South Carolina Law Review
Tort law is the best vehicle for allocating the risks and spreading the costs of database intrusion. It can incentivize database possessors (“possessors”) and data subjects to minimize the harm associated with breaches of database security while also balancing each party’s interests. Life is built upon computerized databases and the information of those databases is subject to hackers and other cyber-threats, which can cause catastrophic damage. It is hard to identify hackers; however, a better object for recovery is likely the possessors who fail to prevent or reveal a security breach.
The law governing database possessors’ liability is far from settled; however, possessors have a duty to: (1) protect the information stored; and (2) disclose evidence of breaches. These duties can arise out of statute, principles of tort law, or the fiduciary duty doctrine, with each of the source shaping the duty imposed on possessors and the scope of their potential liability. The scope of database possessor liability is judiciously limited by the Economic Loss Rule, limiting the scope of potential liability vested upon possessors to Security-Monitoring costs, a remedy that balances the interests of data possessors and subjects. Tort principles, when carefully applied to contemporary cybersecurity, can perform a key role in protecting the economic foundations of modern life.
Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255 (2005).