The Denver Post

How to stop another Equifax-style data breach

- By Danielle D'Onfro

Imagine a chemical company accidentally disperses toxic gas over a neighborhood. Instead of telling residents right away, the company waits six weeks, breaking the news only after putting up a crisis-management website. Rather than directly informing everyone affected, the company tells citizens to enter their address online to see if they were in the exposure area.

The company offers a year of health monitoring to those who register within a narrow time window, but has no plan to compensate those whose monitoring reveals bad news. Those who don’t sign up for monitoring on time are on their own.

Now imagine that there is a government official, a judge, who is supposed to help hold the chemical company accountable — and has all of the tools to do so — but this official waits for a different government official, a regulator, to take the lead. Because there are no laws about this exact kind of gas leak, the judge decides that the chemical company doesn’t owe anybody anything.

Hard to imagine? Yet here we are. In essential detail, this is what has happened following revelation that a data breach at Equifax exposed the personal information of more than half of the nation’s adult population. The company’s best offer is free credit monitoring for a year, but only after victims provide more personal information. Equifax has no public plan to compensate impacted individuals and communities. And it need not have a plan, because our laws do not require it to pay the actual cost of this kind of harm.

Having personal data exposed online might feel less frightening than exposure to toxic gas. But data breaches cause serious harm. Imagine applying for a mortgage or a loan to pay your daughter’s college tuition and finding out that identity thieves had amassed debts in your name. You might be able to right the situation, but how many hours on the phone would it take? What kind of legal fees would you have to incur?

It isn’t just the direct victims of identity fraud who foot the bill. The whole economy will feel the pain of decreased productivity and reduced consumption. Indeed, every company not named Equifax will suffer in the coming weeks, as their employees spend working hours worrying about what to do about the breach, signing up for credit monitoring and waiting to reach customer-service agents.

Simply put, the data economy has outgrown our consumer protection regulations and we are on our own. We’re stuck, waiting for Congress to regulate while industry lobbyists encourage them to wait longer still.

It does not have to be this way. More than a half-century ago, U.S. judges realized that products and supply chains had become so complicated that victims could never prove exactly what or who caused their harm. Thus emerged the doctrine of strict products liability — the legal principle based in common law that manufacturers, distributors and sellers are liable for any injury their products cause, regardless of how well-designed the product is or who is ultimately responsible for the harm.

Legislatures have codified those rules, but it was judges — who see both the victims seeking compensation and the companies struggling to stay above water — who made the rule. This system worked mostly well: Obligations fell on those who could meet them, products became safer, reckless companies went out of business.

But common law has faltered recently. Regulatory interference has prevented it from adapting to modern risks. Our risks today come from data, not things. Companies like Equifax don’t face bet-the-company liability that companies making things do. Instead, they worry only about a Swiss cheese system of regulations that carry sanctions that are far smaller than they look. Those costs are predictable, so companies can treat sanctions for noncompliance as a cost of doing business.

This is why so many data and finance companies keep harming consumers. Companies wouldn’t allow these breaches of trust to keep happening if they had to compensate society for their harms. Perhaps it’s time to admit that our experiment with prospectively regulating consumer protection has failed and return consumer protection to judges.

This wouldn’t be judicial activism; it’s doing what the judiciary has done since our founding. Indeed, following the American Revolution, one of the first acts of the newly independent state legislatures was to pass reception statutes to import English common law and empower the new state judiciaries to continue making law in the common law tradition.

Especially in under-regulated fields such as privacy, some old-fashioned judge-made doctrine could bring the accountability that we currently lack. And if the legislature does not like the result, it can always change the law.
