Risk and Anxiety: A Theory of Data-Breach Harms

Article Source: Texas Law Review, Vol. 96, No. 4, pp. 737-786, 2018
Publication Date:
Time to Read: 2 minute read
Written By:

Search for the full article on Bing



Data breaches increase the risk that consumers will be victims of fraud. But courts are reluctant to recognize that this increased risk is a sufficient harm to justify a lawsuit. Recognizing such harms might lead to more bankruptcies, but would deter data breaches.


Policy Relevance:

Courts should be more willing to recognize intangible harms from data breaches.


Key Takeaways:
  • In federal court, a plaintiff suing for harm from a firm’s loss of personal data must show “standing;” the plaintiff must allege an injury in fact, that is, a concrete harm, not a conjectural or hypothetical harm.
  • Data breaches involve leaks of personal data such as financial account information, driver’s license numbers, social security numbers, and biometric markers.
  • Plaintiffs suing because of a data breach usually offer three theories of harm.
    • One theory is that the plaintiff faces an increased risk of future injury, but most courts reject this as too speculative.
    • A second theory is that the plaintiff must bear the cost of preventative measures to reduce risk.
    • A third theory is that the plaintiff will experience anxiety because of the breach, but courts will reject this theory if based on increased risk alone.
  • If data breaches do not cause harm, why have federal and state legislators and agencies passed laws concerning data breaches?
  • Courts are moving towards recognition of hard-to-see harms, intangible harms, emotional distress, and future harms; however, it is challenging to measure such harms, and to avoid the possibility that plaintiffs will magnify such harms artificially.
  • A data breach puts one’s credit history at risk of being affected by fraudulent future transactions; courts should recognize reasonable risks and reasonable emotional distress as harms in such cases.
  • Imposing liability for data breaches that cause only minor harm could have major downstream consequences, such as putting firms into bankruptcy; however, courts should disregard these downstream problems, because the problem of undeterred data breaches is more serious.



Daniel Solove

About Daniel J. Solove

Daniel J. Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. He is an internationally-known expert in privacy law.

Danielle Citron

About Danielle Citron

Danielle Citron is the Jefferson Scholars Foundation Schenck Distinguished Professor in Law at the University of Virginia School of Law. She writes and teaches about privacy, free expression and civil rights. She is an Affiliate Scholar at the Stanford Center on Internet and Society, Affiliate Fellow at the Yale Information Society Project, Senior Fellow at Future of Privacy, Affiliate Faculty at the Berkman Klein Center at Harvard Law School, and a Tech Fellow at the NYU Policing Project.