Holmes v. Elephant Insurance Company FILE IN THIS CASE ONLY

Case Information

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA Richmond Division

CHRISTOPHER HOLMES et al., on behalf Of themselves and all similarly situated persons, Plaintiffs, v.

Civil Action No. 3:22cv487

ELEPHANT INSURANCE COMPANY, et al., Defendants.

OPINION

This matter comes before the Court on a motion to dismiss filed by the defendants, Elephant Insurance Company, Elephant Insurance Services, LLC, and Platinum General Agency (collectively, "Elephant"). The plaintiffs ^[1] allege that Elephant did not adequately protect their personal information ("PI") and that, in a data breach, malicious actors viewed and copied their PI. The plaintiffs bring a consolidated class action suit, asserting various claims arising from this data breach. Because the compromise of data, without more, does not constitute an injury-in-fact, the Court will grant Elephant's motion and dismiss the complaint because the plaintiffs lack standing.

I. FACTS ALLEGED IN THE CONSOLIDATED COMPLAINT

On May 6, 2022, Elephant announced to the public that they had detected unusual activity on their network (the "Data Breach"), and that "sensitive information" had been viewed or copied. (ECF No. $18\pi$ 7.) This information included "name, driver's license number, and date of birth."

(Id. (quoting an Elephant News Release).) Elephant notified the plaintiffs that their information had been viewed by unauthorized actors. Elephant told the plaintiffs that Elephant had their personal information ("PI") because the plaintiffs "are . . . current or previous Elephant Insurance customer[s] or [Elephant] received [their] information as part of providing a quote for auto or other insurance coverage." (Id. II 26 (quoting Elephant's "Notice of Data Incident" letter).)

Elephant's online quote tool auto-populated personal information after a user completed certain fields. Unauthorized actors took advantage of the auto-populate feature to prompt Elephant to disclose the plaintiffs' PI. The four named plaintiffs include: (1) a previous Elephant customer (Robert Shaw); (2) a consumer who requested a quote for auto insurance (Jaime Cardenas); (3) an individual who does not remember if she requested a quote for auto insurance (Trinity Bias); and (4) an individual who asserts he never requested a quote for auto insurance (Christopher Holmes).

The plaintiffs assert eight claims against Elephant: violations of the Drivers' Privacy Protection Act (Count One); negligence (Count Two); negligence per se (Count Three); unjust enrichment (Count Four); violation of the Texas Consumer Protection Act (Count Five); violation of the Illinois Consumer Fraud Act (Count Six); violation of the Illinois Deceptive Trade Practices Act (Count Seven); and declaratory and injunctive relief (Count Eight). Elephant has moved to dismiss the complaint for lack of standing pursuant to Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief may be granted pursuant to Federal Rule of Civil Procedure 12(b)(6).

II. RELEVANT LAW

A motion under Rule 12(b)(1) tests the Court's subject matter jurisdiction. As the party asserting jurisdiction, the plaintiff bears the burden of proving proper subject matter jurisdiction. Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982). "[W]hen a defendant asserts that the

complaint fails to allege sufficient facts to support subject matter jurisdiction, the trial court must apply a standard patterned on Rule 12(b)(6) and assume the truthfulness of the facts alleged." Kerns v. United States, 585 F.3d 187, 193 (4th Cir. 2009). ^[2] "In a class action, [courts] analyze standing based on the allegations of personal injury made by the named plaintiffs." Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017). As the party invoking federal jurisdiction, the plaintiffs bear the burden of establishing each element of standing. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice," and courts "accept as true [the plaintiffs'] allegations for which there is sufficient 'factual matter' to render them 'plausible on [their] face.'" Beck, 848 F.3d at 270 (first quoting Lujan, 504 U.S. at 561, then quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (second alteration in the original)). Courts "do not, however, apply the same presumption of truth to 'conclusory statements' and 'legal conclusions.'" Id. (quoting Bell Atl. Corp., 550 U.S. at 555-56). "[T]he irreducible constitutional minimum of standing contains three elements." Lujan, 504 U.S. at 560 . First, the plaintiff must have suffered "an injury in fact-an invasion of a legally protected interest which is (a) concrete and particularized . . . and (b) actual or imminent, not

conjectural or hypothetical." Id. (internal quotations omitted). "Second, there must be a causal connection between the injury and the conduct complained of." Id. "Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Id. at 561 (internal quotations omitted).

Statutory causes of action require an injury-in-fact. Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016) ("Article III standing requires a concrete injury even in the context of a statutory violation."). "[P]laintiffs proceeding under a statutory cause of action can establish a cognizable injury by 'identif[ying] a close historical or common-law analogue for their asserted injury' for which courts have 'traditionally' provided a remedy." Garey v. Farrin, 35 F.4th 917, 921 (4th Cir. 2022) (quoting TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2204 (2021) (alteration in original)). "[U]nder Article III, an injury in law is not an injury in fact." TransUnion LLC, 141 S. Ct. at 2205.

First, an injury-in-fact, "the first and foremost of standing's three elements," may include threatened injuries, but "not all threatened injuries constitute an injury-in-fact." Spokeo, Inc., 578 U.S. at 338 (internal quotation omitted); Beck, 848 F.3d at 271. "Allegations of possible future injury do not satisfy the requirements of Art[icle] III. A threatened injury must be 'certainly impending' to constitute injury in fact." Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (quoting Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979)).

The "mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft." Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018). The Fourth Circuit has consistently "held that being subjected to a data breach isn't in and of itself sufficient to establish Article III standing without a nonspeculative, increased risk of identity theft." O'Leary v. TrustedID, Inc., 60 F.4th 240, 244 (4th Cir. 2023). "[T]he mere theft of . . . items" containing personal information "cannot confer

standing" because the threatened injury is too speculative. Beck, 848 F.3d at 275. A "highly attenuated chain of possibilities" in which the Court must make a series of assumptions to find a threatened injury "cannot confer standing." Clapper v. Amnesty Int'l USA, 568 U.S. 398, 410 (2013); Beck, 848 F.3d at 275. "Moreover, as the breaches fade further into the past, the [p]laintiffs' threatened injuries become more and more speculative." Id. (internal quotation omitted). The cost of mitigative measures, or "self-imposed harms, cannot confer standing." Id. at 276-77; see also Clapper, 568 U.S. at 402 (rejecting the respondents' contention of "present injury because the risk of § 1881a-authorized surveillance already has forced them to take costly and burdensome measures to protect the confidentiality of their international communications" and finding that "respondents cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending"). Without an imminent threat, "the cost of measures to guard against identity theft, including the cost of credit monitoring services . . . do[es] not constitute an injury-in-fact." Beck, 848 F.3d at 276.

Second, standing requires a causal connection between the alleged injury and the defendant's action. "[T]he 'case or controversy' limitation of Art[icle] III still requires that a federal court act only to redress injury that fairly can be traced to the challenged action of the defendant, and not injury that results from the independent action of some third party not before the court." Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976).

Finally, "there must be redressability-a likelihood that the requested relief will redress the alleged injury." Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 103 (1998). "[T]he point has always been the same: whether a plaintiff 'personally would benefit in a tangible way from the court's intervention.'" Id. at n. 5 (quoting Warth v. Seldin, 422 U.S. 490, 508 (1975)).

When a plaintiff seeks injunctive relief, she must still establish each element of standing but the injury-in-fact requirement for standing differs slightly. "[A] plaintiff can satisfy the injury-in-fact requirement for prospective relief either by demonstrating a sufficiently imminent injury in fact or by demonstrating an ongoing injury." Garey, 35 F.4th at 922 (quoting Deal v. Mercer Cnty. Bd. of Educ., 911 F.3d 183, 189 (4th Cir. 2018)) (internal quotation omitted) (alteration in the original). "[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial." TransUnion LLC, 141 S. Ct. at 2210. The Fourth Circuit has "decline[d] to infer a substantial risk of harm of future identity theft from an organization's offer to provide free credit monitoring services to affected individuals." Beck, 848 F.3d at 276.

III. DISCUSSION

Bias, Cardenas, and Shaw do not allege a concrete and particularized injury-in-fact to establish Article III standing. Holmes does allege a cognizable injury but cannot fairly trace that injury to Elephant. The named plaintiffs therefore lack standing to assert claims for monetary damages (Counts One through Seven). Because none of the plaintiffs have alleged a substantial risk of imminent harm, they also lack standing to assert a claim for declaratory and injunctive relief (Count Eight). Because the Court therefore lacks jurisdiction over this action, the Court will not reach the merits of the plaintiffs' claims.

A. Standing - Monetary Damages (Counts One Through Seven)

1. Injury-in-Fact

The plaintiffs allege the following injuries: (1) "be[ing] at heightened risk for financial fraud, future identity theft, other forms of fraud, and the attendant damages for years to come[;]" (2) identity theft (as demonstrated by one's "driver's license number [being] for sale on the dark

web"); (3) "loss of privacy[;]" (4) "significant fear, anxiety, and stress[;]" (5) diminution in the value of their PI; and (6) "time reviewing [their] bank statements, tax information, car titles, and credit card statements." (ECF No. 18 ¶ 83, 88, 92-93, 97, 101-03, 190.)

a. Heightened Risk of Future Identity Theft

The heightened risk of future identity theft, without more, does not constitute an injury-infact because a "threatened injury must be certainly impending to constitute an injury-in-fact." Clapper, 568 U.S. at 410 (internal quotation omitted). Although the plaintiffs closely monitor their credit reports and financial accounts, none have alleged misuse of their PI. None have pleaded facts to support their allegations of certainly impending identity theft. In fact, "as the breaches fade further into the past, the [p]laintiffs' threatened injuries become more and more speculative." Beck, 848 F.3d at 275. The Clapper Court rejected the "highly attenuated chain of possibilities" required to show a threatened injury conferring standing. Clapper, 568 U.S. at 410. In this case, to find a threatened injury, the Court must assume that the thief targeted Elephant for the PI it contained, then selected the named plaintiffs' PI from millions of other records, has begun combining the purloined PI with PI obtained from other sources to create a full profile (or "fullz"3), and will imminently and successfully attempt to use that information to steal the plaintiffs' identities. In Beck, the Fourth Circuit rejected an even shorter chain of possibilities to deny the plaintiffs standing on a claim of heightened risk of identity theft. Beck, 848 F.3d at 276. Because the Fourth Circuit has rejected even shorter chains of possibilities, that the plaintiffs have here not adequately pleaded a heightened risk of identity sufficient to confer standing.

b. Identity Theft

Only two of the named plaintiffs have alleged identity theft. Cardenas and Holmes report receiving notifications from a credit monitoring service that their driver's license numbers appeared on the dark web. As the plaintiffs themselves allege, "a driver's license [number] combined with the full name and state issued, is a sought-after data point." (ECF No. 18 ¶ 32 (emphasis added).) ^[4] The driver's license number's real value lies in being pieced together with other PI to create a full profile. "[H]ackers often aggregate information taken from data breaches on users to build profiles on individuals" because " $[t]$ here are few data breaches that provide a comprehensive snapshot of any one individual person." (Id. $\mathbb{1}$ 30.) To derive value from a driver's license number (and thus harm the plaintiffs), identity thieves would have to already possess other key pieces of these plaintiffs' PI or search the dark web for this PI, find enough pieces to create full profiles, then either use the full profiles themselves or sell them on the dark web to downstream actors who would use them for nefarious purposes. Because the plaintiffs have not alleged any misuse of their PI or resulting harm from the their driver's license numbers appearing on the dark web, this alleged injury simply echoes the claim of heightened risk of identity theft. The plaintiffs have not adequately pleaded an injury-in-fact.

c. Loss of Privacy

The loss of privacy can constitute an injury-in-fact. See Garey, 35 F.4th at 921. Only Holmes alleges facts amounting to a cognizable loss of privacy. He alleges that he "began experiencing an uptick in spam text and telephone calls that he attributes to this Data Breach." (ECF No. 18 ¶ 97.) In Garey, the Fourth Circuit determined that receiving unsolicited mail from

a law firm closely paralleled the tort of loss of privacy and recognized it as an injury-in-fact. Garey, 35 F.4th at 922. Spam texts and calls invade an individual's privacy as much or perhaps even more than unsolicited mail. Holmes has sufficiently pleaded an injury-in-fact.

d. Emotional Distress

Emotional distress does not constitute a cognizable injury-in-fact. Beck, 848 F.3d at 272 ("We also reject the [p]laintiffs' claim that emotional upset and fear of identity theft and identity fraud resulting from the data breaches are . . sufficient to confer Article III standing." (internal quotations omitted)). In Beck, the Fourth Circuit affirmed the district court's dismissal for lack of standing and found that "'conclusory allegations' that [the plaintiff] was 'torn . . . all to pieces' by the unauthorized disclosure of his social security number" cannot "support . . . the proposition that bare assertions of emotional injury are sufficient to confer Article III standing." Id. at 273 (quoting Doe v. Chao, 540 U.S. 614, 617 (2004)). Holmes avers that he suffers "significant fear, anxiety, and stress" resulting from the Data Breach. (ECF No. 18 ¶ 101.) Shaw too suffers "significant fear, anxiety, and stress." (Id. ¶ 114.) Neither plaintiff expands upon these conclusory allegations of emotional distress. Because the plaintiffs plead only "bare assertion of emotional injury," they have not pleaded an injury-in-fact. Beck, 848 F.3d at 273.

e. Loss of Value in PI

The plaintiffs claim the Data Breach caused their PI to diminish in value. (Id. ¶ 190.) They allege no facts to explain how their PI lost value and instead only repeat conclusory statements: the plaintiffs "have suffered and will continue to suffer . . . loss of value of their PI." (Id. ¶ 218.) On a 12(b)(1) motion, courts have declined to find diminution of value in PI as an injury-in-fact when plaintiffs make only barebones assertions. See In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 403 (E.D. Va. 2020) ("Nor is there any allegation that Plaintiff[s] have

attempted to purchase goods or services, which requires the exchange of their PII, and Plaintiffs were denied receipt of that good or service or were only offered less-than-desirable terms because of their PII's prior exposure through the Data Breach.") Conversely, when plaintiffs allege that they had to take extra steps to receive approval for a low-interest credit card after a data breach, courts have found that they have plausibly alleged the lost value of their PI as an injury. See McCreary v. Filters Fast LLC, No. 3:20-cv-595-FDW-DCK, 2021 WL 3044228, at *6 n. 3 (W.D. N.C. July 19, 2021). Because the plaintiffs plead no facts to support their conclusory allegation that their PI lost value, the Court cannot find that they have alleged an injury-in-fact.

f. Mitigative Measures

Finally, the plaintiffs' time spent paying close attention to their financial documents following the Data Breach does not constitute an injury-in-fact. Even if the plaintiffs had alleged that they spent money on protective services, the Fourth Circuit has held that expenses incurred on preventative or mitigative measures do not constitute an injury. Beck, 848 F.3d at 276-77 ("selfimposed harms cannot confer standing"). As the Court discussed above, the threat of identity theft is neither imminent nor substantial. Without an imminent threat, "the cost of measures to guard against identity theft . . . do[es] not constitute an injury in fact." Beck, 848 F.3d at 276. Because the Fourth Circuit has not accepted mitigative measures as an injury-in-fact, the Court must find that the plaintiffs have failed to establish an injury.

The Court will grant Elephant's motion and dismiss Counts One through Seven as to Bias, Cardenas, and Shaw because these plaintiffs have not adequately pleaded an injury-in-fact and therefore lack standing. Only Holmes alleges a cognizable injury-in-fact. But, for the below reasons, Holmes lacks standing because he cannot fairly trace the injury to Elephant.

2. Traceability

Holmes alleges that he "began experiencing an uptick in spam text and telephone calls that he attributes to this Data Breach." (ECF No. 18 ¶ 97.) He asserts he never requested an insurance quote from Elephant and alleges that an unauthorized actor used the online quote tool to retrieve his PI. The plaintiffs do not allege that the PI in this Data Breach included cell phone numbers. To the extent Holmes claims a loss of privacy due to the "uptick in spam text and telephone calls," he has not pleaded any facts that causally connect this uptick in spam to Elephant. (Id. ¶ 97.) Holmes has failed to adequately allege traceability and therefore lacks standing to assert Counts One through Seven.

B. Standing - Declaratory and Injunctive Relief (Count Eight)

"[A] plaintiff must 'demonstrate standing separately for each form of relief sought.'" TransUnion LLC, 141 S. Ct. at 2110 (quoting Friends of the Earth, Inc. v. Laidlaw Env'tal Svcs. (TOC), Inc., 528 U.S. 167, 185 (2000)). The injury-in-fact requirement to seek monetary damages differs from the injury-in-fact requirement to seek injunctive relief. "[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial." Id.

The plaintiffs ask the Court to declare that Elephant's "existing security measures do not comply with their duties of care to provide adequate security." (ECF No. 18 ¶ 254.) They further ask the Court to order Elephant to "implement and maintain reasonable security measures." (Id.) The plaintiffs allege, without factual support, that "[t]he risk of another such disclosure is real, immediate, and substantial." (Id. ¶ 255.) Because the plaintiffs have made only conclusory statements and have not articulated a sufficiently imminent and substantial risk of another Elephant

data breach, the Court finds the plaintiffs lack standing to seek declaratory and injunctive relief. The Court will grant Elephant's motion and dismiss Count Eight.

In sum, the plaintiffs lack standing as to all Counts, and the Court must dismiss the complaint. ^[5]

IV. CONCLUSION

The plaintiffs have not adequately pleaded facts to establish an injury-in-fact or traceability. Because the plaintiffs lack standing to bring claims for monetary damages, the Court will grant Elephant's motion and dismiss Counts One through Seven. Further, because the plaintiffs have not alleged facts showing that a second Data Breach is imminent or substantial, they lack standing to bring a claim for declaratory and injunctive relief. Accordingly, the Court will grant Elephant's motion and dismiss Count Eight.

The Court will issue an appropriate Order. Let the Clerk send a copy of this Opinion to all counsel of record.

Date: $\underset{―}{2}\underset{―}{\underset{―}{Z}}$ June 2023 Richmond, VA

^[5] Because the plaintiffs lack standing to assert their claims, the Court will not reach Elephant's arguments regarding failure to state a claim.

NOTES

Notes

${}^1$ The Consolidated Complaint names Christopher Holmes, Trinity Bias, Jaime Cardenas, and Robert Shaw as plaintiffs. It also indicates that these plaintiffs represent a class of similarly situated individuals that the plaintiffs will move to certify as a class if this case proceeds to discovery. Throughout this Opinion, "plaintiffs" shall connote the four named plaintiffs and the potential class members.

${}^2$ A Rule 12(b)(6) motion gauges the sufficiency of a complaint without resolving any factual discrepancies or testing the merits of the claims. Republican Party of N.C. v. Martin, 980 F.2d 943, 952 (4th Cir. 1992). In considering the motion, a court must accept all allegations in the complaint as true and must draw all reasonable inferences in favor of the plaintiff. Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250, 253 (4th Cir. 2009) (citing Edwards v. City of Goldsboro, 178 F.3d 231, 244 (4th Cir. 1999)). The principle that a court must accept all allegations as true, however, does not apply to legal conclusions. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). To survive a Rule 12(b)(6) motion to dismiss, a complaint must state facts that, when accepted as true, state a claim to relief that is plausible on its face. Id. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007)).

${}^3$ The plaintiffs note that "'[f]ullz' is slang used by threat actors and various criminals meaning 'full information,' a complete identity profile or set of information on any entity or individual." (ECF No. 18, at 12 n.19.)

${}^4$ The plaintiffs do not allege that the Data Breach included the issuing state for the plaintiffs' driver's licenses.

Case Details

Case Name: Holmes v. Elephant Insurance Company FILE IN THIS CASE ONLY

Court Name: District Court, E.D. Virginia

Date Published: Jun 26, 2023

Citation: 3:22-cv-00487

Docket Number: 3:22-cv-00487

Court Abbreviation: E.D. Va.