Publicity, Not Mere Exposure: Fourth Circuit Holds Dark‑Web Listing of Driver’s License Numbers Is a Concrete Injury-in-Fact; Future-Risk and Mitigation-Only Theories Fail

Introduction

In Christopher Holmes v. Elephant Insurance Company, the Fourth Circuit confronted a recurring threshold question in modern data-breach litigation: when do victims of a cyber incident have Article III standing to sue? Judge Richardson, writing for a unanimous panel, affirmed in part and reversed in part a district court’s dismissal for lack of standing. The court held that two named plaintiffs who plausibly alleged their driver’s license numbers were posted on the dark web suffered a concrete, actual injury-in-fact by analogy to the common-law tort of public disclosure of private facts. But the panel rejected standing theories premised on (i) a generalized increased risk of future misuse, (ii) a speculative risk of a second breach, and (iii) mitigation time or emotional distress untethered to an imminent harm.

The decision carefully distinguishes between “exposure” of information to a small group (e.g., intruders) and “publicity” that renders the information accessible to many (e.g., posting on the dark web). It also clarifies that the common-law analogue analysis required by TransUnion LLC v. Ramirez looks to the nature of the harm suffered, not to one-to-one matching of doctrinal elements. The opinion splits with a Seventh Circuit decision (Baysal v. Midvale) on whether driver’s license numbers are sufficiently private for concreteness and reinforces the Fourth Circuit’s stricter view of imminence in data-breach cases under Beck v. McDonald and Clapper v. Amnesty International.

Parties: Plaintiffs–appellants Christopher Holmes, Trinity Bias, Jaime Cardenas, and Robert Shaw (on behalf of a putative class) sued Elephant Insurance Company, Elephant Insurance Services, LLC, and Apparent Insurance. The plaintiffs alleged a 2022 breach permitted unknown actors to retrieve driver’s license numbers through Elephant’s online quoting platform, which auto-populated data using internal and third-party sources. Two plaintiffs (Cardenas, Holmes) alleged their numbers later appeared on the dark web. The district court dismissed for lack of standing. The Fourth Circuit affirmed in part, reversed in part, and remanded.

Summary of the Opinion

The court addressed Article III standing, emphasizing that standing must be shown for each form of relief (damages versus injunctive/declaratory) and for each named plaintiff. The plaintiffs advanced four injury theories:

  • Actual compromise of personal information in the breach
  • Risk of future misuse of their information (e.g., identity fraud)
  • Risk of a future repeat breach at Elephant
  • Emotional distress and mitigation time spent monitoring accounts

Holdings:

  • Concrete past injury (damages only) for two plaintiffs: The court held that plaintiffs Cardenas and Holmes plausibly alleged a concrete injury because their driver’s license numbers were listed on the dark web. That publicity is closely analogous to the common-law harm behind the tort of public disclosure of private information. They have standing to seek damages.
  • No standing for the other two plaintiffs: Bias and Shaw did not allege publicity—only that hackers obtained their numbers—so they failed to allege a concrete injury. Private knowledge by a small, undefined set of wrongdoers is different in kind from public disclosure.
  • Future-risk theories fail (no injunctive or declaratory relief): None of the plaintiffs established an imminent risk of future misuse or a second breach at Elephant. The court applied the Clapper/Beck “substantial risk” standard (not a looser “reasonable likelihood” standard) and held the alleged risks were too speculative.
  • Mitigation time and emotional distress cannot manufacture standing: Absent a separate imminent harm, allegations of time spent monitoring and emotional distress cannot alone establish standing to seek damages. These are at most parasitic harms.
  • Traceability of spam calls rejected: Holmes’s separate claim of increased spam calls/texts failed for lack of traceability; the compromised data did not include phone numbers.

Disposition: Affirmed in part (dismissal of most standing theories and of all injunctive/declaratory claims), reversed in part (standing for damages as to Cardenas and Holmes based on dark‑web publicity of driver’s license numbers), and remanded.

Analysis

Precedents Cited and Their Influence

  • TransUnion LLC v. Ramirez (2021): Central to the analysis. The court applied TransUnion’s requirement that intangible injuries have a “close relationship” to traditionally recognized harms. Crucially, the court emphasized that the focus is on the type of harm, not a strict element-by-element match. It mirrored TransUnion’s approach to defamation (publication required because that’s when the reputational harm occurs) to explain why “publicity” matters for public disclosure of private facts.
  • Spokeo, Inc. v. Robins (2016): Framed the concreteness requirement and Congress’s role in identifying intangible harms.
  • Lujan v. Defenders of Wildlife (1992): Articulated the injury-in-fact, causation, and redressability triad; future injury must be “imminent.”
  • Clapper v. Amnesty Int’l (2013): Rejected “objectively reasonable likelihood” of future harm as too speculative; required “certainly impending” or “substantial risk.” The Fourth Circuit hewed to this stricter view in rejecting future-risk theories.
  • Murthy v. Missouri (2024): Reaffirmed “substantial risk” as the operative articulation of imminence and warned against speculative chains dependent on independent third-party decisions.
  • City of Los Angeles v. Lyons (1983): Plaintiffs must show a personal risk of future harm for injunctive relief; that an agency will commit wrongs “in the aggregate” does not show the plaintiff himself faces an imminent risk. Applied to reject injunctive standing seeking stronger Elephant security.
  • Beck v. McDonald (4th Cir. 2017): Set a rigorous bar for imminence in data-breach cases, observing even a 33% victimization rate would leave most uninjured and fall short of “substantial risk.” The court used Beck to reject future-misuse standing.
  • Garey v. James S. Farrin, P.C. (4th Cir. 2022): Reinforced TransUnion’s harm-centric (not element-centric) analogue approach.
  • Hunstein v. Preferred Collection (11th Cir. 2022) (en banc): Cited for the conceptual distinction between public and private disclosure—publicity causes a qualitatively different harm.
  • Davis v. FEC (2008): Cited by TransUnion as an example of an actionable privacy-related harm by analogy; helped the court explain that non-salacious data can still implicate privacy analogues.
  • Hutton v. NBEO (4th Cir. 2018): Example of tangible harm from identity fraud (credit score decrease) and that mitigation costs alone do not support standing when future harm is speculative.
  • Warth v. Seldin; Friends of the Earth v. Laidlaw; Town of Chester v. Laroe: Emphasized that each named plaintiff must establish standing and for each form of relief sought.
  • Baysal v. Midvale Indemnity Co. (7th Cir. 2023): The Fourth Circuit expressly disagreed with Baysal’s view that driver’s license numbers are too “neutral” to support the privacy-analogue; it reasoned that sensitivity in degree (e.g., driver’s license versus Social Security numbers) does not defeat the kind of harm recognized.
  • Bohnak v. Marsh & McLennan (2d Cir. 2023); Webb v. Injured Workers Pharmacy (1st Cir. 2023); Clemens v. ExecuPharm (3d Cir. 2022): Sister-circuit cases finding concreteness when breached data was publicized online; the Fourth Circuit’s standing holding for dark-web publicity aligns with these decisions.
  • Driver’s Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721–2725: Congressional judgment that driver’s license information is “personal information” informed the concreteness analysis (while not dispositive under Spokeo/TransUnion).

Legal Reasoning

1) Harm-focused common-law analogue: publicity makes the injury concrete

The court asked whether the intangible injury alleged bears a close relationship to harms traditionally recognized at common law. It looked to the privacy tort of public disclosure of private facts. Two key clarifications drive the analysis:

  • Focus on harms, not elements: TransUnion requires a close relationship in the type of harm, not a one-to-one correspondence with doctrinal elements. Thus, whether the defendant “disclosed” the information (an element of the tort) is not the touchstone for Article III injury. What matters is the plaintiff’s loss of control when sensitive information is made public and accessible to many.
  • Publicity versus private exposure: The “publicity” aspect is harm-defining. Public disclosure causes a qualitatively different injury than a limited, private exposure to a few wrongdoers. The dark web functions as a public (or widely accessible) forum. When personal data appears there—even behind a paywall—the information is accessible to many and thus analogous to publication in a newspaper.

Applying that framework, the court held:

  • Cardenas and Holmes: Allegations that their driver’s license numbers were listed on the dark web establish a concrete, actual injury-in-fact. The information is of a type a person justifiably seeks to “tightly control,” given its misuse potential; the public accessibility of the dark web satisfies the publicity dimension. Congressional judgment in the DPPA reinforces that driver’s license numbers are “personal information” worth protection.
  • Bias and Shaw: Their allegations showed only that unknown hackers obtained their numbers. Without allegations of publicity to the public at large or a large group, they did not allege the kind of harm analogous to public disclosure of private facts. Private knowledge by a handful of wrongdoers is a different kind of harm.

Importantly, the court rejected Elephant’s argument that standing fails absent an affirmative “disclosure” by Elephant. Even if Elephant did not itself publicize the data, the injury to the plaintiffs from public accessibility is the same. While that may bear on liability at the merits, it does not negate concrete injury for Article III purposes.

2) Future misuse and repeat-breach theories are not “imminent”

The panel reaffirmed the Fourth Circuit’s stringent imminence threshold:

  • Future misuse (identity fraud): For Bias and Shaw, the risk that hackers might publicize their information is too speculative under TransUnion. For Cardenas and Holmes—who had publicity—the risk of future fraudulent misuse still depended on multiple contingencies: an identity thief would have to obtain their specific data from the dark web; combine it with other personal data; and do so before the license numbers change. Under Beck, even a 33% risk is insufficient. The plaintiffs alleged no facts showing a substantial risk exceeding that floor.
  • Risk of a repeat breach at Elephant: Lyons forecloses standing for injunctive relief based on generalized future wrongdoing. That a system was breached once does not mean these plaintiffs face a substantial, personal risk of another breach compromising their information. The plaintiffs’ allegations were general and indistinguishable from those of other consumers in a breach-prone era.

3) Mitigation time and emotional distress cannot create standing by themselves

The court assumed without deciding that mitigation time and emotional distress could be “concrete” injuries in some circumstances. But it held they cannot be the sole basis for damages standing when the only feared harm is speculative. Clapper’s anti-manufacturing rule bars plaintiffs from creating Article III injury by incurring costs (or time) or by alleging distress in response to non-imminent risks. Echoing tort law’s “parasitic” approach to emotional distress, the court required a separate imminent harm to which mitigation time or distress can attach. Bias and Shaw alleged none and thus lacked damages standing on these theories.

Impact

Doctrinal significance

  • Establishes a clear standing rule for data-breach cases in the Fourth Circuit: Posting of personal information on the dark web is “publicity” sufficient to make the injury concrete by analogy to public disclosure of private facts; mere compromise (without publicity) is not enough.
  • Sharpens TransUnion’s analogue analysis: The focus is on the harm to the plaintiff, not element-by-element mirroring. Thus, a defendant’s lack of affirmative disclosure does not negate concreteness.
  • Reinforces a high imminence bar: The decision doubles down on Beck/Clapper, requiring a substantial, individualized risk rather than a generalized fear of future misuse or repeat breaches. Chains of contingencies break standing.
  • Limits mitigation-only and distress-only standing: Time spent and emotional distress cannot “manufacture standing” absent a separate imminent injury.
  • Circuit landscape: The court aligned with the First, Second, and Third Circuits on concreteness when dark‑web publicity is alleged and expressly disagreed with the Seventh Circuit’s narrower view of what constitutes protected private information. This emerging disagreement could draw Supreme Court attention if the split deepens.

Practical implications for litigants

  • Pleading strategy for plaintiffs:
    • Allege facts showing publicity: Screenshots, vendor reports, or other documentation that compromised data actually appeared on the dark web (paywalled or not) will be pivotal.
    • Tie publicity to the breach: Plead plausible causation linking the particular dark-web listing to the defendant’s breach.
    • For injunctive relief: Identify individualized facts establishing a substantial, personal risk of future misuse or a repeat breach affecting the plaintiff—general allegations won’t suffice post-Lyons.
    • Consider additional harms: If actual misuse occurred (e.g., fraudulent accounts, credit score hits), plead those tangible impacts. They materially strengthen standing.
  • Defense strategy for companies:
    • Early standing challenges: Move to dismiss where complaints allege only exposure to hackers, generalized future risk, or mitigation time/distress without imminent harm.
    • Publicity disputes: Demand particulars on dark-web listings and challenge causation between any listing and the defendant’s breach.
    • Injunctive relief: Lyons provides a robust basis to defeat prospective-relief claims absent a plaintiff-specific imminent risk.
    • Class certification: TransUnion requires every class member to show Article III injury to recover damages. The dark-web-publicity requirement may complicate class-wide proof and encourage narrower damages classes limited to those with documented listings.
  • Compliance takeaways for data holders:
    • Auto-population risks: Systems that derive sensitive identifiers from limited inputs can magnify external attack surfaces. Controls to consider include rate limiting, CAPTCHA, and anomaly detection to prevent “credential-stuffing” or enumeration attacks.
    • Data minimization: Especially given the court’s skepticism about injunctive standing, companies should proactively implement auditing, deletion of unnecessary data, and routine security training—good governance that can mitigate damages exposure even if not enjoined.

Complex Concepts Simplified

  • Article III standing:
    • Injury-in-fact: Must be concrete, particularized, and actual or imminent.
    • Traceability: The injury must be fairly linked to the defendant’s conduct.
    • Redressability: A court order must likely fix the injury.
    • Relief-specific: Plaintiffs must show standing separately for damages and for injunctive/declaratory relief.
  • Concreteness and common-law analogues:
    • Intangible injuries can be concrete if they are closely related to historically recognized harms (e.g., privacy, reputation).
    • The focus is on the harm’s nature, not whether every element of the common-law tort is met.
  • Publicity versus exposure:
    • Publicity means dissemination to the public or a large audience (e.g., newspapers, modern internet/dark web), not disclosure to a few individuals.
    • Private exposure (hackers alone) differs in kind, not just degree, from public disclosure.
  • Dark web:
    • A network enabling anonymous marketplaces where stolen data is listed and sold.
    • Functionally public: Even if paywalled, it is accessible to many (akin to paid newspapers or subscription sites).
  • “Imminent” future harm:
    • Requires a substantial risk in the near term, not a reasonable possibility at some point.
    • Speculative chains relying on multiple independent actors (e.g., thieves choosing specific data, aggregating multiple data points, before the data changes) do not satisfy imminence.
  • Mitigation time and emotional distress:
    • Cannot on their own create standing if they respond to non-imminent harms; otherwise any plaintiff could manufacture standing.
    • They may be recoverable as part of damages when attached to a separate actual or imminent injury.

Key Takeaways and Open Questions

  • New rule in the Fourth Circuit: Public listing of driver’s license numbers on the dark web is a concrete injury-in-fact by analogy to public disclosure of private facts; mere compromise without publicity is not.
  • No injunctive standing on generalized future-risk or “repeat breach” allegations; Lyons controls.
  • Mitigation time and emotional distress cannot independently establish damages standing absent a separate imminent harm.
  • Circuit split emerging: The Fourth Circuit’s privacy-analogue approach diverges from the Seventh Circuit’s narrower view; alignment with First, Second, and Third Circuits increases the chance of further appellate developments.
  • Class actions: After TransUnion, every damages class member must show individual Article III injury. Plaintiffs may need to limit classes to those with credible proof of dark-web publicity.
  • On remand: The district court will address the surviving damages claims for Cardenas and Holmes (and potentially similarly situated class members), including causation, merits (e.g., DPPA, negligence), and damages. The court did not decide the merits or liability standards; it resolved only standing.

Conclusion

Holmes v. Elephant Insurance advances Article III doctrine in data-breach litigation in three important ways. First, it concretely anchors the harms of online “publicity” in the TransUnion framework: posting a person’s driver’s license number on the dark web is sufficiently analogous to public disclosure of private facts to establish a concrete injury. Second, it reaffirms a stringent imminence requirement for future harms, rejecting generalized future-risk and repeat-breach theories under Clapper, Murthy, Beck, and Lyons. Third, it prevents plaintiffs from manufacturing standing through mitigation time or emotional distress unmoored from a separate imminent injury.

The opinion will reshape pleading and proof in data-breach cases within the Fourth Circuit. Plaintiffs who can document that their sensitive identifiers were actually publicized online will clear the threshold for damages claims; those alleging only exposure, generalized risk, or mitigation efforts will not. For defendants, the decision provides robust tools to defeat injunctive relief and to challenge standing where publicity is not credibly alleged. Against a backdrop of diverging approaches in other circuits, Holmes sets out a careful, harm-centered path consistent with TransUnion’s history-and-tradition guideposts while preserving Article III’s gatekeeping function in an era of ubiquitous cyberattacks.

Case Details

Year: 2025
Court: Court of Appeals for the Fourth Circuit
