Causation and Harm in Data Breach Litigation

Cybersecurity Law & Strategy, February 2019

Demonstrating that a data breach has resulted in harm can be difficult, because it is often unclear how the breached data were used or will be used by the hackers. As a result, plaintiffs in data breach litigation typically allege harm in terms of increased risk of future injury rather than a harm that has already occurred. Because of the conjectural nature of this harm, establishing whether present or future alleged harm was caused by a given data breach can be difficult.

In the article, "Causation and Harm In Data Breach Litigation," published in’s Cybersecurity Law & Strategy newsletter and Legaltech News, Analysis Group Principal Brian Ellman and Managing Principal Jee-Yeon Lehmann propose a new framework assessing causality and harm in data breach litigations based on a familiar paradigm in medical and product liability litigation. In this framework, the causation inquiry has two components: (1) general causation (is there a plausible link between the data that were breached and the harm alleged to have occurred?); and (2) specific causation (what is the likelihood that the particular data breach was responsible for the particular injury?).

Mr. Ellman and Dr. Lehmann examine this causal paradigm in detail and discuss a recent data breach case in which the plaintiffs were able to successfully establish both general and specific causation. They point out that while clearing this threshold will often be challenging, litigators on both sides of these cases would do well to consider this framework as they strive to maximize their clients’ chances of success.

Read a PDF of the article

View the feature on Legaltech News



Ellman B, Lehmann J