Value of Personal Information Theories in Data Privacy Class Actions

A theory of harm frequently alleged in consumer and employee data breach class actions is that plaintiffs “lost the value of personal information.” That is, plaintiffs allege that their sensitive information held by the defendant had value, and the cyberattack on the defendant exfiltrating the data diminished that value.

Assessing economic injury and damages under this type of theory presents economists with questions that may seem semantic but are in fact foundational. What does it mean for “data” to have “value”? And what does it mean for the “value” of “data” to “be lost” as a result of unauthorized disclosure in a cyberattack?

This article will provide an introduction for practitioners to the economic concepts behind these questions.

Market Value Methodologies & Exfiltrated Data

As a starting point for assessing “value of information” theories, it is important to remember that the relevant economic framework is the comparison of what actually happened—the “actual world”—and what would have happened if the cyberattack at issue in the particular litigation did not occur—the “but-for world.”

That is, for a given individual in a proposed class to have suffered economic injury under this theory, it must be the case that the value of the exfiltrated data to that individual diminished relative to a but-for world because of the cyberattack. Put differently, it must be the case that the exfiltrated data would be worth more to the individual class member in the but-for world.

Importantly, the relevant economic question is not whether—in general—certain data may have certain types of value to certain types of entities. This distinction is important because the economic arguments with respect to “value of information” claims often purport to rely on “market value” methodologies.

To read and download the full article please click here.