Psychological Data Breach Harms

23 North Carolina Journal of Law & Technology (2021)

66 Pages. Posted: 23 Mar 2021. Last revised: 29 Mar 2022

Ido Kilovaty

University of Arkansas - School of Law; Yale University - Law School

Date Written: February 15, 2021

Abstract

Cybersecurity law, both in statutory and case law, is primarily based on the premise that data breaches result exclusively in financial harms. Intuitively, legal scholarship has largely been focused on financial harms to the exclusion of non-financial harms—emotional and mental—that also arise from data breaches. A critical mass of research in psychology, psychiatry, and internet studies shows that consumers whose information has been compromised suffer from serious emotional and mental conditions as a result. This Article seeks to evaluate cybersecurity law in light of this reality and proposes a framework to address these psychological data breach harms.

Psychological data breach harms raise significant challenges for which the law does not adequately account. Consumers suffering these harms are unlikely to pursue litigation and, even if consumers do pursue litigation, are unlikely to prevail because of both standing and cause of action reasons. In a similar vein, different cybersecurity law frameworks, such as the Computer Fraud and Abuse Act, data security laws, data breach notification laws, and Federal Trade Commission enforcement, do not generally recognize any harms that are non-monetary in nature. Moreover, companies suffering data breaches are not legally required to offer any assistance or mitigation response for consumers who may suffer psychological harms. Contributing to these challenges is the fact that breached companies are often not even required to disclose breaches that are unlikely to cause future financial harm.

Cybersecurity law currently overlooks a conceptual framework for psychological data breach harms; this Article offers that framework. First, this Article argues for the recognition of psychological data breach harms in the context of cybersecurity, from the very outset. Second, this Article makes concrete recommendations on how psychological data breach harms ought to be addressed, both by regulators and breached entities, as well as the appropriate remedies. Finally, this Article calls for a reconsideration of what we mean by “personal information” and for the expansion of information categories that cybersecurity law should protect.

Keywords: data breach, cybersecurity law, psychological data breach harm

Suggested Citation

Kilovaty, Ido, Psychological Data Breach Harms (February 15, 2021). 23 North Carolina Journal of Law & Technology (2021), Available at SSRN: https://ssrn.com/abstract=3785734 or http://dx.doi.org/10.2139/ssrn.3785734

Ido Kilovaty (Contact Author)

University of Arkansas - School of Law

260 Waterman Hall
Fayetteville, AR 72701
United States

Yale University - Law School

P.O. Box 208215
New Haven, CT 06520-8215
United States
