Risk and Anxiety: A Theory of Data Breach Harms

41 Pages Posted: 15 Dec 2016 Last revised: 24 Feb 2017

Daniel J. Solove

George Washington University Law School

Danielle Keats Citron

University of Maryland Francis King Carey School of Law; Yale University - Yale Information Society Project; Stanford Law School Center for Internet and Society

Date Written: December 14, 2016

Abstract

In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their claims are viable. Plaintiffs have argued that data breaches create a risk of future injury from identity theft or fraud and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge, resulting in a lack of consensus among courts and an incoherent jurisprudence.

In the past five years, the U.S. Supreme Court has contributed to this confounding state of affairs. In 2013, the Court in Clapper v. Amnesty International concluded that fear and anxiety about surveillance – and the cost of taking measures to protect against it – were too speculative to constitute “injury in fact” for standing. The Court emphasized that injury must be “certainly impending” to warrant recognition. This past term, the U.S. Supreme Court in Spokeo v. Robins issued an opinion aimed at clarifying the harm required for standing in a case involving personal data. But far from providing guidance, the opinion fostered greater confusion. What the Court made clear, however, was that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. In cases involving informational injuries, when is intangible injury like increased risk and anxiety “certainly impending” or “substantially likely to occur” to warrant standing? The answer is unclear.

Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach. In this essay, we examine why courts have struggled when dealing with harms caused by data breaches. The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has, been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law.

We argue that courts are far too dismissive of certain forms of data breach harm. In many instances, courts should find that data breaches cause cognizable harm. We explore how existing legal foundations support the recognition of such harm. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way.

Keywords: Data Breach, Data Security, Cybersecurity, Harms, Clapper, Spokeo, Standing, Privacy

Suggested Citation

Solove, Daniel J. and Citron, Danielle Keats, Risk and Anxiety: A Theory of Data Breach Harms (December 14, 2016). 96 Texas Law Review, Forthcoming 2017; GWU Law School Public Law Research Paper No. 2017-2; GWU Legal Studies Research Paper No. 2017-2; U of Maryland Legal Studies Research Paper No. 2017-3. Available at SSRN: https://ssrn.com/abstract=2885638

Daniel J. Solove (Contact Author)

George Washington University Law School ( email )

2000 H Street, N.W.
Washington, DC 20052
United States
202-994-9514 (Phone)

HOME PAGE: http://danielsolove.com

Danielle Keats Citron

University of Maryland Francis King Carey School of Law ( email )

500 West Baltimore Street
Baltimore, MD 21201-1786
United States

Yale University - Yale Information Society Project

127 Wall Street
New Haven, CT 06511
United States

Stanford Law School Center for Internet and Society

Palo Alto, CA
United States

Paper statistics

Downloads
827
Rank
21,774
Abstract Views
3,291