This Article seeks to improve enforcement of the duty of companies to safeguard personal data in their possession. It is notoriously difficult for data breach victims to succeed in class actions against companies that failed to take reasonable steps to safeguard their personal data. Many commentators have argued that existing legal rules should be relaxed or applied differently in data breach cases.

This Article argues instead that litigants and the courts should take more seriously unjust enrichment as a cause of action in those cases. The Article makes two main contributions. First, it critically analyzes the two main theories of unjust enrichment observed in data breach cases: the overpayment theory and the “would not have shopped” theory. It in turn proposes an alternative, and more plausible, account of the elements that must be proved for the overpayment theory. Second, it explains how the facilitative effects of these unjust enrichment claims on class actions solve a powerful enforcement deficit with respect to data security.