Please ensure Javascript is enabled for purposes of website accessibility

Data breach suit dismissed for standing, causation

Virginia Lawyers Weekly//July 25, 2023

Data breach suit dismissed for standing, causation

Virginia Lawyers Weekly//July 25, 2023//

Listen to this article

Where persons suing over a data breach largely lacked standing because they had not suffered any injuries, and the one person who had standing failed to connect his alleged injury to the data breach, the suit was dismissed.


This matter comes before the court on a motion to dismiss filed by Elephant Insurance Company, Elephant Insurance Services LLC and Platinum General Agency. The plaintiffs allege that Elephant did not adequately protect their personal information, or PI, and that, in a data breach, malicious actors viewed and copied their Pl. The plaintiffs bring a consolidated class action suit, asserting various claims arising from this data breach.


The heightened risk of future identity theft, without more, does not constitute an injury-in­fact because a “threatened injury must be certainly impending to constitute an injury-in-fact.” Although the plaintiffs closely monitor their credit reports and financial accounts, none have alleged misuse of their PI. None have pleaded facts to support their allegations of certainly impending identity theft.

Moreover, to find a threatened injury, the court must assume that the thief targeted Elephant for the PI it contained, then selected the named plaintiffs’ PI from millions of other records has begun combining the purloined PI with PI obtained from other sources to create a full profile and will imminently and successfully attempt to use that information to steal the plaintiffs’ identities. The Fourth Circuit had previously rejected an even shorter chain of possibilities to deny the plaintiffs standing on a claim of heightened risk of identity theft.

Only two of the named plaintiffs have alleged identity theft. Cardenas and Holmes report receiving notifications from a credit monitoring service that their driver’s license numbers appeared on the dark web. Because these plaintiffs have not alleged any misuse of their PI or resulting harm from their driver’s license numbers appearing on the dark web, this alleged injury simply echoes the claim of heightened risk of identity theft. These plaintiffs have not adequately pleaded an injury-in-fact.

Only Holmes has sufficiently pleaded an injury-in-fact. Holmes also avers that he suffers “significant fear, anxiety, and stress” resulting from the data breach. Shaw too suffers “significant fear, anxiety, and stress.” Neither plaintiff expands upon these conclusory allegations of emotional distress. Because the plaintiffs plead only “bare assertion of emotional injury,” they have not pleaded an injury-in-fact.

The plaintiffs also claim the data breach caused their PI to diminish in value. They allege no facts to explain how their PI lost value and instead only repeat conclusory statements: the plaintiffs “have suffered and will continue to suffer … loss of value of their Pl.” On a 12(b)(1) motion, courts have declined to find diminution of value in PI as an injury-in-fact when plaintiffs make only barebones assertions. Finally, the plaintiffs’ time spent paying close attention to their financial documents following the data breach does not constitute an injury-in-fact.


Holmes alleges that he “began experiencing an uptick in spam text and telephone calls that he attributes to this Data Breach.” He asserts he never requested an insurance quote from Elephant and alleges that an unauthorized actor used the online quote tool to retrieve his PI. The plaintiffs do not allege that the PI in this data breach included cell phone numbers. To the extent Holmes claims a loss of privacy due to the “uptick in spam text and telephone calls,” he has not pleaded any facts that causally connect this uptick in spam to Elephant.

Injunctive relief

The plaintiffs allege, without factual support, that “[t]he risk of another such disclosure is real, immediate, and substantial.” Because the plaintiffs have made only conclusory statements and have not articulated a sufficiently imminent and substantial risk of another Elephant data breach, the court finds the plaintiffs lack standing to seek declaratory and injunctive relief.

Defendants’ motion to dismiss granted.

Holmes v. Elephant Insurance Company, Case No. 3:22-cv-487, June 26, 2023. EDVA at Richmond (Gibney). VLW 023-3-371. 12 pp.

VLW 023-3-371

Verdicts & Settlements

See All Verdicts & Settlements

Opinion Digests

See All Digests