to many is harmed by that loss of control over their private information, even if the situation was brought about through no fault or action of the defendant.13
Though the defendant
Second, Elephant points out that a divided panel of the Seventh Circuit has held, in a case nearly identical to this one, that a driver’s license number is not sufficiently close to the kind of sensitive information protected by the public disclosure of private information tort. In that case, Baysal v. Midvale Indemnity Co., plaintiffs brought a putative class action suit against an insurer after the plaintiffs’ driver’s license numbers were compromised in a data breach using the insurer’s auto-populated quoting platform. 78 F.4th 976, 977 (7th Cir. 2023). The Seventh Circuit affirmed the dismissal of the case for lack of standing under TransUnion, reasoning that only “potentially embarrassing or intimate details” are
shielded by the public disclosure of private information, and “[a] license number is not viewed as embarrassing . . . or private . . . but as neutral.” Id. at 979.
As our discussion should make clear, we see things differently. Undoubtedly, a driver’s license number is unlike the details of an affair or a medical condition. People do not consider their driver’s licenses embarrassing and hand them to bartenders and waiters and police officers without hesitation. But we know that the public-disclosure tort protects some types of information that we would not strictly consider embarrassing. See Restatement (Second) of Torts § 652D cmt. b (listing “income tax returns”). And we also know that TransUnion requires harms that are analogues, not duplicates, which further broadens the set of information whose dissemination may inflict a concrete injury. So we cannot accept that a concrete injury exists only if the information publicized is embarrassing.
Indeed, the Seventh Circuit appeared to recognize as much when it implied in the very same opinion that publicizing social security numbers would be concrete injury. Baysal, 78 F.4th at 977, 979. But social security numbers are also “not viewed as embarrassing . . . or private . . . but as neutral,” and “most adults have these numbers, which are neither good nor bad.” Id. at 979. While driver’s license numbers may be less private than social security numbers,15 such a difference would be a difference in degree,
not a difference in kind—and TransUnion only requires an analogy by kind. See TransUnion, 594 U.S. at 424; see also Garey, 35 F.4th at 922 (explaining that the TransUnion inquiry compares “types of harms”).16 If publicizing social
Notably, Congress appears to agree with us. TransUnion reminds us that “[i]n determining whether a harm is sufficiently concrete to qualify as injury in fact . . . Congress’s views may be ‘instructive.’” 594 U.S. at 425 (quoting Spokeo, 578 U.S. at 341). And here, Congress has enacted the
protect by statute. Spokeo, 578 U.S. at 341. Though driver‘s license numbers may not be the most sensitive personal information people possess, they are, in Congress‘s view, among the “personal information” worth protecting.
In sum, Cardenas and Holmes have had their driver‘s license numbers listed on the dark web against their justifiable wishes. Under TransUnion, they have suffered a concrete injury. And because that injury has already come to pass, it gives them standing to seek damages. See Lyons, 461 U.S. at 105. On this specific basis for injury-in-fact, only for retrospective relief like damages, and only for Cardenas and Holmes, we reverse the district court‘s decision.
B. Plaintiffs’ Other Alleged Injuries Do Not Support Standing
The plaintiffs’ other standing theories do not fare so well. The risk that their driver‘s license numbers may be misused in the future fails to furnish standing because they have not alleged facts showing that any particular misuse is imminent. The risk that another data breach may befall Elephant in the future fails for the same reason. And the lack of imminent injury prevents the plaintiffs from bootstrapping their way into standing for damages solely by expending time or alleging emotional distress.
1. Plaintiffs have not shown any further future misuse is imminent
The plaintiffs’ second asserted injury-in-fact is the risk that someone may misuse their driver‘s license numbers in the future. In the plaintiffs’ words, they are at an “increased risk of identity theft.” J.A. 71. But the plaintiffs use the phrase “identity theft” more broadly than is conventional. They suggest that the posting of information on the dark web is itself “identity theft.” See, e.g., J.A. 76 (Plaintiff Holmes‘s “information was on the dark web, proof that his identity has been stolen.“). So we consider the plaintiffs to have actually alleged two distinct risks. Bias
The two alleged future harms are both concrete and particularized.18 So they may furnish standing to seek prospective declaratory and injunctive relief if the future harm is “imminent.” Lujan, 504 U.S. at 564. A future harm is not imminent just because there is an “objectively reasonable likelihood” that it will someday come to pass. Clapper v. Amnesty Int‘l USA, 568 U.S. 398, 410 (2013). Instead, “the plaintiffs must show a substantial risk that” it will happen “in the near future.” Murthy v. Missouri, 603 U.S. 43, 58 (2024).19 While imminence “is concededly a somewhat elastic concept,” Lujan, 504 U.S. at 564 n.2, we conclude that neither alleged future harm establishes a substantial risk of future misuse of their driver‘s license numbers.
First, Bias and Shaw. Their assertion of imminence runs headlong into TransUnion. The 6,332 plaintiffs in TransUnion who did not have their inaccurate credit reports disseminated, in addition to alleging that they suffered an actual injury, also alleged that they faced an imminent injury because “TransUnion could have divulged their misleading credit information to a third party at any moment.” TransUnion, 594 U.S. at 438. But the Court dismissed this “risk of dissemination to third parties” as “too speculative” to establish an imminent injury because the plaintiffs had given no reason to think it would occur. Id. The fact
Bias and Shaw are in a position that is materially indistinguishable from the 6,332 plaintiffs in TransUnion. The hackers who breached Elephant could presumably post their driver‘s license numbers to the dark web “at any moment.” But they have given us no reason to think that this will occur. Their strongest piece of evidence is that the hackers have already posted Cardenas and Holmes‘s information to the dark web, suggesting that more information from the breach may follow. But that fact did not suffice for imminence in TransUnion itself. We see no reason it would be different here.
Cardenas and Holmes are in a different position. Because they have already had their driver‘s license numbers listed on the dark web, the future misuse they worry about will come from a malicious actor‘s fraudulent impersonation attempt. Bias and Shaw, of course, cannot show that fraudulent impersonation is imminent because they falter at an earlier step. Though Cardenas and Holmes have a head start, they arrive at the same place.
Specifically, Cardenas and Holmes‘s position is foreclosed by the principle we stated in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017). In Beck, an employee‘s laptop and four boxes of medical reports were stolen from a veterans’ hospital. Id. at 267–68. Patients of the hospital sued the hospital for the data breach, alleging violations of the
Cardenas and Holmes do not clear that bar. They do not allege that their driver‘s license numbers have been misused by the hackers to date. So any future harm, given that the hackers have posted their information on the dark web, would presumably come from the intervening actions of independent malicious actors who might buy or otherwise obtain their compromised numbers. Clapper, 568 U.S. at 413. But they have not alleged facts that show that those intervening “independent decisionmakers” “will likely react in predictable ways” that will ultimately result in fraudulent impersonation. Murthy, 603 U.S. at 58 (quoting Dep‘t of Com. v. New York, 588 U.S. 752, 768 (2019)).
There is another link in the speculative chain. As the plaintiffs themselves explain, one single piece of personal information is not enough for fraudulent impersonation; impersonators must usually “aggregate information taken from data breaches on users to build profiles on individuals” before attempting to impersonate someone. J.A. 53. The district court recognized as much. See Elephant Ins., 2023 WL 4183380, at *4 (“The driver‘s license number‘s real value lies in being pieced together with other [personal information] to create a full profile.“). So even if Cardenas or Holmes‘s specific driver‘s license number was acquired, that enables fraudulent impersonation only if the impersonators also have enough information from other sources to build a profile.
And there is yet another link. Driver‘s license numbers do not stay valid for all eternity. “[L]icense numbers change over time as people move to different states or licenses are renewed.” Baysal, 78 F.4th at 979.22 Though perhaps harder to cancel than a credit card, driver‘s license numbers can still “be rendered useless to cybercriminals” more easily than many other forms of information. McMorris, 995 F.3d at 302. Driver‘s license numbers are thus part of, or close to, the category of “less sensitive data” that “does not pose the same risk of future identity theft or fraud to plaintiffs if exposed.” Id. For many plaintiffs, then, “as the breach[] fade[s] further into the past,” the risk they will be impersonated “become[s] more and more speculative.” Beck, 848 F.3d at 275 (quotation omitted).
All this means that fraudulent impersonation will befall Cardenas and Holmes only if other intervening malicious actors acquire their driver‘s license numbers from the dark web and also acquire other pieces of their personal information and do so before their driver‘s license numbers change. And under our precedent, the plaintiffs cannot just assert that all this might happen; they must allege facts allowing us to conclude that for some particular plaintiff, the combined probability of that speculative chain materializing surpasses
We recognize that our sister circuits have found imminent injury to plaintiffs in similar circumstances to Cardenas and Holmes. See, e.g., Bohnak, 79 F.4th at 289 (finding imminent injury when names and SSNs were compromised in a hack); Webb, 72 F.4th at 375–76 (finding imminent injury from future use of detailed pharmacy records compromised in a hack); Attias v. Carefirst, Inc., 865 F.3d 620, 628–29 (D.C. Cir. 2017) (finding imminent injury from future use of names and health insurance numbers compromised in a hack); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693–94 (7th Cir. 2015) (finding imminent injury from future use of credit card numbers compromised in a hack). And several cases identify the targeted nature of an attack and the subsequent listing of the information on the dark web—both present here—as factors weighing in favor of standing. See, e.g., McMorris, 995 F.3d at 301; Clemens, 48 F.4th at 157; Green-Cooper v. Brinker Int‘l, Inc., 73 F.4th 883, 889–90 (11th Cir. 2023).
But our sister circuits have not explained how a data breach presents a substantial risk that any one piece of personal information will be misused in the future, even when the plundered information is listed on the dark web. None run through the chain of independent events and third-party choices that would have to coalesce for future fraudulent impersonation to befall any particular plaintiff. Rather, many cases appear to implicitly require only a reasonable probability of future harm—a looser notion of imminence urged by the dissent in Clapper but rejected by the majority. See Clapper, 568 U.S. at 432–33, 441 (Breyer, J., dissenting). Following “the common-sense notion that a threatened event can be reasonably likely to occur but still be insufficiently imminent to constitute an injury-in-fact,” Beck, 848 F.3d at 276 (cleaned up), this Court has drawn a tighter boundary when it comes to future harms. The plaintiffs may have alleged enough to show that the risk of future misuse is an imminent injury before other courts. But they have not done so before this one.
2. Plaintiffs have not shown another breach will occur at Elephant
Next, the plaintiffs assert another future harm: a second data breach at Elephant that might compromise more of their information in the same way. To redress this alleged injury, they ask us to declare that Elephant‘s security is unlawfully shoddy and enjoin Elephant to fix it by, among other things, hiring security auditors, deleting unused customer data, and conducting routine internal security training sessions. We have already determined that such a data breach would be a concrete injury if the compromised information was then made accessible to many, as by sharing the information on the dark web. And it would be particularized to any person whose information was compromised. So the question, again, is whether the risk of this future injury is imminent enough to itself be an injury-in-fact.
The answer, again, is no. On this front, the plaintiffs run headlong into the Supreme Court‘s decision in City of Los Angeles v. Lyons. In Lyons, police placed Adolph Lyons into a chokehold at a traffic stop. 461 U.S. at 97. Along with retrospective damages for the incident, Lyons sought a prospective injunction ordering the Los Angeles Police Department to revise its use-of-force policies
Lyons maps neatly onto this case. The plaintiffs here make only general allegations that “it is axiomatic” that a database hacked once “due to inadequate security measures” is thereby at risk of imminent additional breaches “unless those security measures are improved.” Op. Br. at 48. But they give us no reason to think this is true—or that hackers would target Elephant again, specifically, as opposed to other companies that have recently suffered data breaches. Nor do they give any reason to think another data breach at Elephant would compromise their information, specifically, as opposed to information belonging to others. All the plaintiffs can show is that they are on the same footing as anyone else whose information was compromised in a data breach in the past few years. That “falls far short of the allegations that would be necessary to establish a case or controversy.” Lyons, 461 U.S. at 105. If the possibility of being subject to another chokehold was insufficiently imminent in Lyons, the possibility of being subject to another data breach is insufficiently imminent here.
3. Without a separate imminent injury, Bias and Shaw cannot recover damages for time spent or emotional distress felt
Finally, the plaintiffs assert that they have suffered an injury-in-fact sufficient for damages by spending time monitoring their financials and by feeling emotional distress in response to the data breach at Elephant.23 Because Cardenas and Holmes have already shown an injury-in-fact sufficient for damages, this assertion is inapplicable to them; there is no such thing as double standing for one form of relief.24 But this assertion matters greatly for Bias and Shaw, who have no other basis to recover damages.
Neither the Supreme Court nor the courts of appeals have settled whether either time spent or emotional distress felt
To start, we know that plaintiffs “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not [imminent].” Clapper, 568 U.S. at 402. When the future harm is imminent, a plaintiff may have standing to sue based on monetary costs that “remain[] fairly traceable to” the threat. Fed. Election Comm‘n v. Cruz, 596 U.S. 289, 297 (2022). But when the future harm is merely speculative, a plaintiff cannot backdoor standing “simply by making an expenditure based on a nonparanoid fear.” Clapper, 568 U.S. at 416. “If the law were otherwise, an enterprising plaintiff” could conjure standing from nothing, “improperly water[ing] down the fundamental requirements of Article III.” Id.25
We see no reason to treat mitigation time differently than mitigation costs. The worry with finding standing based on mitigation costs alone is that anyone can pay to mitigate anything, however unlikely. The same worry exists for time. The only difference is that rather than spend a dollar, plaintiffs could spend a minute. Just as plaintiffs cannot circumvent their burden to show substantial risk by tacking on a claim for mitigation costs, we think plaintiffs cannot circumvent their burden by tacking on a claim for mitigation time. Allowing the latter would defeat the purpose of Clapper‘s rule against the former and place the existence of an Article III case or controversy entirely in the hands of every plaintiff. We decline this invitation to gut the law of standing.
So too with emotional distress. Under Clapper, a plaintiff cannot “manufacture standing” by resort to a theory that would permit standing in every case. 568 U.S. at 402. And although emotional distress is distinct from mitigation expenditures, it poses much the same problem. Though a plaintiff does not choose to suffer emotional distress the way he might choose to spend time or money, a plaintiff can freely allege emotional distress in every case with little fear of disproof. For this reason, tort law has long aimed a skeptical eye at freestanding emotional distress claims. “Because of the fear
Accordingly, we hold that if time spent and emotional distress felt are concrete injuries, they may serve as the sole basis for standing to recover damages only when incurred in response to a separate imminent harm. They do not suffice for standing on their own. For reasons explained above, Bias and Shaw have failed to allege any imminent harm. So they lack standing to recover damages for any time spent or emotional distress felt too.
* * *
Bias, Cardenas, Holmes, and Shaw sued Elephant after their driver‘s license numbers were compromised in a breach of Elephant‘s network. Cardenas and Holmes had their driver‘s license numbers then posted on the dark web. The publicity given to their driver‘s license numbers inflicted a concrete harm sufficient to establish an actual injury-in-fact. Accordingly, the two of them—along with anyone in their class, if their class is certified—can seek damages for that injury. But they cannot recover any other form of relief. And Bias and Shaw cannot recover at all. The requirements of Article III standing prohibit plaintiffs from receiving redress for speculative future injuries or for injuries incurred only in response to those speculative injuries. Accordingly, the judgment is
AFFIRMED IN PART, REVERSED IN PART, AND REMANDED.
