A Private Enforcement Remedy for Information Misuse

57 Pages Posted: 21 Mar 2019 Last revised: 4 Nov 2019

See all articles by Peter Ormerod

Peter Ormerod

Northern Illinois University College of Law

Date Written: February 23, 2019


Misuse of users’ personally identifiable information is persistent and pervasive. This article addresses two questions: Why is information misuse so common and so severe? And how could domestic law change to make it less so?

I use a simple model to illustrate that companies externalize information misuse costs onto users, which has two related but distinct effects: chronic underinvestment in information security and excessive retention of user data. I then seize on this observation to propose a specific legal vehicle at the heart of this article—what I call a private enforcement remedy. This private enforcement remedy has four essential features.

First, the remedy must be created under state law. State law provides a viable alternative when federal courts have used constitutional standing doctrine to express overt hostility to privacy harms.

Second, the law should impose a fiduciary duty on entities that collect or retain users’ information. Structuring the remedy this way insulates it from attack by a weaponized First Amendment.

Third, breach of an information fiduciary’s duty should be a strict liability tort. The arguments for strict liability in products cases apply with even greater force to informational harms.

Fourth, the statute that creates this private enforcement remedy should prescribe a schedule that begins with nominal damages and attorneys’ fees for strict liability, and it should increase monetary penalties with a defendant’s culpability. The remedy’s central purpose is to reshape incentives, so the damages schedule should not be unduly punitive or effect a windfall for plaintiffs’ attorneys.

Keywords: digital privacy, cybersecurity, data breach, information security, data misuse, standing, Spokeo v. Robins, information fiduciary, Sorrell v. IMS Health, strict liability, nominal damages, federal courts

Suggested Citation

Ormerod, Peter, A Private Enforcement Remedy for Information Misuse (February 23, 2019). 60 B.C. L. Rev. 1893, Available at SSRN: https://ssrn.com/abstract=3340674

Peter Ormerod (Contact Author)

Northern Illinois University College of Law ( email )

Swen Parson Hall
DeKalb, IL 60115
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics