Marian K. Riedy


Over the past decade, the number of security breaches that have compromised business records containing the personal information of millions of American consumers has soared. The legal world has largely responded in a traditional fashion: by rushing to the courthouse seeking damages for various alleged injuries from the same businesses that had their computers and networks breached by criminal hackers. Corporate misconduct is a classic justification for expending societal resources to hold a company accountable and deter other companies from engaging in similar, harmful conduct. However, company data on consumers and clients may be compromised in situations involving no corporate misconduct. In fact, in many situations the hacker is the primary culprit. The theft of personal information causes minimal harm to consumers, while the business (the putative defendant) suffers far greater costs associated with a breach. Prevention is costly and difficult, and predicting which companies will be hacked, as well as the means by which it will occur, is next to impossible. For these and other reasons, it may be time to consider a data victims' compensation fund in lieu of private civil litigation. This fund would provide a more efficient and effective mechanism for identifying and exacting financial penalties from only the truly "bad apples" (companies that significantly fail to employ reasonable measures to secure data). Additionally, the fund would provide prompt and fair compensation to individuals harmed by a data breach.