Data Breaches – Public Disclosure of Private Information

Since the first data breach lawsuits were initiated in 2005, Article III standing has remained a pivotal concern. In Holmes v. Elephant Insurance Company, the Court of Appeals for the Fourth Circuit determined that public disclosure of private information constitutes “concrete injury” within the context of unauthorized data access.

Defining Private Information

In Holmes, two plaintiffs demonstrated sufficiently concrete harm by alleging that their driver’s license numbers were published on the dark web as a direct consequence of the breach. This meant that “information they justifiably prefer to tightly control” was made widely accessible. The circumstances mirrored the tort of public disclosure of private information, which serves to protect against the dissemination of sensitive personal data. The court stated, “having one’s information compromised by a data breach is a harm that is both particularized, by affecting each individual personally, and actual, by occurring in reality.” Thus, the public disclosure theory of harm was adequately substantiated for these plaintiffs whose information was allegedly exposed on the dark web.

Conversely, the remaining two named plaintiffs did not establish a concrete injury, as there was no claim that hackers had disseminated their stolen information to the public or on the dark web. Allegations of increased risk of future identity theft, mitigation efforts, and emotional distress were deemed too speculative to confer standing. Plaintiffs cannot create standing through precautionary measures or claims of emotional distress predicated on hypothetical future harm.

Key Takeaways

Plaintiffs increasingly employ dark web monitoring to gather evidence of publication or disclosure, highlighting the necessity for comprehensive post-breach monitoring and documentation. Dark web and deep web monitoring are crucial both when negotiating with ransomware threat actors and in defending against subsequent litigation. Organizations encountering cybersecurity incidents should maintain meticulous records demonstrating the absence of real, concrete harm resulting from any breach.

In the event of litigation, businesses can reference Holmes to underscore the distinction between speculative future damage and actual or concrete injury. Courts continue to accept well-reasoned defense arguments indicating that vague or conclusory claims, such as “lost time,” are inadequate in the absence of allegations of monetary loss.

© 2025 Briones™ All Rights Reserved.