We recently reported on an anticipated decision from the Fourth Circuit that could limit the scope of cyber insurance claims stemming from the disclosure of personal information in a data breach based on challenges to Article III standing. The case is Holmes v. Elephant Insurance Co., 2023 WL 4183380 (E.D. Va. June 26, 2023), appeal No. 23-cv-1782 (4th Cir. July 28, 2023). The Fourth Circuit has now issued a decision on appeal and held that certain of such claims can survive Article III standing challenges – specifically where a victim’s driver’s license information has been shared on the dark web without consent – as such claims involve concrete “injury-in-fact.”
In Holmes, victims of a cyber breach brought a class action against an insurance company that had collected their personal information via an online quote tool. The tool was then hacked, resulting in disclosure of the victims’ personal information including names, driver’s license numbers, and dates of birth. The insurance company filed a motion to dismiss the class action based, in part, on challenges to the victims’ Article III standing. The insurer argued the victims could not establish an “injury-in-fact” (“an invasion of a legally protected interest which is (a) concrete and particularized… and (b) actual or imminent, not conjectural or hypothetical”), which is a required element for Article III standing. In the alternative, the insurer argued the victims could not establish “a causal connection between the injury and the conduct complained of,” which is the second element of Article III standing. The district court agreed with the insurance company and dismissed the class action in its entirety. The plaintiffs appealed.
On October 14, 2025, the Fourth Circuit entered a decision on the Holmes appeal. The Court held that while the majority of the class plaintiffs had failed to establish concrete injury from the data breach, at least one subset of victims had adequately pleaded “injury-in-fact” from the disclosure of their personal information to give them standing to continue their claims against the insurance company.
The class plaintiffs had alleged four distinct “injuries” as a result of the data breach: 1) the actual compromise of their personal information in the breach including driver’s license numbers being listed on the dark web without their consent; 2) the risk of future misuse of their personal information by other malicious actors; 3) the risk of having their personal information taken again in the future in another hack of the insurance company; and 4) the emotional distress and time spent monitoring their financial records to mitigate the likelihood of future harm. Of these four “injuries,” the Fourth Circuit held only the first was sufficient to constitute “injury-in-fact” to support Article III standing.
The Court found the plaintiffs whose driver’s license numbers had been listed on the dark web against their justifiable wishes had suffered a concrete injury, and “because that injury has already come to pass, it gives them standing to seek damages.” The Court analogized this subset of victims’ claims to a common law tort claim for invasion of privacy based on public disclosure of private information. The Court explained that this tort “makes concrete the intangible harm suffered when information that the plaintiff would justifiably prefer to tightly control is released to the open.” In evaluating what kind of information would be deemed private enough to support a tort claim for invasion of privacy, the Court explained: “Though the information need not be embarrassing or salacious, the plaintiff must have a good reason to keep it close to the vest. And though the information need not be broadcast to the whole world, it must be accessible to many.” Here, certain class plaintiffs’ driver’s license information had been disclosed. The Court noted that Congress had enacted the Driver’s Privacy Protection Act, which provides a cause of action against “a person who knowingly… discloses… information, from a motor vehicle record, for purposes not permitted under [the Act],” which includes driver’s license numbers. 18 U.S.C. §2724. The Court explained that while driver’s license information “may not be the most sensitive personal information people possess,” it is “in Congress’s view, among the ‘personal information’ worth protecting” and “[t]hat favors finding the injury here concrete.”
With regard to the other “injuries” alleged by the victims, the Court held none were sufficient to constitute concrete “injury-in-fact” for purposes of Article III standing. The Court found the risk of future use of the victims’ personal information, future identity theft, or a second data breach at the insurance company was not “imminent enough to itself be an injury-in-fact.” The Court also held standing could not be furnished based on time spent by the victims in monitoring financial records after the breach or by allegations of emotional distress. The Court explained that when future harm is merely speculative, “a plaintiff cannot backdoor standing by simply by making an expenditure based on a paranoid fear.” Similarly, “a plaintiff cannot manufacture standing by resort to a theory that would permit standing in every case” like emotional distress. The Court held that “if time spent and emotional distress felt are concrete injuries, they may serve as the sole basis for standing to recover damages only when incurred in response to a separate imminent harm.” Such “injuries” otherwise would not suffice for Article III standing on their own.
The Fourth Circuit’s decision in Holmes has opened the door for future claims by victims of a data breach whose personal information has been disclosed on the dark web without their consent. From an insurance perspective, this increases the potential for exposure under cyber liability policies when such claims are asserted against an insured after a breach. While the district court’s decision in Holmes had suggested exposure under cyber liability policies after a data breach could be limited by the “injury-in-fact” element of Article III standing, the Fourth Circuit’s decision shows that at least some claims will make it through. Rather than “one less cyber exposure” as had been predicted after the district court’s decision in Holmes, the Fourth Circuit’s decision presents a clear example of claims that will be permitted to continue against an insured after a cyber breach and, as a result, “one more cyber exposure” under cyber insurance policies.