Harm has become the key issue in data breach cases. During the past 20 years, there have been hundreds of lawsuits over data breaches. In many cases, the plaintiffs have evidence to establish that reasonable care wasn’t used to protect their data. But the cases have often been dismissed because courts conclude that the plaintiffs have not suffered harm as a result of the breach. Some courts are beginning to recognize harm, leading to significant inconsistency and uncertainty in this body of law.
In a new article (still in draft form), Risk and Anxiety: A Theory of Data Breach Harms (with Professor Danielle Citron), we argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm.
There are two key dimensions to data breach harm — risk and anxiety — and courts have struggled with both.
Courts are often dismissive of increased risk as a basis for establishing harm. They are also quite dismissive of the protective measures people might take to deal with the increased risk of fraud or identity theft in the wake of a breach. Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the judiciary, other fields and industries have long treated risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. Those bodies of law are oddly ignored in data breach cases.
When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.
In recent years, the U.S. Supreme Court has decided two important cases on the issue of harm (in the context of standing, which requires an “injury in fact”). These cases, however, have resulted in more confusion than clarity.
In 2013, the Supreme Court in Clapper v. Amnesty International concluded that fear and anxiety about surveillance, and the cost of taking measures to protect against it, were too speculative to constitute an “injury in fact” for standing. In 2016, in Spokeo v. Robins, the Supreme Court noted that “intangible” injury and the “risk” of injury could be sufficient to establish harm. But the Court also said things that could make establishing an injury more difficult. In a post about the case, I wrote: “This opinion is like an M.C. Escher painting. It keeps on begging questions and sending the reader around and around in impossible loops.”
With the steady stream of data breaches, and a growing body of litigation in the courts, more progress must be made toward a coherent approach to the issue of harm. Courts have struggled so much with data breach harm because of the nature of such harms: they are intangible, risk-oriented, and diffuse. These characteristics have been particularly vexing for courts. But they are also ones that courts have made great strides in addressing during the past century.
We hope we can help bring greater coherence to this troubled body of law. Outside of the cases, there is clearly a great deal of concern about the issue. As we argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?”
In our article, we work through a series of examples — various types of data breach — and discuss whether harm should be recognized in each. We don’t think harm should be recognized in every instance, but there are many situations where we would find harm where the majority of courts today would not.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog on LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.