Download this Paper Open PDF in Browser

Protecting Confidential Information Entrusted to Others in Business Transactions: Data Breaches, Identity Theft, and Tort Liability

29 Pages Posted: 12 Sep 2017  

Mark Geistfeld

New York University School of Law

Date Written: September 1, 2017

Abstract

Tort litigation over data breaches — defined here as the theft of one’s confidential information entrusted to another in a business transaction — most commonly involves the negligence cause of action. These claims turn on a number of issues that require searching analysis, including the manner in which the economic loss rule affects the tort duty, the relation between the negligence standard of care and strict liability, and the appropriate forms of compensable loss. Substantive analysis of these issues shows that they all can be resolved in favor of the negligence claim, which in turn justifies a rule of strict liability. The economic loss rule does not provide a substantive rationale for barring tort claims because customers do not have the information necessary to adequately protect their interests by contracting. Moreover, the common-law tort duty can be independently justified by the legislative policy decisions embodied in statutes that regulate data breaches. To prove a breach of the duty to exercise reasonable care, the victims of identity theft will often face considerable evidentiary difficulties stemming either from the complexity of data-security systems or the unreliability of other relevant evidence involving the conduct of defendant’s employees. For reasons recognized by tort law in analogous contexts, the evidentiary difficulties of proving negligence can justify a rule of strict liability for enforcing the tort duty to exercise reasonable care. Finally, the important forms of damages caused by identity theft — the cost of credit-monitoring services and the like, unauthorized charges, and any significant loss of time and emotional distress — are all compensable as a matter of basic tort principles. Strict tort liability in these cases ultimately finds justification in the important public policy of maintaining the integrity of market transactions.

Suggested Citation

Geistfeld, Mark, Protecting Confidential Information Entrusted to Others in Business Transactions: Data Breaches, Identity Theft, and Tort Liability (September 1, 2017). DePaul Law Review, Vol. 66, No. 385, 2017; NYU Law and Economics Research Paper No. 17-32; NYU School of Law, Public Law Research Paper No. 17-31. Available at SSRN: https://ssrn.com/abstract=3034469

Mark Geistfeld (Contact Author)

New York University School of Law ( email )

40 Washington Square South
Room 411A
New York, NY 10012-1099
United States
212-998-6683 (Phone)

Paper statistics

Downloads
65
Rank
295,320
Abstract Views
142