Privacy Law | Securities Law


Personal data is a cost of admission for much of modern life. Employers, tech companies, advertisers, information brokers, and others collect huge quantities of data about us all. Yet outside of a few highly regulated industries, American companies face few legal restrictions on how they manage and use that data. Until now, individuals have had very limited remedies when their data is stolen from data collectors. But change is afoot. In a significant recent decision, the Pennsylvania Supreme Court took a consequential step, holding that entities collecting personal data owe a duty of reasonable care to protect data subjects against harm.

This tort decision left a critical question unresolved. What is “harm” in the context of privacy? What is it exactly that data collectors must protect data subjects against? This Article takes one state’s doctrinal move as a jumping-off point to consider a question of immense national importance—how to apply common law negligence principles in cases involving the disclosure and misuse of personal data, and specifically, what a “duty to care” means in the unsettled realm of privacy law. Building off Jack Balkin’s work, this Article proposes that fiduciary law offers an appealing framework for conceptualizing privacy harms and the corresponding responsibilities of the entities who are collecting our data. In doing so, it begins the conversation of how tort law can take a central place in protecting individuals when data holders betray their trust.