Unreasonable: A Strict Liability Solution to the FTC’s Data Security Problem

Michigan Technology Law Review, forthcoming 2021

George Mason Law & Economics Research Paper No. 20-23

42 Pages. Posted: 29 Jul 2020. Last revised: 21 Apr 2021

James C. Cooper

George Mason University - Antonin Scalia Law School, Faculty

Bruce H. Kobayashi

George Mason University - Antonin Scalia Law School

Date Written: July 24, 2020

Abstract

For over two decades, the FTC creatively employed its capacious statute to police against shoddy data practices. Although the FTC’s actions arguably were needed at the time to fill a gap in enforcement, there are reasons to believe that its current approach has outlived its usefulness and is in serious need of updating. In particular, our analysis shows that the FTC’s current approach to data security is unlikely to instill anything close to optimal incentives for data holders. These shortcomings cannot be fixed through changes to the FTC enforcement approach, as they are largely generated by a mismatch between the tools that Congress gave it over a century ago and what it needs to foster firms’ incentives to mimic socially optimal levels of care for the data they hold. Not only does the current framework likely suffer from informational deficiencies attendant to its focus on “reasonable” security that render liability standards uncertain, it also lacks the ability to obtain the type of relief that will force firms to internalize the costs of their data security decisions. We examine the problem of data security enforcement through the lens of the economics of optimal precautions and identify several reasons why a strict liability regime administered by the FTC, under which firms pay for the expected harm from breaches they cause, is likely to be superior to the current framework that revolves around the concept of reasonableness. The benefits from strict liability flow from the likelihood that firms do not fully internalize the costs and benefits of their data security decisions and the relatively large informational burdens associated with measuring actual and optimal care under a negligence regime.
We also show why in this informational environment strict liability is better than negligence for developing a vibrant market for cyber insurance, which will allow data security regulation to be de facto outsourced to insurers who will contract with firms for optimal levels of care. Because these private contracts will harness private information on costs and benefits from precautions, they are likely to incentivize more efficient behavior.

Keywords: FTC, Federal Trade Commission, data security, optimal care, strict liability, negligence, cyber insurance

JEL Classification: K20, K22, K23, K29

Suggested Citation

Cooper, James C. and Kobayashi, Bruce H., Unreasonable: A Strict Liability Solution to the FTC’s Data Security Problem (July 24, 2020). Michigan Technology Law Review, forthcoming 2021, George Mason Law & Economics Research Paper No. 20-23, Available at SSRN: https://ssrn.com/abstract=3660116 or http://dx.doi.org/10.2139/ssrn.3660116

James C. Cooper (Contact Author)

George Mason University - Antonin Scalia Law School, Faculty

3301 Fairfax Drive
Arlington, VA 22201
United States
703-993-9582 (Phone)

Bruce H. Kobayashi

George Mason University - Antonin Scalia Law School

3301 Fairfax Drive
Arlington, VA 22201
United States
703-993-8034 (Phone)
703-993-8088 (Fax)

HOME PAGE: http://mason.gmu.edu/~bkobayas
