Cybersecurity, Data Breaches, and the Economic Loss Doctrine

49 Pages Posted: 29 Jul 2015

Date Written: July 28, 2015


Data breaches are pervasive and costly. Recent civil data breach cases have centered on the consumer credit card payment chain in the retail industry. An important issue in such cases is whether the economic loss doctrine should bar negligence claims for purely pecuniary losses suffered by a non-negligent party, such as an issuing bank or a federal credit union that must incur costs to reimburse cardholders for fraudulent use of stolen card numbers. The economic loss doctrine should not bar these claims. Large scale data networks, such as the consumer credit card network, often entail significant network externalities. These include externalities relating to market concentration as well as to the "weakest link" nature of security in these networks. Although the primary players in these networks are tied together in a complex web of contractual relationships, there are significant transaction costs involved with any effort to change or monitor another party’s security measures. Moreover, "outside" entities such as third party payment processors, which are not in contractual privity with all other parties in the network, have become ubiquitous. Under these circumstances, a negligence rule should help improve cybersecurity hygiene and promote a more robust cyber risk insurance market.

Keywords: cybersecurity, data breach, externalities, negligence, economic loss rule, economic loss doctrine

JEL Classification: D62, K00, K13, K21

Suggested Citation

Opderbeck, David W., Cybersecurity, Data Breaches, and the Economic Loss Doctrine (July 28, 2015). Seton Hall Public Law Research Paper No. 2015-05, Available at SSRN: or

David W. Opderbeck (Contact Author)

Seton Hall Law School ( email )

One Newark Center
Newark, NJ 07102-5210
United States
973-642-8496 (Phone)

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics