Notice & Comment

A Regulatory Compliance Defense for Data Breach Actions

Typically, compliance with statute, regulation, or industry custom does not provide a complete defense to tort liability.  The State of Ohio recently adopted legislation, Ohio Substitute Senate Bill 220 (“S.B. 220”) (codified at Ohio Rev. Code Ann. §§1354.01-.05), to establish a regulatory compliance defense for tort actions seeking recompense for data breaches.  The enrolled legislation and the Ohio Legislative Service Commission’s summary of the statute are accessible here.

Regulatory Compliance and Compliance with Industry Custom Generally

Generally, compliance with a statute or regulatory requirement does not provide a complete defense to tort liability.  RESTATEMENT (THIRD) OF TORTS: PHYSICAL & EMOTIONAL HARM §16(a) & comm. (a) (2010); RESTATEMENT (THIRD) OF TORTS: PRODUCTS LIABILITY § 4(b) (compliance with a product safety statute or regulation is properly considered but does not preclude a finding of defect).  Though the enacting legislature (or perhaps even an agency) can specify otherwise, it is “uncommon” for state statutes to contain provisions that either “explicitly rule out additional tort obligations” or could “plausibly be interpreted as doing so.”  RESTATEMENT (THIRD) OF TORTS: PHYS. & EMOT. HARM §16, Reporter’s Notes, comm. (a).  However, federal statutes and regulations may preempt state common law, in effect making compliance with federal law a complete defense to state tort liability.  See Geier v. American Honda Motor Co., 529 U.S. 861, 881-83 (2000).[1]

Compliance with industry custom or practice also does not provide a complete defense to tort liability.  RESTATEMENT (THIRD) OF TORTS: PHYS. & EMOT. HARM §13.  “The rule concerning compliance with custom is based in part on a concern that the self-interest of a class of actors will lead them to provide inadequate levels of safety.”  Id. §16, comm. (b).[2]  This is less of a concern with regard to a regulatory compliance defense because the safety standards are, theoretically at least, set by disinterested decisionmakers.  There can be an overlap between privately-developed standards and government standards, as agencies sometimes incorporate such privately-developed standards by reference.[3]

In my view, the discomfort with the regulatory compliance defense reflects four concerns about regulatory statutes and administrative rules.  First, there is a concern that the legislative and regulatory processes are biased in favor of business and regulated entities, and so safety standards established through such processes tend to be minimal, not optimal.[4]  Interest group theory[5] and the theory of regulatory capture buttress such fears.

Second, the political system is procedurally biased against regulation.  Bicameralism and presentment, and various other roadblocks in the legislative process, mean that a legislative majority might conclude that a safety regulation is needed long before that majority manages to navigate the impediments to action and succeeds in enacting or updating the safety standard.[6]  Even the process within administrative agencies for adopting safety regulations can take extended periods of time, as the concerns with rulemaking “ossification” suggest.[7]

Third, at times there is a substantive bias against making conduct unlawful.  Some safety statutes carry criminal penalties.  We tolerate a good deal of risky conduct before imposing such penalties; we want to make sure conduct is sufficiently egregious to justify a penal response.[8]  Laws specifying the blood alcohol content that triggers drunk driving liability provide an example: the threshold is set at a level of impairment that is clearly dangerous, not at the level where risk begins.

Fourth, we have a general concern about rules’ inflexibility.  Rules are almost invariably underinclusive or overinclusive, and thus provide undesirable treatment of conduct in many specific cases.[9]  Particularly when a statute is underinclusive, it will fail to reach some conduct creating the sort of risk the rule was designed to eliminate.  Moreover, statutes generally pre-date the conduct to be assessed, whereas judges and juries can assess the conduct after it occurs, when the full context surrounding the actor’s decision is apparent.  The Restatement (Third) reflects this concern about safety statutes that prescribe the appropriate conduct in usual circumstances, but not unusual ones.  RESTATEMENT (THIRD) OF TORTS: PHYSICAL & EMOTIONAL HARM §16, comm. (e).[10]

In Ohio in particular, there may be an additional obstacle to recognition of a regulatory compliance defense based on state agency regulations, namely the judiciary’s skepticism toward administrative rulemaking.  At least in the context of whether violation of a regulatory requirement constitutes negligence per se, the Ohio Supreme Court treats administrative rules less favorably than statutory commands.  Chambers v. St. Mary’s School, 82 Ohio St.3d 563, 568, 697 N.E.2d 198, 203 (1998).  The Court declined to, in effect, “bestow upon administrative agencies” unaccountable to the electorate and lacking the authority to dictate public policy “the ability to propose and adopt rules which alter the proof requirements between litigants.”  82 Ohio St.3d at 568, 697 N.E.2d at 202.

Despite all of the above concerns, several judges and scholars have noted that in some cases a regulatory compliance defense is particularly appropriate.  RESTATEMENT (THIRD) OF TORTS: PHYS. & EMOT. HARM §16 & Reporter’s Notes, comm. (f) (collecting sources).  One of the most influential judicial opinions on this score is Oregon Supreme Court Justice Hans Linde’s concurring opinion in Wilson v. Piper Aircraft Corp., 282 Or. 61, 83-84, 577 P.2d 1322, 1334-35 (1978) (Linde, J., concurring).  There, he suggested, the defense was appropriate in products liability cases:

“when the design of a product is subject not only to prescribed performance standards but to government supervised testing and specific approval or disapproval on safety grounds, . . . unless one of two things can be shown: either that the standards of safety and utility assigned to the regulatory scheme are less inclusive or demanding than the premises of the law of products liability, or that the regulatory agency did not address the allegedly defective element of the design or in some way fell short of its assigned task.”

A Michigan initiative on this score received a great deal of attention in the 1990s.  In 1995, the Michigan legislature adopted a statute that established a regulatory compliance defense applicable to product liability actions against pharmaceutical manufacturers.  Mich. Comp. Laws §600.2946(5) (a drug approved by the FDA is, subject to narrow exceptions, conclusively presumed not to be “defective”).[11]

Ohio Substitute S.B. 220

We live in what some have characterized as “an age of data breach.”  Benjamin Dynkin & Barry Dynkin, Derivative Liability In The Wake Of A Cyber Attack, 28 ALB. L.J. SCI. & TECH. 23, 24 (2018).  According to some experts, the 1,579 data breaches that occurred in 2017 alone compromised 178,955,069 records.  Id. at 25 & n.7.  And those data breaches have exposed a broad range of commercial entities to data breach litigation. David Zetoony et al., 2017 Data Breach Litigation Report, BRYAN CAVE LLP 3-6 (discussing class actions).  Negligence appears to be gaining ascendancy as the theory of choice for private litigants.  Id. at 6-7.[12]

S.B. 220 creates a “safe harbor” making a regulatory compliance defense available.  A business can choose to satisfy requirements for protecting either personal information or both personal and restricted information.  Personal information consists of an individual’s name in combination with the unencrypted version of the individual’s social security number, driver’s license or state identification number, or account, credit card, or debit card number together with the code or password needed to access the account.  Ohio Rev. Code Ann. §1354.01(D) (incorporating by reference the definition of “personal information” in Ohio Rev. Code Ann. §1349.19(A)(7)).  Restricted information is any other unencrypted information about an individual that, alone or in combination with other information, either can be used to distinguish or trace the individual’s identity or is linked or linkable to the individual, where a breach of the information is likely to result in a material risk of identity theft or other fraud.  Ohio Rev. Code Ann. §1354.01(E).  Because both definitions turn on the data being unencrypted, encrypting the data at rest is one way to take a breach outside the statute’s definitions altogether.

To come within either safe harbor, for personal information or for personal and restricted information, the business must (1) “create, maintain, and comply” with a written cybersecurity program (2) that (a) meets the Act’s “design, scale, and scope” requirements and (b) “reasonably conforms” to one of the industry-recognized cybersecurity frameworks listed in the Act.  Ohio Rev. Code Ann. §1354.02(A).  If the entity protects only personal information, it is “entitled to an affirmative defense to any tort action brought under Ohio law in an Ohio court alleging that the failure to implement information security controls resulted in a data breach concerning personal information.”  Ohio Rev. Code Ann. §1354.02(D)(1).  If an entity meets the same requirements for both personal and restricted information, it is “entitled to an affirmative defense to any . . . cause of action involving data breach concerning personal information or restricted information.”  Ohio Rev. Code Ann. §1354.02(D)(2).  Note that the defense is an affirmative one: the defendant bears the burden of showing that its written program existed, was maintained, and was actually complied with at the time of the breach, so documentation of the program and of its operation is what makes the defense usable.

The appropriate scale and scope of the entity’s cybersecurity program is determined by: (a) the entity’s size and complexity, (b) the nature and scope of its activities, (c) the sensitivity of the information it maintains, (d) the cost and availability of information security tools that reduce vulnerability, and (e) the resources available to the entity.  Ohio Rev. Code Ann. §1354.02(C).

The reasonable conformity requirement can be satisfied in one of three ways.

First, an entity can reasonably conform to the current version of (a) one of three publications of the National Institute of Standards and Technology (NIST): the Framework for Improving Critical Infrastructure Cybersecurity, Special Publication 800-171, or Special Publications 800-53 and 800-53A; (b) the security assessment framework of the Federal Risk and Authorization Management Program (FedRAMP); (c) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or (d) the International Organization for Standardization/International Electrotechnical Commission 27000 family of standards.  Ohio Rev. Code Ann. §1354.03(A)(1).

Alternatively, it can reasonably conform to the Payment Card Industry Data Security Standard (PCI DSS) in combination with the current version of one of the applicable frameworks listed in the first option.  Ohio Rev. Code Ann. §1354.03(C)(1).  PCI DSS alone does not suffice; it covers cardholder data rather than the full range of personal or restricted information.

As a third alternative, entities regulated by the state and/or federal government can reasonably conform to the current version of: (1) the security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (2) Title V of the Gramm-Leach-Bliley Act of 1999; (3) the Federal Information Security Modernization Act of 2014; or (4) the Health Information Technology for Economic and Clinical Health Act.  Ohio Rev. Code Ann. §1354.03(B)(1).

The Act does not create a cause of action against an entity for failure to follow its cybersecurity requirements.  Ohio Rev. Code Ann. §1354.04.  Thus a failure to satisfy the S.B. 220 “safe harbor” requirements is actionable only if another law creates such a cause of action.  Ohio Legislative Service Commission, Final Analysis of Sub. S.B. 220, at 8 (Nov. 2, 2018).  Indeed, in specifying its intent, the legislature explained that the law “does not, and is not intended to, create a minimum cybersecurity standard that must be achieved, nor may it be read to impose liability upon businesses that do not maintain practices in compliance with the Act.”  S.B. 220, §2.

It will be interesting to see what impact S.B. 220 has on data breach litigation in Ohio and whether other states will adopt similar legislation.

# # # # # # #

[1] Often federal statutes will have “savings clauses” that permit imposition of liability in state common law tort actions.  See Geier, 529 U.S. at 867-68.

[2] See The T.J. Hooper, 60 F.2d 737, 740 (2d Cir. 1932) (L. Hand, J.).

[3] See Emily S. Bremer, Incorporation By Reference In An Open-Government Age, 36 HARV. J.L. & PUB. POL’Y 131 (2013).

[4] Theresa Moran Schwartz, The Role of Federal Safety Regulations in Products Liability Actions, 41 VAND. L. REV. 1121, 1147-50 (1988).

[5] The theory that smaller groups can more easily organize and devote resources to collective action.  Thus when the costs or benefits of legislative action are concentrated on a small group, but the corresponding benefits or costs are diffused among a much larger group, the smaller group will tend to prevail over the larger one.  See, e.g., Jonathan R. Macey, Promoting Public-Regarding Legislation through Statutory Interpretation: An Interest Group Model, 86 COLUM. L. REV. 223, 229-33 (1986).

[6] Schwartz, supra, at 1144 (“[a]gencies and legislatures are unable to respond rapidly to new information and new technology; hence their standards quickly can become outdated”).

[7] Id., at 1151.

[8] Id. at 1123-24.

[9] Bernard W. Bell, Dead Again: The Nondelegation Doctrine, the Rules/Standards Dilemma, and the Line Item Veto, 44 VILLANOVA L. REV. 189, 199-201 (1999).

[10] Indeed, even with respect to statutory violations, a defendant may avoid liability for a violation that causes an injury if in the particular circumstances violation of the statute was the safest course.  RESTATEMENT (THIRD) OF TORTS: PHYS. & EMOT. HARM §15(e) (2010); id., comm. (f); see Tedla v. Ellman, 280 N.Y. 124, 19 N.E.2d 987 (1939).  There is a rough analogue in administrative law doctrine, see, e.g., Heckler v. Campbell, 461 U.S. 458, 467 & n.11 (1983); WAIT Radio v. FCC, 418 F.2d 1153, 1157 (D.C. Cir. 1969) (“That an agency may discharge its responsibilities by promulgating rules of general application which, in the overall perspective, establish the ‘public interest’ for a broad range of situations, does not relieve it of an obligation to seek out the ‘public interest’ in particular, individualized cases.”).

[11] 1995 Mich. Legis. Serv., P.A. 249 (S.B. 344) (West) (available on WESTLAW) (amending Mich. Comp. Laws §600.2946).

[12] The FTC sometimes brings suit under Section 5 of the FTC Act for unfair or deceptive acts or practices when a company’s data security practices are unreasonable or fall short of its published privacy and security representations.  See, e.g., F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); FTC, Privacy & Data Security Update (2016), accessible at https://www.ftc.gov/reports/privacy-data-security-update-2016#data.