Cybersecurity, Identity Theft, and the Limits of Tort Liability

From Cybersecurity Wiki
Revision as of 16:40, 17 June 2010 by Felix (talk | contribs) (New page: ==Full Title of Reference== Cybersecurity, Identity Theft, and the Limits of Tort Liability ==Full Citation== Cybersecurity, Identity Theft, and the Limits of Tort Liability (bepress Le...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Full Title of Reference

Cybersecurity, Identity Theft, and the Limits of Tort Liability

Full Citation

Cybersecurity, Identity Theft, and the Limits of Tort Liability (bepress Legal Series. Working Paper 713, 2005). Web

BibTeX

Categorization

Key Words

identity fraud/theft, communications privacy law

Synopsis

This article considers to what extent database possessors (such as credit card companies and universities) can be held liable for harm caused to data subjects (such as consumers, applicants, and alumni) when information relating to those persons is hacked or otherwise subject to improper access. Addressing common-law and statutory sources (including new legislation in 17 states) the article clearly differentiates the duty to safeguard data from the duty to notify data subjects that the security of their information has been breached. By analogy to the “medical-monitoring damages” which some states award in toxic-exposure cases, the article argues that “security-monitoring damages” should be available in database-intrusion cases. More specifically, the article proposes that, in cases of ordinary negligence, the interests of society will be best served by limiting recoverable economics losses to the cost of security-monitoring damages once a database possessor discloses to the affected individual the fact that data has been improperly accessed. This approach will encourage database possessors to discover and reveal instances of data intrusion. It will also place data subjects in a position to protect their own interests by monitoring their economic and personal security when there is heightened vulnerability.

Additional Notes and Highlights

Outline: 

    The Vulnerable Foundations of Modern Society ................................................. Page 1

II. The Duty to Protect Database Information ........................................................ Page 10 

    A.     Statutes Legislatively Creating a Cause of Action .................................                       Page 10
    B.     Statutes Judicially Determined to Set the Standard of Care ................                               Page 12
           1.     The Gramm-Leach-Bliley Act ......................................................                  Page 13
           2.     State Security Breach Notification Laws ....................................                       Page 18
    C.     Basic Tort Principles .................................................................................   Page 19
           1.     Palsgraf, Kline, and Related Cases ..............................................                  Page 19
           2.     Public Policy Analysis ...................................................................         Page 23
           3.     Voluntary Assumption of Duty ....................................................                  Page 25
    D.     Fiduciary Obligations ...............................................................................     Page 27

III. The Duty to Reveal Evidence of Security Breaches ........................................... Page 30 

    A.     Statutory Duties ........................................................................................ Page 31
    B.     Basic Tort Principles .................................................................................   Page 36
                  General Duty or Limited Duty .....................................................                 Page 36
           1.
           2.     The Obligation to Correct Previous Statements ........................                             Page 40
           3.     Conduct Creating a Continuing Risk of Physical Harm ...........                                    Page 41
    C.     Fiduciary Duty of Candor ........................................................................         Page 43

IV. Limiting Cybersecurity Tort Liability ................................................................ Page 44 

           The Economic-Loss Rule ..........................................................................         Page 44
    A.
    B.     Emotional-Distress Damages ...................................................................            Page 52
           Security-Monitoring Damages .................................................................             Page 54
    C.

V. Conclusion: Security in Insecure Times ............................................................ Page 60

Retrieved from "http://cyber.harvard.edu/cybersecurity/?title=Cybersecurity,_Identity_Theft,_and_the_Limits_of_Tort_Liability&oldid=1408"