Commercial, governmental, and nonprofit organizations are more frequently reporting instances of data security breaches. This has, in turn, raised fears of identity theft. In some limited instances, companies that maintain large amounts of personal information—such as credit reporting agencies—have been subject to statutory duties to protect that personal information. In some instances, such legislation has also permitted a private cause of action for breach of these duties. Legislatures have expanded these statutes to encompass, at least to a limited degree, all business entities that collect personal information. Recent precedent indicates that courts may follow this trend by declaring security breaches generally foreseeable, and finding a common law duty on the part of companies to protect their data. The ability of a plaintiff to prove compensable harm from the negligent release of personal information, however, may be more difficult than showing the existence of a duty.
Derek A. Bishop, To Serve and Protect: Do Businesses Have a Legal Duty to Protect Collections of Personal Information?, 3 Shidler J. L. Com. & Tech.
Available at: https://digitalcommons.law.uw.edu/wjlta/vol3/iss2/3