The Yale Law Journal, Volume 127 (2017-2018), Forum

Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches

11 Jan 2018

Abstract. Data breaches continue to roil the headlines, yet regulation and legislation are unlikely to provide a timely solution to protect consumers. Meanwhile, individuals are left, at best, in a state of data insecurity and, at worst, in a compromised economic situation. State common law provides a path forward. Rather than rely on statutory claims or the privacy torts to protect consumer data, this Essay suggests that courts should recognize how contemporary transactions implicate fiduciary-like relationships of trust. By designating what this Essay terms data confidants as a limited form of information fiduciary, courts can reinvigorate the tort of breach of confidence as a remedy for aggrieved consumers.

We have a data breach problem. The recent breach of the credit-monitoring agency Equifax implicated the social security numbers, birth dates, and personal information of more than 140 million Americans.1 Given the richness and sensitivity of this intensely personal data, this breach may be “among [the] wors[t] ever.”2 The incidence of breaches and number of people affected continues to climb. The first half of 2017 witnessed a twenty-nine percent increase in breaches as compared to the same period the year before.3 And in October 2017, the media reported that three billion users of Yahoo! email accounts were affected by a 2013 breach.4

This state of affairs should concern policymakers and consumers alike. Congress has failed to enact legislative reform for years.5 Proposals generally rise, then stall, within a familiar cycle of (1) major breach; (2) introduction of one or more data security bills; and (3) legislative inaction. Following the 2015 Target and Home Depot breaches, for instance, there were three bills proposed by Senate Democrats in the first four months of 2015 alone.6 And once the 2016 Yahoo! breach became public knowledge, at least three draft proposals were introduced in the Senate, each backed by different partisan combinations and interest group blocs.7 Since the 2017 Equifax breach, there has been renewed legislative attention in the form of congressional hearings,8 and bills have again been introduced.9 But the history of inaction seems unlikely to change given the current political climate.10 More likely, once the uproar fades, the status quo will return until the next big data breach spurs renewed calls for change.11

Timely statutory reform also seems unlikely because it is not clear what the ambitions of such a statute should be.12 Should reform focus, for instance, on improving consumer notifications after a breach, specifying security standards to try to prevent a breach in the first instance, or some hybrid of the two? Further, these proposals have their own challenges. First, the ex post strategy of notification alone might fail to meaningfully empower consumers because it would not necessarily alter overall security standards or affect corporate incentives to invest in security. Yet if notice alone is not enough and the objective is to promulgate some form of overarching security standard ex ante (either alone or in a hybrid model), then determining what technical requirements to apply across different industries is no easy matter. There are also policy obstacles insofar as the American sector-by-sector approach to the treatment of private information largely rejects holistic regulation with regard to the collection, use, and disclosure of information.13 Prospects for quick, overarching, top-down legislative reform are thus slim.14

Yet the issue of data breaches will not simply resolve itself. A world without breaches is improbable,15 and consumers are limited in how they can address the issue on their own.16 The status quo can thus result in significant individual economic and emotional harm.17 This Essay moves past this impasse by arguing that common law courts can and should provide a legal remedy by recognizing the tort of breach of confidentiality as a cause of action available to individuals affected by data breaches. Part I assesses why the leading common law solution, the privacy torts, represents an unsatisfying response to the harms caused by data breaches. Part II situates the tort of breach of confidentiality as a superior alternative. Part III sketches the components of the tort and suggests how a court can update the common law and apply this cause of action in the digital economy.

I. The Limitations of the Privacy Torts

Given legislative inertia and uncertainty regarding how legislative and regulatory action should address data breaches, a return to common law roots in state court18 can provide an alternative remedy for aggrieved individuals. Since a breach results in the disclosure of private data, a privacy tort, such as intrusion upon seclusion,19 public disclosure of embarrassing private facts,20 false light,21 or appropriation,22 would appear the most obvious remedy. Yet, however obvious it may seem, the limitations of the privacy torts counsel in favor of a new model.

First, the privacy torts raise constitutional concerns. There has been a growing sense in recent decades that a robust instantiation of the privacy torts risks infringing on the First Amendment right to freedom of speech and press.23 Consider, for example, the tort of disclosure of private data: since this cause of action would hold the defendant liable for publication or dissemination of information, it could permit private plaintiffs to prevent or remove the speech of others in ways that chill or censor speech and are thus antithetical to First Amendment values.24 Accordingly, the privacy torts may be of limited practical and doctrinal utility in a society that also prioritizes freedom of speech.25

The privacy torts also face a conceptual hurdle because their emphasis on public exposure26 of private information is misplaced in the data breach context.27 The traditional model of the privacy torts entails a unitary actor (such as a newspaper28) broadcasting a private person’s information and thereby interfering with the right to be “let alone.”29 The tort of public disclosure of embarrassing private facts, for example, contemplates that there are certain intimate facts about each person, the public exposure of which could wrong them such that there would be no need to plead or prove special damages to obtain a legal remedy.30 This framework construes privacy in terms of content that is disseminated (and thereby exposed), with an emphasis on publication as the cause of the harm.

Such a focus on the actual public exposure and dissemination of private information is a poor analytic fit for data breaches, which involve a data holder’s failure to securely maintain private information in the first instance. Imagine I share my name, address, and telephone number with a company as part of a business transaction. Even if just one person (the thief) gains access to this information, injury occurs at the moment that the information is stolen, as soon as the data holder’s operational and systemic security decisions have allowed a breach to occur. The company has violated my trust that any initial disclosure of information was limited to the particular context of the transaction with that distinct entity.31 Furthermore, if my disclosure of data to a commercial actor led the original business to share information with a third party in order to complete the transaction, then I impliedly trusted that third party to maintain my data securely as part of the chain of commerce—and my confidences are also violated if it is the third party that is breached. In either instance, the core point is how the nature of the harm resulting from the data holder’s failure to secure personal information is distinct from the privacy torts’ focus on information’s publication, dissemination, and use.

Before turning to the technical details of such an explicit or implied duty in Part III below, it is worth further underscoring the human dynamics that motivate the proposed legal intervention. The Equifax and Yahoo! data breaches cast the harmful impact on human beings into especially vivid relief. In the case of Equifax, the breach of a credit-monitoring agency potentially affected anyone who has ever obtained a credit report,32 even if an individual did not intentionally give information to Equifax. The only way a consumer might have maintained the security of their data would have been to refrain from opening any credit or debit card, an unreasonable solution in today’s economy. Yet if a data breach ensues, the cost of engaging in such a transaction might be years of rebuilding credit, potentially inhibiting an individual’s ability to purchase a home, fund a business, or pursue other financial objectives.33 And even if there is no immediate, measurable effect on an individual’s credit score, a person who learns their data has been breached must be ever vigilant and wary of the threat that their identity will be stolen in the future.34 The ongoing emotional and economic impacts of data breaches are thus profound.35

Equifax is not the first to expose a large swath of American adults to the ongoing “terror” and years of financial difficulties potentially caused by a breach.36 As illustrated by an October 2017 announcement from Yahoo!37 revealing that three billion email accounts were hacked in 2013, the choice to participate in the information economy by opening an email account creates similar risks. Once a company to which an individual discloses data has been breached, there is little that the individual can do to prevent unauthorized access to their information. It is true that consumers can attempt self-help measures such as changing passwords, monitoring credit information, and exercising vigilance in subsequent online activity by, for instance, using extra caution before clicking on links in emails and confirming that an allegedly encrypted link is in fact properly secured before transmitting sensitive data.38 But such self-help measures only go so far to prevent a breach outright,39 and may be of especially limited efficacy after the fact.

The reality is that even hyper-vigilant consumers affected by data breaches may face ongoing problems. Some consumers even find themselves unable to prevent the breached entity itself from continuing to access their data, as was the case after the Equifax breach.40 Furthermore, ex post remedial measures such as the provision of free credit card monitoring, which Equifax offered after its breach,41 cannot undo the fact that a customer’s social security number has been stolen, creating a heightened risk of identity theft for the foreseeable future.42 Data breaches, in short, cause myriad, lasting harms that begin the moment a company fails to maintain data securely.

II. Away from Privacy, Toward Confidentiality

Taking seriously the idea that the harm experienced in a data breach begins the moment that the data holder fails to secure the data that the consumer43 has provided to it, this Essay advances the tort of breach of confidentiality44 as an alternative to the privacy torts.45 The envisioned cause of action would be available when one party (the data holder) has a legal duty to refrain from disclosing specific information provided to it by another party (the consumer). Where the elements of the tort are met,46 a court may impose liability for disclosure of the information shared by the original party as a breach of the duty of confidentiality.47 This framework is rooted in the belief that when a consumer discloses personal, potentially sensitive information to an entity, they trust that this data will remain secure.48

To delineate the nature of the relationship between data holders and consumers, this Essay argues that data holders are properly understood as a subtype of what Jack Balkin calls “information fiduciaries.”49 Balkin presents information fiduciaries as a class of entities that have “a relationship of trust with a [beneficiary] party” and are “authorized to hold something valuable” on behalf of that beneficiary.50 Given this relationship of trust, such entities should properly be understood as possessing “special duties to act in ways that do not harm the interests of the people whose information they collect, analyze, use, sell, and distribute.”51 Extrapolating from Balkin’s suggestion that information fiduciaries could have duties that differ from traditional fiduciaries,52 it is appropriate to tailor subcategories of information fiduciaries to fit different sorts of information-sharing relationships.

This Essay argues that given their relationship to consumers, the holders of consumer data in commercial transactions should be labeled with a distinct term: data confidants. Data confidants have a duty to securely maintain the information that they receive from customers. This envisioned confidential relationship does not arise from an explicit contractual agreement. It is instead akin to an implied fiduciary relationship53 that may develop after “one party places trust and confidence in a second person with that second person’s knowledge.”54 Even if this sort of relationship may not be “exceptional” in the manner required to find a duty under current tort law, it coheres with the sense of frustration, disappointment, or even outrage that a person may feel when someone they trusted with their personal information fails to maintain that trust. Furthermore, if customers did not voluntarily disclose their information in the first place by entering into a formal relationship with the breached entity,55 then they may feel even more outraged if that entity knew it had their data, yet made operational choices that failed to secure it. The proposed tort of breach of confidence can address and respond to these facts on the ground,56 and would thus permit the common law to evolve to meet the challenges posed by contemporary social and economic conditions.57

III. The Nature of the Tort: Envisioning Data Confidence

To understand how the tort of confidentiality would function in practice, it is helpful both to contextualize the tort within existing doctrine and to consider its elements with more specificity. The remainder of this Essay presents a framework inspired by the development of products liability tort law as a form of consumer protection. Just as courts expanded manufacturers’ duty of care partly in response to the burgeoning automobile industry,58 so should courts reconsider the liability regime for data holders, whose choices regarding systems design and maintenance affect consumers in increasingly significant ways.59 Recognizing the need for iteration and further scholarship as common law courts address particular cases on the ground, the following Sections begin the conversation by sketching core components of the proposed tort of confidentiality.

A. Duty

An entity should adhere to the duties of a data confidant if a similarly-situated consumer would disclose data only if they reasonably understood there to be an implicit or explicit guarantee of confidentiality.60 Positioning data confidants as a form of fiduciary61 is the key to invoking the tort in this flexible, yet still bounded, manner. Fiduciary law relies on fact-bound analysis to identify implied as well as explicit relationships of trust,62 making its application appropriate when the consumer—as a condition of engaging in a transaction—would reasonably expect the data holder to treat their personal information securely.63

To assess such expectations and determine whether there is in fact a data confidant duty in a given case, a trier of fact might ask whether a reasonable person would have shared the information in question if they had believed the data would not be secure. If the answer is “no,” then it is reasonable to expect confidentiality in the transaction. As a simple example, consumers expect their transaction data to remain secure when they purchase a good, and presumably would not use a credit card to make a purchase if they knew that their financial information would not be securely maintained.64 Accordingly, in transactions that involve online information processing or electronic storage of information, a business such as Target or Neiman Marcus would have a general duty to keep its consumers’ credit card and associated identifying information confidential if that data was initially disclosed in the context of purchasing a good.65 In addition, the guarantee of confidentiality should impliedly extend to third-party actors associated with the initial transaction. Equifax’s treatment of consumer data, which involved individuals who were not even aware that Equifax had their information, is an example of this class of interactions. To capture the complex relationships entailed in today’s data-driven commercial transactions, courts should assess whether data holders owe a duty regardless of whether the person explicitly engaged with them in a commercial interaction. The critical question from a confidentiality standpoint remains whether consumers would have disclosed the data in the first instance, absent the expectation that their personal, private data would remain secure throughout the transaction.

There is space, moreover, to consider further winnowing if liability proves too expansive to permit the common-law system to handle claims in the nuanced, fact-sensitive manner espoused in this Essay. For example, one option would be to narrow the available categories of liability based on the sensitivity of the data, requiring a consumer to prove that the breach of confidentiality involved, say, health or financial data before the data confidant duty would apply. Although this approach might reproduce some of the disadvantages of sectoral regulation,66 it would target the harm engendered by data security intrusions in a way that current law does not. The tort of breach of confidence is, in short, a flexible and practical remedy.

B. Breach

Inspired by the manner in which products liability law evolved throughout the twentieth century, this Essay advocates for tort law to develop a strict liability model for breach of confidence. This approach would shift the cost of harms resulting from data breaches to data holders whose commerce relies on consumer data, rather than requiring these costs to be borne by injured consumers who may be unable to protect themselves.67

The recommendation of a strict liability regime in the data breach context is distinct from the negligence claims filed in the wake of Equifax68 and several other data breaches.69 Assuming that some data breaches will inevitably occur,70 a traditional negligence-based cause of action might initially seem more appropriate to avoid raising the duty of care so high as to make the cost of engaging in a socially desirable activity (here, data transactions) prohibitive. However, Guido Calabresi’s classic theory of “optimal deterrence” points toward a different approach.71 If data breaches are understood as a form of accident, then the proper inquiry is how to allocate costs to achieve optimal deterrence.72 A limited rule of strict liability can shift costs to the defendant in a way that is especially appropriate where plaintiffs can do little to prevent or mitigate the resulting harm and defendants are better positioned to avoid the cost of the accident. Both of these conditions obtain in the data breach context. First, even an informed and security-sensitive consumer may be unable to pursue effective self-help measures.73 Second, as discussed in more detail below, the data holder is better positioned to pinpoint the steps that would bolster security for that entity in an efficient manner74 as compared to the consumer, who is unlikely to be privy to the data holder’s technological and operational practices.

Out of fairness to the data holder, the proposed strict liability framework would be appropriate only in instances in which the plaintiff can establish that a company’s conduct has failed to meet a well-instantiated security guideline or otherwise fallen below an established security standard.75 As an element of the prima facie case, a court could require the plaintiff to establish that the company did not comply with a known standard such as the FTC’s Fair Information Practice Principles (FIPPs).76 The 2017 Equifax breach, for instance, involved basic operational errors, such as the failure to install a software patch.77 Similarly, the breaches affecting Yahoo! appear to have occurred after the company repeatedly failed to update what was known to be a flawed encryption method.78 Both of these companies’ actions arguably fall short of the FIPP guidance on data integrity/security, which stipulates that “[s]ecurity involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.”79

To be sure, this framework would not hold data confidants liable across the board, and some data breach victims would still be left without redress. If, for instance, a company complied with all known security standards and there was still a breach that affected a consumer’s data, then that plaintiff would not be able to meet the requisite strict liability burden of proof.80 What would change under the proposed strict liability formulation, however, is that a data confidant could no longer avoid liability if a breach occurred after that data confidant did not implement a known security standard or best practice and thereby failed to protect known consumers. Accordingly, in situations where the plaintiff can provide such concrete proof, and where the data confidant relationship is clearly established, shifting from negligence to a strict liability approach to address breaches provides a way to take seriously the harm to consumers when those whom they reasonably expect to secure their data fail to do so.

A critic might still find this approach problematic. Since a third-party hacker commits the illicit actions that are the direct cause of a data breach,81 one could contend that the data confidant should not be held responsible for the third party’s misdeeds. However, the principles drawn from the strict liability manufacturing defects branch of products liability law82 demonstrate why this intervening act should not necessarily eliminate the data confidant’s liability. Here, strict liability obtains if a data confidant engages in data transactions without implementing established security standards, with the knowledge that its organization will use personal data, and its operations in fact permit a breach of that data. From a policy perspective, strict liability is appropriate; an intervening act should not cut off liability if the data confidant’s security practices and operational choices increased the probability that the intervening act could occur or made the act possible in the first instance.83

C. Damages

Finally, a court must address the question of remedies for a data breach. Until there is further study of the number of potential lawsuits and the scope of data confidant liability under the proposed tort, it would be premature to offer too much prescription regarding damages awards. Rather, this Essay focuses on a more fundamental point: common law courts possess the functional capacity to appraise breach of confidentiality as a harm that merits damages. This analytic move is not only pragmatic, insofar as such common law analysis is tied to facts on the ground, but also instrumental from a policy perspective. Regardless of the amount of the damages award, the possibility of liability (especially if claims are aggregated via class action suits, as has been the case for recent data breaches84) could incentivize companies to invest in basic steps that would better secure consumer data—and protect the trust that consumers reasonably expect in transactions with data confidants. This approach thus supports this Essay’s basic contention that the common law can adapt to provide a legal remedy given the improbability of a timely regulatory or legislative response to data breaches.

As one possible path forward, courts could adapt the Restatement (Second) of Torts’s approach to damages in privacy cases.85 Under such a rubric, damages would be available for harm to the confidentiality interest in cases where the plaintiff has proven that they were injured because an entity that they reasonably expected to act as a data confidant failed to secure their data.86 Though some may find it troubling to ask a court to assign monetary value to the violation of a person’s confidence and the associated invasion of personal information, it is in reality quite similar to the analysis already conducted by common law courts with regard to privacy (for privacy torts87) and reputation (for defamation88).89 Damages need not be an element of the prima facie case, but instead could be assessed separately through a “prudential,” case-specific filter.90 Where the plaintiff meets their burden of proof, damages could also be awarded for mental distress, such as anxiety and loss of peace of mind,91 that can result from a failure to maintain private data securely. Regardless of the precise formulation, the bottom line is that the award of monetary remedies can be crafted to foster doctrinal continuity at the same time that the distinctive requirements of the proposed breach of confidence tort permit evolution of the law.

* * *

If the security of information is to be taken seriously in the face of recent breaches like the Equifax incident, then the common law should update its content to ensure that personal, private data is robustly protected. This Essay contends that such an update requires recourse to a remedy when an entity that holds itself out as a data confidant fails to adopt established best practices and industry standards for its operations and security protocols. Such an actor has not maintained the trust that its consumers vested in it. It is past time to wait for a regulatory fix that may never come. A common law solution rooted in tort law’s confidentiality principles is worth pursuing to empower consumers in today’s information economy.

Alicia Solow-Niederman is a fellow at the UCLA School of Law’s Program on Understanding Law, Science, and Evidence (PULSE). She graduated from Stanford University with distinction in communication and political science and received her J.D. from Harvard Law School, cum laude, where she served on the editorial board of the Harvard Law Review. She would like to thank the following individuals for their insightful comments, suggestions, and encouragement: Amy Johnson, Greg Muren, Leah Plunkett, Richard Re, Morgan Weiland, Jordi Weinstock, and the editors of the Yale Law Journal. She is grateful to Jonathan Goldberg and Henry Smith, whose 2016 Private Law Workshop inspired and informed the arguments advanced in this Essay, to the Berkman Klein Center for Internet & Society faculty and staff, especially Yochai Benkler, Urs Gasser, and Jonathan Zittrain, for their guidance along the way, and to her family for their tireless support. The views presented here as well as any errors are hers alone.

Preferred Citation: Alicia Solow-Niederman, Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches, 127 Yale L.J. F. 614 (2018), http://www.yalelawjournal.org/forum/beyond-the-privacy-torts.