Data insecurity significantly affects the general public, and the law needs to step forward and cope with the challenges posed by data breaches, data misuse, and data injuries. The primary goal of this article is to provide a thorough analytical framework for data breach cases, one that focuses specifically on the evolutions needed in the areas of duty and injury in shaping the contours of liability for data injuries. This article represents the first comprehensive analysis of a duty to secure data within the modern context of data insecurity. While most of our focus is on data breaches, the principles explored in this article are likely broad enough to be applied helpfully in data misuse cases as well, including the recent controversy over Facebook’s permissive data use practices.
We examine duty as a part of a negligence framework for data insecurity harms, and we argue that courts should recognize a legal duty to secure data. This duty is made necessary by pervasive cognitive biases that result in systematic underestimation of cyber risk by firms and individuals and interfere with the risk management process. A legal duty to secure data is also supported by statutory trends towards liability for people who were upstream or downstream of a data thief.
Courts struggle to fit data insecurity injuries within existing legal models, and part of the reason is a preoccupation with economic harm, a measure poorly suited to quantifying privacy injuries. The erosion of privacy through neglect of security is troubling, and the legal system must shift away from traditional economic measurements of injury and focus instead on the fact that data insecurity is a social harm. Data insecurity is a privacy injury and an injury to autonomy that interferes with self-determination, and it should be analyzed as such. We urge courts to acknowledge that, in the interest of reducing data insecurity, companies entrusted with the sensitive information of others have a duty to secure the data in their systems. We also propose a modified version of the data breach compensation fund proposal recently put forth by Riedy and Hanus.
Kesan, Jay P and Hayes, Carol Mullins, Liability for Data Injuries (June 26, 2018). University of Illinois Law Review, forthcoming; University of Illinois College of Law Legal Studies Research Paper No 18-28.