8. Private Law Liability for Faulty ICT
Guy Bourdin was a famous fashion photographer with major and enduring influence on fashion magazines. This image, however, stems from just before he conquered and transformed the field, showing a technically superb shot of a fractured surface. Private law liability for faulty ICT suffers from the fact that injury or damage cannot easily be proven, especially in the realm of data protection. Fractures may be hidden under the surface and the cracks may not be identifiable at the level of individual persons.
What if a new version of an operating system (OS) is launched, enabling users to upgrade automatically or manually? Do such upgrades have legal effect?
maybe those who upgrade manually run security risks, including breakdown of their application, if they fail timely implementation of the upgrade;
maybe previous versions of the OS will not be supported after some time (no updates), meaning that those running the OS on hardware that does not support the upgrade will be left unprotected;
maybe those who subscribed to automated updates on the new version of the OS inadvertently install spyware that causes harm to their private life, business interest or employee status.
What if one’s smart fridge communicates with a host of providers (from the hardware manufacturer to the providers of the OS and various applications, such as those of online groceries or health insurance providers that monitor eating habits)? Does such communication have legal effect?
maybe the fridge is confronted with power cuts due to issues in the smart energy grid that results in electrocution, because this scenario has not been foreseen by its adaptive software;
maybe the fridge is run based on a smart contract, implemented via a blockchain that disconnects the fridge due to a default in payment, causing a short circuit;
maybe the fridge starts ordering the same food from a number of different groceries due to a bug in its system, whereas these contracts are automatically executed without recourse to nullification.
The reader can easily imagine other instances where ICT – whether adaptive or self-executing – causes physical, material, economic or emotional harm. For instance, if one misses an important appointment due to the washing machine catching fire (material damage to the machine, the bathroom), which causes one to default on a contract that results in loss of income (economic damage), or one witnesses frightening bodily harm or death of a close relative due to the fire which results in a post-traumatic stress syndrome (emotional damage). Maybe the fact that one’s personal data have been leaked by an insurance company in a major data breach causes enduring anxiety about who may have accessed, sold or otherwise shared the data.
The question of whether such damage could have legal effect is a matter of tort law. Legal conditions for such legal effect demand that these harms can be attributed to e.g. the manufacturer, to the OS provider, the retailer, the insurance company where the breach occurred, to the helpdesk provider that gave the wrong advice, or to the firm that leased the car, the washing machine, or the fridge (as this firm may have changed its default settings, thus causing the harm).
Maybe, on the other hand, the washing machine simply does not function as well as before, ever since an update has been installed. Maybe the brakes of a connected car are in turbulence due to a bug in the OS. This raises the question of whether one could sue the seller based on non-conformity of the product or service with what could reasonably expect, considering its function and the price, or on the basis of a defect.
In this chapter I will focus on third party liability or tort law, as an important example of how private law liability may step in to deter developers, manufacturers, sellers, and users of ICT from developing, selling or using faulty ICT.
8.1 Back to basics
Before moving head-on into third party liability we first revisit the basics presented in the first part of this book.
8.1.1 Chapter 3: Private law distinctions
In private law we discriminate between absolute and relative rights, where absolute rights play out in the relationships between a legal subject and all other legal subjects (within a jurisdiction) with regard to a specific object (a movable, real estate or an immaterial good such as a work or an invention, or even with regard to a receivable).1 In case of an absolute right all others must refrain from interfering with the object. Relative rights play out between designated legal subjects, such as the parties to a contract or a tortfeasor and their victim. Liability based on tort is called third-party liability, because it is not based on the direct relationship between the parties to a contract, but involves a third party. In some jurisdictions it is possible to issue a tort action against one’s contracting party. This means that one does not base the action on breach of contract, but on the other party being liable for damage on grounds of tort.
As discussed in chapter 3, the purpose of private law can be summarised under the headings of (1) respecting individual autonomy, (2) ensuring fairness, such as compensation of inequality that would diminish individual autonomy, which may require a party to e.g. inform the other party or to shift the burden of proof to the party with access to relevant evidence, and, (3) the societal trust that is pivotal for the functioning of economic markets. Private law is restricted by constitutional limitations (government may, under strict conditions dispossess the owner of real estate in the general interest), by international human rights law (horizontal effect of privacy), and by administrative law (e.g. requiring a permit to renovate one’s own property).
Private law contains more default law, especially in the domain of contract law, where the freedom to contract often implies that contracting parties may deviate from the legal provisions that would otherwise rule their contract. Property law contains more mandatory law, due to its third-party effects (property law affects all others as it concerns absolute rights). Due to the legality principle, public law contains mostly mandatory law (as legal powers of government bodies should clarify what citizens can expect).
The legality principle also plays a major role in the criminal law. The set of all unlawful cyber conduct contains e.g. cyber torts, violations of cyber-related contracts, and violations of cyber-related administrative law. Only a small part of this set concerns cybercrime, because only unlawful conduct that has been explicitly criminalised constitutes a crime.
Finally, let’s once again consider the notions of a legal subject and a legal object.
A legal subject (a natural person or legal person) is an entity capable of acting in law, bearing legal rights and legal obligations in relation to other legal subjects.
A legal object (a good: intellectual property rights; real estate; tangibles; other rights and obligations): an entity that is the object of legal relationships between legal subjects.
In the case of a tort, the legal subjects are the tortfeasor and the victim, while the legal object is a prohibition to engage in tortuous conduct (in the case of an injunction) and/or an obligation to pay damages, i.e. the right to be compensated for the damage one suffered.
8.1.2 Chapter 4: International and supranational law
International Private Law (IPL) concerns ‘the law of conflicts’ that determines applicable law and the jurisdiction of national courts in cases where different jurisdictions may be applicable both regarding the substance (which law is applicable) and regarding the competence of a court (which national courts have the power to admit a case). In the end IPL is national law, since national law decides whether its courts have competence and what law they should apply. As this leads to conflicts whenever different states decide differently on the same case, international treaties have been concluded to prevent overlapping jurisdiction or conflicting applicable content.
There is no supranational private law, despite numerous attempts to agree on a ‘European private law’, so third-party liability for faulty ICT cannot be based on EU tort law. In the context of the goal of creating and sustaining the internal EU market there are many reasons for such a ‘common’ private law, as it would increase legal certainty for companies providing products and services across national borders, achieving at least minimal harmonisation that would also protect EU consumers and small companies, while preventing and reducing unbalanced competition (market entry) and administrative burdens (that vary depending on requirements stemming from national tort law).
There is, however, a set of relevant EU directives that requires harmonisation on issues that overlap with tort law,2 such as Product liability directive,3 the Unfair commercial practices directive,4 the eCommerce directive (see 188.8.131.52 above),5 and the ePrivacy Directive (with a potentially new liability regime under the upcoming ePrivacy Regulation).6 Being directives, the harmonisation is somewhat limited by the fact that MSs have to implement the directives into their national legal framework, instead of having to adhere to one and the same text. Nevertheless, where such directives require MSs to enable tort liability (or provide exemptions), the CJEU usually finds that such requirements must be understood in an autonomous manner that enables a consistent interpretation throughout the Union.7 Art. 82 of the GDPR may become an interesting example of such an ‘autonomous’ interpretation (see above 184.108.40.206 and below 8.1.3).
8.1.3 Chapter 5: Data protection law
The GDPR has a specific chapter that is dedicated to the enforcement of the regulation (see also above 220.127.116.11). This chapter contains the following articles: Article 77 Right to lodge a complaint with a supervisory authority; Article 78 Right to an effective judicial remedy against a supervisory authority; Article 79 Right to an effective judicial remedy against a controller or processor; Article 80 Representation of data subjects; Article 82 Right to compensation and liability; Article 83 General conditions for imposing administrative fines; 83.1 effective, proportionate and dissuasive, 83.4 maximum 2% global turnover, 83.5 maximum 4% global turnover; 84 Penalties, especially for infringements not subject to the fines of art. 83, and those penalties should again be effective, proportionate and dissuasive .
So far, most of the attention has focused on the fines. The chapter contains a very smart set of private law remedies, however, that may provide highly effective incentives to companies processing personal data.
79 Right to an effective judicial remedy against a controller or processor
1.Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have
the right to an effective judicial remedy
where he or she considers that
his or her rights under this Regulation have been infringed
as a result of the processing of his or her personal data
in non-compliance with this Regulation.
This article basically stipulates that data subjects should be able to lodge an injunction against a controller they believe to be unlawfully processing their personal data. As the remedy must be ‘effective’ we may expect court orders reinforced with penalty payments in case of non-compliance.
As filing a court case is neither easy nor obvious for individual data subjects, art. 80 provides important possibilities for collective action, despite the fact that there is no consensus on a dedicated directive on Union-wide collective action (notably not for compensation of damages).
80 Representation of data subjects
1.The data subject shall have the right to mandate
a not-for-profit body, organisation or association
which has been properly constituted in accordance with the law of a Member State,
has statutory objectives which are in the public interest,
and is active in the field of the protection of data subjects' rights and freedoms
with regard to the protection of their personal data
to lodge the complaint on his or her behalf,
to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and
to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
This is very interesting because—whereas this leaves collective action regarding compensation up to the MSs—MSs will have to allow data subjects to mandate their right to file an injunction to prohibit unlawful processing based on art. 79 to a relevant not-for-profit body. The second paragraph of art. 80 also leaves up to the MSs the possibility to enable a relevant not-for-profit body to start such actions on their own behalf.
Art. 82, finally, requires that MSs create private law liability for unlawful processing that causes harm or damage:
Article 82 Right to compensation and liability
1.Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have
the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable
for the damage caused by processing which infringes this Regulation.
A processor shall be liable for the damage caused by processing only
where it has not complied with obligations of this Regulation
specifically directed to processors or
where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if
it proves that it is not in any way responsible for the event giving rise to the damage.
Paragraph 4 and 5 add several liability for joint controllers and the distribution of liability between processors and controllers.
As we will see in the next sections, tort liability comes in different shapes and versions. The reasonably granular stipulations of private law liability under the GDPR will probably contribute to legal certainty within the EU market regarding the legal effect of unlawful processing, thus avoiding different liabilities depending on different regimes of private law in the MSs.
8.2 Tort law in Europe
In continental Europe, and in the parts of Africa, Latin America and Asia that were influenced by its legal systems, private law has been codified by the legislator, such as the French Code Civil or the German Bürgerliches Gesetzbuch or the Netherlands Burgerlijk Wetboek. Such legal systems are usually referred to as the ‘civil law’ tradition. In Britain, the US, Canada, Australia and India, private law is part of the ‘common law’, which is based in ‘precedent’ or case law, rather than codification. This may lead to the conclusion that in civil law traditions code is all that matters, whereas in common law all depends on adherence to previous case law or precedent. Today, this is no longer the case. Whereas civil law takes its clue from legislation, the interpretation of the code requires keen attention to prior case law; whereas common law takes its clue from prior case law, its interpretation requires keen attention to implied rules and principles that involve a similar systemisation as aimed for by way of codification.
In this section I will briefly revisit the main legal conditions that must be fulfilled to speak of a tortuous act (see also 3.2.3 above). I will take into account the various civil and common law jurisdictions that ‘make up’ Europe, because even if the UK were to leave the EU, economic intercourse within and between the UK and the EU will benefit from mutual recognition and proper understanding of the main pillars of tort law. In the light of remote access and remote control, enabled by hyperconnectivity and computational power, tort law will have to accommodate liability whenever a tort action has effects outside the jurisdiction where such action was initiated.
I will briefly discuss the requirements of damage, causation, fault liability, strict liability, ending with questions around compensation and deterrence as the overarching goals of tort law.
Damage is the first requirement for a successful tort action, insofar as one wishes to obtain compensation. Such damage may refer to economic loss, personal injury, or a violation of personality rights; damages may be claimed for pain and suffering, for the violation of one’s dignity and for the death of a beloved person. So-called ‘wrongful life’ claims suggest that damage may even be established where a severely handicapped person is born due to the violation of a duty of care by a healthcare institution that failed to notify the prospective parents of an increased risk of such a handicap, thus preventing them from deciding to have an abortion.
Causation is the second requirement, since the damage must have been caused by the incriminated tortuous act, to qualify for compensation. Usually, establishing causation refers to the co-called ‘conditio sine qua non’, which means that without the relevant act the damage would not have occurred. This, however, refers to any action involved in the chain of events that led to the damage. The decision by the grandparent of the alleged tortfeasor to move to another country is also a ‘conditio sine qua non’, but will not be taken into account. To narrow down the ‘relevant cause’ we need a normative understanding of causation (which obviously has nothing to do with a ‘subjective’ understanding). Courts will take into account the remoteness of the damage, based on doctrines around ‘proximate cause’ (which seeks the nearest relevant cause rather than some remote forerunner), ‘adequate cause’ (which requires that the relevant action seriously increases the probability that the relevant damage occurs), or—more abstractly—‘reasonable attribution’ (which determines whether it is reasonable to qualify the relevant action as having caused the damage). Whatever theory is employed, to have the legal effect of a tort, a certain and direct causal connection is preferable to an uncertain and/or indirect connection. Beyond a certain threshold, causation will not be attributed.
The reduction of the space opened by the ‘conditio sine qua non’ criterion is often achieved by taking into account the foreseeability of the damage. For instance, Dutch case law requires car drivers to foresee that other users of a public road will not comply with traffic rules. This means that cars may have to anticipate cyclists without light after dark. This clearly brings out the normative aspect of the causality attribution, because for instance pedestrians crossing a zebra crossing need not anticipate speeding cars. Also, the wish to protect victims in personal injury cases and the blameworthiness of the tortfeasor can play a role in the attribution of causality. For instance in the case of harm caused by asbestos or specific medication (e.g DES). Often, it is not possible to identity which potential tortfeasors actually ‘caused’ what individual harm, e.g. because the victim worked for several companies that used asbestos or the victim cannot prove which brand of medication was subscribed. Solutions to such problems are e.g. the imputation of several liability, or liability in proportion to the market share, often in combination with a reversal of burden of proof, which brings us to the difference between different types of liability.
Liability regimes can be distinguished in terms of fault liability or strict liability, with some shades of grey in between.
Fault liability is based on the maxim that each victim bears their own damage, unless a special reason applies to shift the burden. Such special reasons may be: (1) fault, which assumes intentional wrongdoing, or (2) negligence, which assumes a failure to exercise reasonable care. Negligence is objectified by referring to the care that a reasonable person would or should have taken. Some diehard computationalists believe this can be caught in a formula. In US v Carroll Towing Co,8 the famous US Judge Learned Hand developed the following formula:
Since there are occasions when every vessel will break from her moorings, and since, if she does, she becomes a menace to those about her; the owner's duty, as in other similar situations, to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury, if she does; (3) the burden of adequate precautions. Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability of an accident is called P, the injury L and the burden of precautions B, liablity depends on whether B is less than L multiplied by P, i.e. whether B < PL.
As you may guess, a specific branch of Law and Economics (the so-called Chicago School) has picked up on this to develop intriguing theories on the utility of tort law as a means to prevent tortuous conduct. We will return to this issue under ‘compensation and deterrence’ at the end of this section.
An important extension of fault liability regards vicarious liability, which attributes the liability for tortuous conduct of one person to another person, often a legal person. For instance, the employer may be liable for tortuous conduct of their employees, insofar as the damage was caused in the normal course of the business.
Strict liability diverts from the baseline that each victim should bear their own damage. This exception is often applied to a legal person that profits from the danger they create, considering that they are able to ensure against liability. One can think of strict liability for
inherently dangerous people, goods or activities (with so-called ‘uncontrollable energy’), which are nevertheless not prohibited. One can think of strict liability of parents for the acts of their children; of car drivers that cause an accident with a pedestrian; of pet-holders for their animals, or of the employer for work done at a construction site, and, perhaps, strict liability for the seller or user of inherently dangerous products and services with applied AI;9
products or things that are not inherently dangerous but turn out defective for the purpose they were designed for (defective products, including products or services with applied AI).
Remedies in tort law can be distinguished as providing compensation or deterrence (or both). Tort law basically requires that people act as reasonable persons. Attributing liability for failure to do so enables to shift the damage they cause from the victim to the tortfeasor, or at least to provide monetary compensation. At the same time, it incentivises potential tortfeasors to abstain from conduct that may cause damage. As we have seen, sometimes tort law is used to compensate victims of damage caused by dangerous activities that society finds legitimate, such as driving a car. This implies that tort liability should not be confused with punishment and may not even imply wrongfulness. It should therefore be distinguished from criminal law, but also from social security or private insurance on the side of the victim which may both compensate victims for harm and damage but will not have any deterrent effect on potential tortfeasors (that may feel they can get away by externalising the costs of their decisions).
8.3 Third-party liability for unlawful processing and other cyber torts
Third party liability is defined as liability in the absence of a contract, where the victim and the tortfeasor do not have a direct relationship, which may e.g. cause difficulty in identifying the tortfeasor. The distance between victim and third party may be Euclidian (geographic) or otherwise, for instance due to the kind of network effects that ‘cyber’ applications generate. The emergence of cybercrime and the six relevant differences we identified compared with traditional crime, also apply to cyber torts: differences in distance, scale, speed, distribution, invisibility and visibility, brought about by the underlying automation and hyperconnectivity of networked computational systems (see 6.1.2).
Some of the issues of third-party liability also relate to the political economy of big tech monopolies, often analysed under the heading of the ‘platform economy’. The exemption of liability for ISPs (art. 12-14 eCommerce directive, discussed above at 18.104.22.168) has resulted in difficulties for the allocation of responsibility in case of copyright infringements, child pornography, and ID theft that are enabled and mediated by ISPs. In the case of Brein v Ziggo (regarding a court order to block TPB, see above 22.214.171.124), the CJEU decided that the TPB—that claimed to be a mere intermediary—was itself infringing copyright. The CJEU thus allocated third-party liability to the ISP. Some may find this an infringement of the freedom of expression, as it requires ‘mere conduit’ ISPs to block ‘hosting’ ISPs, thus restricting the freedom of information of the users of the ‘hosting’ ISP. Similar arguments have been made regarding art. 13 of the proposed upgrade of the Copyright directive (see above 126.96.36.199).
An important issue in the domain of third-party liability is that individual attempts to sue big players may not be effective in sustaining the societal trust that private law aims to achieve. This may be due to the fact that no concrete injury can be identified, that the costs of legal action overrule the benefits of compensation, or the simple fact that small players may not have the understanding, the time or the money to figure out how to assert their rights. One way to solve this problem is collective action, for instance by allowing people to mandate their claims to relevant not-for-profit associations, or by allowing a relevant not-for-profit to sue big players in their own name. Such collective action may be very effective, especially in the case of (1) an injunction to arrest unlawful conduct, enforced with penalty payments for non-compliance, and in the case of (2) requesting a modest amount of compensation for a massive number of victims. As discussed in 188.8.131.52, art. 80 GDPR offers new roads into an effective third-party liability regime, geared to preventing the relevant conduct by way of collective action. Though art. 80 does not require MSs to enable collective action to sue for damages, it does require them to enable collective action to stop unlawful processing.
8.3.1 Privacy harms
Finally, let me briefly discuss two examples of case law regarding ‘privacy torts’ within common law jurisdictions, which—as noted above—have a granular ‘law of torts’ rather than a general ‘tort law’ (as in civil law jurisdictions).
184.108.40.206 Canadian ‘tort of intrusion upon seclusion’
In Jones v. Tsige, the Canadian Court of Appeal for Ontario decided for the first time on a ‘tort of intrusion upon seclusion’. The facts of the case are the follows:10
In July 2009, the appellant, Sandra Jones, discovered that the respondent, Winnie Tsige, had been surreptitiously looking at Jones’ banking records. Tsige and Jones did not know each other despite the fact that they both worked for the same bank and Tsige had formed a common-law relationship with Jones’ former husband. As a bank employee, Tsige had full access to Jones’ banking information and, contrary to the bank’s policy, looked into Jones’ banking records at least 174 times over a period of four years.
The case is illuminating as it aims to establish whether the common law recognises this type of privacy tort, based on an extensive investigation into common law jurisdictions (including Canada, the US and the UK). The Court argues that technological developments have indeed resulted in the need to recognise such a tort under common law. They find that the legal effect of something qualifying as a ‘tort of intrusion upon seclusion’ depends on the following 3 legal conditions:11
the defendant's conduct must be intentional (which includes recklessness);
the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns;
a reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.
The ‘reasonable person’ test should prevent claims that are based on plaintiff’s subjective sensitivities or unusual privacy concerns.12
The court also states that:13
Proof of harm to a recognized economic interest is not an element of the cause of action. (…) I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.
So, on the one hand the Court is willing to accept privacy harms that do not concern an economic interest, on the other hand the Court believes that the intangible nature of the harm implies compensation by way of ‘a modest conventional sum’.
220.127.116.11 UK ‘tort of misuse of private information’
In the case of Murray v Express Newspapers plc and another,14 photographs were secretly taken (with a long-focus lens) of the young son of J.K. Rowling in a buggy, with his parents walking down a street. They were taken by a photographic agency, to be sold to interested parties, such as in this case the publisher of The Sunday Express magazine, which published one of the pictures. The question whether this may constitute the tort of ‘misuse of private information’ was answered in reference to the following legal conditions:
the plaintiff convincingly argues that they had a ‘reasonable expectation of privacy’ in the information, and
the defendant cannot convincingly argue that a relevant justification applies, for instance claiming an overriding ‘public interest’ in publication.
The Court of Appeal extensively investigated the case law of the ECtHR and the UK Data Protection Act (implementing the—then—applicable EU Data Protection directive), to test whether the plaintiff could reasonably argue to have a ‘reasonable expectation of privacy’, and whether—if so—the proportionality test regarding justification could overrule such expectation.
It also discussed and rejected the verdict of the court of first instance with regard to its assessment of whether the plaintiff could substantiate damage:15
Damage is not restricted to physical damage but includes pecuniary loss. An award is compensatory and includes the loss of the chance to sell the confidential information in question (…).
The conclusion here must be that within the context of the common law, old and new types of privacy torts are developing, due to the changing technological landscape.
8.3.2 Cyber torts?
Under the heading of cybercrime we discussed the difference that makes a difference between cybercrimes and traditional crimes. As mentioned above, similar differences apply to the idea of cyber torts. We can, for instance, think of damage caused by malware, illegal access, ID fraud, domain hacking, by bullying, stalking, defaming, humiliating, grooming, by blocking access or availability and by time-consuming and irritating communications such as spam. Privacy harms informed by hyperconnected computational systems could easily fall within the scope of cyber torts.
Types of torts could include: data breaches, unlawful processing of personal data, but also third party liability for damage caused by non-conformity in the sale of goods or services, reputation damage, and safety hazards.
Types of damage could include: compensatory or punitive damages; direct and consequential damages; loss of earnings, loss of earning capacity or loss of profit; material and immaterial damages; and present or future injury.
The examples given in the beginning of this chapter, highlighting damage caused by connected cars, smart fridges and intelligent washing machines, on the cusp of robotics, cloud robotics and the IoT, clearly raise a number of questions about the scope of the duty of care, the role of foreseeability when defining intent in the context of machine learning applications, issues of distributed causality in the case of integrated software and hardware components, the responsibility of the end user for eventual consequential damage to others, and extent to which unlawful processing of personal data in itself could be qualified as immaterial damage under EU data protection law, irrespective of the subjective experience of a data subject. I expect that private law liability, together with data protection law, competition law and consumer protection, will take the lead in reconfiguring the legal landscape of the onlife world. This should contribute to more adaptive legal protection and a better distribution of checks and balances between technology developers, manufacturers, retail, service providers and end-users.
A short cross-jurisdictional introduction to tort law:
Smits, Jan M. 2016. Advanced Introduction to Private Law. Cheltenham, UK ; Northampton, MA, USA: Edward Elgar Pub.
On privacy harms:
Calo, Ryan. 2014. ‘Privacy Harm Exceptionalism’. Colorado Technology Law Journal 12 (2): 361–64.
Solove, Daniel J., and Danielle K. Citron. 2018. ‘Risk and Anxiety. A Theory of Data-Breach Harms’. Texas Law Review 96 (4): 737–86.
Discussions of cyber torts:
Koch, Bernhard A. 2014. ‘Cyber Torts: Something Virtually New?’ Journal of European Tort Law 5 (2): 133–164. https://doi.org/10.1515/jetl-2014-0009.
Rustad, Michael, and Thomas Koenig. 2005. ‘The Tort of Negligent Enablement of Cybercrime’. Berkeley Technology Law Journal 20 (4): 1553. https://doi.org/doi:10.15779/Z38JX0S.
Rustad, Michael L., and Thomas H. Koenig. 2005. ‘Harmonizing Cybertort Law for Europe and America’. Journal of High Technology Law 5: 13.