Addressing data breach harms has become a great challenge in the administration of privacy law in the United States. Several data breach cases have been dismissed by US courts because the victims cannot prove cognizable harm. The current US legal system emphasizes that data breach victims must prove that they have suffered an “injury in fact,” which means that the injury suffered must be concrete and particularized. Data breach harms are futuristic and hard-to-quantify, reasons for which they may not fit in the “injury in fact” requirement. Furthermore, victims of data violations have attempted to plead economic loss to prove the harm suffered, but with no success. This article suggests a new approach that aims at addressing privacy harms without necessarily proving economically quantifiable harm.