
When a company suffers a data breach, it suffers twice: first from the breach itself, and second from the plaintiff class action claims that are sure to follow. A threshold issue in those claims is “standing,” the legal requirement that an individual (or class) have a sufficient personal stake in a suit to seek relief. In other words, the breach happened, but the plaintiff still must show “what is it to you?” The data breach plaintiffs’ bar has seen varying success in arguing for both standing and damages in connection with data breach class actions.
In recent years, the general trend has been for courts to take an increasingly broad view of standing – at least where a breach incident reveals information that is sufficiently personal or risky to an affected consumer. One recent example of this trend, of particular potential interest to dealers, is Holmes v. Elephant Insurance Co., No. 23-1782 (4th Cir. Oct. 14, 2025), where the 4th Circuit Court of Appeals held that public disclosure of driver’s license numbers constitutes concrete injury sufficient to allow standing to sue for claims related to a data breach.
Background
The Holmes case resulted from a 2022 data breach of Elephant Insurance’s network[1] that exposed the driver’s license numbers of three million individuals on the dark web. Drawing on the US Supreme Court’s decision in TransUnion v. Ramirez (coincidentally involving the purchase of a new car from a dealership), the Fourth Circuit held that driver’s license numbers alone, posted on the dark web, are considered public disclosure of private information that constitutes a concrete injury sufficient for standing to sue – given their potential for misuse in identity theft.
Key Takeaway for Dealers
Determining what consumer information is technically sensitive enough to require protection can be a difficult and complicated legal issue. The best general guidance for dealers is to treat ALL customer data as highly sensitive and take adequate steps to protect it, regardless of the nature or source. In the context of a breach class action, there is now one more reason to ensure that driver’s license data (both copies as well as numbers or other identifying information) is adequately protected and maintained only as necessary.
First, given the sensitivity of driver’s license data, you should review why you obtain it in the first place. There may be valid reasons (and perhaps even requirements) to obtain that information in connection with a test drive or vehicle purchase. But is it needed in all situations? Is a copy (or scan) of the license necessary, or is a review of the information on the license sufficient? As most dealers know, copying a license is an issue that commonly leads to consumer questions and complaints. To be sure, there are valid and important identity theft and fraud prevention issues that may require you to gather this information. However, you should avoid simply gathering this information as a matter of routine, or because you have “always done so.” You should have a process and valid reason for obtaining this information.
Second, if it is gathered, do you keep it? If so, you should ask why that data is kept. Is it needed? For how long and for what purpose? As with credit card numbers, unless there is some compelling independent reason to maintain that data, dealers should ensure that the copy of the license, or at least the license number itself, is deleted (or redacted) as soon as it is no longer required to be maintained. You cannot be sued for a breach of data you do not have.
Avoiding a Breach Is the Best Protection
As with this or any other personal data, the best step dealers can take to avoid these issues is to prevent breaches in the first place. While that is easier said than done, at a minimum, dealers should be taking steps to meet all of their FTC Safeguards security requirements – not just because it’s required, but because it is an effective way to protect your business from breach risks. If you are taking all the data security steps required, and are doing so with a reputable security vendor, you are materially strengthening your posture to avoid breaches. But many dealers increasingly are going beyond the FTC Safeguards requirements with tools like managed detection and response and more. Contact ComplyAuto today to learn more about how to best protect your dealership from breach risks.
[1] Interestingly, the attackers obtained the driver’s license numbers by utilizing the Elephant online quoting platform, which auto-populated the driver’s license number (presumably obtained from the DMV) when a consumer provided publicly available information in the platform. The hackers used this tool to obtain millions of license numbers by providing the publicly available information via the auto-populate feature. This is a reminder to dealers to treat similar types of quoting or other online tools with extreme caution.