A Long-Standing Debate: Reflections on Risk and Anxiety: A Theory of Data Breach Harms by Daniel Solove and Danielle Keats Citron

Response - Online Edition - Volume 96

I jumped at the opportunity to respond to Risk and Anxiety: A Theory of Data Breach Harms[1] by two of the leading lights of privacy law. I find I am hard-pressed to name two scholars who have had a greater influence on the arc of contemporary privacy law than Daniel Solove and Danielle Keats Citron. Professor Solove co-founded (with Chris Hoofnagle) the flagship privacy law conference[2] and is the author of many of the field’s foundational texts.[3] Like Beatles albums in the 1960s, each new Professor Citron paper seems to anticipate and channel the direction of the discipline.[4] Both scholars help set the collegial and supportive tone that surprises and delights new entrants to the field.

This jointly-authored Article contributes mightily to our understanding of a critical aspect of privacy: harm. As Professors Solove and Citron carefully evidence, courts are reticent to countenance the harms that flow from a violation of privacy, even as they compensate similar harms in other contexts.[5] Thus while exposing a plaintiff to an environmental or health risk may be compensable, few decisions vindicate victims of a data breach unless or until they experience actual identity theft.[6] Courts have recognized subjective harms such as fear since the night W de S threw his fateful axe at M de S.[7] But courts seldom recognize harm in anxieties over data exposure so significant that they have contributed to suicide.[8]

Such privacy harm exceptionalism is pervasive and problematic.[9] Yet Professors Solove and Citron’s account is in a sense hopeful: perhaps courts are reticent to countenance privacy harms for traditional reasons such as the lack of a limiting principle or the concern over plaintiff fraud. The central contribution of the Article resides in its deep excavation of the “ample conceptual foundations” for recognizing risk and anxiety as concrete harms in the context of privacy and in the rigorous framework it offers courts to assess these harms.[10]

While not quite as specific as, for instance, Lior Strahilevitz’s invocation of social network theory to calibrate reputational harms,[11] the Solove–Citron approach equips courts with far better tools by which to identify, calibrate, and address privacy harms resulting from a data breach. I have little doubt that courts will look to this Article as they navigate data breach litigation, an area of jurisprudence that only grows in impact and importance year by year.

Despite my widespread agreement with Risk and Anxiety, I suspect the analysis is missing a step. Presumably Congress can create a protectable interest—including a privacy interest—where none existed before.[12] The question is whether Congress, with enough specificity of intent, could create a right to be free from privacy risk or anxiety or whether the very nature of these injuries somehow offends Article III.[13] In this way, privacy harm turns out to be an interesting testing ground for a longstanding debate about the limits of legislatively conferred standing.[14] And solving the puzzle of privacy harm arguably requires addressing this debate directly.

Privacy exceptionalism is pervasive; it is not universal. Consider the experiences of many plaintiffs with the Fair and Accurate Credit Transactions Act (FACTA).[15] As of 2006, FACTA requires all businesses to truncate a consumer’s credit card number on any electronically printed receipt precisely to avoid the risk of identity theft.[16] FACTA has a private cause of action and provides for statutory damages of up to $1,000 per violation.[17] For years, plaintiffs’ lawyers made a lucrative practice of suing businesses that failed to comply with FACTA. A good deal of these lawsuits succeeded without regard to whether the unmasked credit card number actually caused a monetary harm.[18] That is why you almost never see a non-compliant receipt anymore. These courts did not wring their hands over risk or anxiety because the law instructed them not to.

Not all FACTA cases went forward.[19] And plaintiffs have fared far worse in other contexts. Compare the Supreme Court’s interpretation of the Privacy Act of 1974.[20] Federal Aviation Administration v. Cooper[21] involved a licensed pilot living with human immunodeficiency virus or HIV.[22] The Social Security Administration contravened the Privacy Act by sharing Stanmore Cooper’s status with the Federal Aviation Administration, which resulted, among other things, in Cooper losing his license and employment.[23]

Like FACTA, the Privacy Act furnishes victims with a private cause of action.[24] And like FACTA, the Privacy Act guarantees minimum damages, providing that “the United States shall be liable to the individual in an amount equal to the sum of actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1000.”[25] Congress promulgated the Privacy Act amidst a passionate debate over whether the mere existence of government databases represents an affront to citizen autonomy. The language seems clear enough that anyone who suffers an “adverse effect,”[26] such as the destruction of their very livelihood, from a violation of the Act is entitled to at least $1000, but up to their actual damages.[27] Nevertheless, the Supreme Court somehow read into this language the intent by Congress to require the plaintiff to show specific pecuniary harm and dismissed the case on this basis.[28]

Why do plaintiffs succeed under FACTA but lose under the Privacy Act when, in both instances, the plaintiff showed a violation of a statute meant to safeguard their data with a private cause of action and minimum statutory damages?

Maybe the answer can be found, as Professors Solove and Citron assume, in the failure of courts to appreciate privacy harm’s fullest scope. But there are other theories to rule out. Note that the Supreme Court tortured the language of the Privacy Act, finding Congressional intent to deny recovery absent evidence of actual harm in a minimum damages clause, rather than premise the decision entirely on standing.[29] Perhaps even with greater care and specificity as to the nature of the protected interest, Congress might have bound the courts to permit compensation for a far wider range of injuries than literal pecuniary loss.

Accordingly, I would be curious as to what guidance Professors Solove and Citron might offer lawmakers. What language could a lawmaker, inclined to address privacy harm exceptionalism head on through the political process, employ that would avoid the pitfalls of Cooper? And what lessons do the authors believe the context of privacy can teach us about the capacity of the legislatures to create a protectable interest where none existed before?

Risk and Anxiety represents a wonderful contribution to an important topic. Perhaps it is a testament to the Article’s success that it leaves this reader wanting to hear more. I am grateful for this opportunity to comment and to the authors themselves for their creativity, mentoring, and grace.

  1. Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas L. Rev. 737, 737 (2018).
  2. Privacy Law Scholars Conference, U.C. Berkeley Sch. of Law 2, Oct. 2, 2013, http://sites.law.berkeley.edu/privacylaw/wp-content/uploads/sites/8/2013/02/plsc2009.pdf [https://perma.cc/3YNT-867B].
  3. See, e.g., Daniel J. Solove, Understanding Privacy (2010); Daniel J. Solove, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (2008).
  4. See, e.g., Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. Cal. L. Rev. 241 (2007).
  5. Solove & Citron, supra note 1, at 738–47.
  6. Id. at 741–42.
  7. I de S et ux. v. W de S, Y.B.Lib.Ass. folio 99, placitum 60 (Assizes 1348), reprinted in William L. Prosser & John W. Wade, Cases and Materials on Torts 36 (5th ed. 1971) (early assault case).
  8. Solove & Citron, supra note 1, at 765 (citing Woodrow Hartzog & Danielle Citron, Five Unexpected Lessons from the Ashley Madison Breach, Ars Technica (Dec. 19, 2016), https://arstechnica.co.uk/tech-policy/2016/12/op-ed-five-unexpected-lessons-from-the-ashley-madison-breach/ [https://perma.cc/32JW-3USU]).
  9. See generally Ryan Calo, Privacy Harm Exceptionalism, 12 Colo. Tech. L.J. 361 (2014).
  10. Solove & Citron, supra note 1, at 745.
  11. Lior Strahilevitz, A Social Networks Theory of Privacy, 72 U. Chi. L. Rev. 919, 974–75 (2005).
  12. See William A. Fletcher, The Structure of Standing, 98 Yale L.J. 221, 223–24 (1988).
  13. See Gladstone Realtors v. Village of Bellwood, 441 U.S. 91, 99 (1979) (reiterating the actual or threatened injury requirement of constitutional standing).
  14. See Heather Elliott, Congress’s Inability to Solve Standing Problems, 91 Boston U. L. Rev. 159, 162, 171 (2011) (noting the confusion surrounding standing doctrine over several decades); Evan Tsen Lee & Josephine Mason Ellis, The Standing Doctrine’s Dirty Little Secret, 107 Nw. U. L. Rev. 169, 170–75 (2012) (discussing the contradictions in standing doctrine).
  15. Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §§ 1681–1681x (2012).
  16. Id. § 1681c(g)(1).
  17. Id. § 1681n.
  18. See, e.g., Deschaaf v. American Valet & Limousine Inc., 234 F. Supp. 3d 964, 970 (D. Ariz. 2017); Wood v. J. Choo USA, Inc., 201 F. Supp. 3d 1332, 1337–38 (S.D. Fla. 2016); Guarisma v. Microsoft Corp., 209 F. Supp. 3d 1261, 1266 (S.D. Fla. 2016); Altman v. White House Black Market, No. 1:15-cv-2451-SCJ, 2016 WL 3946780, *1 (N.D. Ga. July 13, 2016) (“Plaintiff does not allege actual damages . . . .”).
  19. E.g., Katz v. Donna Karan Int’l Inc., No. 14 Civ. 740 (PAC), 2017 WL 2191605, *7 (S.D.N.Y. May 17, 2017); O’Shea v. Richard & Son, LLC, No. 15 Civ. 9069 (KPF), 2017 WL 3327602, *8 (S.D.N.Y. Aug. 3, 2017).
  20. 5 U.S.C. § 552 (2012).
  21. 566 U.S. 284 (2012).
  22. Id. at 287.
  23. Id. at 288.
  24. 5 U.S.C. § 552a(g)(4)(a).
  25. Id.
  26. Id. at § 552a(g)(1)(d).
  27. Id. at § 552a(g)(4)(a).
  28. Cooper, 566 U.S. at 298–99.
  29. See id.