Time for SCOTUS to Step In: Yet Another Circuit Court Misapplies TransUnion to a Cyberattack Class Action – and This Time Creates Three Circuit Splits Along the Way
By Douglas H Meal - Edited by Shriya Srikanth
Mr. Meal is an Adjunct Professor at Cleveland State University College of Law and Boston College Law School. He teaches Cybersecurity Litigation at each institution. The views expressed in this Article are his own and are not attributable to either institution with which he is affiliated.
1. Introduction
The Supreme Court’s seminal 2021 ruling in TransUnion LLC v. Ramirez [1] addressed what injuries are “concrete” for purposes of establishing Article III standing. TransUnion first recognized that already-incurred tangible injuries such as out-of-pocket monetary losses and physical damage to one’s person or property are paradigmatically “concrete” for Article III standing purposes. [2] The Court next tackled the Article III “concreteness” of two other sorts of injuries: (1) already-incurred intangible injuries and (2) yet-to-be-incurred future injuries. As to already-incurred intangible injuries, the Court held that they are “concrete” for Article III standing purposes where they bear “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” [3] And as to yet-to-be-incurred future injuries, the Court held that they are “concrete” for Article III standing purposes where (1) the future injury is “sufficiently” imminent and substantial [4] and (2) the plaintiff’s risk of incurring that injury “itself causes a separate concrete harm.” [5]
TransUnion was a Fair Credit Reporting Act case. But its holding has to be applied in the context of other claims. One such context is class action cyberattacks involving the theft of personal information. Before TransUnion, plaintiffs in such cyberattack class actions had, with good reason, customarily eschewed theories of injury predicated on their having already suffered a tangible injury as a result of the attack. Because few individuals whose personal information is involved in a cyberattack suffer tangible harm that can be traced to the attack, relying on such a theory of injury would nearly always eliminate from the class the overwhelming majority of the individuals whose personal information was involved in the attack. Moreover, because individualized inquiries would be necessary first to identify, and then to prove and quantify the damages suffered by, the relatively few people who had already suffered tangible injuries from the cyberattack, it would be nearly impossible to establish the “predominance of common issues” required to certify a damages class composed of such people.
Instead, prior to TransUnion, plaintiffs in such cyberattack class actions had normally predicated their claims on class-wide theories of injury, positing that all individuals whose personal information was involved in the attack had already suffered the same intangible injury (such as a loss of privacy) and/or were at risk of suffering the same future tangible injury (such as a monetary loss from identity theft). As TransUnion’s two core holdings addressed, and seemingly greatly limited, the circumstances under which already-incurred intangible injuries and as-yet-unmaterialized tangible injuries could be “concrete” for Article III standing purposes, those two holdings had obvious implications for the theories of injury that were then in vogue in cyberattack class actions. [6]
As had been predicted, TransUnion has triggered an avalanche of litigation in cyberattack class actions as to whether the named plaintiffs’ alleged injuries were “concrete” for Article III standing purposes. The most recent circuit court ruling to emerge from that avalanche is the Fourth Circuit’s decision in Holmes v. Elephant Insurance Co. [7]
2. Background on Elephant Insurance
Elephant Insurance arose from a cyberattack in which hackers succeeded in stealing the driver’s license number (DLN) of nearly 3 million of the defendant’s actual and potential insureds. [8] The named plaintiffs brought a putative class action on behalf of all the persons whose DLNs had been stolen. [9] None of the named plaintiffs claimed that the attack had already caused him or her to suffer an out-of-pocket monetary loss of the type that TransUnion recognized would always sustain Article III standing. Instead, as to injury, plaintiffs claimed (1) to have already suffered a variety of intangible injuries (i.e., loss of privacy; time spent reviewing their credit and financial documents; fear, anxiety, and stress; and increased calls and texts from spammers) and (2) to have been placed at an increased risk of a tangible injury in the future, namely, a monetary loss from identity theft. [10] The defendant moved to dismiss for lack of Article III standing under TransUnion’s two above-described holdings, and the trial court granted the motion. [11]
The Fourth Circuit reversed. In so doing the Fourth Circuit became the latest in a line of circuit courts to misapply TransUnion’s two core holdings in the context of a cyberattack class action. Along the way, the Fourth Circuit (by its own admission) created three clear circuit splits as to the application of those holdings in the cyberattack-class-action context.
3. Elephant Insurance’s Misapplication of TransUnion’s Intangible Injury Holding
As to whether plaintiffs’ alleged intangible injuries could sustain Article III standing, the Elephant Insurance court focused on the loss of privacy inherent in having one’s DLN stolen in a cyberattack and inquired whether that alleged privacy injury, in TransUnion’s parlance, bore “a close relationship” to the loss-of-privacy harm addressed by the common-law tort of public disclosure of private facts (“PDPF”). [12] That harm, as the court recognized, has three elements: (1) a disclosure to the public (2) of a matter concerning the private life of another (3) that would be highly offensive to a reasonable person. [13] TransUnion teaches that, while the courts should not apply its “common-law analogue” rubric by “requir[ing] an exact duplicate” between the harm alleged by the plaintiff and the common-law harm to which it is being compared (the “comparator harm”), [14] the “close relationship” required by that test does not exist where the harm alleged by the plaintiff “circumvents a fundamental requirement of” the comparator harm because it is missing an element or an aspect that is “essential to liability” for the comparator harm. [15] In Elephant Insurance, then, the Fourth Circuit should have applied TransUnion to the plaintiffs’ intangible loss-of-privacy injury by inquiring whether that injury was missing any of the three essential elements of, and therefore circumvented a fundamental requirement of, the injury made actionable by the proposed comparator tort, namely, the tort of PDPF.
As shown below, had the Elephant Insurance court done that, it would have had to conclude that the intangible injury inherent in having one’s DLN stolen in a cyberattack “circumvents” not just a “fundamental requirement,” but every fundamental requirement, of the harm made actionable by the common-law tort of PDPF. Because that intangible injury therefore was missing multiple elements “essential to liability” for the harm made actionable under the tort of PDPF, the Fourth Circuit should have ruled that TransUnion precluded Article III standing from being predicated on that particular intangible injury. Unfortunately, the Elephant Insurance court mistakenly ruled otherwise.
a. Misapplication of Second and Third Requirements of a PDPF-Actionable Harm
Regarding the second and third of the requirements of the harm made actionable by the tort of PDPF — namely that the disclosure be of a private matter and highly offensive to a reasonable person — this author has elsewhere detailed the welter of legal authority holding that, for purposes of that tort, a public disclosure of a Social Security number neither reveals a private matter nor is highly offensive to a reasonable person. [16] That prior discussion need not be repeated here except to say that it applies a fortiori to a DLN, which is far less private and far less sensitive than a Social Security number. And, indeed, in 2023, in Baysal v. Midvale Indemnity Co. (“Baysal”), the Sixth Circuit expressly rejected the proposition that disclosure of a DLN constitutes a highly offensive disclosure of a private fact for purposes of the tort of PDPF and, as such, could sustain Article III standing in a cyberattack class action. [17]
In Elephant Insurance, the Fourth Circuit acknowledged that Baysal presented a “nearly identical case” to Elephant Insurance, but asserted that the Fourth Circuit “saw things differently” from the Seventh Circuit on this particular point. [18] In defending its different view of things, the Fourth Circuit noted that a PDPF claim can be predicated on a disclosure of one’s income tax return. [19] But income tax returns are rife with private information about one’s financial circumstances and transactions that could be embarrassing or humiliating if disclosed. They thus fit comfortably within the category of those “facts about [one]self that [one] does not expose to the public eye, but keeps entirely to [one]self or at most reveals only to [one’s] family or to close personal friends.” [20] As such they bear no resemblance (much less a “close” one) to DLNs, which are routinely disclosed without any embarrassment or hesitation at airline, rental car, and hotel check-in desks; to airport, government-building, and office-building security guards; to waitstaff and bartenders in restaurants and bars; and in myriad other circumstances when one’s driver’s license is used to verify one’s age or identity.[21] That being the case, a DLN is not private information, nor would its public disclosure be highly offensive to a reasonable person, for purposes of the second and third requirements of the harm made actionable by the tort of PDPF. For this reason alone, the Fourth Circuit erred — and created a clear circuit split — in finding Article III standing based on plaintiffs’ alleged loss-of-privacy injury.
b. Misapplication of the First Requirement of a PDPF-Actionable Harm
Regarding the first of the three requirements of the harm made actionable by the tort of PDPF — namely that the disclosure be public — this author has elsewhere described the many cases holding that, for purposes of applying TransUnion’s “common-law analogue” test, a non-public disclosure can never bear a “close relationship” to the harm made actionable by the tort of PDPF. [22] In Elephant Insurance, the Fourth Circuit tried to evade the fatal standing implications of the non-public nature of the disclosure at issue there by pointing to the fact that two of the named plaintiffs allegedly had their DLN not merely stolen, but also posted to the dark web, by the cybercriminals in question. [23] According to the Fourth Circuit, “information listed on [the dark web] either ‘reaches, or is sure to reach, the public,’” and thus posting information on the dark web constitutes a “public disclosure” of the posted information within the meaning of the tort of PDPF. [24]
The court offered no supporting factual citation, however, for its conclusion that once information is posted on the dark web, that information thereby “reaches or is sure to reach the public.” The Elephant Insurance court did observe (in another assertion for which it cited no factual support) that the dark web is accessible “to those with some degree of proficiency with computers.” [25] But this assertion is simply untrue. The plaintiffs’ complaint admitted as much, describing the “dark web” as “a heavily encrypted part of the Internet that is not accessible via traditional search engines” and noting that “[l]aw enforcement has difficulty policing the dark web due to this encryption, which allows users and criminals to conceal identities and online activity.” [26]
Moreover, even if one gets to the dark web, there are substantial practical and technical barriers before one can reliably access a dark web marketplace (“DWM”) (typically a .onion site on the Tor network) to illegally buy and sell stolen personal information. First, .onion services differ from public-facing internet websites in numerous ways: they can only be accessed over the Tor network; .onion URLs are lengthy alphanumeric hashes rather than recognizable names like amazon.com, which makes them difficult to remember; the network path between the client and the .onion service is typically longer, increasing latency and thus reducing the performance of the service; and .onion services are private by default, meaning that users must discover many of these sites through word-of-mouth, rather than with a search engine. [27] Second, operators of DWMs often layer additional security and anti-automation mechanisms, account security mechanisms, and financial security mechanisms and specific transaction conditions to protect themselves — making automated crawling or casual browsing difficult and imposing friction for aspiring buyers far beyond what is customarily encountered at public facing internet retail websites. [28] Third — and perhaps most important of all — unlike buyers of online subscriptions to magazines and newspapers sold on the internet, buyers of stolen personal information on a DWM must be willing not only to pay money to obtain the information they are seeking, but also to engage in criminal conduct by illegally transacting to buy stolen goods from parties who, incidentally, are by the nature of the transaction wholly untrustworthy. For all these reasons, and with due respect to the Fourth Circuit, Elephant Insurance is plainly wrong in asserting that information being bought and sold on a DWM is just as easily accessed as information being bought and sold behind a paywall on a public-facing internet website.
In any event, even if this assertion were correct, that would not establish a public disclosure of stolen personal information any time such information is posted for sale on the dark web. Stolen personal information posted for sale on the dark web will only “reach or be sure to reach” the limited group of aspiring cybercriminals who both have the requisite degree of computer proficiency to access the DWM in question and make criminal use of that proficiency by succeeding in illegally purchasing the information in question. As the Fourth Circuit itself recognized later in its Elephant Insurance opinion:
To be sure, hackers list personal information on the dark web in the hope that someone will buy it. But no particular piece of personal information is guaranteed to be seen or sold, just as no particular item on Craigslist or eBay is guaranteed to be seen or sold. Without more it is unrealistic to assume that identity thieves will imminently acquire the driver’s license number of any given plaintiff. [29]
Plainly, if it is unrealistic to assume that even one aspiring identity thief will acquire a stolen DLN once it is posted for sale on the dark web, it is a fortiori unrealistic to assume that once such a posting occurs so many aspiring identity thieves will see and acquire the DLN in question that, collectively, their acquisitions constitute a public disclosure of that DLN. Yet that is precisely the unrealistic assumption the Fourth Circuit made in Elephant Insurance.
In Elephant Insurance, the Fourth Circuit sought to defend that assumption by analogizing the small group of aspiring cyber criminals who might purchase stolen DLNs on the dark web with the small segment of the public that might purchase a subscription to an online newspaper or magazine. [30] As the Fourth Circuit pointed out, the Second Torts Restatement recognizes that “any publication [of information] in a newspaper or a magazine, even of small circulation . . . is sufficient to give publicity [to that information] within the meaning of the [tort of PDPF].” [31] But in relying on that language from the Second Torts Restatement, the Fourth Circuit missed the point the drafters were making. “The distinction,” the drafters made clear, “is one between private and publiccommunication.” [32] Information published in a newspaper or magazine is a “public disclosure” of that information for purposes of the tort, even if the publication has a small circulation and must be purchased by those members of the public who wish to read it, because the information is being disseminated by means of a communication targeted towards the public at large. On the other hand, where information is only disclosed by means of a private communication, there is no “public disclosure” of that information for purposes of the tort, even if the information is disclosed to multiple persons. [33]
The distinction between public and private communications should have driven the court’s analysis of the public disclosure issue in Elephant Insurance. When DLNs are posted for sale for the dark web, any ensuing disclosure of those DLNs will be not by means of a public communication akin to a newspaper or magazine article, but rather by means of a wholly private communication between the criminal who stole the DLNs and a second criminal who wants to make criminal use of the DLNs. Even if multiple such sales occur, and hence multiple such private communications occur (which cannot be assumed, as the Fourth Circuit itself recognized), their private nature would prevent them from collectively amounting to a public disclosure of the DLNs in question. The Fourth Circuit was therefore wrong to conclude that a DLN posted for sale on the dark web necessarily “reaches, or is sure to reach, the public.” [34] Accordingly, for this further reason the Fourth Circuit erred in finding Article III standing in Elephant Insurance under TransUnion’s “common-law analogue” rubric.
4. Elephant Insurance’s Misapplication of TransUnion’s Risk-of-Future-Injury Holding
In Elephant Insurance, the Fourth Circuit separately considered whether Article III standing could be found under TransUnion’s two-pronged test for predicating standing on a plaintiff’s risk of suffering a future injury from the defendant’s allegedly unlawful conduct. [35] Here, again, the Fourth Circuit misapplied TransUnion. Along the way, it created two more clear circuit splits.
In applying the first prong of TransUnion’s “risk of future injury” test, the Elephant Insurance court joined the many other circuit courts that have applied that prong in cyberattack class actions by requiring that the plaintiff establish a “substantial” risk of future identity theft by reason of the cyberattack in question. [36] As this author has elsewhere described, the “substantial risk” standard that other circuit courts have embraced in this context employs a list of “non-exhaustive” factors that leaves litigants with no objective way of knowing, and courts with no objective way of deciding, whether the requisite “substantial risk” exists in the case at hand. [37] This is particularly so because the other circuit courts’ “substantial risk” standard never quantifies exactly (or even approximately) how probable a future injury needs to be, based on an analysis of the standard’s non-exhaustive list of factors, in order for the risk of its occurring to be “substantial” within the meaning of that standard. The other circuits’ “substantial risk” standard is therefore a wholly subjective “I-know-it-when-I-see-it” test that, in reality, is no standard at all. [38]
To its credit, the Fourth Circuit rejected the wholly subjective, and thereby legally flawed, substantial risk inquiry that the other circuit courts had embraced — which created a second circuit split. [39] Instead, the Fourth Circuit opted for an objective test that quantified how likely a potential future identity theft must be in order for the chance of its occurring to qualify as “substantial.”[40] But, unfortunately, the Fourth Circuit’s effort to quantify the meaning of “substantial risk” for Article III purposes fell short under TransUnion and the Supreme Court’s other Article III precedents.
According to the Fourth Circuit, in a cyberattack case, a plaintiff seeking to show a “substantial risk” of future identity theft resulting from the attack must establish a risk that “surpasses at least 33%.” [41] The better read of TransUnion and the Supreme Court’s other Article III precedents, however, is that a risk of future injury is “sufficiently” substantial for Article III purposes only where that injury is likely to occur. [42] Indeed, the Supreme Court said exactly that, word for word, in June 2024. [43] In Elephant Insurance, then, the Fourth Circuit should have required a showing that the plaintiffs’ risk of future identity theft “surpasses at least [50]%” — not 33% — in order for Article III standing to be predicated on that risk. [44] By failing to do so, the Elephant Insurance court misapplied TransUnion’s “risk-of-future-injury” holding. [45]
TransUnion’s “risk-of-future-injury” holding further requires that an as-yet-unmaterialized future injury be not merely probable, but also imminent, for the risk of that injury occurring to sustain Article III standing. [46] As this author has elsewhere discussed, [47] and as observed by the Fourth Circuit, [48] the “substantial risk” standard that other circuit courts have applied in the cyberattack-class-action context essentially disregards the imminence element of TransUnion’s test for when a risk of future injury can sustain Article III standing. The Fourth Circuit enforced that element in Elephant Insurance, however, holding that a future cyberattack-caused identity theft was not only insufficiently likely to befall plaintiffs, [49] but also insufficiently imminent, to be a predicate for Article III standing under TransUnion.[50] In so holding, the Fourth Circuit (as it readily acknowledged) thereby created a third circuit split regarding the application of TransUnion in the cyberattack-class-action context.[51]
5. Conclusion
Elephant Insurance is just the latest example of a circuit court’s misapplying TransUnion in the context of a cyberattack class action. [52] Moreover, by its opinion in Elephant Insurance, the Fourth Circuit created three separate circuit splits as to the proper application of TransUnion in the cyberattack-class-action context. The time has therefore come for the Supreme Court to step in and resolve the open issues through a grant of certiorari in an appropriate cyberattack class action case. [53]
[1] 594 U.S. 413 (2021).
[2] Id. at 425.
[3] Id.
[4] Id. at 435.
[5] Id. at 436 (emphasis in original).
[6] See, e.g., Mathew D. Berkowitz & Brian M. O’Shea, The Future of Data Breach Class Actions After TransUnion v. Ramirez, FOR THE DEFENSE, at 30–31 (Nov. 2021), https://digitaleditions.walsworth.com/publication/?i=729352&article_id=4161569&view=articleBrowser. [https://perma.cc/R844-FSQ8].
[7] 156 F.4th 413 (4th Cir. 2025).
[8] Id. at 419.
[9] Id.
[10] Id. at 419-20.
[11] Holmes v. Elephant Ins. Co., 2023 U.S. Dist. LEXIS 110161, 2023 WL 4183380 (E.D. Va., June 26, 2023).
[12] Elephant Insurance, 156 F.4th at 423. The Eleventh Circuit has held that TransUnion’s “common-law analogue” rubric has no application where the injury in question is being asserted in support of a state common-law claim of the sort typically asserted in a cybersecurity class action. Green-Cooper v. Brinker Int'l, Inc., 73 F.4th 883, 890 n.9 (11th Cir. 2023), cert. denied sub nom. Brinker Int'l, Inc. v. Steinmetz, 144 S. Ct. 1457 (2024). In September 2025, Ninth Circuit rejected this view. Kisil v. Illuminate Education, Inc., 2025 U.S. App. LEXIS, at *3 (9th Cir. Sept. 8, 2025). By applying TransUnion’s “common-law analogue” rubric to both the statutory and the common-law claims that plaintiffs asserted in Elephant Insurance, the Fourth Circuit implicitly sided with the Ninth Circuit on this further circuit split (the fourth to date) regarding how TransUnion should be applied to cyberattack class actions.
[13] Elephant Insurance, 156 F.4th at 423 (citing Restatement (Second) of Torts § 652D & Special Note & cmt. a).
[14] TransUnion, 594 U.S. at 424.
[15] Id. at 434, 434 n.6.
[16] See Douglas H. Meal, Booing Bohnak: How the Second Circuit Dropped the Article III Ball in Analyzing Standing in Class Actions Arising from Cyberattacks, 16 J.L. Tech. & Internet 1, 18-20 (2025), also available at: https://scholarlycommons.law.case.edu/jolti/vol16/iss1/2 (hereinafter “Booing Bohnak”).
[17] See Baysal v. Midvale Indemnity Co., 78 F.4th 976, 979 (7th Cir. 2023) (affirming dismissal of cyberattack class action based on stolen DLNs for lack of standing under TransUnion, reasoning that only "potentially embarrassing or intimate details" are shielded by the tort of public disclosure of private information, and "[a] license number is not viewed as embarrassing . . . or private . . . but as neutral").
[18] Elephant Insurance, 156 F.4th at 427.
[19] Id. (citing Restatement (Second) of Torts § 652D, cmt. b).
[20] Restatement (Second) of Torts § 652D, cmt. b (defining what constitutes “private” information for purposes of the tort of PDPF).
[21] Elephant Insurance, 156 F.4th at 427 (“People do not consider their driver’s licenses embarrassing and hand them to bartenders and waiters and police officers without hesitation.”)
[22] See Booing Bohnak, supra note 16, at 17-18.
[23] Elephant Insurance, 156 F.4th at 425-26.
[24] Id. at 426.
[25] Id.
[26] Consolidated Class Action Complaint (Docket Entry 18), Elephant Insurance, 156 F.4th 413, Para. 40.
[27] P. Winter et al., How Do Tor Users Interact with Onion Services, Proceedings of the 27th USENIX Security Symposium (Aug. 15-17, 2018), at 411, available at https://www.usenix.org/conference/usenixsecurity18/presentation/winter.
[28] Y. Wang et al., Secure in the Dark? An In-Depth Analysis of Dark Web Markets Security. International Journal of Information Security, 24 . ISSN 1615-5270 (2025) at 2, available at https://doi.org/10.1007/s10207-025-01015-1. As examples, the authors point to DWM operators’ regularly protecting themselves by use of security and anti-automation mechanisms such as web security techniques (e.g., waiting queues, anti-phishing hurdles, CAPTCHAs, secret phrases, rate limiting, and distributed denial-of-service protection); account security mechanisms such as username, password and PIN requirements, mnemonics, multi-factor authentication, and account kill-switches; and financial security mechanisms such as requiring use of crypto currency and specifying the crypto currency to be used and imposing specific transaction conditions (e.g., multi-signature, escrow and finalize-early requirements). Id.
[29] Elephant Insurance, 156 F.4th at 431.
[30] Id. at 426.
[31] Id. at 426 n.10.
[32] Restatement (Second) of Torts § 652D, cmt. a (emphasis supplied).
[33] See id. (“it is not an invasion of the right of privacy, within the [tort of PDPF], to communicate a fact concerning the plaintiff's private life to a single person or even to a small group of persons”).
[34] Rather, the most that fairly could have been and could be said is that such a DLN might possibly reach a small group of cyber criminals intent on misusing that DLN – a circumstance that falls far short of making the DLN “substantially certain to become [a matter] of public knowledge,” as required by the harm made actionable by the tort of PDPF. Id. (tort of PDPF applies only where the matter in question is communicated “to so many persons that the matter must be regarded as substantially certain to become one of public knowledge”).
[35] Elephant Insurance, 156 F.4th 413, at Part II.B.1.
[36] Id. at 432.
[37] See Booing Bohnak, supra note 16, at 25.
[38] Id. at 25-26.
[39] Elephant Insurance, 156 F.4th at 432 (“We recognize that our sister circuits have found imminent injury to plaintiffs in similar circumstances to [the named plaintiffs in Elephant Insurance]” (citing prior decisions made under the subjective test for “substantial risk” adopted by the Second, First, D.C., Third, and Eleventh Circuits).
[40] Id. at 431-32.
[41] Id.
[42] See Booing Bohnak, supra note 16, at 30-33.
[43] FDA v. All. for Hippocratic Med., 602 U.S. 367, 381 (2024) (holding that, for an injury to be “concrete” for Article III purposes, “the injury must be actual or imminent, not speculative—meaning that the injury must have already occurred or be likely to occur soon”) (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013)) (emphasis added).
[44] See Likely, MERRIAM-WEBSTER DICTIONARY ONLINE, http://www.merriam-webster.com... (last visited Nov.28, 2025) (defining “likely” to mean “having a high probability of occurring or being true : very probable”).
[45] Fortunately for the defendant, in Elephant Insurance the Fourth Circuit found that plaintiffs had not established even a 33% chance of suffering a cyberattack-caused identity theft at some point in the future and, on that basis, refused to allow Article III standing to be predicated on TransUnion’s “risk of future injury” test. Elephant Insurance, 156 F.4th at 432.
[46] FDA v. All. for Hippocratic Med., 602 U.S. at 381 (holding that, for an injury to be “concrete” for Article III purposes, “the injury must be actual or imminent, not speculative—meaning that the injury must have already occurred or be likely to occur soon”) (emphasis added).
[47] See Booing Bohnak, supra note 16, at 33-34.
[48] See Elephant Insurance, 156 F.4th at 432.
[49] See note 45 supra.
[50] Elephant Insurance, 156 F.4th at 432 (explaining that “the chain of independent events and third-party choices that would have to coalesce for future impersonation to befall any particular plaintiff” was so attenuated that it made such future impersonation not only insufficiently probable, but also insufficiently imminent, to sustain Article III standing under TransUnion).
[51] Id. (“The plaintiffs may have alleged enough to show that the risk of future [identity theft] is an imminent injury before [our sister circuits]. But they have not done so before this one.”).
[52] See Booing Bohnak, supra note16 (discussing, in turn, prior misapplications of TransUnion in the cyberattack-class-action context by the Eleventh Circuit (at 7 n.29), the Second Circuit (at Part II.C.1), and the First, Second, and Third Circuits (at Part II.C.2).
[53] Elephant Insurance filed a certiorari petition in Elephant Insurance on March 12, 2026. Elephant Insurance Co. v. Holmes, No. 25-1085(Sup. Ct. Mar. 12, 2026). However, on May 12, 2026, the parties jointly moved to dismiss the petition by reason of their having reached a settlement. Id. (May 12, 2026).