Cybersecurity, Data Breaches, and the Economic Loss Doctrine
49 Pages. Posted: 29 Jul 2015
Date Written: July 28, 2015
Abstract
Data breaches are pervasive and costly. Recent civil data breach cases have centered on the consumer credit card payment chain in the retail industry. An important issue in such cases is whether the economic loss doctrine should bar negligence claims for purely pecuniary losses suffered by a non-negligent party, such as an issuing bank or a federal credit union that must incur costs to reimburse cardholders for fraudulent use of stolen card numbers. The economic loss doctrine should not bar these claims. Large-scale data networks, such as the consumer credit card network, often entail significant network externalities. These include externalities relating to market concentration as well as to the "weakest link" nature of security in these networks. Although the primary players in these networks are tied together in a complex web of contractual relationships, there are significant transaction costs involved with any effort to change or monitor another party’s security measures. Moreover, "outside" entities such as third-party payment processors, which are not in contractual privity with all other parties in the network, have become ubiquitous. Under these circumstances, a negligence rule should help improve cybersecurity hygiene and promote a more robust cyber risk insurance market.
Keywords: cybersecurity, data breach, externalities, negligence, economic loss rule, economic loss doctrine
JEL Classification: D62, K00, K13, K21