Lose Your Money, Lose Your Privacy, but the Corporation Will Still Win
Corporate Data Breaches and the Economic Loss Doctrine
With information readily available and stored on the Internet, what stops an intruder from gaining unauthorized access to private information? Simple: strong cybersecurity. While heightened security measures seem like a no-brainer, cybersecurity is lacking in many large organizations, leaving customers as victims of economic loss. Adding insult to injury, a corporation’s inadequate security is shielded from negligence claims by the Economic Loss Doctrine, which bars claims for solely economic loss.
In the past five years nearly every American has had a reason to worry that their personal information was illegally obtained in a data breach. Stolen data ranges from simple information like street addresses or shopping tendencies to private information such as medical records and social security numbers. While it is easy to point fingers at the hackers that navigated onto the network and server, they are not alone to blame. When a company’s network is breached it is often because inadequate safety measures were implemented to protect private information, giving the hacker an entryway to obtain unauthorized material. Failing to properly secure information leaves the company equally responsible. Data breaches are not limited to one particular type of company; targeted companies range from large retail chains, such as Target and BJ’s Wholesale, to electronics companies like Sony, and everything in between.
With the large number of companies making the news due to a security breach, an underlying assumption has prevailed that companies are expected to take reasonable measures to properly safeguard private information. Since a company benefits by obtaining consumers’ personal information and has the ability to continually update its security measures, it is reasonable to expect that a company would be held responsible for allowing a breach, and therefore liable for the wrongdoing that transpired. If companies were held liable, rudimentary sanctions would include reimbursing customers (or banks) for fraudulent charges on their credit cards resulting from the data breach and providing services to monitor the stolen information.
Unfortunately, consumers have had to assume the majority of the burden when trying to hold companies responsible for inadequate security measures and forcing companies to right their wrongs. Plaintiffs must overcome several obstacles to prove they are entitled to recovery, and for many it has been an uphill battle. Lack of Article III standing has kept many litigants out of courtrooms and is largely responsible for our lack of cybersecurity case law. An equally troubling legal barrier, one that ensures plaintiffs cannot recover even when their personal information has been stolen in a data breach, is the Economic Loss Doctrine.
This paper proceeds in four parts. Part I explains the history and background of the Economic Loss Doctrine. Part II analyzes the barriers to plaintiffs when the Economic Loss Doctrine is enforced. Part III discusses the different approaches adopted by states and examines exceptions to the Economic Loss Doctrine. Part IV presents recommendations to ensure individuals can receive recovery from companies with lacking cybersecurity.
I. Origins of the Economic Loss Doctrine
The Economic Loss Doctrine dates back to 1927, when the United States Supreme Court heard Robins Dry Dock and Repair Co. v. Flint. However, the Economic Loss Doctrine’s application in tort claims is best explained through the Kinsman cases.
The Kinsman cases began with an improperly moored barge breaking loose. The barge crashed into a second barge, which caused the second barge’s moorings to break. The two barges continued down the Buffalo River until they collided with a bridge. The collision with the bridge caused the river to overflow and subsequently flooded the private property surrounding the bridge. The private property owners sued and were able to recover under a negligence theory for their property damage. The court reasoned that the flooding was a foreseeable result of the barge owner’s negligence in improperly securing the moorings.
Beyond the property damage, the barges caused even more havoc by slowing traffic on the river for nearly two months. As a result, deliveries were delayed. Among the delayed deliveries were grain shipments to a grain elevator downstream from the bridge. The owner of the grain elevator brought suit on the theory that the barge collision created the delay that kept the grain from being delivered promptly. While the court could trace the factual chain of causation back to the first barge breaking loose, it ruled that the delay of grain shipments was not foreseeable and that the claim failed for lack of proximate cause. The court held that the economic losses were too remote or speculative to permit recovery, leaving future courts with the question of how far “downstream” they should allow tort recovery.
It is now generally understood that “negligent harm to economic advantage alone is too remote for recovery under a negligence theory.” Further, the Economic Loss Doctrine provides that physical damage must exist alongside economic loss for a plaintiff to recover economic damages. Since most hacking occurs in cyberspace, it has been challenging for plaintiffs to prove physical damage beyond economic loss.
II. Barriers to Proving Injury Created by the Economic Loss Doctrine
Negligence is defined as conduct that “falls below the standard established by law for the protection of others against unreasonable risk of harm.” Negligence can consist of either an act or an omission. In an ordinary common law negligence claim, the plaintiff must prove that the defendant owed a legal duty to the plaintiff, that the defendant breached that duty, and that the defendant’s breach caused a cognizable injury to the plaintiff.
While cybersecurity litigation is still in its infancy, courts have generally held there is a duty to protect private information. Specifically, a company that stores employee and customer information has a legal duty to properly protect said information. In attempts to further develop the proper standard of care, courts have looked to regulatory agencies and industry standards for guidance. When companies fail to secure information in a reasonable way, they are said to have breached their duty.
While some issues arise with causation, a plaintiff generally needs to be able to link the improper use of their information to a breach that has occurred. For example, if an individual’s credit card was used by an unauthorized person shortly after their bank suffered a data breach, the plaintiff could likely prove that “but for” the bank’s breach the unauthorized user would not have gained access to the credit card information, and therefore would not have fraudulently used the plaintiff’s credit card. Assuming the individual was not the victim of multiple breaches that could each have been the source of the fraud, proximate cause would likely be satisfied as well. The true barrier to a successful claim arises when a plaintiff must show a “cognizable injury.”
Proving a cognizable injury requires plaintiffs to show that the exposure of their personal information resulted in actual damages. For actual damage to occur, there must be personal injury or property damage. Under the Economic Loss Doctrine, actual damages cannot consist of economic loss alone.
Although unauthorized access to one’s social security number or credit card information may harm a person, this alone does not sway the court. The plaintiff must demonstrate harm beyond the fact that their private information was improperly accessed; they must establish that the information was used in an unauthorized way that resulted in damage. Further complicating the issue, if the plaintiff’s bank or credit card company reimbursed the plaintiff for an unauthorized purchase, there is no recoverable loss because the money has already been replaced.
Many courts have denied plaintiffs recovery in data breach cases because they have not suffered personal injury or property damage. Rather, the plaintiffs have only suffered an economic loss, and the Economic Loss Doctrine bars their tort claim.
III. Different States Implementing Different Approaches
The Economic Loss Doctrine creates a relatively cut-and-dried rule barring plaintiffs from recovery for a solely economic loss. However, some states have created ways around this harsh rule and have recognized circumstances in which recovery for purely economic harm is permitted. States are free to interpret the doctrine, and therefore its application can differ on a state-by-state basis. This means that a plaintiff suing over a data breach may be successful in one state, while the same claim brought in a different state would be barred.
Some states take a narrow approach, while other states interpret the doctrine broadly. The majority rule, and the most rigid interpretation of the doctrine, bars recovery unless a plaintiff can establish that their injuries were not only economic in nature but also involved physical harm, either to their person or their property. This is the most defendant-friendly standard, and it is the way most companies that have suffered a data breach get claims dismissed. A few states take a minority view of the doctrine, meaning they disregard the Economic Loss Doctrine entirely and allow plaintiffs to recover for economic losses even where there was no physical damage.
Some states take an intermediate approach to the doctrine. The intermediate rule is similar to the majority rule; however, it is less stringent and acknowledges exceptions to the doctrine. The majority rule focuses only on the damage incurred, while the intermediate rule focuses on the defect itself or the manner in which the failure occurred. In cases involving purely economic harm, the court will look to see if there was a “special relationship” between the plaintiff and defendant or if there was an “independent duty” owed.
The special relationship exception arises when a relationship of trust exists between the plaintiff and the defendant, often stemming from a professional relationship or a fiduciary duty. Special relationships can also arise from contractual relationships that carry a duty of good faith and fair dealing.
The independent duty exception usually arises when a contract binds the two parties. If a duty can be traced to a source other than the contract, the plaintiff may be able to invoke this exception and sue in tort for economic loss.
While there are interpretations of the Economic Loss Doctrine that allow recovery and narrow exceptions that navigate around its harsh results, most states follow the strict majority approach. Until adopting the minority approach becomes more mainstream, or more exceptions are incorporated into the intermediate approach, most cybersecurity negligence claims will remain barred.
IV. Analysis of the Economic Loss Doctrine’s Applicability in the Present Day and Recommendations Moving Forward
The purpose of the Economic Loss Doctrine is to ensure that liability ends somewhere, rather than permitting unlimited liability for everything occurring in a factual chain of events. While the Economic Loss Doctrine is necessary to protect negligent parties from unforeseeable liability, its protections have extended too far and must step aside in data breach cases.
Whether it be sending a text message or paying bills, in present-day society the Internet is king and plays an integral role in our day-to-day activities. What is more, companies are providing greater communication and access options over the Internet than are available in person. With more and more interactions shifting to cyberspace, harm to the customer is not unlikely; physical damage, however, is nearly impossible. Alas, if there is no physical damage, companies can continue to act negligently, in large part because of the Economic Loss Doctrine.
As it stands, the doctrine ensures companies cannot be held liable for sensitive information stolen through a security breach because the harm is abstract and not accompanied by any physical damage. If companies are never, or at least rarely, held liable for absent or lacking security systems, it is unlikely they will put forth the time, effort, or money necessary to improve their security and monitoring efforts. The Economic Loss Doctrine stands in the way of companies being held accountable and will continue to hinder future successes in cybersecurity litigation until an exception is created for data breaches.
The Economic Loss Doctrine should not be removed; however, it should either not be applied in data breach cases or be modified. While the doctrine remains relevant because it guarantees a person does not face unlimited liability for unforeseeable risks, there is no justification for retaining it in cybersecurity claims because breaches are foreseeable in many circumstances. Breaches are absolutely foreseeable when an organization does not have safeguards in place and does not continue to monitor and update its security systems.
Many banks are fearful criminals would want to break into their vaults, and thus take numerous precautions such as hiring security guards, installing alarm systems, and having key-card access. These are all seen as reasonable measures to protect the valuables inside, and if a bank did not have these safeguards in place, many would question why they failed to take adequate measures to protect their assets. Today, everything from pictures to bank account information is stored on a server. Just as it is obvious that a criminal would want to break into a bank, it is equally foreseeable that hackers would want to access a company’s servers for the data that they hold, leaving the company responsible for proper protection.
Moving forward, minimum standards should be set that must be met by companies storing private information. This would not only make it easier for plaintiffs to file suit, but also ease the burden of proving duty and breach. More industry standards and regulation would allow courts to feel more comfortable recognizing that a company breached a duty and that the breach resulted in harm to the plaintiff.
Among the standards should be a requirement to have a Chief Information Security Officer (CISO) who oversees cybersecurity efforts. The CISO could serve as the intermediary and company representative to regulators. The CISO would be tasked with ensuring security measures are up to date with regulations and that the company is engaging in monitoring efforts of its own to continually improve the effectiveness of its security. In addition, companies should schedule regular maintenance windows for their networks and systems. This would provide the time to apply security patches and updates that fix the vulnerabilities and bugs hackers would otherwise use to enter the network.
Cybersecurity regulation and litigation are uncharted waters. While the FTC and SEC have recently heightened their efforts, federal legislation regulating cybersecurity liability remains minimal, and there is no set standard for cybersecurity programs to follow. Even though regulations and case law should have been sifting through data breach issues long before now, it is a step in the right direction that regulators are starting to take notice of the problems. While these are positive strides, the issue remains that litigation and case law are light years behind. The Internet, and specifically Internet hacking, seemed to take off and leave regulation and the standard of care behind. While the lack of uniform standards is partially to blame, barriers to entry are a large issue.
Most cybersecurity claims are barred from being brought to court. If these actions can never make it to trial, case law will never develop, which will only widen the gap in cybersecurity regulation and make it more difficult to hold breached companies accountable. This is why a cybersecurity exception, or carve-out, to the Economic Loss Doctrine is necessary. Plaintiffs who were wronged need to be made whole, and companies that allow breaches to occur must be held accountable. For this to happen, the law needs to evolve, which can only be done by allowing negligence claims to be heard in court, and thus removing the Economic Loss Doctrine from corporate data breach cases. Lax cybersecurity and lack of monitoring can no longer be tolerated. While this is largely the sentiment shared in society, the legal system must reflect it too for changes to occur.
In conclusion, the Economic Loss Doctrine should not be abolished. However, as it stands, the Economic Loss Doctrine should not apply to corporate data security cases. While the doctrine is necessary in traditional negligence claims to limit liability for unforeseeable risk, it is inappropriate to rely on it when data breaches are foreseeable due to inadequate security measures. Because data breaches occur in cyberspace, which inherently lacks in-person contact, they rarely produce physical damage and typically result only in purely economic harm. If these cases are never pursued in the courtroom, laws will never develop to protect consumers and hold breached companies accountable. As of this moment, the Economic Loss Doctrine prevents data breach claims involving only economic harm from being heard in court, which is why it must be changed, and fast.
See generally Sara Ashley O’Brien, Giant Equifax Data Breach: 143 million people could be affected (Sep. 8, 2017), http://money.cnn.com/2017/09/07/technology/business/equifax-data-breach/index.html; Kevin McCoy, Cyber Hack got Access to Over 700,000 IRS Accounts (Feb. 26, 2016), https://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/.
In re Target Corporation Customer Data Security Breach Litigation, 64 F.Supp.3d 1304, 1309 (D.Minn. 2014).
Sovereign Bank v. B.J.’s Wholesale Club, Inc., 533 F.3d 162, 168 (3d Cir. 2008).
In re Sony Gaming Networks and Customer Data Security Data Breach Litigation, 613 F.Supp.2d 108, 127.
A plaintiff has the burden of demonstrating (1) that she has suffered an injury-in-fact, (2) that the injury-in-fact is fairly traceable to the defendant’s unlawful conduct, and (3) redressability. To prove injury-in-fact, a plaintiff must show “an invasion of a legally protected interest which is (a) concrete and particularized . . . and (b) actual or imminent, not just conjectural or hypothetical.” Further, a threat may be considered an injury so long as it is “certainly impending.” See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992); see Whitmore v. Arkansas, 495 U.S. 149, 158 (1990); see also Jeff Kosseff, Cybersecurity Law 53 (John Wiley & Sons, Inc., 1st ed. 2017) [hereinafter Kosseff].
Robins Dry Dock and Repair Co. v. Flint, 275 U.S. 303 (1927) (“[A] tort to the person or property of one man does not make the tortfeasor liable to another merely because the injured person was under a contract with that other, unknown to the doer of the wrong”); see Kosseff at 67.
In re Kinsman Transit Co. (Kinsman I), 338 F.2d 708 (2d Cir. 1964); In re Kinsman Transit Co. (Kinsman II), 388 F.2d 821 (2d Cir. 1968); see David W. Opderbeck, Cybersecurity, Data Breaches, and the Economic Loss Doctrine in the Payment Card Industry, 75 Md. L. Rev. 935, 950–51 (2016) [hereinafter Opderbeck].
See In re Kinsman Transit Co. (Kinsman I) at 708; see also Opderbeck at 950–51.
See In re Kinsman Transit Co. (Kinsman II) at 821; see also Opderbeck at 950–51.
Aikens v. Baltimore and Ohio R. Co., 501 A.2d 277 (1985).
Restatement (Second) of Torts § 282; see Scott J. Shackelford, Andrew A. Proia, Brenton Martell & Amanda N. Craig, Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 Tex. Int’l L.J. 305, 314 (2015) [hereinafter Shackelford].
Kosseff at 65; but see Michael Hooker & Jason Pill, You’ve been Hacked, and Now You’re Being Sued: The Developing World of Cybersecurity Litigation, 90 Fla. B.J. 30 (2016) [hereinafter Hooker] (“Some courts have gone so far as to hold a duty to protect against data security breaches exists only when a plaintiff voluntarily provides a defendant with personal information and thereby establishes a direct relationship with the defendant.”).
Hooker at 30 (outlining the specific areas of cybersecurity issues the SEC plans to increase focus on for future regulation); Shackelford at 322 (citing 16 C.F.R. § 314.3(a) (2014)) (referencing the FTC’s Safeguards Rule, which requires covered financial institutions to “develop, implement, and maintain a comprehensive information security program that . . . contains administrative, technical, and physical safeguards that are appropriate to [an organization’s] size and complexity, the nature and scope of [an organization’s] activities, and the sensitivity of any customer information at issue”); In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 514, 522 (N.D. Ill. 2011) (ruling that failure to comply with the payment card industry’s heightened PIN Security Requirements was enough to show Michaels did not meet the necessary standard of care); see Kosseff at 66 (“If the company is subject to mandatory security requirements, such as an industry standard set of protocols, courts may view those requirements as a legal duty, for the purpose of a negligence lawsuit.”).
Id. at 67 (“Perhaps the largest barrier to plaintiffs in negligence claims arising from data breaches is demonstrating that the breach of the legal duty caused a cognizable injury.”).
Hooker at 30 (“Perhaps the biggest obstacle for data breach class plaintiffs has been proving that the exposure of their personal information resulted in actual damages. Although a plaintiff’s Social Security number or other private information may have been improperly accessed, the plaintiff frequently cannot establish that this information actually was used in an unauthorized way.”).
Id. (“Moreover, if the plaintiff’s bank or credit card company provides reimbursement for the unauthorized access, which often occurs in data breach cases, there is obviously no recoverable loss.”).
See Economic Loss Doctrine in All 50 States, (Oct. 24, 2017) https://www.mwl-law.com/wp-content/uploads/2013/03/economic-loss-doctrine-in-all-50-states.pdf [hereinafter All 50 States].
In the In re Target data breach cases, the Economic Loss Doctrine stood as grounds for dismissal in five of the eleven states in which negligence claims were filed. The states where the Economic Loss Doctrine barred plaintiffs’ tort claims were Alaska, California, Illinois, Iowa, and Massachusetts; see Kosseff at 67.
See Jim Wren, Applying the Economic Loss Rule in Texas, 64 Baylor L. Rev. 204, 233 (2012) [hereinafter Wren] (“[A] majority approach establish[es] a bright line economic loss rule to bar negligence and potentially other tort actions for pure economic loss.”).
Id. (“[The] minority approach . . . rejects such a broad economic loss rule in favor of a more traditional but restricted foreseeability analysis.”); see All 50 States (“The Minority Rule essentially rejects the strict application of the [Economic Loss Doctrine] and allows a plaintiff to recover in tort for economic loss without limitation. The minority rule is followed loosely by only a handful of states . . . includ[ing] Arkansas, Connecticut, Louisiana, and Virginia.”).
See All 50 States(“[T]he Majority Rule in some states eroded into what has become known as the Intermediate Rule. [which] allows for tort recoveries under certain limited circumstances, attempting to differentiate between the disappointed consumer and the endangered consumer.”).
Id.(“The Intermediate Rule has advantages over the Majority Rule, and addresses some of its shortcomings. It offers equitable justice by looking at the nature of the defect.”).
Kosseff at 67 (“[S]ome states recognize an ‘independent duty’ exception to the doctrine, meaning that ‘the rule does not apply where the duty alleged is an independent duty that does not arise from commercial expectations.’ [S]ome states recognize an exception to the doctrine if there is a ‘special relationship’ between the plaintiff and defendant.”).
Wren at 270 n.347 (citing English v. Fischer, 660 S.W.2d 521, 524 (Tex. 1983) (Spears, J., concurring)) (explaining that “courts have found fiduciary or other special relationships in many familiar areas including agency, partnership, joint adventurers, insurance, oil and gas, and professional services”).
Stacey A. Carroll, Economic Loss Rule Article (last visited Dec. 13, 2017), http://carroll-firm.com/wp-content/uploads/2013/12/Economic-Loss-Rule-Article.pdf (citing Bulmer v. Southern Bell Tel. & Tel. Co., 317 S.E.2d 893, 895 (1984)) (“[S]pecial contractual relationships include . . . those between principal and agent, bailor and bailee, attorney and client, physician and patient, carrier and passenger or shipping, and master and servant.”).
See All 50 States (“The Independent Duty Rule acts as another exception . . . allow[ing] . . . recovery of economic loss damages in tort when an independent duty can be traced to a source other than the parties’ contract. Under this rule, economic damages are barred only when a contract expressly or by necessary implication elects to replace tort principles actually or potentially establishing an independent duty.”); A Rose by Another Name: The Economic Loss Rule and the Independent Duty Doctrine (Mar. 1, 2011), http://abnormaluse.com/2011/03/rose-by-any-other-name-economic-loss.html (“The test is not simply whether an injury is an economic loss arising from a breach of contract, but rather whether the injury is traceable also to a breach of tort law duty of care arising independently of the contract.”).
See Opderbeck at 938 (“Today’s global economy cannot function without the Internet, the ‘cloud,’ email, networked computer automation, and other components of ‘cyberspace,’ including the global consumer credit card payment networks.”).
See Shackelford at 319 (citing Ponemon Inst., 2010 Annual Study: U.S. Cost of a Data Breach 32 (2011)) (“[C]ompanies with CISOs have been show[n] to save more than 20% on data breach costs over those that do not.”).
Hooker, supra note 13, at 30.