Journal of Internet Law
Established tort principles carefully applied to the contemporary problems of cybersecurity and identity theft can perform a key role in protecting the economic foundations of modern life. Tort law offers an appropriate legal regime for allocating the risks and spreading the costs of database intrusion-related losses. It can also create incentives, on the part of both database possessors and data subjects, to minimize the harm associated with breaches of database security.
In considering this field of tort law, it is useful to differentiate three questions. The first issue is whether database possessors have a legal duty to safeguard data subjects’ personal information from unauthorized access by hackers or others. The second issue, if there is not a duty to protect computerized information from intruders, is whether a database possessor has a legal obligation to disclose evidence of a security breach to data subjects once an intrusion occurs. The third issue is how far liability should extend when the database possessor has failed to exercise reasonable care to protect data or to disclose information about an intrusion.
Numerous lawsuits have recently been filed against data possessors (such as banks and universities) by data subjects (such as customers and alumni) seeking damages for harm caused by breaches of data security. Whether and to what extent courts hold database possessors liable for harm caused by improper data access are questions of huge importance. If those who make and interpret the laws too hastily conclude that database possessors are not liable for losses occasioned by unauthorized data access, important opportunities to reduce and distribute the costs of computerized technology will be lost. If liability is too readily assessed, important institutions will be adversely affected, and with them the prosperity of modern society.
Vincent R. Johnson, Data Security and Tort Liability, 11 J. Internet L. 22 (2008).