
2019 Jotwell: J. Things We Like 1 (2019)
Data Breach Harms - Bringing in the Courts, or Leaving Them out?

Technology Law
The Journal of Things We Like (Lots)

Data Breach Harms - Bringing in the Courts, or Leaving Them Out?

Author: Tal Zarsky

Date: February 19, 2019

Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 Tex. L. Rev. 737
(2018).

As more and more of our daily activities and private lives shift to the digital realm, maintaining digital security has
become a vital task. Private and public entities find themselves in the position of controlling vast amounts of personal
information and therefore responsible for assuring such information does not find its way to unauthorized hands. In
some cases, there are strong incentives to maintain high standards of digital security, as security breaches are a real
pain. When reports on such breaches are made public, they generate reputation costs, lead to regulatory scrutiny and
often call for substantial out-of-pocket expenses to fix. Unfortunately, however, the internal incentives for maintaining
high security standards are often insufficient motivators. In such cases, the security measures taken are unfitting,
outdated and generally unacceptable. These are the instances where legal intervention is required.

There are several possible regulatory strategies to try and improve digital security standards. One option calls for
greater transparency regarding breaches that led to personal data leakage and other negative outcomes. Another
option calls upon the government to set data security standards and enforce them, at least in key sectors (more on
these two options and their limitations, below). Yet an additional central form of legal intervention is through private
litigation and the court system. However, key doctrinal hurdles in the United States currently make it extremely difficult
to sue for damages resulting from security breaches. In an important recent paper, Daniel Solove and Danielle Citron,
two prominent privacy scholars, explain what these hurdles are, how to overcome them, and why such doctrinal
changes are essential.

As the authors explain, the key to many of the challenges of data security litigation is the concept of harm, or lack
thereof. A finding of actual, tangible harm is crucial for establishing standing, which requires demonstrating an injury
that is both concrete and actual (or at least imminent). Without standing, the case is thrown out immediately without
additional consideration. Additionally, tort-based claims (as opposed to some property-based claims) require a showing
of harm. And when examining data security claims, courts require tangible damages to prove harm. Security-related
harms are often considered intangible. Therefore, many data security-related lawsuits are either immediately blocked
or ultimately fail.

The complex issue of harm, standing and data security/privacy has been recently addressed by the U.S. Supreme
Court in Clapper v. Amnesty International USA (where the Court generally rejected hypothetical injuries as sufficient
to establish standing) and more recently in Spokeo Inc. v. Robins. In this latter case (addressing the standing and the
FCRA) the Court has, at least in principle, recognized that intangible harms could be considered as sufficiently
"concrete" if they generate the risk of real harm, and thus provide plaintiffs with standing. Furthermore, an additional
case, Frank v. Gaos, is currently before the Supreme Court. While this latter case focuses on the practice of cy pres
settlements in class actions, it appears to incidentally yet again raise questions related to standing, harms and digital
security/privacy, this time with regard to referrer headers.

In response to the noted challenges security litigation faces, the authors call upon courts to enter the 21st century and
accept changes to the doctrines governing the establishment of harm. They convincingly show that security breaches
indeed create both harm and anxiety, but of somewhat different form. In fact, they assert, some courts have already
begun to recognize harms resulting from data security breaches. For instance, courts have found that a mere
increased risk of identity theft constitutes actual harm (even before such theft has occurred) when the data has made

