Risk and anxiety: A theory of data breach harms

Abstract

In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their legal claims are viable. Plaintiffs have argued that data breaches create a risk of future injury, such as identity theft, fraud, or damaged reputations, and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data-breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge. In the past five years, the U.S. Supreme Court has contributed to the confusion. In 2013, the Court, in Clapper v. Amnesty International, concluded that fear and anxiety about surveillance—and the cost of taking measures to protect against it—were too speculative to satisfy the “injury in fact” requirement to warrant standing. This past term, the U.S. Supreme Court stated in Spokeo v. Robins that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. When does an increased risk of future injury and anxiety constitute harm? The answer remains unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach. In this Article, we examine why courts have struggled to conceptualize harms caused by data breaches. The difficulty largely stems from the fact that data-breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive of certain forms of data-breach harm and can and should find cognizable harms. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way, drawing upon existing legal precedent.