Cybersecurity, Identity Theft, and the Limits of Tort Liability
Full Title of Reference
Cybersecurity, Identity Theft, and the Limits of Tort Liability
- Threats and Actors: Actors and Incentives
- Issues: Economics of Cybersecurity; Incentives; Information Sharing/Disclosure; Privacy
- Approaches: Regulation/Liability
This article considers to what extent database possessors (such as credit card companies and universities) can be held liable for harm caused to data subjects (such as consumers, applicants, and alumni) when information relating to those persons is hacked or otherwise subject to improper access. Addressing common-law and statutory sources the article differentiates the duty to safeguard data from the duty to notify data subjects that the security of their information has been breached. By analogy to the “medical-monitoring damages” which some states award in toxic-exposure cases, the article argues that “security-monitoring damages” should be available in database-intrusion cases. More specifically, the article proposes that, in cases of ordinary negligence, the interests of society will be best served by limiting recoverable economics losses to the cost of security-monitoring damages once a database possessor discloses to the affected individual the fact that data has been improperly accessed. This approach will encourage database possessors to discover and reveal instances of data intrusion. It will also place data subjects in a position to protect their own interests by monitoring their economic and personal security when there is heightened vulnerability.
The Duty to Protect Personal Information
A legal duty to exercise due care for storage of personal information may arise from statute or common law. Statutorily created duties may specifically allow or disallow a private right of action where that duty is breached. If a statute is silent on a private right of action, a plaintiff may bring a tort suit under common law legal theories establishing a duty to protect information. Alternately, a statute which mandates specific action be taken to protect personal information may serve as a predicate for a tort action under the theory of negligence per se. Under this theory, a court may determine that violation of a statute designed to protect a group the plaintiff is a member of from the type of harm the plaintiff suffered sets the standard for negligence to impose civil liability. However, where a statute merely requires that data be adequately protected, as opposed to mandating a particular data protection technique, it is not useful to speak of negligence per se.
Under the common law, a a database possessor's duty to safeguard information from intruders may arise because the possessor is in the best position to take the necessary measures for overall protection of data. However the parties must have a relationship recognized by law for that duty to arise. "The strongest cases for imposing a common law duty to guard data from intruders will be those in which there is a business relationship between the defendant database possessor and the plaintiff data subject. This conclusion makes sense on economic as well as doctrinal grounds. Imposing a duty of care in these cases will force the database possessor, who benefits from the use of computerized information, to internalize losses relating to improperly accessed data as a cost of doing business. That duty will in turn create an incentive for database possessors to scrutinize whether their business methods are really worth the costs they entail. At the same time, the imposition of a duty in a business context gives the database possessor a means for distributing the loss by adjusting the price of the goods or services it sells to the class of persons that ultimately benefits from the defendant's business methods. That reallocation of losses will help ensure that the costs relating to improperly accessed data will not fall with crushing weight on either the data subject or the database possessor. "
"Imposing a tort duty under which database possessors will be liable for negligent data security practices will inevitably leave many questions unanswered. To say that an enterprise has a duty to exercise reasonable care to ensure data security provides no clear guidance as to practical questions, such as how often patches should be applied to security software. But these types of questions are no different than those that courts face in a thousand other settings when they apply the rules of negligence liability. Over the long run, the burden of uncertainty will be minimized by evolving guidance found in scholarship discussing court decisions and legislation, the development of industry customs, and the promulgation of regulations which help define conduct required of a potential defendant seeking to avoid liability.
The Duty to Reveal Evidence of Security Breaches
Even where there is no basis for a tort claim for failure to reasonably protect a database containing personal information, there may exist a duty to disclose information regarding an actual breach in data security. "There are at least four ways of imposing on potential defendants a duty to reveal a compromise in database security. First, a statute may impose a duty, either as a result of the statute's express terms or as a result of judicial reliance on the statute as the proper expression of the standard of care. Second, a duty may arise from common law principles governing negligence liability generally. Third, there may be a duty under law of misrepresentation, which imposes a general duty to update previously accurate statements (e.g., statements relating to data security) that are the basis for pending or continuing reliance by the recipient of the statements. Finally, failure-to-act rules may require the exercise of reasonable care to avoid or minimize damages if a database possessor's conduct created a continuing risk of physical harm."
Limiting Cyberspace Tort Liability
The economic loss rule disallows recovery of financial losses unless the plaintiff can show damage to his person or property. "[T]he economic-loss rule serves three very different functions: avoidance of too broad a scope of liability; insistence that damages be proved with certainty; and definition of the doctrinal boundary between contract law and torts."
It is fairly easy to demonstrate actual out-of-pocket losses due to a data breach so such losses should be reimbursable in tort. However, "requests for recovery and compensation for time spent restoring one's good credit or for opportunities lost as a result of a bad credit rating" should not be recoverable. "Victims of identity theft spend six hundred hours on average to restore their credit. The harm suffered by these victims is tremendous, but valuing these lost hours would be difficult. If these damages amounted to compensation for the plaintiffs' time measured at their usual hourly rate of earnings, the awards to professionals, minimum wage workers, and unemployed homemakers would vary widely - perhaps without good reason. Similarly, if every victim received the same amount for the value of lost time, how would that amount be set? Ensuring uniformity in valuing damages for lost time is a task better committed to legislatures than to the multitude of fact-finders who will preside over numerous tort claims."
"The problems of compensating for the value of lost opportunities - such as the lost chance to buy a house, obtain a car loan, or open a cell phone account - are also obvious. How does one prove precisely which opportunities the plaintiff lost and what those opportunities meant in economic terms to the plaintiff? In addition, there is a clear risk of imposing an excessively wide range of liability. Negligence requires only a momentary misstep, whether in the data protection arena or in other contexts. To say that a negligent database possessor should be liable to a broad class of persons for all of their lost opportunities - as well as out-of-pocket and perhaps other damages - would quickly pose a serious risk of liability disproportionate to fault. These issues suggest that courts have a greater reason to apply the economic-loss rule to bar claims for lost time and lost opportunities than to hold that a plaintiff cannot recover out-of-pocket losses."
Incentives to Reveal Security Breaches
It does make sense to require data possessors to provide notification of security violations. "Database possessors who suffer a security breach are often reluctant to discover and report those developments for fear of triggering adverse publicity, legal liability, or increased attacks by hackers. As a result, there is often an undesirable lag between the occurrence of an intrusion, discovery of that breach, and revelation of the events to data subjects." Yet, "revelation that a breach of security occurred enables data subjects to protect their interests through increased vigilance against identity theft and other types of harm."
"[L]egislatures should give database possessors a legal incentive to discover and report unauthorized database intrusions. That incentive could take the form of a limitation on liability. One reasonable option would be to cap the database possessor's exposure to liability at the moment the database possessor reveals the breach to the data subject. ... Once the database possessor provides notice of the security breach, the data subject is in a better position than the database possessor to monitor the risk of harm and to take action against threats to the data subject's credit and personal security. The cap on damages could take the form of limiting liability to an amount equivalent to the out-of-pocket costs of monitoring security and taking reasonably necessary steps to prevent identity theft and other losses." This cap would not apply in cases of egregious conduct. "A plaintiff who can establish that the defendant acted with reckless indifference or intentional disregard in failing to protect data should be able to avoid the limitation on liability."
"The bargain of capping a cybersecurity plaintiff's damages at the cost of monitoring security if the database possessor provides notification of a security breach is not a bad one. From the standpoint of the data subject, the plaintiff may be better off with a warning and reimbursement for the out-of-pocket costs of vigilance than gambling on a tort action against the database possessor. A tort suit would be fraught with many obstacles: a possibly short statute of limitations if the intruder does not quickly exploit the improperly accessed data; a risk that the court will not find the database possessor's negligence to be a proximate cause of resulting criminal conduct; a likelihood that the economic-loss or "exposure" rules may bar key portions of the damages; and a possibility that the court might find that the database possessor had no duty at all."
"Nor is the bargain bad for database possessors. Capping damages at the cost of security monitoring would avoid the risk of catastrophic liability for personal injuries that sometimes occur, the possibility of exposure to property-damage claims, and the chance that a court might narrowly construe the applicability of the economic-loss rule. Some companies faced with the risk of liability from loss of personal data have voluntarily provided affected persons with security-monitoring protection."
"Moreover, society would be better off if the law capped damages at the cost of security monitoring in exchange for victim notification whenever there is a security breach. The only ways to minimize the losses stemming from database intrusions (aside from criminal penalties, which seem ineffective) are to spur investment in data security, to discover when intrusions occur, and to warn persons whose interests are at risk. A cap on damages in exchange for notification of security breaches would not undercut the database possessors' incentives to invest in data security. Database possessors would still be subject to state and federal laws that impose various sanctions relating to cybersecurity; they would still face the threats of bad publicity and consumer disaffection resulting from disclosure of security breaches; and at least some possessors (e.g., credit card companies) would still stand to lose millions of dollars as a result of fraudulent use of personal information. However, capping damages at security-monitoring costs would help to ensure that database possessors are not subject to ruinous tort judgments. The cap would create incentives to discover security breaches and to internalize the resulting security-monitoring costs that those intrusions entail. Consumers would also be better able to protect their own interest in the variety of ways discussed above. In addition, the cap on damages might also reduce the threat of overburdening already overworked federal and state courts. The cap would greatly simplify damages issues in cybersecurity cases and guidance from the courts would quickly define the average costs of security monitoring, thereby promoting the settlement of cases. Indeed, limiting liability to security-monitoring damages is also likely to promote insurance coverage of intruder-related losses by making the extent of liability more certain, thereby facilitating the pricing of insurance coverage."
Additional Notes and Highlights
I. The Vulnerable Foundations of Modern Society II. The Duty to Protect Database Information A. Statutes Legislatively Creating a Cause of Action B. Statutes Judicially Determined to Set the Standard of Care 1. The Gramm-Leach-Bliley Act 2. State Security Breach Notification Laws C. Basic Tort Principles 1. Palsgraf, Kline, and Related Cases 2. Public Policy Analysis 3. Voluntary Assumption of Duty D. Fiduciary Obligations III. The Duty to Reveal Evidence of Security Breaches A. Statutory Duties B. Basic Tort Principles 1. General Duty or Limited Duty 2. The Obligation to Correct Previous Statements 3. Conduct Creating a Continuing Risk of Physical Harm C. Fiduciary Duty of Candor IV. Limiting Cybersecurity Tort Liability A. The Economic-Loss Rule B. Emotional-Distress Damages C. Security-Monitoring Damages V. Conclusion: Security in Insecure Times