When 'Reasonable' Isn't: The FTC's Standard-Less Data Security Standard

54 Pages Posted: 25 Sep 2017

Geoffrey A. Manne

International Center for Law & Economics (ICLE)

Kristian Stout

International Center for Law & Economics (ICLE)

Date Written: August 31, 2017


Although the FTC is well-staffed with highly skilled economists, its approach to data security is disappointingly light on economic analysis. The unfortunate result of this lacuna is an approach to these complex issues lacking in analytical rigor and the humility born of analysis grounded in sound economics. In particular, the Commission’s “reasonableness” approach to assessing whether data security practices are unfair under Section 5 of the FTC Act lacks all but the most superficial trappings of the well-established law and economics of torts, from which the concept is borrowed.

In actuality, however, the Commission’s manufactured “reasonableness” standard — which, as its name suggests, purports to evaluate data security practices under a negligence-like framework — amounts in effect to a rule of strict liability for any company that collects personally identifiable data. This is manifestly not what Section 5 intends.

In its recent LabMD opinion, the Commission describes its approach as “cost-benefit analysis.” But simply listing out (some) costs and benefits is not the same thing as analyzing them. Recognizing that tradeoffs exist is a good start, but it is not a sufficient end, and “reasonableness” — if it is to be anything other than the mercurial preferences of three FTC commissioners — must contain analytical content.

Persistent and unyielding uncertainty over the contours of the FTC's data security standard means that companies may be required to accept the reality that, no matter what they do short of the extremes, liability is possible. Worse, there is no way reliably to judge whether conduct (short of obvious fringe cases) is even likely to increase liability risk.

The FTC’s recent LabMD case highlights the scope of the problem and the lack of economic analytical rigor endemic to the FTC’s purported data security standard. To be sure, other factors also contribute to the lack of certainty and sufficient rigor (i.e., matters of process at the agency), but at root sits a “standardless” standard, masquerading as an economic framework.

This paper explores these defects, paying particular attention to the FTC’s decision in LabMD and subsequent district court proceedings in the case.

Keywords: Data security, FTC, Consumer protection, Federal Trade Commission, LabMD, Section 5

JEL Classification: K21, K23, L51, O23

Suggested Citation

Manne, Geoffrey and Stout, Kristian, When 'Reasonable' Isn't: The FTC's Standard-Less Data Security Standard (August 31, 2017). Journal of Law, Economics and Policy, Forthcoming, Available at SSRN: https://ssrn.com/abstract=3041533

Geoffrey Manne (Contact Author)

International Center for Law & Economics (ICLE)

1104 NW 15th Ave.
Suite 300
Portland, OR 97209
United States
503-770-0076 (Phone)

HOME PAGE: http://www.laweconcenter.org

Kristian Stout

International Center for Law & Economics (ICLE)

2117 NE Oregon St.
Ste 501
Portland, OR 97232
United States
5037700076 (Phone)
5037700076 (Fax)

HOME PAGE: http://www.laweconcenter.org
