Credit-Monitoring Damages in Cybersecurity Tort Litigation

43 Pages. Posted: 16 Sep 2012. Last revised: 13 Mar 2014.

Vincent R. Johnson

Saint Mary's University of San Antonio

Date Written: October 5, 2011

Abstract

This article argues that the costs of credit monitoring should be recoverable in cybersecurity tort litigation. If a data subject’s personal information has been seriously exposed to improper access by a data possessor’s negligence, expenses incurred to detect the opening of unauthorized accounts should be compensable. This issue — which is far from definitively resolved — arises with great frequency in suits against banks, universities, retailers, and employers.

Although early court decisions denied recovery of credit monitoring damages on a variety of grounds, recent developments have called that precedent into question. On the one hand, there is increasing recognition that data possessors have a duty to protect the personal information of data subjects from improper access and to reveal information about breaches in data security. On the other hand, businesses now routinely make voluntary offers of credit monitoring to cybersecurity victims; class action settlements often provide compensation for credit monitoring; and courts and administrative agencies impose sanctions which require provision of credit monitoring services or reimbursement for the same.

Credit monitoring enables the persons placed at risk by a data security breach to promptly detect the opening of unauthorized accounts and to take remedial action. Thus, the costs of credit monitoring are a reasonable and necessary response to any serious breach of cybersecurity. Recovery of credit monitoring damages is consistent with basic tort rules (including the duty to mitigate damages) and the principles of public policy favoring deterrence of deficient data practices and efficient allocation of losses.

Suggested Citation

Johnson, Vincent R., Credit-Monitoring Damages in Cybersecurity Tort Litigation (October 5, 2011). George Mason Law Review, Vol. 19, No. 1, 2011, Available at SSRN: https://ssrn.com/abstract=2147492

Vincent R. Johnson (Contact Author)

Saint Mary's University of San Antonio

1 Camino Santa Maria
San Antonio, TX 78023
United States
210-431-2131 (Phone)
