Here’s the problem: data breaches are on the rise, but they may not cause provable losses. This gap exists because traditional legal theories do not adequately protect the privacy interests at stake. Should the law have a method for identifying and capturing wrongful gain from those breaches? If so, should private plaintiffs be able to strip such gains in order to undo unjust enrichment and deter opportunism? Bernard Chao articulates why the law of unjust enrichment and restitution present a viable pathway for plaintiffs to hold data breachers accountable by disgorging gains earned from the breach. As Chao’s article shows, the law of unjust enrichment will provide both a basis for a more viable cause of action and a preferred remedy. The preferred remedy is disgorgement of profits.
Chao effectively shows the need for this paper as well as the justification for the lure of restitution. The lack of familiarity with and misconceptions about this body of law make Chao’s task a difficult one. Redesigning the solution requires an appreciation of law that is beyond the working knowledge of countless law professors, litigators, and judges. Scholars bemoan data breach laws as insufficient. Some scholars and judges see data breach problems as governed by common doctrinal boxes such as tort, privacy, and contract law, and assume one or more of those boxes forecloses any ability to pursue unjust enrichment paths. This limited conception needs to change. Unjust enrichment and restitution law is equally applicable, and ultimately, more advantageous as a pathway to recovery. Restitution has the ability to address the wrong, and shape an ideal remedy that overcomes otherwise insurmountable obstacles for the victims of data breach. It is not without limits. Once raised properly, judges and juries can effectively fashion the relief to avoid unjust enrichment. Chao’s work will go far in achieving this critical repositioning of the law of restitution.
Existing scholarship suggests broadening conceptions of privacy harms. Rethinking what constitutes harms adds value to the scholarly dialogue. But, as Chao demonstrates, those theories will continue to encounter obstacles of proof given the elements of such causes of action. It is true that judicial interpretations of harm are sometimes restricted unnecessarily to financial losses. Incorporating intangible harms is a step in the right direction, but it does not solve all of the possible proof problems. Unjust enrichment law avoids this roadblock by removing the focus from compensating for plaintiff’s losses to preventing the wrongdoer’s unjust gains made as a result of the data breach.
The first part of Chao’s article describes typical privacy losses and how establishing the proof of those losses will be the downfall of most plaintiffs. Both the law of contract and tort pose barriers to recovery for victims: The goals of such causes of action have traditionally been to compensate victims for loss. As he wisely notes, these barriers have no real connection to the underlying merits of the privacy victims’ allegations of wrongdoing. Conventional bodies of law view plaintiffs’ intangible or hard-to-prove damages as not cognizable. If an individual can’t sell her own data, how can she prove that misuse of that data has caused her to sustain a financial loss? Further, the fact that she has not sold her own data shows that she values it above the market price; thus demonstrating that a market-price measure of damages would also be inadequate. This is the problem the classic doctrines of compensatory remedies pose for plaintiffs.
Further, Chao addresses the obstacle of constitutional standing as it relates to plaintiff’s need to show actual injury. He usefully explores Clapper v. Amnesty International, and Spokeo, Inc. v. Robins. Chao builds on the critiques raised by other scholars such as Felix Wu who criticize standing doctrine’s current strictures. As Chao notes, standing requirements continue to pose significant hurdles for plaintiffs. Chao then suggests the law of unjust enrichment and restitution as the best solution to all these problems. Gain-based theories add a wrinkle to standing jurisprudence, but unjust enrichment claims meet standing strictures, as the Spokeo amicus brief filed by restitution and remedies scholars demonstrated.
Instead of focusing on plaintiff’s harm, unjust enrichment keys to defendant’s wrongful gain. Chao asserts that privacy scholars have ignored unjust enrichment and forgotten restitution remedies. According to Chao, Daniel Solove and Danielle Keats Citron’s important contribution on data breach harms only notes unjust enrichment in passing as one possible way to address the injury. Unfortunately, they are not alone. Lawyers and courts, too, fail to treat restitution seriously. As Chao explains, the law of unjust enrichment and restitution disappeared from the American legal mindset. Doug Laycock documented this lamentable absence from our collective imaginations in his important work: Restoring Restitution to the Canon. Chao is correct that there is much work needed to rebuild this foundation.
It starts with education. Chao’s article offers definitions to assist readers with both the underlying theories of restitution as well as its remedies including disgorgement. He also explores exactly how the law of restitution applies to privacy breaches, and how it overcomes many of the doctrinal hurdles found in tort, contract, and constitutional law. The incredible work of the American Law Institute’s Restatement (Third) of Restitution and Unjust Enrichment (2011) is another amazing resource with over 1,400 pages of applications and related commentary. American law schools should offer courses in restitution again. Andrew Kull, the Reporter for the Restatement, and Ward Farnsworth authored a wonderful restitution casebook in the hopes that if you build it, they will come. I was lucky enough to teach this material in an advanced course at the University of Florida Levin College of Law. My students frequently wondered why they hadn’t studied any of the restitution cases before. They appreciated the variety of scenarios that could raise unjust enrichment, and the ways that the law of unjust enrichment and its remedies could offer relief where other bodies of law failed. The remedial power of restitution’s disgorgement and its constructive trust have undeniable appeal. We also spent much time discussing viable defenses to restitution claims and remedies. The law of unjust enrichment contains its own doctrinal hurdles, and company defendants will raise a host of defenses including efforts to offset profits with those it had every right to make. Courts are capable of balancing the interests of justice with doctrines of limitation such as attribution. But unjust enrichment will go far to open more access to claims and remedies than more traditional claims covering data breaches.
Until more are able to offer courses in restitution, we are fortunate to have thoughtful articles like Bernard Chao’s that conduct inquiries in the forgotten corners of the law. Restitution may not be a panacea, but restitution has more than enough to offer to solve many thorny problems raised by privacy and data breaches. If a company improperly uses a victim’s data and profits from that wrongful use, why shouldn’t the law honor a claim to disgorge that unjust gain? Chao concludes that the law should, and I agree.