Liability for Data Injuries
68 Pages Posted: 30 Jul 2018 Last revised: 5 Apr 2019
Date Written: June 26, 2018
Data insecurity affects the general public to a significant degree, and the law needs to step forward and cope with the challenges posed by data breaches, data misuse, and data injuries. The primary goal of this article is to provide a thorough analytical framework for data breach cases that specifically focuses on the evolutions needed in the areas of duty and injury in shaping the contours of liability for data injuries. This article represents the first comprehensive analysis of a duty to secure data within the modern context of data insecurity. While most of our focus is on data breaches, the principles explored in this article are broad enough to be applied helpfully in data misuse cases as well, including the recent controversy over Facebook’s permissive data use practices.
We examine duty as a part of a negligence framework for data insecurity harms, and we argue that courts should recognize a legal duty to secure data. This duty is made necessary by pervasive cognitive biases that result in systematic underestimation of cyber risk by firms and individuals and interfere with the risk management process. A legal duty to secure data is also supported by statutory trends towards liability for people who were upstream or downstream of a data thief.
We also analyze data injuries. Courts struggle with fitting data insecurity injuries within the existing legal models, but part of the reason for that is the preoccupation with economic harm, which is a poor method for quantifying privacy injuries. The erosion of privacy through neglect of security is troubling, and the legal system must shift away from traditional economic measurements of injury and focus instead on the fact that data insecurity is a social harm. Data insecurity is a privacy injury and an injury to autonomy that interferes with self-determination, and it should be analyzed as such. Our article represents another step forward in the process of aligning legal protections with the societal shifts driven by technological changes.
Suggested Citation: Suggested Citation