Psychological Data Breach Harms
23 North Carolina Journal of Law & Technology (2021)
66 Pages. Posted: 23 Mar 2021. Last revised: 29 Mar 2022
Date Written: February 15, 2021
Cybersecurity law, both in statutory and case law, is primarily based on the premise that data breaches result exclusively in financial harms. Intuitively, legal scholarship has largely been focused on financial harms to the exclusion of non-financial harms—emotional and mental—that also arise from data breaches. A critical mass of research in psychology, psychiatry, and internet studies shows that consumers whose information has been compromised suffer from serious emotional and mental conditions as a result. This Article seeks to evaluate cybersecurity law in light of this reality and proposes a framework to address these psychological data breach harms.
Psychological data breach harms raise significant challenges for which the law does not adequately account. Consumers suffering these harms are unlikely to pursue litigation and, even if consumers do pursue litigation, are unlikely to prevail because of both standing and cause of action reasons. In a similar vein, different cybersecurity law frameworks, such as the Computer Fraud and Abuse Act, data security laws, data breach notification laws, and Federal Trade Commission enforcement, do not generally recognize any harms that are non-monetary in nature. Moreover, companies suffering data breaches are not legally required to offer any assistance or mitigation response for consumers who may suffer psychological harms. Contributing to these challenges is the fact that breached companies are often not even required to disclose breaches that are unlikely to cause future financial harm.
Cybersecurity law currently overlooks a conceptual framework for psychological data breach harms; this Article offers that framework. First, this Article argues for the recognition of psychological data breach harms in the context of cybersecurity, from the very outset. Second, this Article makes concrete recommendations on how psychological data breach harms ought to be addressed, both by regulators and breached entities, as well as the appropriate remedies. Finally, this Article calls for a reconsideration of what we mean by “personal information” and for the expansion of information categories that cybersecurity law should protect.
Keywords: data breach, cybersecurity law, psychological data breach harm