
ONE LESS CYBER EXPOSURE: THE IMPACT OF ARTICLE III STANDING AND INJURY-IN-FACT ON CYBER INSURANCE CLAIMS

The cyber insurance market indisputably has experienced a “boom” in recent years, with some sources reporting more than 30% in annual growth in the market over the past decade. With this exponential growth has come a corresponding increase in cyber insurance claims, which must be fielded by adjusters in real time, often with a lack of clarity on how any given jurisdiction will respond to each new and evolving cyber insurance claim. In at least one context, the scope of exposure under cyber liability insurance policies could be limited based on issues of standing under Article III. In Holmes v. Elephant Insurance Co., the Court of Appeals for the Fourth Circuit is poised to address a decision finding data breach victims do not have standing to pursue a class action regarding the compromise of their personal information as they cannot establish sufficient injury-in-fact. 2023 WL 4183380 (E.D. Va. June 26, 2023), appeal No. 23-cv-1782 (4th Cir. July 28, 2023).

In Holmes v. Elephant Ins. Co., a class action was filed by a group of victims of a cyber data breach that resulted in the compromise of their personal information. The plaintiffs were customers and prospective customers of Elephant Insurance Co. who entered personal information on Elephant’s online quote tool. The tool was compromised, with hackers gaining access to the users’ sensitive personal information, including names, driver’s license numbers, and dates of birth. The victims of the data breach filed a class action against Elephant asserting claims for negligence, unjust enrichment, and violation of various state consumer protection, unfair trade practices, and privacy protection acts. Elephant filed a motion to dismiss based, in part, on a lack of Article III standing.

Article III provides that federal courts only have jurisdiction over “cases” and “controversies.” To establish Article III standing, a party must show three elements: 1) “an injury in fact – an invasion of a legally protected interest which is (a) concrete and particularized… and (b) actual or imminent, not conjectural or hypothetical;” 2) “a causal connection between the injury and the conduct complained of”; and 3) “it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555 (1992). Elephant argued, in part, that the victims of the data breach had not established an injury-in-fact sufficient to support Article III standing in the suit against it. The district court agreed.

The court acknowledged that an injury-in-fact could include “threatened injuries,” but only if it is “certainly impending.” Holmes, citing Whitmore v. Arkansas, 495 U.S. 149 (1990). The court noted that “[a]llegations of possible future injury do not satisfy the requirements of Art. III.” Id. In the specific context of a data breach, the court pointed to prior Fourth Circuit caselaw holding that the “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element”; an actual identity theft or a “nonspeculative, increased risk of identity theft” was required. Id., citing Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018) and O’Leary v. TrustedID, Inc., 60 F.4th 240 (4th Cir. 2023). “‘[T]he mere theft of… items’ containing personal information ‘cannot confer standing’ because the threatened injury is too speculative.” Holmes, quoting Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017). “A ‘highly attenuated chain of possibilities’ in which the Court must make a series of assumptions to find a threatened injury ‘cannot confer standing.’” Id., citing Beck and Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013). Further, “[t]he cost of mitigative measures or self-imposed harms, cannot confer standing…. Without an imminent threat, ‘the cost of measures to guard against identity theft, including the cost of credit monitoring services… do[es] not constitute an injury-in-fact.’” Id., citing Beck.

Applied to the facts before it, the court found all but one of the victims of the data breach had not shown a sufficient injury-in-fact to establish Article III standing. The court noted that none of the plaintiffs had alleged actual misuse of their personal information, only that the information had been disclosed, which alone was insufficient to support standing. The court found that the risk of future identity theft because of the data breach was too attenuated to support standing under Article III. The court also found that generalized allegations of emotional distress and lost value to personal information from the data breach, as pleaded by the plaintiffs, were conclusory and unsupported and did not establish an injury-in-fact for purposes of standing. The court further rejected any claimed injury based on time the plaintiffs spent in reviewing their financial documents after the breach, as the Fourth Circuit has not accepted mitigative measures as injury-in-fact.

The court found only one of the plaintiffs had adequately alleged an injury-in-fact stemming from the breach in the form of a loss of privacy as the plaintiff allegedly experienced an uptick in spam texts and calls that he attributed to the data breach. The court nonetheless held this activity was not traceable to the data breach and that this plaintiff lacked standing as well.

Holmes currently is on appeal to the Fourth Circuit. Oral argument was heard on October 29, 2024 and a decision is expected in the coming months. If the decision is affirmed, it will present an example of a court limiting the scope of plaintiffs who successfully can pursue claims for damages against an impacted company after a data breach. From an insurance perspective, this could limit the potential exposure to cyber liability insurance policies issued to companies that suffer a cyber breach to an insured system. Lawsuits undoubtedly still will be filed against affected companies after a breach, but the covered exposure under a cyber liability policy ultimately could be reduced based on challenges to standing. The likelihood of a case continuing past dispositive motions and involving more than cost of defense exposure could be lessened based on viable challenges to Article III standing and the need for plaintiffs to establish a colorable injury-in-fact caused by a data breach. For insurers, the impact of decisions like Holmes could be one less cyber exposure under cyber liability policies, or at least a significantly less expensive exposure.