Last week, in an opinion piece in the Washington Post, WashU law professor Danielle D'Onfro proposed one way to hold Equifax accountable: "some old-fashioned judge-made doctrine." According to D'Onfro, "the data economy has outgrown our consumer protection regulations and we are on our own." She refers to a "Swiss cheese system of regulations that carry sanctions that are far smaller than they look," and, because "[t]hose costs are predictable, . . . companies can treat sanctions for non-compliance as a cost of doing business." In D'Onfro's view, it may be time to "admit that our experiment with prospectively regulating consumer protection has failed and return consumer protection to judges." For historical reference, she points to the judge-made doctrine of strict products liability. For D'Onfro, a robust common law approach is especially needed in "under-regulated fields such as privacy."
I certainly wouldn't say that our statutory consumer protection regime has "failed," but I think many would agree that it's been too slow to address some emerging consumer protection issues, like privacy and data security. The question at the end of the day is, what's the best way to avoid another Equifax from happening? You can bet that companies would improve their data security practices if they knew that they'd be strictly liable for any harm resulting from a breach.
Courts are starting to see Equifax litigation. Apparently, more than 50 class action lawsuits have already been filed, and, as was noted on this blog yesterday, Massachusetts Attorney General Maura Healey filed the nation's first enforcement action. One of the first private class action complaints filed alleges a single claim of negligence under Oregon state law. Obviously, the litigation is just getting started, but we'll soon see how the common law responds to the Equifax breach.
