William & Mary Business Law Review


John A. Fisher


Every time we swipe our debit cards, pay our bills online, or sign up for a service like Netflix, we are entrusting important identifying information to the companies with which we do business. Most of the time, those companies take seriously the obligation to protect our data and prevent it from falling into the hands of those who would use it to benefit themselves at our expense. Some companies, however, fail to do enough to meet that burden, making it easier for identity thieves to inflict personal and financial injury on consumers. To date, our legal system has essentially denied consumers a remedy against these negligent businesses.

This Note seeks to explore the problem of data breach and offer solutions for both improving electronic data security and establishing a remedy for consumers. To elaborate on this problem, this Note examines two high-profile data breaches: the famous “TJX breach” and the more recent breaches suffered by the Sony Corporation. In both of these cases, millions of customers had their data exposed as a result of a failure to implement basic security protocols or update existing security models to incorporate advances in technology.

This Note will (1) examine the problem of data breach; (2) articulate means of establishing security standards for businesses; (3) argue for federal codification and regulation of those standards; and (4) argue that consumers should be empowered with a negligence cause of action, grounded in the theory of negligence per se, to hold businesses to those standards.
