Privacy law scholar Daniel Solove has a great opinion piece, inspired, in part, by the Maine Supreme Court ruling in the Hannaford Bros. case. Dan writes, in part:
There are at least three general bases upon which plaintiffs argue they are injured by a data security breach:
1. The exposure of their data has caused them emotional distress.
2. The exposure of their data has subjected them to an increased risk of harm from identity theft, fraud, or other injury.
3. The exposure of their data has resulted in their having to expend time and money to prevent future fraud, such as signing up for credit monitoring, contacting credit reporting agencies and placing fraud alerts on their accounts, and so on.
Courts have rejected all three of these arguments. In many data security breach cases, courts are dismissing claims not because companies practiced reasonable security and weren’t negligent — indeed, in many cases, companies were grossly negligent, even reckless. I’m continually stunned by how shoddy security practices keep occurring — such as the all-too-common lost laptop with millions of unencrypted records of consumer data. Instead, courts are dismissing cases even in the face of negligence (or worse) because they conclude that people aren’t really harmed by the exposure of their data.
Read more on Concurring Opinions.