On Aug. 24, 1924, Helen Palsgraf was standing on a Long Island Rail Road (LIRR) platform waiting for the train. As she waited, a different train stopped at the platform and two men ran to catch it. The first man boarded easily, but the other man, who was carrying a package, tried to board the train as it was moving and lost his balance. A LIRR guard on the moving train reached forward to help while a different guard on the platform pushed him from behind to stop him from falling. These efforts caused the man to drop the nondescript package of fireworks he was carrying, which exploded when it hit the ground, causing a large scale on the other end of the platform to fall and injure Palsgraf. As most lawyers know, this true story was the subject of the infamous New York Court of Appeals decision, Palsgraf v. Long Island Railroad, 248 N.Y. 339, 340-341 (1928). Palsgraf was the first case to establish the limitations of negligence by drawing an invisible “liability line” in the sand, with proximate cause and liability for an act on one side, and remote cause and no liability on the other.

As important as this case is, though, what could it possibly have to do with cyber risk? Two words: proximate cause. We are currently on the precipice of a dramatic shift in the way cyber risk is viewed and how the accompanying liabilities are assigned, and the foundation for this change stems all the way back to the fundamentals of proximate cause.