At MVA, we often help clients who are victims of cyber incidents where threat actors take data and threaten to release it unless they are paid. With ransomware attacks and data exfiltration common, companies face mounting pressure to assess litigation risk after a breach, and understanding the legal landscape is critical. Recent rulings from both federal and state courts underscore a key point: not every breach translates into standing for every affected individual.
In our 2017 DataPoints piece on Beck v. McDonald, we explored how the Fourth Circuit set a reasonable bar for standing in data breach cases. That precedent continues to shape outcomes today, including a recent decision from the Fourth Circuit and a November 18th decision from a state court of appeals reinforcing the principle that speculative harm is not enough for standing.
The Fourth Circuit in Holmes v. Elephant Insurance Co. and the Wisconsin Court of Appeals in Bauer v. Fincantieri Marin Corp. reached similar conclusions: allegations of mere exposure or speculative future harm are not enough. Plaintiffs must show “concrete and particularized” injury—actual misuse or identity theft—to proceed.
Holmes v. Elephant Insurance Co.
On October 14, 2025, the Fourth Circuit issued a ruling in Holmes v. Elephant Insurance Co. that partially reversed and partially affirmed dismissal of a putative class action for lack of standing.
The case arose out of a 2022 hack against Elephant Insurance Co. that compromised the driver’s license numbers of nearly 3 million people. The four named plaintiffs, representing the putative class, claimed harm from spending time reviewing credit and financial documents and increased risk of identity theft. Two plaintiffs alleged emotional distress from fear and anxiety, and one claimed harm from receiving more spam calls. Two of the plaintiffs claimed they found their license numbers on the dark web.
The district court dismissed for lack of standing, and the Fourth Circuit took up the case to examine the standing question. Under the U.S. Supreme Court's June 25, 2021, decision in TransUnion LLC v. Ramirez, plaintiffs must show three things to establish standing:
- They suffered an injury in fact that is concrete, particularized, and actual or imminent;
- The injury likely was caused by the defendant; and
- The injury likely would be redressed by judicial relief.
The court noted that the one tangible harm—the increased spam texts and calls—failed at the second prong. Because plaintiffs did not allege that cell phone numbers were obtained in the data breach, the alleged harm was not reasonably likely caused by the defendant.
The named plaintiffs asserted four intangible injuries-in-fact: the compromise of personal information; the risk of future misuse by other malicious actors; the risk of having personal information taken in the future in another Elephant hack; and emotional distress and time spent monitoring financial records to mitigate the likelihood of future harm. The court examined each alleged injury to see whether it was concrete, particularized, and actual or imminent. Particularized means affecting each individual personally, and actual means occurring in reality. Concrete means the injuries were real and not abstract.
Dark Web Posting is Concrete, Says Fourth Circuit
The Fourth Circuit reminds us that the TransUnion precedent weighs Congress’s views about whether a harm is sufficiently concrete to qualify as an injury-in-fact.
“To be sufficiently concrete, an intangible harm must bear ‘a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,’” the ruling said. That requires an analysis of whether there is "a close historical or common-law analogue" to the alleged injury.
For the allegations of posting driver's license numbers on the dark web, the Fourth Circuit found the analogue in the common law tort of public disclosure of private facts and the Driver's Privacy Protection Act (DPPA).
Holding that “the public disclosure of private information tort makes concrete the intangible harm suffered when information that the plaintiff would justifiably prefer to tightly control is released into the open,” the court noted that the DPPA provides a cause of action against a person who knowingly discloses personal information, including driver's license numbers. “Though driver's license numbers may not be the most sensitive personal information people possess, they are, in Congress's view, among the ‘personal information’ worth protecting,” the ruling said.
Noting also that the plaintiffs alleged that driver’s license numbers could be used for identity theft, the court found sufficient allegations for a concrete injury by the two plaintiffs whose driver’s license numbers were revealed on the dark web. The Fourth Circuit reversed dismissal for those two plaintiffs.
For the other two plaintiffs, while hackers could presumably post their license numbers any time, the possibility itself does not suffice for imminence based on TransUnion, the court decided. Importantly, the plaintiffs whose personal information ended up on the dark web could suffer a malicious actor’s fraudulent impersonation attempt at any time, but the other two plaintiffs are a step behind, and cannot show that fraudulent impersonation is imminent. The dismissal of their claims was upheld.
In landing on this holding, the court cited to Beck v. McDonald and noted the string of circumstances that would need to happen before the threat would come to fruition: “All this means that fraudulent impersonation will befall Cardenas and Holmes only if other intervening malicious actors acquire their driver's license numbers from the dark web and also acquire other pieces of their personal information and do so before their driver's license numbers change. And under our precedent, the plaintiffs cannot just assert that all this might happen; they must allege facts allowing us to conclude that for some particular plaintiff, the combined probability of that speculative chain materializing surpasses at least 33%.”
Bauer v. Fincantieri Marin Corp.
The Wisconsin Court of Appeals issued a decision on November 18, 2025, that similarly dismissed for lack of standing, although the path to get there differed under the state’s law. The case, Bauer v. Fincantieri Marin Corp., concerned a ransomware attack. In 2023, a shipbuilder discovered a cyberattack and determined that current and former employees’ sensitive information may have been viewed or collected. The employees filed a class action lawsuit for claims of negligence, breach of contract, and other counts for failing to safeguard information.
Under Wisconsin law, courts determine whether a party has standing by considering:
- Whether the party whose standing is challenged has a personal interest in the controversy (sometimes referred to in the case law as a "personal stake" in the controversy);
- Whether the interest of the party whose standing is challenged will be injured, that is, adversely affected; and
- Whether judicial policy calls for protecting the interest of the party whose standing has been challenged.
Individual states will have their own rules for establishing standing, but the legal reasoning supported by Wisconsin state law in this case followed similar lines as Holmes. Even as the law of standing is liberally construed, plaintiffs must allege an injury-in-fact.
None of the employees alleged that any identity theft or data misuse occurred. Granting FMC’s motion to dismiss, the trial court concluded that the threat of future identity theft alone is not enough to establish standing. The appeals court affirmed.
The opinion also noted that Wisconsin courts look to federal case law as persuasive authority to resolve questions of standing. The appeals court observed a lack of clear precedent from the Seventh Circuit. Reviewing other case law, including Beck v. McDonald, the appeals court was persuaded “that the risk of future harm and the actions taken to protect against that risk, as alleged by the Employees in this case, remain too attenuated and speculative to confer standing to pursue their claims, absent a demonstration that identity theft or data misuse has already occurred.”
While identity theft would constitute a concrete and particularized injury, the employees established only the mere possibility of harm, the court said in its opinion.
Circuit Uncertainty
As the Fourth Circuit noted in Holmes, not all federal court circuits are aligned. The state of the case law today demonstrates that experienced legal counsel is critical for companies to understand risks and develop cost-effective legal strategy if they become victims of a ransomware attack.
As we noted after Beck years ago, there is a good argument for dismissing a privacy breach case for lack of standing. When plaintiffs lack the evidence of concrete harm as articulated by these opinions, companies can move to dismiss, find leverage for settlement, or move for summary judgment.
Well versed in employment, privacy, and general commercial litigation, Karin helps clients navigate a range of complex issues. In addition to employment and privacy matters, Karin has successfully litigated a wide range of ...
