My new article was just published: Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). I co-authored the piece with Professor Danielle Keats Citron. We argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm. There are two key dimensions to data breach harm — risk and anxiety — both of which have been an area of struggle for courts.
Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the world of the judiciary, other fields and industries have recognized risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. These bodies of law are oddly ignored in data breach cases.
When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.
We aim to provide greater coherence to this troubled body of law. We work our way through a series of examples — various types of data breach — and discuss whether harm should be recognized. We don’t think harm should be recognized in all instances, but there are many situations where we would find harm where the majority of courts today would not.
The article can be downloaded for free on SSRN.
Here’s the abstract:
In this post, I provide a brief overview of my scholarship last year.
I co-authored Risk and Anxiety: A Theory of Data Breach Harms with Professor Danielle Keats Citron. The piece is forthcoming in Texas Law Review this year. Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse. Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?” We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.
Download Risk and Anxiety: A Theory of Data Breach Harms for free.
Here are some notable books on privacy and security from 2017. For a more comprehensive list of nonfiction works about privacy and security, see the resource page Professor Paul Schwartz and I maintain on Nonfiction Privacy + Security Books.
Countless women have been coming forward to say #MeToo and share their traumatic stories of sexual harassment and assault. But there are many stories we’re not hearing. These stories are being silenced by extremely broad nondisclosure agreements (NDAs), some made at the outset of employment and others when settling litigation over sexual harassment. They stop victims from talking. They also silence other employees who witness sexual harassment of co-workers. NDAs were a powerful device used by Harvey Weinstein to hush up what he was doing.
In her new book, You Don’t Own Me: How Mattel v. MGA Entertainment Exposed Barbie’s Dark Side, Professor Orly Lobel tells a fascinating story about the Barbie versus Bratz litigation, which went on for about a decade. Her book is a page turner — told as a story that could readily be a movie. The book succeeds brilliantly as a gripping tale. But it goes beyond great storytelling to explore many important issues related to business, employment, and intellectual property: the enormous power of corporate employers, the weaponized use of intellectual property to stifle innovation, the dismal failure of business ethics, the troubling use of nondisclosure agreements (NDAs) to maintain dominance and power, and the punishing litigation process.
In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about. “I’ve got nothing to hide,” they declare. “The only people who should worry are those who are doing something immoral or illegal.”
The nothing-to-hide argument is ubiquitous. This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007). It was a short law review piece, one that I thought would be read by only a few people. But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay. I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press 2011).
This year is the 10th anniversary of the piece. A lot has happened between then and now. Not too long before I wrote my essay, there were revelations of illegal NSA surveillance. A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again. This was the climate in which I wrote the essay.
Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority. Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.
Nevertheless, the nothing-to-hide argument is far from vanquished. There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.
Here are a few short excerpts from my nothing-to-hide essay: