Standing to Sue – The Elephant in the Room
In the movie Animal Crackers, Chico Marx’s character, “Chicolini,” is on trial for treason. On cross-examination, he turns to the prosecutor and says, “Now I ask you one…What is it that has a trunk but no key, weighs two thousand pounds, and lives in a circus?” The prosecutor responds, “That’s irrelevant!” to which Chicolini replies, “A relaphant? Hey! That’s the answer…There’s a whole lotta relephants in the circus.” When the insurance company “Elephant Insurance” was hacked and threat actors obtained the driver’s license numbers of their customers, crafty class action lawyers saw an opportunity to sue for damages. On October 14, the United States Court of Appeals for the Fourth Circuit attempted to address a question that has plagued courts considering privacy-related damages – did those whose driver’s license numbers were exposed (or potentially exposed) suffer sufficient harm to have “standing” to sue?
In the world of cybersecurity and privacy law, the obvious often goes unspoken: When your personal data is exposed, your privacy is already lost — long before your credit card is stolen or your identity is misused. That’s the elephant in the room.
In early 2022, hackers discovered that Elephant Insurance, a Virginia-based auto insurer, had a vulnerability in its online quoting system. The platform was designed for speed: type in your name, address, and birth date, and it would auto-fill the rest — driver’s license number included — using internal and third-party databases.
Between March 26 and April 1, 2022, attackers exploited that feature, harvesting the driver’s license numbers of almost three million people.
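The design flaw described above is a quoting endpoint that turns three low-entropy public facts into a full driver’s license number. The following is an added illustration (not the insurer’s code, and the records, names and limits are constructed) of that auto-fill pattern beside a hardened variant that keeps the license number server-side, returns only a masked hint, and caps lookups per client:

```python
import collections
import secrets

# Constructed sample records standing in for the internal and third-party
# databases; the keys are the public facts a quoting form asks for.
DRIVER_DB = {
    ("jane doe", "1 main st", "1980-01-01"): {"license": "T12345678", "vehicle": "2019 sedan"},
    ("john roe", "2 oak ave", "1975-06-15"): {"license": "Z87654321", "vehicle": "2021 truck"},
}


def _key(name, address, dob):
    return (name.strip().lower(), address.strip().lower(), dob)


def autofill_vulnerable(name, address, dob):
    """Auto-fill as described in the text: three public facts return the full record,
    driver's license number included, to whoever submitted the form."""
    rec = DRIVER_DB.get(_key(name, address, dob))
    return dict(rec) if rec else None


def mask(value, visible=2):
    """Keep only the last `visible` characters so the user can confirm a match."""
    return "*" * (len(value) - visible) + value[-visible:]


class QuoteService:
    """Hardened variant (hypothetical): the license number never leaves the server."""

    def __init__(self, max_lookups=3):
        self.max_lookups = max_lookups
        self.lookups = collections.Counter()  # per-client lookup counter
        self.sessions = {}  # quote token -> full record, held server-side only

    def autofill(self, client_id, name, address, dob):
        self.lookups[client_id] += 1
        if self.lookups[client_id] > self.max_lookups:
            # Bulk harvesting relies on unlimited lookups; stop and require identity proofing.
            raise PermissionError("lookup limit exceeded; verify identity first")
        rec = DRIVER_DB.get(_key(name, address, dob))
        if rec is None:
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = rec  # later quote steps reference the record by token
        return {"quote_token": token, "vehicle": rec["vehicle"],
                "license_hint": mask(rec["license"])}
```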
The victims — Trinity Bias, Jaime Cardenas, Christopher Holmes and Robert Shaw — filed a class-action lawsuit. They claimed the breach invaded their privacy, caused anxiety, wasted time, and increased their risk of identity theft. Two of them — Cardenas and Holmes — said they later found their driver’s license numbers for sale on the dark web.
The lower court threw the case out, saying none of that was a “real injury.” In Holmes v. Elephant Insurance Company (4th Cir. Oct. 14, 2025), the Fourth Circuit Court of Appeals finally admitted that sometimes, privacy harm is real, concrete, and heavy enough to count. The Fourth Circuit ruled that Cardenas and Holmes, whose license numbers were actually posted online, had suffered a concrete privacy injury and could proceed.
Facts vs. Information: What We Lose When Data is Stolen
To understand why that matters, it helps to distinguish between two kinds of “personal” data:
Personal facts — the content of your private life: Medical records, tax returns, intimate messages, family quarrels. When these are exposed, the harm is immediate. It’s the kind of violation that tort law — public disclosure of private facts, intrusion into seclusion, defamation — was designed to redress. The injury is the exposure itself.
Personal information — identifiers that don’t reveal anything by themselves but can be used to unlock or impersonate your identity: driver’s license numbers, bank account numbers, passwords, Social Security numbers. Their theft doesn’t expose your private life; it simply increases your risk of future misuse.
The law treats those categories very differently. Losing “personal facts” is a privacy violation. Losing “personal information” is merely a potential risk. Until your stolen information is used — or worse, published — the courts generally say you haven’t been harmed yet.
That’s what Holmes v. Elephant Insurance was about. The key question wasn’t whether Elephant’s servers were hacked or if personal data (not just personally identifiable information) was exposed. Everyone agreed it was. The question was whether that hack caused a legally recognizable injury. The Fourth Circuit said yes — but only for the plaintiffs whose information was actually disclosed.
First, the Court found that the mere theft of a driver’s license number itself causes no compensable harm. In TransUnion LLC v. Ramirez, the U.S. Supreme Court sharply limited when individuals can sue in federal court for data or privacy-related harms. That case arose when TransUnion, a credit reporting agency, incorrectly flagged thousands of consumers as potential terrorists or criminals in its internal credit files. Only some of those credit reports were actually shared with third parties, such as lenders.
The Court ruled that only those whose false credit information was disseminated to others had suffered a “concrete injury” sufficient for Article III standing. The rest — whose files contained the same false and damaging information but were never sent out — had no standing to sue, because they suffered no tangible or “real-world” harm. The majority (Justice Kavanaugh) reasoned that a mere statutory violation or risk of future harm is not enough; injury must closely resemble a harm traditionally recognized in American law, such as defamation, which requires publication.
In the Elephant Insurance case, two members of the class showed that their driver’s license numbers were listed for sale on the dark web. That, the court said, was like publishing someone’s private information in a newspaper — a digital version of the old-fashioned privacy tort called “public disclosure of private facts.” The exposure itself was the harm. They had standing to sue.
But for the others, whose information was merely stolen but not yet published, the harm was too speculative. The risk of future identity theft wasn’t “imminent” enough. The court likened it to a punch that might be thrown someday. Until it lands, there’s no bruise, no injury, no case. However, assuming that the driver’s license number of the two plaintiffs was posted BECAUSE it was exposed on the Elephant website, it is naive to think that the other driver’s licenses weren’t exposed. It’s likely just that it was exposed privately (person to person) or on a more hidden dark web forum. The punch landed – we just don’t know where.
This distinction — between “stolen” and “published” — creates a profound policy problem.
For the average person, the theft of their data feels like a violation. They trusted a company with information that now circulates in the wild. They must spend time and money protecting themselves from potential misuse. But for the law, unless and until that misuse happens — or unless the data appears in public — the harm is invisible.
That means most data breaches cause no legally recognized injury.
And when companies know that victims can’t show “standing,” they know that the risk of being sued is minimal. They can offer free credit monitoring, apologize, and move on. The legal system, in effect, prices privacy at zero.
That’s why the Fourth Circuit’s ruling matters. It doesn’t solve the problem, but it acknowledges what every security professional already knows: once data leaves the vault, the harm is already done. It’s not “irrelevant.”
Why the Elephant Still Sits There
In the analog world, the violation of privacy was physical or reputational. Someone opened your mail, published your diary, or printed your name in the paper. In the digital world, privacy harm is ambient. Your data circulates silently, copied a thousand times over, stripped of context but never erased.
Courts struggle with that. They want proof of injury that looks like traditional tort damage — a broken bone, a lost dollar, a printed lie. But privacy harms are modern and intangible: Loss of control, anxiety, diminished trust and exposure to unknown risks.
To a very real extent, we don’t “value” privacy because we don’t put a “value” on privacy alone. Certainly, a plaintiff would have to show that their fear of identity theft or future harm is real, and is tied to the specific breach and specific information exposed. But this does not mean that they suffered no harm at all.
Until courts and lawmakers assign those harms value — through statutes, presumptions of injury, or fixed damages — companies will continue to under-invest in security. After all, from a purely economic perspective, if victims can’t sue, then the cost of a breach is just PR. Data subjects can’t rely on privacy promises in privacy policies or contracts either, because they may have a clause that says, “If any of the parties participating in this contract are shown not to be in their right mind, the entire agreement is automatically nullified.” — you know — a sanity clause. But, as Chico would say in A Night at the Opera, “you can’t fool me. There ain’t no sanity clause!”