Liability for Data Injuries

68 Pages Posted: 30 Jul 2018 Last revised: 5 Apr 2019

Jay P. Kesan

University of Illinois College of Law

Carol Mullins Hayes

University of Washington - The Information School

Date Written: June 26, 2018


Data insecurity affects the general public to a significant degree, and the law needs to step forward and cope with the challenges posed by data breaches, data misuse, and data injuries. The primary goal of this article is to provide a thorough analytical framework for data breach cases that specifically focuses on the evolutions needed in the areas of duty and injury in shaping the contours of liability for data injuries. This article represents the first comprehensive analysis of a duty to secure data within the modern context of data insecurity. While most of our focus is on data breaches, the principles explored in this article are broad enough to be applied helpfully in data misuse cases as well, including the recent controversy over Facebook’s permissive data use practices.

We examine duty as a part of a negligence framework for data insecurity harms, and we argue that courts should recognize a legal duty to secure data. This duty is made necessary by pervasive cognitive biases that result in systematic underestimation of cyber risk by firms and individuals and interfere with the risk management process. A legal duty to secure data is also supported by statutory trends towards liability for people who were upstream or downstream of a data thief.

We also analyze data injuries. Courts struggle with fitting data insecurity injuries within the existing legal models, but part of the reason for that is the preoccupation with economic harm, which is a poor method for quantifying privacy injuries. The erosion of privacy through neglect of security is troubling, and the legal system must shift away from traditional economic measurements of injury and focus instead on the fact that data insecurity is a social harm. Data insecurity is a privacy injury and an injury to autonomy that interferes with self-determination, and it should be analyzed as such. Our article represents another step forward in the process of aligning legal protections with the societal shifts driven by technological changes.

Suggested Citation

Kesan, Jay P. and Hayes, Carol Mullins, Liability for Data Injuries (June 26, 2018). University of Illinois Law Review, Vol. 2019, Issue 1, pp. 295, University of Illinois College of Law Legal Studies Research Paper No. 18-28, Available at SSRN:

Jay P. Kesan (Contact Author)

University of Illinois College of Law

504 E. Pennsylvania Avenue
Champaign, IL 61820
United States
217-333-7887 (Phone)
217-244-1478 (Fax)


Carol Mullins Hayes

University of Washington - The Information School

Box 353350
Seattle, WA 98195
United States
