A Private Enforcement Remedy for Information Misuse
57 pages. Posted: 21 Mar 2019. Last revised: 4 Nov 2019.
Date Written: February 23, 2019
Misuse of users’ personally identifiable information is persistent and pervasive. This article addresses two questions: Why is information misuse so common and so severe? And how could domestic law change to make it less so?
I use a simple model to illustrate that companies externalize information misuse costs onto users, which has two related but distinct effects: chronic underinvestment in information security and excessive retention of user data. I then seize on this observation to propose a specific legal vehicle at the heart of this article—what I call a private enforcement remedy. This private enforcement remedy has four essential features.
First, the remedy must be created under state law. State law provides a viable alternative when federal courts have used constitutional standing doctrine to express overt hostility to privacy harms.
Second, the law should impose a fiduciary duty on entities that collect or retain users’ information. Structuring the remedy this way insulates it from attack by a weaponized First Amendment.
Third, breach of an information fiduciary’s duty should be a strict liability tort. The arguments for strict liability in products cases apply with even greater force to informational harms.
Fourth, the statute that creates this private enforcement remedy should prescribe a schedule that begins with nominal damages and attorneys’ fees for strict liability, and it should increase monetary penalties with a defendant’s culpability. The remedy’s central purpose is to reshape incentives, so the damages schedule should not be unduly punitive or effect a windfall for plaintiffs’ attorneys.
Keywords: digital privacy, cybersecurity, data breach, information security, data misuse, standing, Spokeo v. Robins, information fiduciary, Sorrell v. IMS Health, strict liability, nominal damages, federal courts