From: Volokh, Eugene <>
Date: 06/07/2022 22:21:37 UTC
Subject: RE: Kinsey identifying dissident for Saudi government isn't negligent

By the way, I neglected to note, as a bookend case, Remsburg v. Docusearch, 149 N.H. 148 (2003), where the court allowed a negligence lawsuit against a private investigator who found information that a stalker then used to kill his target:


[A] party who realizes or should realize that his conduct has created a condition which involves an unreasonable risk of harm to another has a duty to exercise reasonable care to prevent the risk from occurring. The exact occurrence or precise injuries need not have been foreseeable. Rather, where the defendant's conduct has created an unreasonable risk of criminal misconduct, a duty is owed to those foreseeably endangered. See id.


Thus, if a private investigator or information broker's (hereinafter "investigator" collectively) disclosure of information to a client creates a foreseeable risk of criminal misconduct against the third person whose information was disclosed, the investigator owes a duty to exercise reasonable care not to subject the third person to an unreasonable risk of harm. In determining whether the risk of criminal misconduct is foreseeable to an investigator, we examine two risks of information disclosure implicated by this case: stalking and identity theft....


The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person's personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client's purpose in seeking the information.





From: Volokh, Eugene
Sent: Wednesday, July 6, 2022 10:57 AM
Subject: Kinsey identifying dissident for Saudi government isn't negligent


So the Second Circuit held yesterday in Abdulaziz v. McKinsey & Co., Inc.,, concluding that McKinsey as a matter of law lacked a duty of care under New York law, largely on the grounds that “[g]enerally, there is no ‘duty to control the conduct of third persons to prevent them from causing injury to others.’”  (“Abdulaziz pled that, after receiving the report, the Saudi government responded by targeting him with assassination attempts and arrested, tortured, and harassed his family members and friends currently living in Saudi Arabia.”)


But I wonder whether this is quite right:  Plaintiff was suing McKinsey not for its failure to control the Saudi government, but for its own actions in providing information to the Saudi government that allegedly helped cause the injury to him.  The court deals with this by saying,


Other than the foreseeability of risk, Abdulaziz provides no reason why sharing the report was itself a breach of a cognizable duty of care running from McKinsey to Abdulaziz, and he fails to distinguish such a putative duty from similar ones rejected by New York courts. See Valeriano v. Rome Sentinel Co., 842 N.Y.S.2d 805, 806 (4th Dep’t 2007) (no duty not to publish another’s personal information absent a “statutory, contractual or fiduciary duty to protect the confidentiality of plaintiff’s personal information”). Thus, even if McKinsey knew or should have known that the Saudi government would target Abdulaziz after learning of his dissident activity from the report, Abdulaziz has not plausibly alleged a breach of a duty of care cognizable under New York law.


But Valeriano dealt only with the alleged harm of publishing personal information as such (New York doesn’t generally recognize privacy torts); here, the claim is of harm stemming from the alleged assassination attempts and physical injury to family members and friends – perhaps not recoverable under another theory, but not quite the same as Valeriano, I think.


My question:  If I give someone a gun, when I should have known that he was likely to use it for criminal purposes, I’d be guilty of negligence, under a negligent entrustment, theory.  If I give someone information, when I should have known that he was likely to use it for criminal purposes, wouldn’t this likewise be a presumptively valid negligence claim, though with a possible First Amendment defense, or a possible no-duty rule stemming from the special status of information, and not from a “no duty to control third parties” theory?  Or am I analyzing the case incorrectly?  Thanks,


Eugene Volokh

UCLA School of Law