Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions.  On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.

Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks.  Id. at *1.  Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach.  Id.  They sued Elephant for alleged harms stemming from the breach.  Id. at *3.  Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not.  Id. at *2.  The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing.  Id.  But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two. 

To determine whether plaintiffs had standing, the court had to grapple with whether their breach-related harms were a “concrete” injury under TransUnion.  Id. at *3.  Whether an intangible harm, like personal data loss, is concrete turns on whether it “bear[s] a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.”  Id.  Plaintiffs argued that harms from Elephant’s data breach were akin to the tort of public disclosure of private information.  Id. at *5.  After examining the contours of this tort, the court held that it can confer standing under TransUnion where “information that the plaintiff would justifiably prefer to tightly control is released into the open” and is “accessible to many.”  Id. at *6. 

The court concluded that driver’s license information is the type of private data that a person would wish to “tightly control,” the release of which could cause a concrete harm.  Id. at 6–7.  But only the two plaintiffs who alleged that their driver’s license information was disseminated on the dark web could satisfy the requirement that “information they justifiably prefer to tightly control has been released into the open.”  Id. at *7.  That is so because the court determined that the dark web “either reaches, or is sure to reach, the public, or is close to doing so.”  Id.  At the same time, the court held that plaintiffs’ various other alleged harms—that someone may misuse their leaked data in the future, that their data may be disclosed by another breach at Elephant, and that they suffered emotional distress—were inadequate to support standing and affirmed the dismissal of claims based on those harms.  Id. at *10–16. 

Article III standing law post-TransUnion continues to develop, and it is important to investigate circuit-specific law when litigating.  As the Fourth Circuit acknowledged, other circuits have taken different approaches to standing in nearly identical circumstances.  See Baysal v. Midvale Indem. Co., 78 F.4th 976 (7th Cir. 2023) (holding that leaked driver’s license data did not satisfy public disclosure of private information tort to confer standing).  Further, the Fourth Circuit’s analysis was highly fact-dependent, limiting the potential reach of the case.