Risk and Anxiety: A Theory of Data-Breach Harms

Privacy and Security

Article Snapshot


Danielle Citron and Daniel J. Solove


Texas Law Review, Vol. 96, No. 4, pp. 737-786, 2018


Data breaches increase the risk that consumers will be victims of fraud. But courts are reluctant to recognize that this increased risk is a sufficient harm to justify a lawsuit. Recognizing such harms might lead to more bankruptcies, but would deter data breaches.

Policy Relevance

Courts should be more willing to recognize intangible harms from data breaches.

Main Points

  • In federal court, a plaintiff suing for harm from a firm’s loss of personal data must show “standing;” the plaintiff must allege an injury in fact, that is, a concrete harm, not a conjectural or hypothetical harm.
  • Data breaches involve leaks of personal data such as financial account information, driver’s license numbers, social security numbers, and biometric markers.
  • Plaintiffs suing because of a data breach usually offer three theories of harm.
    • One theory is that the plaintiff faces an increased risk of future injury, but most courts reject this as too speculative.
    • A second theory is that the plaintiff must bear the cost of preventative measures to reduce risk.
    • A third theory is that the plaintiff will experience anxiety because of the breach, but courts will reject this theory if based on increased risk alone.
  • If data breaches do not cause harm, why have federal and state legislators and agencies passed laws concerning data breaches?
  • Courts are moving towards recognition of hard-to-see harms, intangible harms, emotional distress, and future harms; however, it is challenging to measure such harms, and to avoid the possibility that plaintiffs will magnify such harms artificially.
  • A data breach puts one’s credit history at risk of being affected by fraudulent future transactions; courts should recognize reasonable risks and reasonable emotional distress as harms in such cases.
  • Imposing liability for data breaches that cause only minor harm could have major downstream consequences, such as putting firms into bankruptcy; however, courts should disregard these downstream problems, because the problem of undeterred data breaches is more serious.


Get The Article

Find the full article online

Search for Full Article