Ido Kilovaty (University of Tulsa College of Law, Yale University – Law School) has posted “Psychological Data Breach Harms” (23 North Carolina Journal of Law & Technology (2021)) on SSRN. Here is the abstract:
Cybersecurity law, both in statutory and case law, is primarily based on the premise that data breaches result exclusively in financial harms. Intuitively, legal scholarship has largely been focused on financial harms to the exclusion of non-financial harms, emotional and mental, that also arise from data breaches. There is now a critical mass of research showing that consumers whose information has been compromised suffer from serious emotional and mental conditions as a result. This Article seeks to evaluate cybersecurity law in light of this reality and propose a framework to address these psychological data breach harms.
Psychological data breach harms arising from data breaches raise a plethora of significant challenges which the law does not adequately account for. Consumers suffering these harms are unlikely to pursue litigation, nor are they likely to prevail in it, for both standing and cause-of-action reasons. In a similar vein, different cybersecurity law frameworks, such as the Computer Fraud and Abuse Act, data security laws, data breach notification laws, and FTC enforcement, do not generally recognize any harms that are non-monetary in nature. Moreover, companies suffering data breaches are not legally required to offer any assistance or mitigation for consumers who may suffer psychological harms. Contributing to these challenges is the fact that breached companies are often not even required to disclose breaches that are unlikely to cause future financial harm.
This Article offers a legal and conceptual framework for psychological data breach harms, which cybersecurity law currently overlooks. First, this Article argues for the recognition of psychological data breach harms within the process of cybersecurity, from the very outset. Second, this Article makes concrete recommendations on how psychological data breach harms ought to be addressed, both by regulators and breached entities, as well as the appropriate remedies. Third, this Article calls for a reconsideration of what we mean by “personal information,” and for the expansion of information categories that cybersecurity law protects.