Recently, TJX, Inc. announced that computer hackers breached several of TJX’s databases containing the driver’s license and credit card numbers of over 47 million customers. Within a month, a class action lawsuit attempting to hold TJX responsible for losing control of this information was filed. In the past, class action lawsuits based on the release of consumer’s personal data have failed because the plaintiffs have not alleged sufficient harms. This article examines legal claims relating to the release of personal data by companies during security breaches. To date, courts have refused to find individuals harmed by the negligent release of information, without proof that the information has been misused by a third party. In addition, courts have not found a substantial enough causal link between the release and the fraudulent use. This article also examines several doctrines which may in the future be used to limit potential defendant liability from class action claims stemming from the release of personal information.
Derek A. Bishop,
No Harm, No Foul: Limits on Damages Awards for Individuals Subject to a Data Breach,
4 Shidler J. L. Com. & Tech.
Available at: https://digitalcommons.law.uw.edu/wjlta/vol4/iss4/5