Negligence Law - An Introduction
by John Bandler
Negligence is an important area of law that affects us all. As individuals and anyone making decisions about an organization, we need to appreciate basic principles of negligence law to guide our action. Further, it is an area of traditional law with deep implications for cybersecurity and privacy.
Negligence in a nutshell
A touchstone of negligence law is to act reasonably and diligently. That is a basic principle to guide conduct. After all, few organizations when promoting their goods or services (or when defending a legal claim) want to characterize themselves as sloppy, deficient, or reckless. Thus, when I am guiding organizations in complex areas of cybersecurity or privacy, one of my first areas of legal guidance is the exhortation to be reasonable and diligent, a direct reference to negligence law. In fact, many cybersecurity and privacy laws incorporate a "reasonableness" standard into their own language.
Other areas of law incorporate this reasonableness standard, including permissible reasonable use of force in self defense by a private citizen, or by police officers making and arrest and encountering resistance.
The traditional elements of negligence are duty, breach, and causation.
- Duty owed (e.g., the defendant owed the plaintiff a duty)
- Breach of that duty (the defendant breached the duty, failed to live up to a standard of care)
- Causation of damages (the breach of the duty caused damages to the plaintiff. Put more technically, the breach "proximately caused" the damages).
Let's look at each of these elements.
We all have general duties in our lives, and sometimes have specific duties. Here are some examples:
- Drivers on public roads have duties to comply with traffic laws and drive with reasonable care
- Doctors have duties to their patients
- Attorneys have duties to their clients
- Stores, hotels, and premises owners have duties to provide reasonable security and reasonably safe premises
- Organizations holding personal information of others may have a duty to employ reasonable cybersecurity
There are many circumstances where plaintiffs allege a breach of that duty, for example:
- A driver was inattentive, texting, speeding, going through a stop sign, etc. and thus violated a duty to drive carefully (thus causing an accident, etc.)
- A doctor breached a duty, botched a procedure or gave bad medical advice, committing malpractice, etc.
- A lawyer breached a duty, committed malpractice, etc.
- A store failed to keep floors clean, a customer slipped on a spill, etc.
- A hotel failed to employ reasonable security, the guest was assaulted by an attacker
- An organization failed to reasonably secure data, a cybercriminal breached the data
This final element requires establishing that the breach of the duty proximately caused damages to the plaintiff.
Proximate cause is a legal standard as whether the defendant's actions were sufficient to make the defendant responsible.
Proximate cause is a higher standard than "but-for causation", also known as "cause-in-fact" or "sine qua non" causation. "But-for" causation is easy to show, and there may be many such "but-for" causation factors for a particular incident. Again, "but-for" causation is insufficient to meet the legal standard of causation. As an example:
- A calls B at the end of the day with a business question and makes B late leaving work. B is driving home, and struck by C, who failed to stop at a stop-sign.
- Both A and C committed acts which are "but for" causes of the accident. If A hadn't called B, B would have been safely past the intersection when C went through it. If C had stopped at the stop sign, the accident would not have happened.
- Only C's action is the proximate cause of the accident. C failed to stop and yield at the stop sign, this proximately caused the accident.
There is a second part to this element, damages. (Note that the Wex summary linked to below actually divides the negligence elements into four, separating causation and damages, which is a concept I like). Thus the plaintiff needs to show that the breach caused the damages, and establish the amount of the damages that were caused.
Strict liability compared
Consider that some torts are "strict liability torts", where the plaintiff does not need to show any negligence at all, no breach and no duty and no failure to meet a reasonable standard of care. All the plaintiff needs to show is that the defendant engaged in certain conduct and that caused damages.
Negligence and safety on physical premises
As I teach private security and law and as I apply negligence concepts to the cyber realm, it is helpful to discuss how negligence principles apply in a physical premises.
A property owner or manager may have a duty to maintain a reasonably safe property for anyone that it is reasonably anticipated may visit. Thus:
- A grocery store may have a duty to maintain reasonably clean floors, without trip hazards
- Property owners may have a duty to maintain the sidewalk, and clear snow and ice or other hazards
- Reasonable security measures against crime may need to be implemented (see next).
Applying negligence to brick-and-mortar security
Property owners and managers may need to take reasonable measures to deter, prevent, or investigate crime.
After a serious crime occurs (such as theft, robbery, assault, rape, murder) a plaintiff may look for potential civil defendants. A prime target is the individual that committed the horrifical offense, however such criminals are often not productive civil defendants. Sometimes this criminal is never identified or apprehended. Often they are "judgement proof", which means they have no assets or would never pay if ordered to pay. Thus, other defendants are sought, including the property owners, managers, and security organizations.
Thus, in a residential building, motel, hotel, or premises where a serious crime has occurred that victimized many, the victims may allege security negligence, under this legal theory:
The property owner or manager had a legal duty to employ reasonable security measures and provide a reasonably safe environment, the defendant breached that duty, the breach of that duty caused damages, in that it allowed a third-party criminal to commit the crime.
Negligence and cybersecurity and cybercrime
Now let us carry our knowledge of negligence law one step further into the cyber realm. Organizations hold personal information of customers, clients, and consumers. More and more, the evolution of legal principles and statutes (including privacy and cybersecurity laws) provide consumers with rights over their own personal information, and impose duties upon organizations.
If a cybercrime involves a data breach of this personal information, a potential claim may sound of negligence, that:
- The organization had a duty to hold that personal information with reasonable cybersecurity,
- The organization breached that duty (and employed sloppy or deficient cybersecurity)
- Which allowed a cybercriminal to commit a data breach
- This breach caused damages (here it gets more complicated).
Data breaches are not the only cybercrime. There are many other examples where failure to have good cybersecurity practices can lead to an outright theft. The best example of this is Email Based Funds Transfer Frauds. After such an event, large sums of money are stolen, and multiple parties are left debating about various legal and factual issues, including:
- Who owed duties to whom
- Who breached the duties
- What would reasonable conduct be
- What acts occurred, by whom, and when
- How did actions deviate from this standard of reasonable conduct
We see that negligence law encompasses much of what we do, and is important for any manager or executive to understand, and ties in with cybersecurity and privacy.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, please contact me.
- Introduction to Law
- Helpful Legal Resources and Links
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Introduction to Cybersecurity and Information Security
- Wex articles on various legal topics https://www.law.cornell.edu/wex/wex_articles
- Negligence law summary at Cornell LII https://www.law.cornell.edu/wex/negligence
- Cybercrime Investigations Chapter 5, Fundamental Principles of Criminal and Civil Law, and Chapter 9
This article is hosted at https://johnbandler.com/negligence-law. Copyright John Bandler, all rights reserved.
A version of this article is available on Medium.com, at https://johnbandler.medium.com/negligence-law-an-introduction-6c038b234e25 (though not kept as current, and without links and some of the formatting).
Originally Posted 4/3/2022. Updated 09/23/2022.