The Duty of Data Security
74 Pages Posted: 7 Jul 2018 Last revised: 13 Dec 2018
Date Written: June 19, 2018
As data breaches become larger and more frequent, the question naturally arises: what precautions does the law require of the data custodians who hold our personal information in their digital files? What is the legal duty of data security? According to some scholars and lawyers, the law is insufficiently specific, concrete, or uniform to answer that question. Attorneys representing companies that have been breached go so far as to argue that the duty of data security is “an unknown (and unknowable) standard.” Under this view, private entities warehouse vast quantities of personal data, but cannot possibly ascertain the obligations the law imposes on them to protect it.
That claim is balderdash. This Article demonstrates that the law is already settling upon a well-defined, if context-dependent, duty of data security. It examines fourteen different sources of data security obligations for private companies in the United States, half of them formal legal rules and half derived from the private ordering of industry-based requirements. This analysis demonstrates how all these frameworks, selected to represent the breadth of data security obligations, are converging on a common set of standards. The numerous sources of a duty of data security sound together in harmony, not cacophony. The nascent consensus formulates a duty just as clear as countless other requirements of reasonableness that permeate the law.
In addition, this Article identifies normative justifications for the content and nature of this emerging duty of data security, particularly its underpinning in principles of reasonableness and risk assessment. Indeed, the duty of data security is taking its early steps along a well-worn path in the law. It is being guided by deeply familiar legal forces, including the preference for standards over rules when governing fast-moving and complex subjects; the adoption of industry custom, which has shaped law from early contract doctrine to modern professional liability; and even a version of Judge Learned Hand’s cost-benefit calculus from the legendary Carroll Towing decision.
Keywords: Cybersecurity, Data Security, Privacy, Information Privacy, Cyberlaw, Consumer, FTC, Insurance
JEL Classification: K10, K20, K23
Suggested Citation: Suggested Citation