Danielle K. Citron has put a new paper on SSRN,
“Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of the paper reads:
A defining problem at the dawn of the Information Age will be securing computer databases of ultra-sensitive personal information. These reservoirs of data fuel our Internet economy but endanger individuals when their information escapes into the hands of cyber-criminals. This juxtaposition of opportunities for rapid economic growth and novel dangers recalls similar challenges society and law faced at the outset of the Industrial Age. Then, reservoirs collected water to power textile mills: the water was harmless in repose but wrought havoc when it escaped. After initially resisting Rylands v. Fletcher’s strict liability standard as undermining economic development, American courts and scholars embraced it once the economy matured and catastrophes such as the Johnstown Flood made those hazards impossible to ignore.
Public choice analysis suggests that a meaningful public law response to insecure databases is as unlikely now as it was in the early Industrial Age. The Industrial Age’s experience can, however, help guide us to an appropriate private law remedy for the new risks and new types of harm of the early Information Age. Just as the Industrial Revolution’s maturation tipped the balance in favor of early tort theorists arguing that America needed, and could afford, a Rylands solution, so too the Information Revolution’s deep roots in American society and many strains of contemporary tort theory support strict liability for bursting cyber-reservoirs of personal data instead of a negligence regime overmatched by fast-changing technology. More broadly, the early Industrial Age offers valuable lessons for addressing other important Information Age problems.