The Economic Loss Doctrine & Data Breach Litigation: Applying the “Venerable Chestnut of Tort Law” in the Age of the Internet

Abstract

Data controllers and processors are increasingly finding themselves the targets of hackers who steal the personal identifiable information (PII) stored in their systems and sell it on the dark web. Data subjects, whose PII is exposed in a data breach, routinely have been turning to data breach litigation as a means of compensation for the damages that they suffer. Routinely, plaintiffs have pleaded negligence causes of action against data controllers or processors. A plaintiff’s ability to overcome procedural hurdles, not the merits of their case, often dictates the success or failure of these tort claims. One prominent hurdle is the economic loss doctrine (ELD), a rule that restricts tort recovery for purely economic damages. The ELD is a ubiquitous doctrine with a variety of applications and paradigms in tort law. Data breach litigation, however, does not implicate the doctrine’s policy goals of promoting private ordering and preventing unlimited and unforeseeable liability. Instead, this Note argues that the ELD in data breach litigation should be more pliable and include a special relationship test that the plaintiffs are presumed to satisfy.