The Duty of Data Security

By William McGeveran.

With the increasing size and frequency of data breaches, several aspects of the law such as regulatory powers and penalties merit reconsideration. Some critics, however, have argued that the law makes the duty of data security inherently unclear—in the words of one legal brief, “an unknown (and unknowable) standard.” Under this view, private entities warehouse vast quantities of personal data, but cannot possibly ascertain the obligations the law imposes on them to protect it.

That claim is balderdash. This Article demonstrates that the law is already settling upon a well-defined, if context-dependent, duty of data security. It examines fourteen different sources of data security obligations for private companies in the United States, half of them formal legal rules and half derived from the private ordering of industry-based requirements. This analysis demonstrates how all these frameworks, selected to represent the breadth of data security obligations, are converging on a common set of standards. The numerous sources of a duty of data security sound together in harmony, not cacophony. The nascent consensus formulates a duty just as clear as countless other requirements of reasonableness that permeate the law.

In addition, this Article identifies normative justifications for the content and nature of this emerging duty of data security, particularly its underpinning in principles of reasonableness and risk assessment. Indeed, the duty of data security is taking its early steps along a well-worn path in the law. It is being guided by deeply familiar legal forces, including the preference for standards over rules when governing fast-moving and complex subjects; the adoption of industry custom, which has shaped law from early contract doctrine to modern professional liability; and even a version of Judge Learned Hand’s cost-benefit calculus from the legendary Carroll Towing decision.