A Private Enforcement Remedy for Information Misuse

Abstract

Misuse of users’ personally identifiable information is persistent and pervasive. This Article addresses two questions: why is information misuse so common and so severe and how could domestic law change to make it less so? I use a simple model to illustrate that companies externalize information misuse costs onto users, which has two related but distinct effects: chronic underinvestment in information security and excessive retention of user data. I then seize on this observation to propose a specific legal vehicle at the heart of this Article—a private enforcement remedy. This private enforcement remedy has four essential features. First, the remedy must be created under state law. State law provides a viable alternative when federal courts have used the constitutional standing doctrine to express overt hostility to privacy harms. Second, the law should impose a fiduciary duty on entities that collect or retain users’ information. Structuring the remedy this way insulates it from attack by a weaponized First Amendment. Third, breach of an information fiduciary’s duty should be a strict liability tort. The arguments for strict liability in products liability cases apply with even greater force to informational harms. Fourth, the statute that creates this private enforcement remedy should prescribe a schedule that begins with nominal damages and attorney’s fees for strict liability, and it should increase monetary penalties with a defendant’s culpability. The remedy’s central purpose is to reshape incentives, so the damages schedule should not be unduly punitive or effect a windfall for plaintiffs’ attorneys.