Data security breach cases are fertile ground to explore the impact of the economic loss rule and to challenge the conceptual underpinnings of this judge-made doctrine. The extent to which the economic loss rule serves as a formidable barrier to credit card data security breach cases depends upon the underlying state law; in particular, whether a state adopts the majority or minority position on the rule, as well as how it defines various exceptions thereto. Upon closer examination, it becomes clear that the rule operates in a fundamentally distinct manner in the ‘stranger paradigm’ as compared to the ‘contracting parties paradigm’. What makes the credit card data security breach cases so vexing is that they often straddle the stranger/contracting parties paradigms. The credit card data breach cases can be reframed in a coherent way that defers to contractual allocation of risk and responsibility but nonetheless allows tort liability to be deployed when needed to ensure the internalization of third-party costs. Seen from a broader regulatory perspective – especially taking into account state statutory provisions relating to enforcement of private industry standards in the credit card arena – the economic loss rule functions as a boundary-policing doctrine between tort and regulation as alternative mechanisms to regulate private parties. Moreover, as a more robust third-party liability insurance market emerges in response to a greater threat of tort liability, insurers will engage in further risk management, exerting more potent regulatory control.
Sharkey, Catherine M, Can Data Breach Claims Survive the Economic Loss Rule? (July 1, 2017). DePaul Law Review, volume 66, no 2, 2017.