Duty of Due Care in Negligence Law: Who Owes It?
Richard Warner, a Professor at Chicago-Kent College of Law, discusses negligence and the duty of due care in various scenarios. The concept of duty of care is explored in relation to strangers, like in the case of Rachel and Roger, with an emphasis on exceptions. Blackbaud, a cloud software company, raises questions about liability and duty to clients in data breach incidents.
Negligence: Who Owes A Duty of Due Care? Richard Warner, Professor, Chicago-Kent College of Law
Comparison to Dittman Dittman rests on two points. UPMC's collecting and storing employee data created a risk of a data breach by third parties. The harm that did occur was within the scope of that risk. The defendant in Blackbaud claims that neither point applies to it because, as a software-as-a-service (SaaS) provider, its clients control the data they store with Blackbaud. The court rejects Blackbaud's claim. In doing so, it makes it clear that the answer to "Who is in the best position to defend against unauthorized access?" plays a key role in assigning liability.
Strangers and Duty Suppose Rachel is boating on a lake when she sees a motor boat negligently speed by Roger's canoe, causing it to capsize and leaving Roger clinging to it. Roger is a stranger, someone she has never met nor ever had any sort of dealings with. Does Rachel have a duty of due care that requires her to assist Roger?
No Duty She does not. Tort law does not recognize a duty to assist strangers.
Blackbaud Blackbaud is a cloud software company that provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities: non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations. It collects and stores Personally Identifiable Information (PII) and Protected Health Information (PHI).
Strangers? Blackbaud claims its clients are strangers because Blackbaud is a software-as-a-service (SaaS) provider. As such, it just provides an online platform which offers a variety of software options clients can select and modify. The clients determine what data to store and what to do with it.
No Liability for Blackbaud? Blackbaud asks the court to think of them as Alice in her canoe and their clients as Roger in his. They claim that when a client's canoe is overturned by the data breach, Blackbaud has no liability for the resulting harm, the data breach being analogous to the speeding boat. Do you agree? (a) Yes (b) No
Exceptions to No Duty To Strangers Special relationship (to the victim; to the person causing the injury). Voluntarily undertaken duty. Carelessly or intentionally creating the risk. Statutes (e.g., state motor vehicle codes).
Shaw v. Psychemedics Corp. BMW contracted with a lab to drug test its employees. The lab incorrectly reported Shaw, an employee, as positive for cocaine. Shaw sued for negligence. Should the lab be liable? (a) Yes (b) No (c) Not sure
Shaw v. Psychemedics Corp. The court notes: The primary purpose was to test for drugs. The lab had complete control over the samples during testing. Negligent testing would foreseeably impose economic losses on employees. Imposing a duty of due care would further the policy of deterring negligence. Conclusion: The contract created a relationship that supported finding a duty of due care.
Comparing Shaw Purpose: Part of the purpose is to maintain and secure data. Control: Even though it is software-as-a-service with options chosen by the client, Blackbaud still has the most control over the security of the data. Thus, Blackbaud remains in the best position to prevent harm associated with a data breach to its systems. Compare Kline.
Comparing Shaw Foreseeability: despite Blackbaud's acknowledgement of the risk of cyberattacks and repeated notifications of the inadequacy of its systems, Blackbaud failed to correct, update, or upgrade its security protections. Policy: Same as Shaw.
A Difference: Criminal Conduct Hacking into the website was a crime. A contractually created duty of due care may not include a duty to prevent harm from criminal activity by third parties. If you hire me as a limo driver, I owe you a duty of due care to drive carefully, but I do not owe you a duty to prevent others from driving carelessly and, in ways I cannot prevent, running into us.
A Special Relationship Still Blackbaud argues that the foregoing points are not enough to make them liable for the criminal conduct of third parties (= the hackers who took the data). The court rejects the claim because Blackbaud's negligent behavior created the risk. Despite Blackbaud's acknowledgement of the risk of cyberattacks and repeated notifications of the inadequacy of its systems, Blackbaud failed to correct, update, or upgrade its security protections.
Extensive Negligence Liability Many websites have contracts in which they promise adequate security, where careless or intentional behavior creates a risk of unauthorized access. So those websites owe a duty of due care to the subjects of the data which they hold. Further, a contract is not required to create the duty.