Nick Szabo takes issue with an article I pointed to in “Reservoirs of Data” in his post, “Citron’s ‘data reservoirs’: putting liability at the wrong end of the problem”:
Bottom line: liability should be put on the low-cost avoider. This is not merely a rule of negligence but a guideline for determining where any kind of liability should fall in any new area of commerce. The idea that the data brokers are the low-cost avoiders in this system is highly implausible. Rather, here as with most other harms, it is those parties most proximate to the harm who can most easily prevent it. Furthermore, the evidence needed to hold parties liable will be far more reliably available for the proximate harmer than the remote data leaker.
Organizations that use widely distributed and easily leaked data like SSNs as authenticators, and who currently depend on such weak authentications for credit reporting and debt collection, can switch to more secure passwords at lower costs than would be imposed by Citron’s regime. Organizations that fail to use secure authenticators, especially organizations that report information to credit bureaus or attempt to collect debts based on insecure authenticators, should bear the liability for identity theft due to the known insecurity of those authenticators, rather than organizations who inevitably leak already widely distributed data.
Is the low-cost avoider really the debt collector? What about the cost to the consumer of a decreased credit score? Isn’t the low-cost avoider here the credit agency? Aren’t they well positioned to take note of discrepancies in the reports they aggregate?