Tort litigation over data breaches—defined here as the theft of one’s confidential information entrusted to another in a business transaction—most commonly involves the negligence cause of action. These claims turn on a number of issues that require searching analysis, including the manner in which the economic loss rule affects the tort duty, the relation between the negligence standard of care and strict liability, and the appropriate forms of compensable loss. Substantive analysis of these issues shows that they all can be resolved in favor of the negligence claim, which in turn justifies a rule of strict liability. The economic loss rule does not provide a substantive rationale for barring tort claims because customers do not have the information necessary to adequately protect their interests by contracting. Moreover, the common-law tort duty can be independently justified by the legislative policy decisions embodied in statutes that regulate data breaches. To prove a breach of the duty to exercise reasonable care, the victims of identity theft will often face considerable evidentiary difficulties stemming either from the complexity of data-security systems or from the unreliability of other relevant evidence involving the conduct of defendant’s employees. For reasons recognized by tort law in analogous contexts, the evidentiary difficulties of proving negligence can justify a rule of strict liability for enforcing the tort duty to exercise reasonable care. Finally, the important forms of damages caused by identity theft—the cost of credit-monitoring services and the like, unauthorized charges, and any significant loss of time and emotional distress—are all compensable as a matter of basic tort principles. Strict tort liability in these cases ultimately finds justification in the important public policy of maintaining the integrity of market transactions.

