Andrew Clearwater, Reducing Data Security Breaches Through Enhancements in Property, Tort and Contract Law

Comment by: Kristen Mathews

PLSC 2011

Workshop draft abstract:

The power inequalities that exist when information is transferred between individuals and bureaucracies have left consumers vulnerable to data breaches. While data breach disclosure laws have improved consumer protection and informed the marketplace of security risks, consumers are not entirely rational and they continue to suffer from behavioral biases that hinder their ability to reduce or avoid loss. Many breach notification letters go ignored, and those that are read provide little recourse as most consumers do not know how to act on the information. Moreover, many consumers whose data is exposed do not suffer any actual incident of identity theft, and are thus faced with the nearly impossible challenge of demonstrating a particularized injury under tort law. The mere fear of future identity theft is generally insufficient to warrant damages.

Courts applying tort and contract law generally incorporate prior assumptions about privacy that fail to mitigate or compensate for the rapid escalation of data breaches today. For instance, Bell v. Acxiom Corp. demonstrates that standing requirements can be hard to meet due to the lack of a concrete or particularized harm for many victims of data breaches. Additionally, Key v. DSW Inc. shows that courts are reluctant to analogize the need for credit monitoring in breach cases to the need for medical monitoring in product liability cases. Only where a special relationship exists, as it did in Bell v. Mich. Council, No. 246684, have courts found a duty to safeguard personal data.

This paper investigates the problem of data breaches through the lenses of property, tort, and contract law and analyzes proposals in each of these areas to reduce security breaches, or at least compensate consumers for their harm. Proposals investigated include: a right to personal information alienability paired with a well-policed personal information market; the creation of new causes of action such as “breach of trust;” the creation of an affirmative duty to secure personal data for all data stewards that maintain consumers’ personal information; and improving the chances of consumer success under breach of contract theory by shifting the burden of proof on damages to the data steward.