Class Actions Brief Blog

Since the Supreme Court’s opinion in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), litigants and courts alike have struggled to determine whether certain intangible harms are “concrete, particularized, and actual or imminent” such that a plaintiff has standing to sue. Indeed, this blog has previously analyzed cases addressing that question here and here.

The Fourth Circuit weighed in recently, holding that a subset of plaintiffs whose drivers’ license numbers were leaked and published online had standing to sue, but the plaintiffs whose numbers were leaked and unpublished did not. Holmes v. Elephant Insurance Co., No. 23-1782 (Oct. 14, 2025).

In that case, defendant Elephant Insurance suffered a data breach in which its customers drivers’ license numbers were leaked. Four Elephant Insurance customers brought a putative class action seeking to remedy alleged harms that they suffered from the breach. Each of the plaintiffs alleged three types of harm: (1) the risk of future misuse of their already leaked data; (2) the risk of their data being compromised in a future hack of Elephant Insurance; and (3) the effort and emotional distress incurred in monitoring their financial records to reduce the likelihood of harm. Furthermore, two plaintiffs alleged that they were harmed because their drivers’ license numbers were published on the dark web.

Elephant Insurance moved to dismiss, arguing that the plaintiffs lacked standing because none of the four alleged injuries were concrete, particularized, and actual or imminent. The Eastern District of Virginia agreed and dismissed the case.

On appeal, the Fourth Circuit reversed in part. While acknowledging that intangible harms present difficult questions of standing, the Court analyzed whether the alleged injuries had a “close historical or common-law analogue.” The Court found an analogue for only one of the plaintiffs’ harms—the publication of their private data. For the two plaintiffs who found their data available online, the Court compared their harm to the harm suffered by a plaintiff pursuing a claim of public disclosure of private information. Because the harm suffered by these two plaintiffs was comparable to a traditionally recognized harm, those plaintiffs had standing to pursue a lawsuit to remedy that harm.

Conversely, because the other two plaintiffs could not allege that their data had been published to a public audience, they had not suffered the same harm. Furthermore, none of the other alleged harms were sufficient to confer standing. First, the plaintiffs could not allege that the risk of future misuse of their leaked data was imminent. Similarly, the plaintiffs could not allege that a future hack of Elephant Insurance was imminent. Finally, the time and emotional distress that the plaintiffs incurred in monitoring their financial records had no historical or common-law analogue. Thus, none of those injuries could confer standing on their own.

Courts and litigants will continue to wrestle with the point at which an intangible harm becomes concrete, particularized, and actual or imminent such that a plaintiff has standing to sue. With the rise of data breach and other online privacy litigation, attorneys will continue to pursue claims for alleged injuries that courts have never considered. The Fourth Circuit’s analysis in Elephant Insurance will assist parties in addressing which of those injuries are able to be remedied through the judicial system.