Cybersecurity and Data Breach Harms: Theory and Reality

David W. Opderbeck

This Article challenges the view among some privacy scholars that private law should routinely recognize dignitary, emotional distress, or potential future harms in commercial data breach cases. Such harms might be cognizable in specific and relatively rare circumstances, but they are not empirically or doctrinally viable in the mine run of cases. A realistic account of how commercial cybercrime works and how cybercriminals make money demonstrates that a reasonable person should not become excessively anxious upon receipt of a data breach notification. At this point in the history of cyberspace, commercial cybercrime is a systemic problem more than an individual one. Systemic solutions focused on strengthening data security provisions in comprehensive privacy laws, enhancing payment card security, updating fraud prevention measures related to credit reporting, and reforming aspects of the credit reporting and U.S. Social Security numbering systems should play a more important role than private litigation. A focus on anxiety-based harms in data breach cases, in contrast, would yield few cybersecurity benefits while distorting longstanding tort doctrines and transferring rents to class action lawyers.