Imagine a chemical company accidentally disperses toxic gas over a neighborhood. Instead of telling residents right away, the company waits six weeks. Rather than directly informing everyone affected, the company tells citizens to enter their address online to see if they were exposed.
The company offers a year of health monitoring to those who register within a narrow time window, but has no plan to compensate those whose monitoring reveals bad news. Those who don’t sign up on time are on their own.
Now imagine that there is a judge, who is supposed to help hold the chemical company accountable — and has all the tools to do so — but waits for a government regulator to take the lead. Because there are no laws about this exact kind of gas leak, the judge decides that the chemical company doesn’t owe anybody anything.
Hard to imagine? Yet here we are.
Essentially, this is what has happened after the revelation that a data breach at Equifax exposed the personal information of more than half the nation’s adults. The company’s best offer is free credit monitoring for a year, but only after victims provide more personal information. Equifax has no public plan to compensate those impacted, because our laws do not require it to pay the actual cost of this kind of harm.
Having personal data exposed online might feel less frightening than toxic gas. But data breaches cause serious harm. Imagine applying for a mortgage or a loan to pay your daughter’s college tuition and finding that identity thieves had amassed debts in your name. You might be able to right the situation, but how many hours and how much in legal fees would it take?
The whole economy will feel the pain. Indeed, every company not named Equifax will suffer, as their employees spend working hours worrying about what to do about the breach, signing up for credit monitoring and waiting to reach customer-service agents.
Simply put, the data economy has outgrown our consumer-protection regulations and we are on our own. We’re stuck, waiting for Congress to act while lobbyists encourage it to wait.
It does not have to be this way. More than a half-century ago, U.S. judges realized products and supply chains had become so complicated that victims could never prove exactly what or who caused their harm. Thus emerged the doctrine of strict products liability — the legal principle based in common law that manufacturers, distributors and sellers are liable for any injury their products cause, regardless of how well-designed the product is or who is ultimately responsible for the harm.
Legislatures have codified those rules, but it was judges — who see both victims seeking compensation and companies struggling to stay above water — who made the rule. This system worked: Obligations fell on those who could meet them, products became safer, reckless companies went out of business.
But common law has faltered. Our risks today come from data, not things. Companies like Equifax don’t face the bet-the-company liability that companies making things do. Instead, they worry only about a Swiss cheese system of regulations that carry predictable sanctions, so companies can treat them as a cost of doing business.
This is why so many data and finance companies keep harming consumers. Companies wouldn’t allow these breaches if they had to compensate society for their harms. Perhaps it’s time to admit our experiment with regulating consumer protection has failed and return consumer protection to judges.
Especially in under-regulated fields such as privacy, some old-fashioned judge-made doctrine could bring the accountability we lack. And if the legislature does not like the result, it can always change the law.
Danielle D’Onfro is a law lecturer at Washington University in St. Louis.