Professors Solove and Citron Explain the Risk and Anxiety Harms that Arise from Data Breaches

By TAP Staff Blogger

Posted on March 14, 2018


In “Risk and Anxiety: A Theory of Data-Breach Harms,” Professors Daniel Solove and Danielle Citron challenge the courts’ inconsistent conclusions on the issue of harm resulting from data breaches. “More often than not, a plaintiff’s increased risk of financial injury and anxiety is deemed insufficient to warrant recognition of harm.”


Consider this scenario:

Suppose that Company X fails to adequately secure its clients’ personal data. Imagine the company knows that hackers previously accessed its system yet does nothing about it. This time, hackers have little difficulty accessing the company’s computer network to steal sensitive personal data about thousands of individuals. In the hackers’ hands are now the keys to those individuals’ credit and bank accounts: Social Security numbers, birth dates, and financial information. The company’s clients bring suit, seeking compensation for their increased risk of identity theft, the money they spent monitoring credit activity, and the ensuing emotional distress.


Professors Solove and Citron explain that the defining issue in the lawsuit will be harm. And they point out that there “has been no consistent or coherent judicial approach to data-breach harms.”


In their article, Professors Solove and Citron discuss the way that courts are currently deciding cases involving data-breach harms; explore why the law struggles with recognizing privacy and security violations as having caused cognizable harm; and demonstrate that there are foundations in the law for a coherent recognition of harm based upon increased risk and anxiety.


Below are a few excerpts from “Risk and Anxiety: A Theory of Data-Breach Harms” (96 Texas Law Review 737 (2017)).




In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their legal claims are viable. Plaintiffs have argued that data breaches create a risk of future injury, such as identity theft, fraud, or damaged reputations, and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data-breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge.


In the past five years, the U.S. Supreme Court has contributed to the confusion. In 2013, the Court, in Clapper v. Amnesty International, concluded that fear and anxiety about surveillance—and the cost of taking measures to protect against it—were too speculative to satisfy the “injury in fact” requirement to warrant standing. This past term, the U.S. Supreme Court stated in Spokeo v. Robins that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. When does an increased risk of future injury and anxiety constitute harm? The answer remains unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach.


In this Article, we examine why courts have struggled to conceptualize harms caused by data breaches. The difficulty largely stems from the fact that data-breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive of certain forms of data-breach harm and can and should find cognizable harms. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way, drawing upon existing legal precedent.


Issues with Showing Harm


In the past two decades, plaintiffs in hundreds of cases have sought redress for data breaches caused by inadequate data security. In most instances, there is evidence that the defendants failed to use reasonable care in securing plaintiffs’ data. The majority of the cases, however, have not turned on whether the defendants were at fault. Instead, the cases have been bogged down with the issue of harm. No matter how derelict defendants might be with regard to security, no matter how much warning defendants have about prior hacks and breaches, if plaintiffs cannot show harm, they cannot succeed in their lawsuits.


Much like Reilly [Reilly v. Ceridian Corp.], the majority of courts have ruled that injuries from data breaches are too speculative and hypothetical, too reliant on subjective fears and anxieties, and not concrete or significant enough to warrant recognition. Courts have held that the “mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury.” They have refused to find harm even in cases where hackers used malware to steal personal data and there was evidence of misuse of the data. Claims have been summarily dismissed on the grounds that plaintiffs have not suffered identity theft or could not show an imminent threat of financial injury.


Acknowledging the Risk and Anxiety from Data-Breach Harms


This issue cries out for attention. The number of people affected by data breaches continues to rise as companies collect more and more personal data in inadequately secured data reservoirs. Risk and anxiety are injuries in the here and now. Victims of data breaches have an increased risk of identity theft, fraud, and reputational damage. Once victims learn about breaches, they may be chilled from engaging in activities that depend on good credit, like house- and job-hunting. Data-breach victims might decline to search for a new home or employment since there is an increased chance that lenders or employers will find their credit reports marred by theft. They face an increased chance of being preyed upon by blackmailers, extortionists, and fraudsters promising quick fixes in exchange for data or money. Emotional distress is a crucial aspect of the suffering. Knowing that thieves may be using one’s personal data for criminal ends can produce significant anxiety. Because companies do not have to internalize these negative externalities borne by individuals, the number of data breaches continues to grow. Data breaches have become an epic problem.


In this Article, we focus on data-breach harms. We explore why courts have struggled with the issue, and we offer an approach to address data-breach harms that has roots in existing law. In what follows, we explore the nature of data-breach harms and demonstrate how the law is far from closed off to recognizing them. We show that there are ample conceptual foundations in the law to address risk and anxiety and thus to recognize data-breach harms. In some areas, the law has been developing gingerly in the direction of recognizing concepts helpful to recognizing data-breach harms; in other areas of the law, such concepts are widely accepted yet remain sequestered from similar kinds of harm in other contexts.


If a news media site published a nude photo or sex video of a person without consent, the plaintiff could prevail without establishing financial losses or physical injury because the gravamen of the harm is emotional distress. Recently, the famous former pro wrestler Hulk Hogan won $115 million in compensatory damages from media site Gawker for posting a sex video involving him without his consent. In cases involving data breaches or improper sharing of data, however, claims of emotional distress are dismissed as insufficient without even a whisper of the extensive body of law under the privacy torts that establishes otherwise. Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?


This Article has three parts: In Part I, we discuss the way that courts are currently deciding cases involving data-breach harms. In Part II, we explore why the law struggles with recognizing privacy and security violations as having caused cognizable harm. In Part III, we demonstrate that there are foundations in the law for a coherent recognition of harm based upon increased risk and anxiety. We build on this foundation, offering a framework for courts to assess risk and anxiety in a principled and consistent way.


From the Conclusion


When the law fails to recognize harm, the costs of our data-driven society are externalized onto individuals. These costs are compounding as data-breach harms aggregate. Not recognizing data-breach harms can lead to under-deterrence of data security violations as well as inadequate investment in prevention. Dealing with data-breach harms will certainly be challenging, but the law is ready, and the stakes are of paramount importance.


Read the full article: “Risk and Anxiety: A Theory of Data-Breach Harms”


