Courts have increasingly been called upon to examine whether organizations have a duty under the common law to protect and secure the personal data of their employees, clients and customers. Where courts have recognized that duty, they then have to determine the standard of care required to meet it. While the duty and the attendant standard of care are likely to develop slowly if left to the common law, tort theories of negligence may provide the necessary flexibility that organizations need in the data security context.

Plaintiffs may pursue tort theories of liability because the duty of data security that exists in nontort contexts generally does not provide an effective remedy for the individual whose data is exposed in a data breach. For example, certain statutory and regulatory frameworks, such as the HIPAA Security Rule and the New York Department of Financial Services’ Cybersecurity Regulation, create a duty of data security. Nevertheless, these frameworks are focused on particular industry sectors, do not apply more broadly, and generally do not include a private right of action. Similarly, the FTC and state attorneys general have treated a failure to adequately secure personal data as an unfair trade practice under consumer protection laws, but those laws often do not provide a private cause of action. Data breach notification laws may cause companies to implement security measures in an attempt to avoid the costs of a breach notification. With several notable exceptions, however, those laws do not explicitly create a duty of data security. And data breach notification laws, for the most part, do not create private rights of action.