Author(s)
Source
Texas Law Review, Vol. 96, No. 4, pp. 737-786, 2018
Summary
Data breaches increase the risk that consumers will be victims of fraud. But courts are reluctant to recognize that this increased risk is a sufficient harm to justify a lawsuit. Recognizing such harms might lead to more bankruptcies, but would deter data breaches.
Policy Relevance
Courts should be more willing to recognize intangible harms from data breaches.
Main Points
- In federal court, a plaintiff suing for harm from a firm’s loss of personal data must show “standing;” the plaintiff must allege an injury in fact, that is, a concrete harm, not a conjectural or hypothetical harm.
- Data breaches involve leaks of personal data such as financial account information, driver’s license numbers, social security numbers, and biometric markers.
- Plaintiffs suing because of a data breach usually offer three theories of harm.
- One theory is that the plaintiff faces an increased risk of future injury, but most courts reject this as too speculative.
- A second theory is that the plaintiff must bear the cost of preventative measures to reduce risk.
- A third theory is that the plaintiff will experience anxiety because of the breach, but courts will reject this theory if based on increased risk alone.
- If data breaches do not cause harm, why have federal and state legislators and agencies passed laws concerning data breaches?
- Courts are moving towards recognition of hard-to-see harms, intangible harms, emotional distress, and future harms; however, it is challenging to measure such harms, and to avoid the possibility that plaintiffs will magnify such harms artificially.
- A data breach puts one’s credit history at risk of being affected by fraudulent future transactions; courts should recognize reasonable risks and reasonable emotional distress as harms in such cases.
- Imposing liability for data breaches that cause only minor harm could have major downstream consequences, such as putting firms into bankruptcy; however, courts should disregard these downstream problems, because the problem of undeterred data breaches is more serious.