Risk and Anxiety: A Theory of Data Breach Harms
UVA Law Faculty Affiliations
In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their claims are viable. Plaintiffs have argued that data breaches create a risk of future injury from identity theft or fraud and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge, resulting in a lack of consensus among courts and an incoherent jurisprudence.
In the past five years, the U.S. Supreme Court has contributed to this confounding state of affairs. In 2013, the Court in Clapper v. Amnesty International concluded that fear and anxiety about surveillance – and the cost of taking measures to protect against it – were too speculative to constitute “injury in fact” for standing. The Court emphasized that injury must be “certainly impending” to warrant recognition. This past term, the U.S. Supreme Court in Spokeo v. Robins issued an opinion aimed at clarifying the harm required for standing in a case involving personal data. But far from providing guidance, the opinion fostered greater confusion. What the Court made clear, however, was that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. In cases involving informational injuries, when is intangible injury like increased risk and anxiety “certainly impending” or “substantially likely to occur” to warrant standing? The answer is unclear.
Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach. In this essay, we examine why courts have struggled when dealing with harms caused by data breaches. The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has, been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law.
We argue that courts are far too dismissive of certain forms of data breach harm. In many instances, courts should find that data breaches cause cognizable harm. We explore how existing legal foundations support the recognition of such harm. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way.