The Duty of Data Security

74 Pages. Posted: 7 Jul 2018. Last revised: 13 Dec 2018.

William McGeveran

University of Minnesota Law School

Date Written: June 19, 2018

Abstract

As data breaches become larger and more frequent, the question naturally arises: what precautions does the law require of the data custodians who hold our personal information in their digital files? What is the legal duty of data security? According to some scholars and lawyers, the law is insufficiently specific, concrete, or uniform to answer that question. Attorneys representing companies that have been breached go so far as to argue that the duty of data security is “an unknown (and unknowable) standard.” Under this view, private entities warehouse vast quantities of personal data, but cannot possibly ascertain the obligations the law imposes on them to protect it.

That claim is balderdash. This Article demonstrates that the law is already settling upon a well-defined, if context-dependent, duty of data security. It examines fourteen different sources of data security obligations for private companies in the United States, half of them formal legal rules and half derived from the private ordering of industry-based requirements. This analysis demonstrates how all these frameworks, selected to represent the breadth of data security obligations, are converging on a common set of standards. The numerous sources of a duty of data security sound together in harmony, not cacophony. The nascent consensus formulates a duty just as clear as countless other requirements of reasonableness that permeate the law.

In addition, this Article identifies normative justifications for the content and nature of this emerging duty of data security, particularly its underpinning in principles of reasonableness and risk assessment. Indeed, the duty of data security is taking its early steps along a well-worn path in the law. It is being guided by deeply familiar legal forces, including the preference for standards over rules when governing fast-moving and complex subjects; the adoption of industry custom, which has shaped law from early contract doctrine to modern professional liability; and even a version of Judge Learned Hand’s cost-benefit calculus from the legendary Carroll Towing decision.

Keywords: Cybersecurity, Data Security, Privacy, Information Privacy, Cyberlaw, Consumer, FTC, Insurance

JEL Classification: K10, K20, K23

Suggested Citation

McGeveran, William, The Duty of Data Security (June 19, 2018). 102 Minnesota Law Review, 2018, Forthcoming, Available at SSRN: https://ssrn.com/abstract=3198872

William McGeveran (Contact Author)

University of Minnesota Law School

229 19th Avenue South
Minneapolis, MN 55455
United States
