Data breaches are pervasive and costly. Recent civil data breach cases have centered on the consumer credit card payment chain in the retail industry. An important issue in such cases is whether the economic loss doctrine should bar negligence claims for purely pecuniary losses suffered by a non-negligent party, such as an issuing bank or a federal credit union that must incur costs to reimburse cardholders for the fraudulent use of stolen card numbers.
The economic loss doctrine should not bar these claims. Large-scale data networks, such as consumer credit card networks, often entail significant network externalities. These include externalities relating to market concentration as well as to the “weakest link” nature of security in these networks. Although the primary players in these networks are tied together in a complex web of contractual relationships, there are significant transaction costs involved with any effort to change or monitor another party’s security measures. Moreover, “outside” entities such as third-party payment processors, which are not in contractual privity with all other parties in the network, have become ubiquitous. Under these circumstances, a negligence rule should help improve cybersecurity hygiene and promote a more robust cyber risk insurance market.
75 Md. L. Rev. 935 (2016)