Response to McGeveran’s The Duty of Data Security: Not the Objective Duty He Wants, Maybe the Subjective Duty We Need
William McGeveran’s recent article, The Duty of Data Security, is a significant contribution to ongoing debates about what duty firms holding electronic information about consumers owe in ensuring the security of that data. It also supports the opposite conclusion from that which McGeveran articulates. McGeveran frames the article as identifying a clear duty of data security. This response argues that in his efforts to locate a clear duty in existing data security law he has identified a standard that, in all meaningful ways, is one of subjective (not objective) reasonableness – and therefore offers no clarity at all. There is likely room for disagreement on both sides of this argument – both that which McGeveran makes and my response to it. The ultimate purpose of this response, however, is to recognize this aspect of the duty that McGeveran has identified and to reframe it in the familiar terms of objective vs. subjective reasonableness. This distinction is both useful and important, and has gone unremarked upon in two decades of discussions about the data security obligations.