Credit-Monitoring Damages in Cybersecurity Tort Litigation

摘要

Part I of this Article provides an overview of the importance of credit monitoring and of tort claims related to cybersecurity. It also discusses the duty to protect digital personal information and to disclose breaches of cybersecurity, as well as the reasons why the economic loss rule should not bar claims for the costs of credit monitoring. Part II of this Article discusses the precedent dealing with credit-monitoring damages, related business practices, class-action settlements, and judicial and administrative sanctions. Part III explores the issue of whether credit-monitoring damages are analogous to the medical-monitoring damages that many states award to victims of toxic exposure. Part IV then considers arguments against the compensability of credit-monitoring damages in cybersecurity lawsuits. These include the alleged lack of present injury in cases where the plaintiff has not experienced identity theft and the ability of potential plaintiffs to self-protect against economic harm by purchasing credit-monitoring services. Part V then explains why courts should allow victims of data-security breaches to recover compensation for the costs of credit monitoring. The Article argues that protection from identity theft should be as widespread as commercial use of computerized personal information and that businesses should be required to internalize the costs of their negligent data practices. In many instances, businesses are well-situated to efficiently spread identity theft prevention costs among those who benefit from the use of computerized personal information. Finally, this Article concludes that plaintiffs should be able to recover credit-monitoring costs often in cybersecurity litigation.