An Unreasonable Solution: Rethinking the FTC's Current Approach to Data Security

42 Pages Posted: 29 Jul 2020

James C. Cooper

George Mason University - Antonin Scalia Law School, Faculty

Bruce H. Kobayashi

George Mason University - Antonin Scalia Law School

Date Written: July 24, 2020

Abstract

Since the early 2000s, the FTC has creatively employed its capacious statute to target shoddy data practices. Although the FTC’s actions arguably were needed at the time to fill a gap in enforcement, there are reasons to believe that its current approach has outlived its usefulness and is in serious need of updating. In particular, our analysis shows that the FTC’s current approach to data security is unlikely to instill anything close to optimal incentives for data holders. These shortcomings cannot be fixed through changes to the FTC enforcement approach, as they are largely generated by a mismatch between the tools that Congress gave it over a century ago and what it needs to foster firms’ incentives to mimic socially optimal levels of care for the data they hold. Not only does the current framework likely suffer from informational deficiencies attendant to its focus on “reasonable” security that render liability standards uncertain, it also lacks the ability to obtain the type of relief that will force firms to internalize the costs of their data security decisions. We examine the problem of data security enforcement through the lens of the economics of optimal precautions and identify several reasons why a strict liability regime administered by the FTC in which firms pay for the expected harm from breaches they cause is likely to be superior to the current framework that revolves around the concept of reasonableness. The benefits from strict liability flow from the likelihood that firms do not fully internalize the costs and benefits of their data security decisions and the relatively large informational burdens associated with measuring actual and optimal care under a negligence regime. We also show why in this informational environment strict liability is better than negligence for developing a vibrant market for cyber insurance, which will allow data security regulation to be de facto outsourced to insurers who will contract with firms for optimal levels of care. Because these private contracts will harness private information on costs and benefits from precautions, they are likely to incentivize more efficient behavior.

Keywords: FTC, Federal Trade Commission, data security, optimal care, strict liability, negligence, cyber insurance

JEL Classification: K20, K22, K23, K29

Suggested Citation

Cooper, James C. and Kobayashi, Bruce H., An Unreasonable Solution: Rethinking the FTC's Current Approach to Data Security (July 24, 2020). George Mason Law & Economics Research Paper No. 20-23, Available at SSRN: https://ssrn.com/abstract=3660116 or http://dx.doi.org/10.2139/ssrn.3660116

James C. Cooper (Contact Author)

George Mason University - Antonin Scalia Law School, Faculty

3301 Fairfax Drive
Arlington, VA 22201
United States
703-993-9582 (Phone)

Bruce H. Kobayashi

George Mason University - Antonin Scalia Law School

3301 Fairfax Drive
Arlington, VA 22201
United States
703-993-8034 (Phone)
703-993-8088 (Fax)

HOME PAGE: http://mason.gmu.edu/~bkobayas
