Cybersecurity, Identity Theft, and the Limits of Tort Liability

From Cybersecurity Wiki
Jump to navigation Jump to search

Full Title of Reference

Cybersecurity, Identity Theft, and the Limits of Tort Liability

Full Citation

Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255 (2005). Web AltWeb



Key Words

Identity Fraud/Theft, Communications Privacy Law, Hacker, Password Weakness


This article considers to what extent database possessors (such as credit card companies and universities) can be held liable for harm caused to data subjects (such as consumers, applicants, and alumni) when information relating to those persons is hacked or otherwise subject to improper access. Addressing common-law and statutory sources (including new legislation in 17 states) the article clearly differentiates the duty to safeguard data from the duty to notify data subjects that the security of their information has been breached. By analogy to the “medical-monitoring damages” which some states award in toxic-exposure cases, the article argues that “security-monitoring damages” should be available in database-intrusion cases. More specifically, the article proposes that, in cases of ordinary negligence, the interests of society will be best served by limiting recoverable economics losses to the cost of security-monitoring damages once a database possessor discloses to the affected individual the fact that data has been improperly accessed. This approach will encourage database possessors to discover and reveal instances of data intrusion. It will also place data subjects in a position to protect their own interests by monitoring their economic and personal security when there is heightened vulnerability.

The Duty to Protect Personal Information

A legal duty to exercise due care for storage of personal information may arise from statute or common law. Statutorily created duties may specifically allow or disallow a private right of action where that duty is breached. If a statute is silent on a private right of action, a plaintiff may bring a tort suit under common law legal theories establishing a duty to protect information. Alternately, a statute which mandates specific action be taken to protect personal information may serve as a predicate for a tort action under the theory of negligence per se. Under this theory, a court may determine that violation of a statute designed to protect a group the plaintiff is a member from the type of harm the plaintiff suffered sets the standard for negligence to impose civil liability. However, where a statute merely requires that data be adequately protected, as opposed to mandating a particular data protection technique, it is not useful to speak of negligence per se.

Under the common law, a a database possessor's duty to safeguard information from intruders may arise because the possessor is in the best position to take the necessary measures for overall protection of data. However the parties must have a relationship recognized by law for that duty to arise. "The strongest cases for imposing a common law duty to guard data from intruders will be those in which there is a business relationship between the defendant database possessor and the plaintiff data subject. This conclusion makes sense on economic as well as doctrinal grounds. Imposing a duty of care in these cases will force the database possessor, who benefits from the use of computerized information, to internalize losses relating to improperly accessed data as a cost of doing business. That duty will in turn create an incentive for database possessors to scrutinize whether their business methods are really worth the costs they entail. At the same time, the imposition of a duty in a business context gives the database possessor a means for distributing the loss by adjusting the price of the goods or services it sells to the class of persons that ultimately benefits from the defendant's business methods. That reallocation of losses will help ensure that the costs relating to improperly accessed data will not fall with crushing weight on either the data subject or the database possessor. "

"Imposing a tort duty under which database possessors will be liable for negligent data security practices will inevitably leave many questions unanswered. To say that an enterprise has a duty to exercise reasonable care to ensure data security provides no clear guidance as to practical questions, such as how often patches should be applied to security software. But these types of questions are no different than those that courts face in a thousand other settings when they apply the rules of negligence liability. Over the long run, the burden of uncertainty will be minimized by evolving guidance found in scholarship discussing court decisions and legislation, the development of industry customs, and the promulgation of regulations which help define conduct required of a potential defendant seeking to avoid liability.

Even if courts do not find a duty to safeguard data, there may be a legally enforceable data-protection obligation based on a voluntary assumption of duty principles. Where the possessor of a database makes affirmative representations that it keeps private and a customer relies on those representations, "a court might reasonably interpret such a privacy policy as an undertaking to exercise reasonable care, and might conclude that a breach of that duty would support a tort cause of action."

The Duty to Reveal Evidence of Security Breaches

Additional Notes and Highlights


 I.  The Vulnerable Foundations of Modern Society
 II.  The Duty to Protect Database Information
    A.     Statutes Legislatively Creating a Cause of Action
    B.     Statutes Judicially Determined to Set the Standard of Care
           1.     The Gramm-Leach-Bliley Act
           2.     State Security Breach Notification Laws
    C.     Basic Tort Principles
           1.     Palsgraf, Kline, and Related Cases
           2.     Public Policy Analysis
           3.     Voluntary Assumption of Duty
    D.     Fiduciary Obligations
 III. The Duty to Reveal Evidence of Security Breaches
    A.     Statutory Duties
    B.     Basic Tort Principles
           1.     General Duty or Limited Duty
           2.     The Obligation to Correct Previous Statements
           3.     Conduct Creating a Continuing Risk of Physical Harm
    C.     Fiduciary Duty of Candor
 IV.  Limiting Cybersecurity Tort Liability
    A.     The Economic-Loss Rule
    B.     Emotional-Distress Damages
    C.     Security-Monitoring Damages
 V.   Conclusion: Security in Insecure Times