Rule 23
Rule 23
  • Home
  • The Brief
  • Recent Rulings
  • Case Index
  • About
  • More
    • Home
    • The Brief
    • Recent Rulings
    • Case Index
    • About
  • Home
  • The Brief
  • Recent Rulings
  • Case Index
  • About

Holmes v. Elephant Insurance Co.

ARGUED OCTOBER 29, 2024 — DECIDED OCTOBER 14, 2025

Before AGEE, RICHARDSON, and BERNER, Circuit Judges

View the court's opinion

Findings

The Bottom Line

The court affirmed the dismissal of all claims for plaintiffs Bias and Shaw, affirmed the dismissal of all injunctive relief claims, and reversed and remanded the lower court's dismissal of Cardenas and Holmes' claims.


Class Action Takeaway

The Fourth Circuit held that federal standing in data-breach cases requires a concrete injury beyond the hacker's mere possession of stolen data. Standing for injunctive relief cannot be granted based on speculative future harms, there must be a substantial risk of future harm.


Background

Elephant Insurance Co. provides several different forms of insurance to consumers, eg. home and auto. The company, like many others in the industry, auto-populates information, such as driver's license numbers, once a new customer inputs basic details such as names and addresses. Elephant Insurance Co. is able to access this information through their own database and third-party records. In late March 2022, the insurance company's network was hacked resulting in the driver's license numbers of 3 million people being compromised. Plaintiffs sued, on behalf of the class impacted, soon after they were notified of the breach. Two of the named plaintiffs, Cardenas and Holmes, claim damages of fear, anxiety, and stress due to their driver's license numbers now being published on the dark web. The two other named plaintiffs, Bias and Shaw, claim the same damages, but only out of the knowledge that their driver's license numbers were in the hacker's possession. Their license numbers were not published publicly. The case was dismissed by the district court which concluded that the plaintiffs lacked standing after considering and denying the several alleged injuries listed in the complaint. Shortly thereafter, plaintiffs appealed the dismissal.


Opinion

The court applied TransUnion LLC v. Ramirez (2021) and narrowed in on whether a "concrete injury" was suffered analogous to a traditional harm recognized in common law. The court found that the disclosure of private information (such as driver's license numbers) to the public sphere is analogous to the tort of public disclosure of private facts. This satisfied the concreteness of the injuries suffered by Cardenas and Holmes whose private information had been shared publicly. Plaintiffs Bias and Shaw allege that the hackers were in possession of their private information, not that it was used or shared publicly. The court found that hackers simply being in possession of sensitive information was not a concrete harm and thus the "injury-in-fact” requirement for damages was not satisfied. Additionally, all 4 named plaintiffs sought injunctive relieve for Elephant Insurance Co. to improve its data security. The court opined that there must be a substantial risk of future harm, not just a speculative or possible one, and ruled that no plaintiff had standing to pursue injunctive relief. Ultimately, the court affirmed the dismissal of all claims for plaintiffs Bias and Shaw, affirmed the dismissal of all injunctive relief claims, and reversed and remanded the lower court's dismissal of Cardenas and Holmes' claims.

Rule 23

(321) 447-6461

Copyright © 2025 Rule 23 - All Rights Reserved.

Powered by

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

Accept