Cybersecurity law, both in statutory and case law, is primarily based on the premise that data breaches result exclusively in financial harms. Intuitively, legal scholarship has largely focused on financial harms to the exclusion of non-financial harms— emotional and mental—that also arise from data breaches. A critical mass of research in psychology, psychiatry, and internet studies shows that consumers whose information has been compromised suffer from serious emotional and mental conditions as a result. This Article seeks to evaluate cybersecurity law in light of this reality and proposes a framework to address these psychological data breach harms.
Psychological data breach harms raise significant challenges for which the law does not adequately account. Consumers suffering these harms are unlikely to pursue litigation and, even if consumers do pursue litigation, are unlikely to prevail because of both standing and cause of action reasons. In a similar vein, different cybersecurity law frameworks, such as the Computer Fraud and Abuse Act, data security laws, data breach notification laws, and Federal Trade Commission enforcement, do not generally recognize harms that are non-monetary in nature. Moreover, companies suffering data breaches are not legally required to offer any assistance to, or mitigation response for, consumers who suffer psychological harms. Contributing to these challenges is the fact that breached companies are often not even required to disclose breaches that are unlikely to cause future financial harm.
Cybersecurity law currently overlooks a conceptual framework for psychological data breach harms; this Article offers that framework. First, this Article argues for the recognition of psychological data breach harms in the context of cybersecurity from the very outset. Second, this Article makes concrete recommendations on how psychological data breach harms ought to be addressed, both by regulators and breached entities, as well as recommends the appropriate remedies. Finally, this Article calls for a reconsideration of what “personal information” means and for the expansion of information categories that cybersecurity law should protect.
Author: Ido Kilovaty
Volume 23, Issue 1