Following a data breach or other cyberattack, the concept of “reasonable” duty, broadly construed, is essential to a plaintiff’s potential causes of action, such as negligence, negligence per se, breach of contract, breach of fiduciary duty, and any number of statutory claims. An organization’s discretionary choices, such as whether to take specific security steps for a system, may create risk to an individual, to another organization, or to the organization itself. Although organizations regularly engage in cybersecurity risk analysis, they may not understand which practices a court of law will consider reasonable and are therefore unable to anticipate downstream legal issues. Attorneys are likewise unable to confidently advise their clients on how best to avoid liability. This Article examines, in detail, potential sources for reasonably defining duty, and how organizations and attorneys might consider legal duty through the lens of cybersecurity risk management.
Specifically, I call for a two-part cybersecurity duty analytic model: static, or objective, duty informed by industry practices, and dynamic, or subjective, duty informed by situational risk. For some doctrinal areas, this may work primarily as an analytic model, while for others, such as negligence, it could be formalized as a test. With a model for analyzing what cybersecurity duty ought to be, organizations can adequately understand how potential legal risk might be evaluated, and can implement practices that protect would-be plaintiffs and avoid liability.
Moreover, courts can use this model to determine whether organizations have made decisions that avoid real, foreseeable risk to the plaintiff. Indeed, amidst an increasing frequency and diversity of cyberliability claims, legal analysis informed by actual risk analysis ensures that reasonable, rather than perfect, cybersecurity practices can be developed precedentially over time.
Charlotte A. Tschider is an Assistant Professor at the Loyola University Chicago School of Law. I would like to thank the many people who have shaped the creation of this Article, offering guidance and draft reviews along the way, including Gus Hurwitz, David Thaw, Derek Bambauer, William McGeveran, Lauren Scholz, Blake E. Reid, and Sharon K. Sandeen. I would like to especially thank Steven M. Bellovin and participants of the 2020 Privacy Law Scholars Conference for their thoughts on the topic, my exceptionally talented research assistant, Annalisa Kolb, for her analysis of cases that led to this paper, and the editorial board of the Yale Law & Policy Review, especially Ali Fraerman, for excellent recommendations on edits to this Article.