A Private Enforcement Remedy for Information Misuse

63 Pages Posted: 21 Mar 2019 Last revised: 29 May 2019

Date Written: February 23, 2019

Abstract

Misuse of users’ personally identifiable information is persistent and pervasive. This article addresses two questions: Why is information misuse so common and so severe? And how could domestic law change to make it less so?

I use a simple model to illustrate that companies externalize information misuse costs onto users, which has two related but distinct effects: chronic underinvestment in information security and excessive retention of user data. I then seize on this observation to propose a specific legal vehicle at the heart of this article—what I call a private enforcement remedy. This private enforcement remedy has four essential features.

First, the remedy must be created under state law. State law provides a viable alternative when federal courts have used constitutional standing doctrine to express overt hostility to privacy harms.

Second, the law should impose a fiduciary duty on entities that collect or retain users’ information. Structuring the remedy this way insulates it from attack by a weaponized First Amendment.

Third, breach of an information fiduciary’s duty should be a strict liability tort. The arguments for strict liability in products cases apply with even greater force to informational harms.

Fourth, the statute that creates this private enforcement remedy should prescribe a schedule that begins with nominal damages and attorneys’ fees for strict liability, and it should increase monetary penalties with a defendant’s culpability. The remedy’s central purpose is to reshape incentives, so the damages schedule should not be unduly punitive or effect a windfall for plaintiffs’ attorneys.

Keywords: digital privacy, cybersecurity, data breach, information security, data misuse, standing, Spokeo v. Robins, information fiduciary, Sorrell v. IMS Health, strict liability, nominal damages, federal courts

Suggested Citation

Ormerod, Peter, A Private Enforcement Remedy for Information Misuse (February 23, 2019). 60 Boston College Law Review, Forthcoming. Available at SSRN: https://ssrn.com/abstract=3340674

Peter Ormerod (Contact Author)

Western Carolina University ( email )

United States

Register to save articles to
your library

Register

Paper statistics

Downloads
59
Abstract Views
438
rank
357,706
PlumX Metrics