Diana Reuter, left, and Brian Kint, right, with Cozen O'Connor.

Courts have increasingly been called upon to examine whether organizations have a duty under the common law to protect and secure the personal data of their employees, clients and customers. Where courts have recognized that duty, they then have to determine the standard of care required to meet it. While the duty and the attendant standard of care are likely to develop slowly if left to the common law, tort theories of negligence may provide the necessary flexibility that organizations need in the data security context.

Plaintiffs may pursue tort theories of liability because the duty of data security that exists in nontort contexts generally does not provide an effective remedy for the individual whose data is exposed in a data breach. For example, certain statutory and regulatory frameworks, such as the HIPAA Security Rule and the New York Department of Financial Services' Cybersecurity Regulation, create a duty of data security. Nevertheless, these frameworks are focused on particular industry sectors, do not apply more broadly, and generally do not include a private right of action. Similarly, the FTC and state attorneys general have defined a failure to adequately secure personal data as an unfair trade practice under consumer protection laws, but those laws often do not provide a private cause of action. Data breach notification laws may cause companies to implement security measures in an attempt to avoid the costs of a breach notification. With several notable exceptions, however, those laws do not explicitly create a duty of data security. And data breach notification laws, for the most part, do not create private rights of action.

A duty of data security based in contract is also unlikely to help an individual whose personal information is part of a data breach. While companies increasingly will contractually require their vendors and service providers to adhere to specified data security standards when handling the personal information of the company's customers, those contracts do not create a direct duty between the companies involved and the individual customers whose personal information is compromised. And courts oftentimes find a company's privacy policy to be "broad statements of company policy [that] do not generally give rise to contract claims." See Dyer v. Northwest Airlines, 334 F.Supp.2d 1196, 1200 (D.N.D. 2004). This is especially true where individuals cannot show that they actually read and relied on the privacy policy.

Given the limitations of the statutory and contractual frameworks, litigants have asserted a duty of data security under common law tort theories. These efforts have focused on three theories of liability.

First, litigants have advanced a duty of data security under the long-standing tort principle that a party has a duty to not take affirmative acts that unreasonably expose others to a risk of harm. See, e.g., In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F.Supp.2d 942, 966 (S.D. Cal. 2014). This theory, however, can run into problems in the data security context because data breaches are often not the result of the breached company's affirmative acts. Rather, they are often the result of the breached company's failure to act, such as failing to encrypt data, and the affirmative act of an unknown hacker. Some courts have seized on this distinction and refused to recognize a duty when faced with this situation. See, e.g., Veridian Credit Union v. Eddie Bauer, 295 F.Supp.3d 1140, 1158 (W.D. Wash. 2017).

A second theory, based on a foreseeability of harm analysis, attempts to overcome this problem. Under this theory, a party has an affirmative duty to act where that action is necessary to protect another from the foreseeable acts of a third party. See, e.g., In re Target Customer Data Security Breach Litigation, 64 F.Supp.3d 1304, 1308 (D. Minn. 2014). This theory, however, also has its limitations. It requires an act by a third party, and therefore does not provide a viable claim where a data breach is accidental or caused solely by the actions of the breached party. It also requires specific foreseeability, such as well-known vulnerabilities of a certain system or highly publicized data breaches in a certain industry. A party that is simply caught off guard may be able to avoid liability.

A third theory of a duty of data security focuses on the relationship between the parties. For example, courts have ruled that a defendant has a duty to secure personal data that it collects as a condition of employment, Dittman v. UPMC, 196 A.3d 1036, 1047 (Pa. 2018), or as a condition to obtain life insurance, Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 535 (Sup. Ct. 2004). These courts sometimes emphasize the fiduciary-like nature of the parties' relationship in these instances. Yet other courts have specifically rejected a duty of data security based solely on the relationship between the parties. See, e.g., Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28-29 (Ill. App. Ct. 2010). It also remains to be seen whether the jurisdictions that have embraced this theory will extend it to data acquired in arm's-length commercial transactions or limit it to situations where there is a special relationship between the breached entity and the affected individuals.

Even when courts recognize a duty of data security under tort theories, the question remains as to what standard of care meets that duty.

One option is to import the statutory and regulatory standards discussed earlier as evidence of negligence. Courts often do this in other contexts, such as violations of FDA regulations in products liability lawsuits. See Godelia v. Doe, 881 F.3d 1309, 1318 (11th Cir. 2018) ("In Florida, the violation of a statute may be utilized as evidence of negligence."). A problem may arise in the data security context, however, because the statutory and regulatory standards often employ a "reasonableness" standard that is designed to be flexible based on an entity's size, its organizational structure, and the potential risk of harm should the data be improperly accessed or disclosed. For example, the European Union's General Data Protection Regulation (GDPR), one of the world's most comprehensive data protection laws, does not define specific security measures an organization should have in place. Rather, it requires a level of security "appropriate to the risk," taking into account the state of the art, the costs of implementation and the nature of the personal data to be protected. See Regulation (EU) 2016/679 of the European Parliament and of the Council (Art. 32). Without more, such as expert testimony, these regulations may be of little help to a jury that is tasked with determining whether a defendant acted reasonably.

Another option is to evaluate an organization's data security plan in light of industry standards. While some of these industry standards employ a reasonableness or appropriateness standard like the statutory and regulatory frameworks described above, others provide requirements that are more concrete. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework focuses on "appropriate safeguards." The Center for Internet Security (CIS) Controls, on the other hand, are more prescriptive, setting out industry best practices. The more concrete standards could help inform a jury of the specific security requirements expected of an organization.

Notably, the clarification of the standard of care is likely to be a slow process if left to the courts and the common law. Data breach lawsuits face a number of obstacles that prevent them from reaching the merits, even if a duty is firmly established. Litigants in federal court may be unable to demonstrate the concrete injury necessary for Article III standing. See, e.g., Spokeo v. Robins, 136 S.Ct. 1540 (2016). Courts may view any increased risk of future harm as too speculative to maintain suit. See Randolph v. ING Life Insurance & Annuity, 486 F.Supp.2d 1, 8 (D.D.C. 2007) ("Plaintiffs' allegations … amount to mere speculation that at some unspecified point in the indefinite future they will be the victims of identity theft."). The plaintiffs may be unable to prove compensable damages. And even where compensable damages can be proven, they are likely to be insubstantial, making class action litigation, which faces the obstacles of class certification, the only economically viable means of relief. All of these factors, combined with the prevalence of settlement in civil litigation, mean that few data breach cases are likely to reach the merits and provide guidance on defining the standard of care in data security cases.

In any event, development of the standard of care through tort litigation has advantages. Data security is largely standards based, not rules based, and this flexibility serves the unique needs of organizations of all sizes. Similarly, a reasonableness standard under tort theories leaves room for industry and corporation-specific interpretations. It seems likely that a corporation able to show a good-faith effort toward meeting any data security framework appropriate to its size, resources and context will meet the reasonableness threshold.

Brian Kint is a Philadelphia-based member of the technology, privacy and data security practice at Cozen O'Connor. Kint's mix of legal knowledge and IT experience makes him uniquely situated to advise clients on constantly changing data privacy and cybersecurity issues. He is both an attorney and a Certified Information Privacy Professional (CIPP/US & CIPP/E). He can be reached at [email protected].

Attorney Dianna Reuter is a privacy and security analyst at the Children's Hospital of Philadelphia. There she manages the privacy law efforts of a team of skilled biomedical and data science professionals in the creation of a data and informatics program that links clinical and biological data and provides world-class computational tools to solve pressing issues in child health.