Unreasonable: A Strict Liability Solution to the FTC’s Data Security Problem
Michigan Technology Law Review, forthcoming 2021
42 Pages Posted: 29 Jul 2020 Last revised: 21 Apr 2021
Date Written: July 24, 2020
For over two decades, the FTC creatively employed its capacious statute to police against shoddy data practices. Although the FTC’s actions arguably were needed at the time to fill a gap in enforcement, there are reasons to believe that its current approach has outlived its usefulness and is in serious need of updating. In particular, our analysis shows that the FTC’s current approach to data security is unlikely to instill anything close to optimal incentives for data holders. These shortcomings cannot be fixed through changes to the FTC enforcement approach, as they are largely generated by a mismatch between the tools that Congress gave it over a century ago and what it needs to foster firms’ incentives to mimic socially optimal levels of care for the data they hold. Not only does the current framework likely suffer from informational deficiencies attendant to its focus on “reasonable” security, which render liability standards uncertain, it also lacks the ability to obtain the type of relief that will force firms to internalize the costs of their data security decisions. We examine the problem of data security enforcement through the lens of the economics of optimal precautions and identify several reasons why a strict liability regime administered by the FTC, under which firms pay for the expected harm from breaches they cause, is likely to be superior to the current framework that revolves around the concept of reasonableness. The benefits of strict liability flow from the likelihood that firms do not fully internalize the costs and benefits of their data security decisions and from the relatively large informational burdens associated with measuring actual and optimal care under a negligence regime.
We also show why in this informational environment strict liability is better than negligence for developing a vibrant market for cyber insurance, which will allow data security regulation to be de facto outsourced to insurers who will contract with firms for optimal levels of care. Because these private contracts will harness private information on costs and benefits from precautions, they are likely to incentivize more efficient behavior.
Keywords: FTC, Federal Trade Commission, data security, optimal care, strict liability, negligence, cyber insurance
JEL Classification: K20, K22, K23, K29