George Mason Law Review
When someone improperly accesses or discloses an individual’s personal information, the subject of that data breach is often at an increased risk of identity theft. One way for an affected data subject to guard against this risk is to subscribe to a credit-monitoring service. Recently, potential cybersecurity defendants have provided credit-monitoring services to affected data subjects voluntarily, and courts have approved credit-monitoring compensation as part of class-action settlements. These developments demonstrate that credit-monitoring expenditures are both reasonable and necessary when a serious breach of data security occurs. Furthermore, the economic loss rule should not bar recovery of credit-monitoring damages because the data-protection obligations imposed by state and federal data-security laws are not a proper subject for private bargaining.
By requiring data possessors to cover credit-monitoring costs, courts will deter breaches of cybersecurity. Data possessors will have an incentive to implement reasonable precautions to guard against unauthorized data access and to avoid unnecessarily risky practices related to the handling and storing of digital personal information. Moreover, judicial recognition of this element of damages will tend to reduce the costs of cyber-related losses. Thus, treating credit-monitoring damages as compensable is not only consistent with basic legal principles and established tort theories, but also supported by several principles of public policy that have played a major role in shaping contemporary American tort law.
Vincent R. Johnson, Credit-Monitoring Damages in Cybersecurity Tort Litigation, 19 Geo. Mason L. Rev. 113 (2011).