COMPARATIVE LEGAL FRAMEWORKS FOR THE COMPENSATION OF NON-MATERIAL HARM FROM CYBERATTACKS

Abstract

Cyberattacks frequently inflict not only financial losses but also significant non-material harm, including psychological distress, reputational damage, and loss of control over personal data. Legal frameworks across jurisdictions vary widely in how they recognize and compensate such intangible harm. This thesis provides a comparative analysis of how the European Union, the United Kingdom, the United States, and Japan address non-material damage resulting from cyber incidents. It finds that EU law explicitly allows compensation for non-material harm (for example, under data protection regulations), and recent court decisions have affirmed that even loss of data control or emotional upset can be compensable if actual and proven. In contrast, English courts have been more cautious, generally requiring proof of distress beyond a de minimis threshold before awarding damages for data breaches, although UK privacy torts have recognized loss of privacy itself as a head of damage in egregious cases. The U.S. legal approach remains the most restrictive – victims of cyberattacks often struggle to sue for purely emotional or reputational harm absent concrete financial injury, due to stringent standing and damage requirements, though some state laws now provide statutory damages for data breaches. Japan’s system, influenced by civil law principles, acknowledges mental anguish from privacy violations as compensable even without economic loss, but awards are typically modest, reflecting a policy of recognition rather than punishment.