About | HeinOnline Law Journal Library | HeinOnline Law Journal Library | HeinOnline
LOG IN
LOG IN

96 Tex. L. Rev. 737 (2017-2018)
Risk and Anxiety: A Theory of Data-Breach Harms

handle is hein.journals/tlr96 and id is 785 raw text is: Risk and Anxiety: A Theory of Data-Breach Harms Daniel J. Solove* & Danielle Keats Citron* In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintifs have standing to sue in federal court and whether their legal claims are viable. Plaintiffs have argued that data breaches create a risk of future injury, such as identity theft, fraud, or damaged reputations, and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data-breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge. In the past five years, the U.S. Supreme Court has contributed to the confusion. In 2013, the Court, in Clapper v. Amnesty International, concluded that fear and anxiety about surveillance-and the cost of taking measures to protect against it-were too speculative to satisfy the injury in fact requirement to warrant standing. This past term, the U.S. Supreme Court stated in Spokeo v. Robins that intangible injury, including the risk of injury, could be sufficient to establish harm. When does an increased risk of future injury and anxiety constitute harm? The answer remains unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach. In this Article, we examine why courts have struggled to conceptualize harms caused by data breaches. The difficulty largely stems from the fact that data-breach harms are intangible, risk-oriented, and difuse. Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive ofcertain forms ofdata-breach harm and can and should find cognizable harms. We demonstrate how courts can * John Marshall Harlan Research Professor of Law, George Washington University Law School. We are grateful to Ryan Calo for thoughtfully responding to our work and to Texas Law Review for inviting the conversation. Thanks to Catharine Sharkey, Deven Desai, Will DeVries, Susan Freiwald, Woodrow Hartzog, Chris Hoofnagle, Margot Kaminski, Gregory Keating, Orin Kerr, William McGeveran, Joel Reidenberg, Felix Wu, and the participants at the Privacy Law Scholars Conference for helpful comments. We would like to thank Kristen Bertch, Ariel Glickman, Cassie Meijas, Susan McCarty, and Austin Mooney for their research assistance. We are grateful to the editors of the Texas Law Review for their superb assistance. ** Morton & Sophia Macht Professor of Law, University of Maryland Francis King Carey School of Law; Affiliate Fellow, Yale Information Society Project; Affiliate Scholar, Stanford Center on Internet & Society.

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

Purchase Access

Contact us for annual subscription options:

Contact Us

Already a HeinOnline Subscriber?

Log In

profiles profiles most