A Private Enforcement Remedy for Information Misuse

57 Pages Posted: 21 Mar 2019 Last revised: 4 Nov 2019

See all articles by Peter Ormerod

Peter Ormerod

Northern Illinois University College of Law

Date Written: February 23, 2019

Abstract

Misuse of users’ personally identifiable information is persistent and pervasive. This article addresses two questions: Why is information misuse so common and so severe? And how could domestic law change to make it less so?

I use a simple model to illustrate that companies externalize information misuse costs onto users, which has two related but distinct effects: chronic underinvestment in information security and excessive retention of user data. I then seize on this observation to propose a specific legal vehicle at the heart of this article—what I call a private enforcement remedy. This private enforcement remedy has four essential features.

First, the remedy must be created under state law. State law provides a viable alternative when federal courts have used constitutional standing doctrine to express overt hostility to privacy harms.

Second, the law should impose a fiduciary duty on entities that collect or retain users’ information. Structuring the remedy this way insulates it from attack by a weaponized First Amendment.

Third, breach of an information fiduciary’s duty should be a strict liability tort. The arguments for strict liability in products cases apply with even greater force to informational harms.

Fourth, the statute that creates this private enforcement remedy should prescribe a schedule that begins with nominal damages and attorneys’ fees for strict liability, and it should increase monetary penalties with a defendant’s culpability. The remedy’s central purpose is to reshape incentives, so the damages schedule should not be unduly punitive or effect a windfall for plaintiffs’ attorneys.

Keywords: digital privacy, cybersecurity, data breach, information security, data misuse, standing, Spokeo v. Robins, information fiduciary, Sorrell v. IMS Health, strict liability, nominal damages, federal courts

Suggested Citation

Ormerod, Peter, A Private Enforcement Remedy for Information Misuse (February 23, 2019). 60 B.C. L. Rev. 1893, Available at SSRN: https://ssrn.com/abstract=3340674

Peter Ormerod (Contact Author)

Northern Illinois University College of Law ( email )

Swen Parson Hall
DeKalb, IL 60115
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
124
Abstract Views
1,269
Rank
407,732
PlumX Metrics