Credit-Monitoring Damages in Cybersecurity Tort Litigation
43 Pages. Posted: 16 Sep 2012. Last revised: 13 Mar 2014
Date Written: October 5, 2011
This article argues that the costs of credit monitoring should be recoverable in cybersecurity tort litigation. If a data subject’s personal information has been seriously exposed to improper access by a data possessor’s negligence, expenses incurred to detect the opening of unauthorized accounts should be compensable. This issue — which is far from definitively resolved — arises with great frequency in suits against banks, universities, retailers, and employers.
Although early court decisions denied recovery of credit monitoring damages on a variety of grounds, recent developments have called that precedent into question. On the one hand, there is increasing recognition that data possessors have a duty to protect the personal information of data subjects from improper access and to reveal information about breaches in data security. On the other hand, businesses now routinely make voluntary offers of credit monitoring to cybersecurity victims; class action settlements often provide compensation for credit monitoring; and courts and administrative agencies impose sanctions which require provision of credit monitoring services or reimbursement for the same.
Credit monitoring enables the persons placed at risk by a data security breach to promptly detect the opening of unauthorized accounts and to take remedial action. Thus, the costs of credit monitoring are a reasonable and necessary response to any serious breach of cybersecurity. Recovery of credit monitoring damages is consistent with basic tort rules (including the duty to mitigate damages) and the principles of public policy favoring deterrence of deficient data practices and efficient allocation of losses.