Psychological Data Breach Harms

23 North Carolina Journal of Law & Technology (2021)

66 Pages Posted: 23 Mar 2021 Last revised: 29 Mar 2022

See all articles by Ido Kilovaty

Ido Kilovaty

University of Tulsa College of Law; Yale University - Law School

Date Written: February 15, 2021


Cybersecurity law, both in statutory and case law, is primarily based on the premise that data breaches result exclusively in financial harms. Intuitively, legal scholarship has largely been focused on financial harms to the exclusion of non-financial harms—emotional and mental—that also arise from data breaches. A critical mass of research in psychology, psychiatry, and internet studies shows that consumers whose information has been compromised suffer from serious emotional and mental conditions as a result. This Article seeks to evaluate cybersecurity law in light of this reality and proposes a framework to address these psychological data breach harms.

Psychological data breach harms raise significant challenges for which the law does not adequately account. Consumers suffering these harms are unlikely to pursue litigation and, even if consumers do pursue litigation, are unlikely to prevail because of both standing and cause of action reasons. In a similar vein, different cybersecurity law frameworks, such as the Computer Fraud and Abuse Act, data security laws, data breach notification laws, and Federal Trade Commission enforcement, do not generally recognize any harms that are non-monetary in nature. Moreover, companies suffering data breaches are not legally required to offer any assistance or mitigation response for consumers who may suffer psychological harms. Contributing to these challenges is the fact that breached companies are often not even required to disclose breaches that are unlikely to cause future financial harm.

Cybersecurity law currently overlooks a conceptual framework for psychological data breach harms; this Article offers that framework. First, this Article argues for the recognition of psychological data breach harms in the context of cybersecurity, from the very outset. Second, this Article makes concrete recommendations on how psychological data breach harms ought to be addressed, both by regulators and breached entities, as well as the appropriate remedies. Finally, this Article calls for a reconsideration of what we mean by “personal information” and for the expansion of information categories that cybersecurity law should protect.

Keywords: data breach, cybersecurity law, psychological data breach harm

Suggested Citation

Kilovaty, Ido, Psychological Data Breach Harms (February 15, 2021). 23 North Carolina Journal of Law & Technology (2021), Available at SSRN: or

Ido Kilovaty (Contact Author)

University of Tulsa College of Law ( email )

3120 E. Fourth Place
Tulsa, OK 74104
United States

Yale University - Law School ( email )

P.O. Box 208215
New Haven, CT 06520-8215
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics