Contributed by William C. Burnham, Monmouth County, New Jersey, 2L Roger Williams University Law School
A common motif in privacy law is the overarching concern for “consumer protection.” Curiously, these laws offer extremely limited avenues of recovery for individual consumer-victims of a data breach. Generally, most state data breach laws (and overlapping sector-specific federal laws) require commercial entities to merely notify consumers in a timely manner to avoid liability. If the commercial entity fails to timely notify consumers, it faces potential sanctions to individual states and federal agencies rather than the consumer-victim.
This appears to be a flaw in the overall scheme of privacy law—the same legal scheme that is built around a pillar of consumer protection. Accordingly, some consumers have sought recovery in the form of state tort and contract actions. (See Walgreen, Co. v. Hinchy 21 N.E.3d 99 (Ind. Ct. App. 2014)). The infamous Hinchy decision temporarily sent a chill down the collective back of the private sector, yet this case is confined to its riveting but very extreme set of facts. On the whole, it does not appear that state common law actions—absent egregious factual circumstances—are a true avenue for individual recovery.
The current patchwork quilt of American privacy law appears to offer only an illusory remedy to consumer-victims of data breaches. The only way to truly combat this flaw is to re-write significant portions of privacy law to provide adequate remedy for the actual consumers harmed by data breaches. Wholesale changes are admittedly politically unrealistic and raise counter policy concerns such as a sudden burden on the judiciary or the enigmatic “flood gates” concern. From the perspective of the consumer, rewriting privacy law to allow for private lawsuits may do more harm than good. Hypothetically, the cost liability of these lawsuits would likely be pushed on the consumer in the form of increased prices. Similarly, these lawsuits could deplete the coffers of a defendant-business and render it insolvent before more serious injuries to consumers manifest themselves. In sum, it is incumbent on policy makers to ensure that the consumer is, in fact, adequately protected. Allowing an avenue for individual lawsuits in the event of a data breach is potentially a rather axiomatic solution to the consumer protection hypocrisy in privacy law policy. Yet, if implemented, this solution must be appropriately tapered to preemptively address the various nuances and counter policy concerns that undermine such an approach.