This Article examines what harm occurs to individuals whose data have been made vulnerable (that is, out of the original receiving party’s control) in the wake of a data breach, but who have not yet been victims of identity theft. In addition, this Article discusses whether the law responds to any harm that does not occur. In addressing these questions, the Article attempts to avoid a marked tendency to resort to so-called intuitionist arguments, in which harm is assumed as self-evident but not described. Instead, this Article examines what harm occurs at each discrete sequence of events within the data breach context: (1) the transfer of PII from the individual to the PII recipient; (2) the storage and security of the PII; and (3) the breach itself.
