Ying Hu


This Article seeks to improve enforcement of the duty of companies to safeguard personal data in their possession. It is notoriously difficult for data breach victims to succeed in class actions against companies that failed to take reasonable steps to safeguard their personal data. Many commentators have argued that existing legal rules should be relaxed or applied differently in data breach cases.

This Article argues instead that litigants and the courts should take more seriously unjust enrichment as a cause of action in those cases. The Article makes two main contributions. First, it critically analyzes the two main theories of unjust enrichment observed in data breach cases: the overpayment theory and the “would not have shopped” theory. It in turn proposes an alternative, and more plausible, account of the elements that must be proved for the overpayment theory. Second, it explains how the facilitative effects of these unjust enrichment claims on class actions solve a powerful enforcement deficit with respect to data security.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.