Nicolas Vermeys shows that by limiting security breach notification requirements to a privacy issue, legislators have narrowed the scope of possible claims and, therefore, the chances of success of class action suits based on these claims. In the absence of legislative will to address this issue, lawyers should reconsider their approach to security breach liability issues. Legal responses to security breaches address only their impact on personal information and therefore limit the ability of those affected to seek recourse beyond privacy claims. Further, even within these claims, such an approach places unattainable evidentiary burdens on plaintiffs. They often face difficulties proving compensable privacy harms and establishing causality and, as a result, are unable to meet the certification threshold. A broader approach to security breaches that focuses on all elements of the AIC (Availability, Integrity, and Confidentiality) triad – and moves beyond privacy – can strengthen and broaden the range of legal options for victims of security breaches.