Courts have increasingly been called upon to examine whether organizations have a duty under the common law to protect and secure the personal data of their employees, clients and customers. Where courts have recognized that duty, they then have to determine the standard of care required to meet it. While the duty and the attendant standard of care are likely to develop slowly if left to the common law, tort theories of negligence may provide the necessary flexibility that organizations need in the data security context.

Plaintiffs may pursue tort theories of liability because the duty of data security that exists in nontort contexts generally does not provide an effective remedy for the individual whose data is exposed in a data breach. For example, certain statutory and regulatory frameworks, such as the HIPAA Security Rule and the New York Department of Financial Services’ Cybersecurity Regulation, create a duty of data security. Nevertheless, these frameworks are focused on particular industry sectors, do not apply more broadly, and generally do not include a private right of action. Similarly, the FTC and state attorneys general have defined a failure to adequately secure personal data as an unfair trade practice under consumer protection laws, but those laws often do not provide a private cause of action. Data breach notification laws may cause companies to implement security measures in an attempt to avoid the costs of a breach notification. With several notable exceptions, however, those laws do not explicitly create a duty of data security. And data breach notification laws, for the most part, do not create private rights of action.
