The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
From Tuesday's Abdulaziz v. McKinsey & Co., Inc. (opinion by Chief Judge Debra Ann Livingston and Judges José Cabranes and Michael Park):
Abdulaziz describes himself as "a political dissident from the Kingdom of Saudi Arabia … who now resides in Montreal, Quebec." He sued [McKinsey] …, alleging that McKinsey created a PowerPoint report for the government of Saudi Arabia, identifying Abdulaziz as one of three influential dissidents using Twitter to criticize certain policies of the Saudi government, Saudi royal family, and Saudi crown prince Mohammad Bin Salman ("MBS"). Abdulaziz pled that, after receiving the report, the Saudi government responded by targeting him with assassination attempts and arrested, tortured, and harassed his family members and friends currently living in Saudi Arabia.
No liability, said the court:
Other than the foreseeability of risk, Abdulaziz provides no reason why sharing the report was itself a breach of a cognizable duty of care running from McKinsey to Abdulaziz, and he fails to distinguish such a putative duty from similar ones rejected by New York courts. See Valeriano v. Rome Sentinel Co., 842 N.Y.S.2d 805, 806 (4th Dep't 2007) (no duty not to publish another's personal information absent a "statutory, contractual or fiduciary duty to protect the confidentiality of plaintiff's personal information"). Thus, even if McKinsey knew or should have known that the Saudi government would target Abdulaziz after learning of his dissident activity from the report, Abdulaziz has not plausibly alleged a breach of a duty of care cognizable under New York law.
But Valeriano dealt only with the alleged harm of publishing personal information as such (New York doesn't generally recognize privacy torts); here, the claim is of harm stemming from the alleged assassination attempts and physical injury to family members and friends. Perhaps there might be some other reasons why such damages are not recoverable (for instance, because they caused only emotional distress without physical harm to plaintiff, and because he can't sue for injury to others); but I don't think the Valeriano argument is quite apt here.
And indeed some courts may allow liability for negligently conveying information to someone, when a reasonable person should have realized the recipient was dangerous, much as one could be liable for negligently lending (though generally not for negligently selling) a gun or a car to someone, when a reasonable person should have realized the recipient was dangerous. See Remsburg v. Docusearch (N.H. 2003), where the court allowed a negligence lawsuit against a private investigator who found information for a client that the client then used to kill someone:
[A] party who realizes or should realize that his conduct has created a condition which involves an unreasonable risk of harm to another has a duty to exercise reasonable care to prevent the risk from occurring. The exact occurrence or precise injuries need not have been foreseeable. Rather, where the defendant's conduct has created an unreasonable risk of criminal misconduct, a duty is owed to those foreseeably endangered. See id.
Thus, if a private investigator['s] … disclosure of information to a client creates a foreseeable risk of criminal misconduct against the third person whose information was disclosed, the investigator owes a duty to exercise reasonable care not to subject the third person to an unreasonable risk of harm. In determining whether the risk of criminal misconduct is foreseeable to an investigator, we examine two risks of information disclosure implicated by this case: stalking and identity theft….
The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person's personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client's purpose in seeking the information.
There may be reasons to be skeptical of such liability in general; perhaps, for instance, businesses who sell information or explosives textbooks or guns or cars or gasoline shouldn't be in effect required to "reasonably" investigate their own clients to see if they will misuse their products or services. The result in Abdulaziz might thus be more correct than the one in Remsburg. Still, it's an interesting and important question, which I thought I'd note.