Earlier this week, Facebook announced that 50 million user accounts had been compromised in a data breach. This is just the latest episode in a series of high profile and far-reaching data breaches in which consumers’ sensitive personal and financial information has been exposed or stolen. Discourse about issues relating to data protection frequently center on prevention: how to make systems more secure from hacking and other cyber attacks, or how to improve detection speed when such attacks are successful.
However, there is another aspect of digital data breaches that deserves attention: liability. What legal options do affected consumers have? Can one of the 50 million people whose accounts have been hacked sue Facebook for negligence? In similar situations, the answer has been no. Part of the problem is that the duty to provide data privacy and security does not neatly fit into any established category in tort law. The common law does not recognize a general cause of action resulting from the accession or theft of a consumer’s private information. Plaintiffs may thus find it necessary to argue that special circumstances mean the company owes consumers a specific duty, like a fiduciary duty. For example, a class-action lawsuit against Equifax for a 2017 data breach was brought on the theory that the company had a duty to protect personal information. The strength of the plaintiffs’ legal claim is being tested—Equifax has filed a motion to dismiss that awaits ruling in the Northern District of Georgia.
If Equifax succeeds in defeating the claim that it owed a duty, the plaintiffs will be in serious trouble. This is because the common law generally does not see data theft as a harm in and of itself. Plaintiffs must allege something additional like identity theft. Thanks to the economic loss doctrine, plaintiffs who fail to establish a cognizable duty owed by the company usually can’t sue for negligence even if they have suffered financial harm as a result of a data breach. These issues are real: In 2015, a Pennsylvania state court cited the economic loss doctrine when it tossed out a lawsuit brought on behalf of more than 62,000 past and present employees of the University of Pittsburgh Medical Center following the theft of personal information from the Center’s computer system. The Pennsylvania court went on to say that given the prevalence of hacking, it would be untenable to impose a general duty to protect the confidential information of employees from data breaches. It is true that such a duty would be a huge burden on companies everywhere, but perhaps they are functionally and economically in a better position than consumers to protect data.
So what is to be done? Is the status quo desirable? One potential solution would be through contracting. User terms of service could include a clause imposing liability on the data-keeping organization in the event a user’s confidential information is accessed or stolen by an unauthorized third party. But the prospects for such a solution are grim. In the digital era, consumers must essentially accept the terms dictated by the service provider; it’s a stretch to believe Facebook will negotiate one-on-one with users regarding its terms of service. The practical justifications for avoiding individual negotiations are obvious, but the consequence is that the contracting channel is likely foreclosed as a means of strengthening the legal rights of victims of data theft.
A more viable alternative would be the legislative creation of duties, causes of action, and remedies for general data breaches. Many states have laws requiring companies to give notification of data breaches, though fewer have granted private causes of action. While there are good reasons to be cautious about imposing broad liability, concerns about creating a general duty for companies to protect the data they collect from consumers could be overblown. The negligence standard merely demands reasonable precautions and efforts to protect data; in the inevitable event of a data breach, any company that has taken reasonable steps to prevent and contain such breaches will not be held liable. This would strike the proper balance between recognizing the impossibility of preventing all data breaches and providing consumers with some recourse when their personal information is accessed or stolen.*
* Matt Garry is an Associate Editor for the Michigan Technology Law Review.