Sarah Ludington (Duke University School of Law) has posted Reining in the Data Traders: A Tort for the Misuse of Personal Information (Maryland Law Review, Vol. 66, 2006) on SSRN. Here is the abstract:
In 2005, three spectacular data security breaches focused public attention on the vast databases of personal information held by data traders such as ChoicePoint and LexisNexis, and the vulnerability of that data. The personal information of hundreds of thousands of people had either been hacked or sold to identity thieves, yet the data traders refused to reveal to those people the specifics of the information sold or stolen. While Congress and many state legislatures swiftly introduced bills to force data traders to be more accountable to their data subjects, fewer states actually enacted laws, and none of the federal bills were taken to a vote before the election in 2006. In large part, individuals remain powerless to discover the information a data trader holds about them, to discover what information was sold or stolen, to prevent data traders from using their personal information in unauthorized ways, or to hold data traders accountable for lax security.
The Article argues that a new common law tort should be used to force reform and accountability on data traders, and to provide remedies for individuals who have suffered harm to their core privacy interests of choice and control - choice about who may receive their information, control over the information revealed, and how the recipient of that information may use it. The Article examines the current legislative and common law regimes, concluding that there are no effective remedies for individuals who have suffered harm from data misuse. Given the ineffective legislative response to the security breaches of 2005, the Article argues that the existing scheme of common law privacy torts should be expanded to create a new tort for information misuse. The new tort borrows from existing privacy torts - in particular, the tort of appropriation - and existing privacy statutes, importing the Fair Information Practices from the Privacy Act of 1974 as a standard of care.