About a week ago, a friend of mine (whose name will be withheld unless he or she tells me to reveal it) asked what I thought about the approach to damages taken by the plaintiffs in Pisciotta v. Old National Bancorp (previous blog post about that case is here). In that case, the plaintiffs, in addition to asking for damages to cover credit monitoring costs, also requested compensation for emotional damage caused by elevated risk of identity theft. The problem is that, as in most identity exposure cases, the court dismissed the plaintiffs' cause of action, saying that they had suffered no present compensable injury because their identities hadn't actually been stolen. The emotional harm the plaintiffs may have suffered was dismissed as being connected to the potential future harm, rather than to any completed present harm.
My guess is that plaintiffs in the future aren't likely to get much mileage out of emotional harm arguments. Courts have uniformly rejected claims for damages based on exposure of data, and the 7th Circuit in Pisciotta v. Old National Bancorp was simply following the trend. Where plaintiffs may be more successful is in cases where they can show that they have suffered some direct out-of-pocket cost (other than credit monitoring) as a result of a security breach. This includes not only individual consumers who are victims of identity theft, but also other commercial entities, such as banks, who are forced to spend money by the breach itself (e.g., by reissuing credit cards).