No Harm, No Foul? Exploring the Harm Caused by Data Breaches

Abstract

This thesis explores the harm that occurs to individuals whose data has been exposed to a third party as a result of a data breach, but which has not been used to commit identity theft or fraud. The vast majority of Americans disclose their Personally Identifiable Information (PII) to private entities almost everyday. Yet this information is increasingly insecure in those hands, as a recent rise in data breaches makes evident. Law responded to this problem, in part, by criminalizing hacking and identity theft. But have individuals suffered harm when their data has been made vulnerable? Where the hacker has not used the PII to commit fraud, American courts have concluded that there is simply no harm for them to redress. This thesis examines the premise that individuals have not suffered harm unless they have sustained a concrete financial injury. Part I engages scholarly literature to explain the concept of autonomy. This Part develops how each of liberty, dignity and privacy protect the value of autonomy in American law. Part II then applies each of these concepts in the data breach context to show that the resulting harm is to an individual's autonomy. Unlike other instances in which autonomy is vulnerable, here neither privacy nor liberty can be convincingly used as a legal tool to protect it. Instead, the proper tool is the invocation of dignitary harms. Faced with an uncertainty about how their information may be used, victims lose awareness of their negative freedom. This harm deserves legal redress. Finally, Part III argues for the practical utility of the harm inquiry. Recently, the FTC has been challenged to identify what, if any, injuries befall consumers whose data has been made vulnerable where there has been no identity theft. This thesis urges the recognition of the harm as one to individual's dignity. Doing so refocuses the inquiry against the companies who hold PII, instead of the hacker who acquires it. Doing so also justifies FTC actions against such companies.