A Duty to Safeguard: Data Breach Litigation Through a Quasi-Bailment Lens

Publication year: 2018


Miles Christian Skedsvold
University of Georgia School of Law


I. INTRODUCTION....................................................................................................202

II. BACKGROUND.....................................................................................................205

A. THE TYPICAL CAUSES OF ACTION................................................................206
1. Shareholder Derivative Suits.......................................................206
2. Securities Fraud Class Actions....................................................206
3. Governmental Enforcement Actions.............................................207
4. Consumer Class Actions..............................................................208
B. THE QUASI-BAILMENT THEORY....................................................................213

III. ANALYSIS............................................................................................................215

A. INDIVIDUALS HAVE A PROPERTY INTEREST IN THEIR PII......................................................................................215
B. COMMERCIAL TRANSACTIONS INVOLVING PII MAY PLAUSIBLY INVOLVE A BAILMENT AGREEMENT..........................................................220
C. PROTECTING PII AGAINST THIRD-PARTY CRIMINAL ACCESS FALLS WITHIN THE SCOPE OF THE IMPLIED BAILMENT AGREEMENT...........................................................................................................223
D. WHILE A BAILEE CANNOT "RETURN" PII IN THE ORDINARY SENSE, THE BAILEE RETAINS OR DISPOSES OF THE PII ACCORDING TO CONDITIONS OF THE BAILMENT IMPLIED IN CUSTOM...........................................................................................224

IV. CONCLUSION......................................................................................................225


I. INTRODUCTION

This Note was not originally about Equifax. I decided to write a Note about Data Breach Litigation during my 1L summer internship, after working on the early stages of a putative class action lawsuit against a healthcare provider. The breach involved compromising the personally identifiable information (PII)—including sensitive medical information—of as many as 531,000 people. At the time, I thought that was a lot.

The project ended up occupying a fair amount of my time that summer, and by the time classes started back I thought I had something of a pet theory for stating a common law claim for negligent data security. This Note will make the case for that theory.

Then Equifax. In early September, news broke that Equifax had been the victim of one of the largest data breaches ever recorded.1 The breach, Equifax told us, compromised the personally identifiable information of as many as 143 million Americans—nearly half the adult population of the United States.2 Perhaps most striking was CNN's report that

[u]nlike other data breaches, not all of the people affected by the Equifax breach may be aware that they're customers of the company. Equifax gets its data from credit card companies, banks, retailers, and lenders who report on the credit activity of individuals to credit reporting agencies, as well as by purchasing public records.3

It wasn't long before I would tell a classmate, a professor, or a friend about my Note topic, and they would reply, "Oh cool, so you're writing about Equifax?" And so it was—my Note was swept up in the breach. Fine. I guess I'm writing about Equifax.

But, in reality, there is more than that at stake here. What I fear will escape notice is that, depending on who you ask, Equifax isn't even the largest recorded data breach,4 and it certainly wasn't the only one this year. Said another way, this was not a one-off event. Years before the Equifax breach, data from the U.S. Department of Health and Human Services noted 1,059 breaches impacting close to 32 million individuals.5 In 2017 alone, Yahoo, Uber, Verizon, and NetProspex all suffered breaches affecting no fewer than 14 million people—each.6

Even before news of the Equifax Breach broke, data security concerns were becoming more common and more pressing. "In the course of our everyday activities, we routinely reveal our names, addresses, and social security numbers as well as our financial decisions, health problems, tastes, habits, political and religious affiliations, sexual orientation, hobbies, and love affairs."7 Some such transactions are unavoidable, like healthcare, insurance, employment and taxation, and even benefits and entitlements. The frightening reality is that once the information is conveyed, one loses the ability to ensure its security.

Certainly, steps can be taken to protect oneself against identity theft and related harm—but no system is foolproof. Moreover, even to the extent such harm can be remedied, it is not difficult to imagine contexts in which a credit freeze or similar remedy itself causes meaningful harm by hobbling a person's ability to make large-scale and important purchases. The more immediate impact, however, is seen in the estimated $4.1 billion consumers would end up paying to freeze their credit.8

The other side of the data-breach coin is that commercial entities collecting and storing large quantities of PII face a constant threat of criminal hacking to steal and sell customer PII on the black market.9 Estimates placed Equifax's losses from the breach between $200 and $300 million by Christmas 2017.10 Moreover, it is virtually impossible to monetarily gauge what is, without a doubt, an unprecedented loss of consumer confidence in corporate information storage.11

Where there is a loss, there is a lawsuit. On September 11th, 2017, less than a week after the breach was announced, Reuters reported that more than thirty lawsuits had already been filed.12 It appears that dozens more were filed in subsequent weeks,13 but exact numbers are difficult to estimate amid consolidations, venue changes, voluntary dismissals, and suits against Equifax unrelated to the breach. Most of these are still in the early stages as this Note is being revised in early January 2018. Plaintiffs include individuals, financial institutions,14 and even the City of San Francisco.15

While most states have statutes that require consumer notification of a data breach,16 many do not yet have statutes directly governing data security practices.17 In the absence of an overarching framework, the problem that presents itself is that a multi- and cross-jurisdictional problem is treated in vastly different ways, and sometimes not addressed at all. This uncertainty creates numerous problems in a commercial world based more and more on the collection, sale, and storage of PII.

For one thing, victims of PII theft due to negligent security are often left largely without remedy.18 Credit monitoring is generally "the universal 'band aid' offered to consumers,"19 but it is by no means a complete solution. Credit monitoring detects only credit fraud—not the scores of other vehicles for fraud using PII—and it lasts for a finite amount of time.20 As one senior industry analyst put it, "[b]ad guys can be very patient, so it's important to keep an eye out long after this story fades from the headlines."21

Conversely, holders of PII can face tremendous uncertainty with respect to their responsibility to safeguard information across jurisdictions, even in neighboring states.22 The nature and scope of statutory duties differ, in turn requiring complicated compliance regimes.23 Even before the Equifax breach, the "patchwork" of federal and state laws and regulations governing data security was "generating more interest than ever" as businesses that store consumer information wondered "how these developments should impact their data security practices."24

This Note argues that litigants and courts should conceptualize a duty to safeguard PII under a bailment theory. Despite the relative novelty of the factual scenario, recognizing such a duty is simply a question of applying firmly established common law principles. The first such principle is the intangible property right a person holds with respect to their PII. By definition, such information is specific to the individual and is widely recognized as being for the beneficial use of that individual as a participant in society. Next, although PII is not a tangible "thing," and certainly not a single "thing," the trust involved in giving it over to another party in order to facilitate the exchange of money for goods or services is reminiscent of a common law bailment for mutual benefit. Finally, age-old principles of property law establish a duty of reasonable care with respect to the object—the breach of which gives rise to a cause of action for negligent data security.

Part II of this Note will discuss the background of data security litigation, including state and federal statutory duties, the gaps and problems associated with inconsistent treatment among these authorities, and the common law principles involved in asserting a duty to safeguard. Part III of this Note will analyze the rights individuals have in their personally identifiable information and the dynamics of the commercial bailment relationship created by the exchange of PII. Part IV will conclude by arguing that courts and litigants should conceptualize the standard cause of action for negligent data security under a quasi-bailment theory.

II. BACKGROUND

Relatively speaking, litigation of data breaches as such is still in its infancy. Thus,

[d]espite this groundswell of potential claimants, there is no single set of laws setting forth the legal duty of care or the bases for civil liability in data breach settings. Consequently, aggrieved
