
Showing 9 of 83 Results in Health Care

ICLE Comments on FTC ANPR on Commercial Surveillance and Data Security

Regulatory Comments

Executive Summary

The Federal Trade Commission (“FTC”) has issued an Advance Notice of Proposed Rulemaking (“ANPR”) on “Commercial Surveillance and Data Security,”[1] initiating a proceeding intended to result in binding rules regarding “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”[2]

There is reason to believe that streamlined and uniform federal data-security or privacy regulations could be both beneficial and within the FTC’s competence and authority. But the approach suggested by the ANPR—simultaneously sweeping and vague—appears very likely to do more harm than good. Most notably, the ANPR evinces an approach that barely acknowledges either the limits of the FTC’s authority or the tremendous consumer benefits produced by the information economy.

The FTC is uniquely positioned to understand the complexities entailed in regulating privacy and data security. It has expertise and experience in both consumer-protection and competition matters. With regard to privacy and data security, in particular, it has decades of experience bringing enforcement actions for violations of the FTC Act’s prohibition of deceptive and unfair practices. Its enforcement experience also has been bolstered by its statutory mission to conduct economic and policy research, which has, not incidentally, comprised numerous hearings, workshops, studies, and reports on issues pertinent to data policy.

The ANPR does not build on the Commission’s experience and expertise as it could, however, and its dearth of economic analysis is especially striking. Moreover, the Commission’s authority is not unbounded, and neither are its resources. Both limitations are salient when the Commission considers adopting substantive—or “legislative”—regulations under either Section 18 or Section 6 of the FTC Act. As we discuss below, the current proceeding is deficient on both substantive and procedural grounds. Absent an express grant of authority and the requisite resources from Congress, the Commission would be ill-advised to consider, much less to adopt, the kinds of sweeping data regulations that the Commercial Surveillance ANPR appears to contemplate.

A. The FTC Must Provide More Detail Than Is Contained in the ANPR

The ANPR states that it was issued pursuant to the Commission’s Section 18 authority,[3] which both grants and restrains the FTC’s authority to adopt regulations with respect to “unfair or deceptive acts or practices in or affecting competition” (“UDAP”).[4] Rulemaking under Section 18 of the FTC Act[5] requires that the Commission follow a careful process. As a preliminary matter, it must identify for both Congress and the public an area of inquiry under the Commission’s jurisdiction; the Commission’s objectives in the rulemaking; and regulatory alternatives under consideration.[6] Unfortunately, the Commission has not met these obligations in this ANPR.

Under Section 18, the Commission may adopt “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce”[7] under Section 5 of the FTC Act. Section 18 imposes express procedural requirements, in addition to those set out for this ANPR. These include, but are not limited to, requirements for a Notice of Proposed Rulemaking (“NPRM”). Section 18 also incorporates by reference the procedures prescribed by the Administrative Procedure Act.[8]

As noted, Section 18’s requirements for an ANPR are brief and preliminary but they are nonetheless real. In contravention of the requirements of Section 18, this ANPR does not clearly describe any “objectives which the Commission seeks to achieve,” and it provides no indication of “possible regulatory alternatives under consideration by the Commission.”[9] Instead, it provides a laundry list of putative harms, and it fails to identify even the most basic benefits that may be associated with diverse commercial-data practices. It does not describe the Commission’s current assessment of, or position on, those practices. And it provides no sense of the direction the Commission intends to take regarding potential rules.

Failing to identify the Commission’s objectives or proposals under consideration, this ANPR fails in its basic purpose to “invite… suggestions or alternative methods for achieving [the] objectives.”[10]

B. The Commission Must Undertake a Cost-Benefit Analysis that Defines Harms, Identifies Benefits, and Weighs the Two

Any rules the Commission issues under a Section 18 proceeding must emerge from a cost-benefit analysis.[11] Both the potential harms and the benefits of challenged conduct must be well-defined, and they must be weighed against each other. Even at this early stage of the process, the FTC is obligated to provide more than a suggestion that some harm might be occurring, and to provide more than a hint of how it might handle those harms.

This is also good procedure for policymaking more generally, irrespective of the Commission’s statutory obligations under Section 18. Before engaging in a deeply interventionist regulatory experiment—such as imposing strict privacy regulations that contravene revealed consumer preferences—the Commission should publicly state empirically justified reasons to do so. In other words, there should be demonstrable market failures in the provision of “privacy” (however we define that term) before centralized regulation co-opts the voluntary choices of consumers and firms in the economy, and before it supplants the ability to redress any residual, cognizable harms through law enforcement with broad, economywide, ex ante rules.

Thus, a vital threshold question for any rules issued under this proceeding is whether and why markets operating without specific privacy regulation generate a suboptimal provision of privacy protection. Without this inquiry, it is unclear whether there are problems requiring regulatory intervention and, if so, what they are. Without knowing their purpose, any rules adopted are likely to be ineffective, at best, and harmful, at worst. They may increase costs for consumers and businesses alike, chill innovation, mandate harmful prescriptions for alleged privacy harms while failing to address the most serious and persistent harms, or exacerbate the risks of harm—or all of the above.

Particularly in the United States, where informational privacy is treated both legally and socially as more of a consumer preference (albeit, perhaps, a particularly important one) than a fundamental right,[12] it is difficult to determine whether our current regime produces the “right” amount of privacy protection. That cannot be determined by observing that some advocates and consumers who are particularly privacy-sensitive opine that there should be more, or more of a certain sort; nor is it enough that there have been some well-publicized violations of privacy and cases of demonstrable harm. Indeed, the fact that revealed preferences in the market tend toward relatively less privacy protection is evidence that advocates may be seeking to create a level and a type of privacy protection for which there is simply no broad-based demand. Absent a pervasive defect that suggests a broad disconnect between revealed and actual preferences, as well as a pattern of substantial net harm, the Commission should be extremely cautious before adopting preemptive and sweeping regulations.

At a minimum, the foregoing indicates that the Commission must undertake several steps before this ANPR is close to satisfying the requirements of Section 18, not to mention good government:

  • First, the Commission must proffer an adequate definition of “commercial surveillance.” While the ANPR is framed around this ominous-sounding term,[13] it is functionally defined in a way that is both sweeping and vague. It appears to encompass virtually all commercial uses of “consumer data,” albeit without providing a workable definition of “consumer data.”[14] If the Commission is contemplating a general data regulation, it should say so and enumerate the objectives such a regulation would serve. In the current ANPR, the Commission has done neither.
  • Second, the Commission must do more than merely cite diverse potential harms arising from what it terms “commercial surveillance.” The Commission has a long history of pursuing privacy and data-security cases, and it should rely on this past practice to define with specificity the types of harms—cognizable as injuries under Section 5—that it intends to pursue.

The Commission must also adequately account for the potential harms to innovation and competition that can arise from the adoption of new privacy and data-security regulations. Resources that firms invest in compliance cannot be invested in product development, customer service, or any of a host of other ends. And compliance with overly broad constraints will often curtail or deter the sort of experimentation that is at the heart of innovation.

Moreover, there is a potential tension between privacy and data security, such that mandates to increase privacy can diminish firms’ ability to ensure data security. The EU’s experience with the General Data Protection Regulation (“GDPR”) has demonstrated some of this dynamic.[15] These realities must be incorporated into the Commission’s assessment.

  • Third, the Commission must do more than merely nod to potential benefits that the modern data-driven economy provides to consumers. The clear benefits that arise from information sharing must be considered. Since the dawn of the Internet, free digital services have created significant consumer surplus. This trend continues today: Research using both survey and experimental methods has consistently found substantial benefits for consumers from sharing information in exchange for free (or subsidized) digital products. Moreover, productive conduct and consumer benefits are not limited to free digital products and services. Myriad products and services—from health care to finance to education—are made more efficient, and more widely available, by the commercial use of various forms of consumer data.

C. The ANPR Must Account for the Effect of Any ‘Commercial Surveillance’ Rules on Consumer Welfare and Competition

The Commission is obligated to consider the likely effects of data regulation on consumers and competition. That ought to be a requirement for regulation generally, but it is an express, statutory requirement for unfairness regulation under Section 18 of the FTC Act. The Commission is uniquely well-situated to meet that mandate by virtue of its distinctive, dual competition and consumer-protection missions. Indeed, the Commission’s antitrust-enforcement experience dates to the agency’s inception. In addition, the Commission can access the considerable expertise of its Bureau of Economics, which employs experts in both industrial organization and consumer-protection economics. Yet much of that expertise appears absent from the ANPR.

This ANPR does not specify, or even sketch, the data regulations being contemplated by the Commission. Neither does it specify the Commission’s goals in the rulemaking or alternative regulatory approaches under consideration, although both are required by statute. Consequently, one cannot assess the net effects of any proposed “commercial surveillance and data security” rule on competition or consumers, because there simply is no proposed rule to assess.

The economic literature, however, does suggest caution:

  • First, as a general matter, regulations that impose substantial fixed costs on regulated firms tend to burden smaller firms and entrants more than they do large firms and incumbents.[16]
  • Second, studies of specific domestic-privacy and data-security requirements underscore the potential for unintended consequences, including competitive costs.[17]
  • Third, empirical studies of the effects of general data regulations in foreign jurisdictions, such as the EU’s GDPR, suggest that such regulations have indeed led to substantial competitive harms.[18]

The literature on the effects of GDPR and other data regulations is particularly instructive. Although it is neither definitive nor complete, it has thus far found slender (at best) benefits to competition or consumers from data regulations and considerable costs and harms from their imposition. Further experience with and study of data regulations could yield a more nuanced picture. And, again, the FTC is well-positioned to contribute to and foster a greater understanding of the competitive effects of various types of data regulation. Doing so could be greatly beneficial to policymaking, competition, and consumer welfare, precisely because specific data practices can produce substantial benefits, harms, or a complex admixture of the two. But documented harms and speculative benefits of regulation recommend caution, not blind intervention.

D. Conclusion

The Commission should take account of a further reality: the rules it contemplates will be created in an environment filled with other privacy regulators. Although the United States does not have a single, omnibus, privacy regulation, this does not mean that the country does not have “privacy law.” Indeed, generally applicable laws providing a wide range of privacy and data-security protections already exist at both the federal and state level. These include consumer-protection laws that apply to companies’ data use and security practices,[19] as well as those that have been developed in common law (property, contract, and tort) and criminal codes.[20] In addition, there are sector-specific regulations pertaining to particular kinds of information, such as medical records, personal information collected online from children, and credit reporting, as well as regulations prohibiting the use of data in a manner that might lead to certain kinds of illegal discrimination.[21]

Despite the FTC’s noted experience in a certain slice of privacy regulation, Congress has not made the FTC the central privacy regulatory body. Neither has Congress granted the Commission the resources likely required for such a regulator. Congress has wrestled with complex tradeoffs in several areas and has allowed—through design and otherwise—various authorities to emerge. Where Congress has provided for privacy regulation, it has tailored the law to address specific concerns in specific sectors, or with respect to specific types of information. Moreover, in each case, it has balanced privacy and security concerns with other policy priorities. That balancing requires technical expertise, but it also entails essentially political judgements about the relative value of diverse policy goals; in that latter regard, it is a job for Congress.

There are, as well, questions of resource allocation that may attend an express statutory charge. We cannot gainsay the importance of the FTC’s privacy and data-security enforcement work under Section 5 of the FTC Act. At the same time, we cannot help but notice a misfit between the Commission’s congressionally allocated resources and the obligations that are entailed by data regulations of the scope contemplated in the ANPR. By way of contrast, we note that, since the compliance date of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rule, the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has investigated and resolved nearly 30,000 cases involving HIPAA-covered entities and their business associates; for appropriate cases of knowing disclosure or obtaining of protected health information, OCR has referred more than 1,500 cases to the U.S. Department of Justice (“DOJ”) for criminal prosecution.[22]

In his dissent from the issuance of this ANPR, former Commissioner Noah Phillips noted the massive and complicated undertaking it initiates:

Legislating comprehensive national rules for consumer data privacy and security is a complicated undertaking. Any law our nation adopts will have vast economic significance. It will impact many thousands of companies, millions of citizens, and billions upon billions of dollars in commerce. It will involve real trade-offs between, for example, innovation, jobs, and economic growth on the one hand and protection from privacy harms on the other. (It will also require some level of social consensus about which harms the law can and should address.) Like most regulations, comprehensive rules for data privacy and security will likely displace some amount of competition. Reducing the ability of companies to use data about consumers, which today facilitates the provision of free services, may result in higher prices—an effect that policymakers would be remiss not to consider in our current inflationary environment.[23]

This is particularly true given the Commission’s long history of work in this area. The Commission has undertaken decades of investigations and a multitude of workshops and hearings on privacy and related topics. This ANPR nods to that history, but it does not appear to make much use of it, possibly because much of it contains lessons that pull in different directions. Overall, that impressive body of work does not remotely point to the need for a single, comprehensive privacy rule. Rather, it has demonstrated that privacy regulation is complicated. It is complicated not just as a technical matter, but also because of the immense variety of consumers’ attitudes, expectations, and preferences with respect to privacy and the use of data in the economy.

The Commercial Surveillance ANPR poses 95 questions, many of which will find some answers in this prior history if it is adequately consulted. The Commission has generally evidenced admirable restraint and assessed the relevant tradeoffs, recognizing that the authorized collection and use of consumer information by companies confers enormous benefits, even as it entails some risks. Indeed, the overwhelming conclusion of decades of intense scrutiny is that the application of ex ante privacy principles across industries is a fraught exercise, as each industry—indeed each firm within an industry—faces a different set of consumer expectations about its provision of innovative services and offering of privacy protections.

These considerations all militate in favor of regulatory restraint by the FTC as a matter of policy. They also require restraint, and an emphasis on established jurisdiction, given the Supreme Court’s recent “major questions” jurisprudence.[24] As noted in the statements of several commissioners, West Virginia v. EPA[25] clarifies the constitutional limits on an agency’s authority to extend the reach of its jurisdiction via regulation. In brief, the broader the economic and political sweep of data regulations the Commission might propose, the more likely it is that such regulations exceed the FTC’s authority. If the “major questions doctrine” is implicated, the burden is on the agency to establish the specific grant of authority that is claimed.[26] Moreover, the Court was clear that a merely colorable claim of statutory implementation is inadequate to establish the authority to issue sweeping regulations with major economic and political implications.[27]


[1] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (Aug. 22, 2022) (to be codified at 16 C.F.R. Ch. 1) [hereinafter “ANPR” or “Commercial Surveillance ANPR”].

[2] Id. at 51277.

[3] Id. at 51276.

[4] That is, “unfair or deceptive acts or practices in or affecting commerce,” as they are prohibited under Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1).

[5] 15 U.S.C. § 57a.

[6] 15 U.S.C. § 57a(b)(2)(A).

[7] 15 U.S.C. § 57a(a)(1)(B).

[8] 15 U.S.C. § 57a(b)(1) (“When prescribing a rule under subsection (a)(1)(B) of this section, the Commission shall proceed in accordance with section 553 of title 5.”)

[9] 15 U.S.C. § 57a(b)(2)(i).

[10] 15 U.S.C. § 57a(b)(2)(ii).

[11] See Section III, infra (regarding the role of cost-benefit analysis under Magnuson-Moss and the statutory requirements of Section 18).

[12] Except, of course, when it comes to government access to private information, i.e., under the Fourth Amendment.

[13] See, e.g., ANPR, supra note 1 at 51273-75.

[14] The purported definition of consumer data in the ANPR, and the scope of activities around consumer data, are so overbroad as to encompass virtually the entirety of modern economic activity: “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app. This latter category is far broader than the first.” Id. at 51277.

[15] See, e.g., Coline Boniface, et al., Security Analysis of Subject Access Request Procedures, in Privacy Technologies & Policy: 7th Annual Privacy Forum (Maurizio Naldi, et al. eds., 2019).

[16] See, e.g., James Campbell, Avi Goldfarb & Catherine Tucker, Privacy Regulation and Market Structure, 24 J. Econ. & Mgmt. Strategy 47 (2015); Alex Marthews & Catherine Tucker, Privacy Policy and Competition, Econ. Stud. at Brookings (December 2019), available at https://www.brookings.edu/wp-content/uploads/2019/12/ES-12.04.19-Marthews-Tucker.pdf.

[17] See, e.g., Jin-Hyuk Kim & Liad Wagman, Screening Incentives and Privacy Protection in Financial Markets: A Theoretical and Empirical Analysis, 46 RAND J. Econ. 1 (2015).

[18] See, e.g., Jian Jia, Ginger Zhe Jin & Liad Wagman, The Short-run Effects of the General Data Protection Regulation on Technology Venture Investment, 40 Marketing Sci. 661 (2021).

[19] See, e.g., FTC Act, 15 U.S.C. § 45(a) et seq.

[20] See Privacy-Common Law, Law Library —American Law and Legal Information, http://law.jrank.org/pages/9409/Privacy-Common-Law.html (last visited Oct. 16, 2022).

[21] See, e.g., Comments of the Association of National Advertisers on the Competition and Consumer Protection in the 21st Century Hearings, Project Number P181201, available at https://docplayer.net/93116976-Before-the-federal-trade-commission-washington-d-c-comments-of-the-association-of-national-advertisers-on-the.html: [T]he Health Information Portability and Accountability Act (“HIPAA”) regulates certain health data; the Fair Credit Reporting Act (“FCRA”) regulates the use of consumer data for eligibility purposes; the Children’s Online Privacy Protection Act (“COPPA”) addresses personal information collected online from children; and the Gramm–Leach–Bliley Act (“GLBA”) focuses on consumers’ financial privacy; the Equal Employment Opportunity Commission (“EEOC”) enforces a variety of anti-discrimination laws in the workplace including the Pregnancy Discrimination Act (“PDA”) and American with Disabilities Act (“ADA”); the Fair Housing Act (“FHA”) protects against discrimination in housing; and the Equal Credit Opportunity Act (“ECOA”) protects against discrimination in mortgage and other forms of lending. Id. at 6.

[22] Dep’t Health & Human Servs., Health Information Privacy, Enforcement Highlights, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html (HHS Office of Civil Rights, last reviewed Sep. 14, 2022).

[23] ANPR at 51293 (Dissenting Statement of Comm’r Noah J. Phillips).

[24] See W. Virginia v. Env’t Prot. Agency, 142 S. Ct. 2587, 2595 (2022) (citing a line of cases including Utility Air Regulatory Group v. EPA, 573 U. S. 302 (2014); Gonzales v. Oregon, 546 U. S. 243 (2006); Whitman v. American Trucking Assns., Inc., 531 U. S. 457, 468 (2001); and FDA v. Brown & Williamson Tobacco Corp., 529 U. S. 120, 159 (2000)).

[25] Id.

[26] See id. at 2613 (citing William Eskridge, Interpreting Law: A Primer on How to Read Statutes and the Constitution 288 (2016)).

[27] Id. at 2608-09.

Data Security & Privacy

Inframarginal Externalities: COVID-19, Vaccines, and Universal Mandates

Scholarship

COVID-19 vaccine mandates are in place or being debated across the world. Standard neoclassical economics argues that the marginal social benefit from vaccination exceeds the marginal private benefit; everyone vaccinated against a given infectious disease protects others by not transmitting the disease. Consequently, private levels of vaccination will be lower than the socially optimal levels due to free-riding, which requires mandates to overcome the problem. We argue that universal mandates based on free-riding are less compelling for COVID-19. We argue that because the virus can be transmitted even after receiving the vaccine, most of the benefits of the COVID-19 vaccine are internalized: vaccinated individuals are protected from the worst effects of the disease. Therefore, any positive externality may be inframarginal or policy irrelevant. Even when all the benefits are not internalized by the individual, the externalities mainly are local, mostly affecting family and closely associated individuals, requiring local institutional (private and civil society) arrangements to boost vaccine rates, even in a global pandemic. Economists and politicians must justify such universal vaccine mandates on some basis other than free-riding.

Innovation & the New Economy

COVID-19 Vaccine Effectiveness and the Evidence on Boosters: A Systematic Review (with Partial Evidence on the Omicron Variant)

Scholarship

Abstract

Background. The need for COVID-19 vaccine booster shots is controversial. When boosters were under active review in the U.S. in 2021, Krause et al.[1] and others argued that the need for a COVID-19 booster for all adults had not been sufficiently established. In late 2021, U.S. regulators initially limited booster eligibility, waited months before allowing boosters for all adults, and even longer before recommending them, with public health officials sending mixed messages on booster value. We conduct a systematic review of COVID-19 vaccine effectiveness (VE) for primary and booster doses.

Methods. We conducted a systematic review of studies reporting COVID-19 vaccine efficacy or VE against four endpoints: any infection, symptomatic infection, hospitalization, and death for the four principal vaccines used in developed Western countries (BNT162b2, mRNA1273, Ad26.CoV2.S, and ChAdOx1-S), waning VE, and booster VE, during the period of Delta-variant prevalence. We reviewed all studies appearing on PubMed over Jan. 1, 2021 through March 31, 2022, supplemented with our own knowledge of other sources. 63 studies met defined inclusion and exclusion criteria.

Findings. The mRNA vaccines (BNT162b2, mRNA1273) had very high initial VE but experienced significant VE waning after approximately six months, including against severe disease and mortality, with BNT162b2 declining faster than mRNA1273. Both mRNA vaccines outperformed the Ad26.CoV2.S and ChAdOx1-S viral vector vaccines. Booster doses reduced symptomatic infection, severe disease, and mortality. Initial evidence supports booster value against the Omicron variant.

Interpretation. Strong epidemiological evidence supports waning VE for primary COVID-19 vaccination and the value of a booster dose, roughly 6 months after initial vaccination. The emergence of the Omicron variant strengthens the value of booster doses to recipients. Boosters also provide spillover benefits to others, both vaccinated and unvaccinated, by reducing downstream infections; reducing shortage risk for scarce COVID treatments; and reducing hospital overload.

Innovation & the New Economy

How Do Insurers Price Medical Malpractice Insurance?

Scholarship

Abstract

We study the factors that predict medical malpractice (“med mal”) insurance premia, using national data from Medical Liability Monitor over 1990 to 2017. A number of core findings are not easily explained by standard economic theory. First, we estimate long-run elasticities of premia to insurers’ direct cost (payouts plus defense costs), allowing for lags of up to four years, of only around +0.40, when one might expect elasticities near one. Second, state caps on malpractice damages predict a roughly 50% higher ratio of premia to direct costs even though, in competitive markets, a damages cap should affect premia primarily through its effect on cost. A difference-in-differences analysis of the “new cap” states that adopted caps during the early 2000s provides evidence supporting a causal link between cap adoption and the ratio of premium to direct cost. Third, the premium-to-cost ratio, which one might expect to be fairly constant over time, instead varies widely both across states at a given time and within states across time. Our results suggest that insurance companies do not fully adjust revenues to changes in direct costs even over long time periods. Insurers in new-cap states have been able to charge apparently supra-competitive prices for a sustained period.

Financial Regulation & Corporate Governance

Optimizing Cybersecurity Risk in Medical Cyber-Physical Devices

Scholarship

Abstract

Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host of deadly security risks that traditional notions of cybersecurity struggle to take into account. Previously, we could predict how algorithms would function as they drew on defined inputs. But cyber-physical systems draw on unbounded inputs from the real world. Moreover, with wide networks of cyber-physical medical devices, a single cybersecurity breach could pose lethal dangers to masses of patients.

The U.S. Food and Drug Administration (FDA) is tasked with regulating medical devices to ensure safety and effectiveness, but its regulatory approach—designed decades ago to regulate traditional medical hardware—is ill-suited to the unique problems of cybersecurity. Because perfect cybersecurity is impossible and every cybersecurity improvement entails costs to affordability and health, designers need standards that balance costs and benefits to inform the optimal level of risk. FDA, however, conducts limited cost-benefit analyses, believing that its authorizing statute forbids consideration of economic costs.

We draw on statutory text and case law to show that this belief is mistaken and that FDA can and should conduct cost-benefit analyses to ensure safety and effectiveness, especially in the context of cybersecurity. We describe three approaches FDA could take to implement this analysis as a practical matter. Of these three, we recommend an approach modeled after the Federal Trade Commission’s cost-benefit test. Regardless of the specific approach FDA chooses, however, the critical point is that the agency must weigh costs and benefits to ensure the right level of cybersecurity. Until then, medical device designers will face continued uncertainty as cybersecurity threats become increasingly dangerous.

Data Security & Privacy

Statement of R.J. Lehmann, Roundtable on Pandemic Risk

Written Testimonies & Filings

Opening Statement of

R.J. Lehmann

Editor-in-Chief and Senior Fellow

International Center for Law & Economics

“Roundtable on Pandemic Risk”

Hosted by

Ranking Member French Smith and Members of

U.S. House Committee on Financial Services,

Subcommittee on Housing, Community Development, and Insurance

Congressman Smith, and Members of the Committee and Subcommittee,

My name is R.J. Lehmann, and I am editor-in-chief and senior fellow with the International Center for Law & Economics. ICLE is a nonprofit, nonpartisan research center that works to develop and disseminate academic output in the law & economics tradition, in order to build the intellectual foundation for rigorous, economically grounded public policy.

Two years into the COVID-19 pandemic, it is appropriate that Congress explore whether a more targeted and potentially permanent approach would be preferable to the ad hoc pandemic assistance programs like the Paycheck Protection Program, which have directed trillions of dollars of federal relief to affected employers and employees. It is also reasonable to inquire what role, if any, should be played by the insurance industry, the sector traditionally tasked with responding to disaster.

There are almost certainly lessons to be learned from COVID, and there may well be a role to play for insurance companies, agents, and claims adjusters in any future pandemic program Congress might devise. But I want to raise a note of skepticism that insurance products generally—and business-interruption insurance, in particular—are really the best means to respond to the macroeconomic challenges raised by pandemics.

First, the capital that the global insurance and reinsurance industry would ever be willing to devote to the risk of pandemics would never come close to approaching the scale of the problem. Unlike governments, insurers and reinsurers cannot print money. To respond to a loss event like a pandemic, they would need to have those assets on hand. Any world in which the insurance industry had the resources to replace half of global GDP is a world in which people are buying far too much insurance.

Proposals like the Pandemic Risk Insurance Act (PRIA) tacitly acknowledge this limitation, which is why they would have the industry retain only de minimis risk of 5%. Obviously, that risk-share contribution would not significantly offset costs to the taxpayer, but it might be a worthy idea if the goal is to leverage the industry’s expertise and capacity in other ways.

Most frequently cited among these is that insurers know how to price risk. That is true and, in many contexts, assigning risk-weighted premia performs a valuable social function. In the context of the pandemic, for example, it is crucial that businesses’ liability and workers’ compensation insurance rates reflect risk, because that produces the price signals that offer incentives for businesses to adopt safer practices and avoid spreading infection to their customers or their employees. But it is not as clear that assigning pandemic-risk insurance rates according to risk would achieve a socially desirable goal. Indeed, if businesses like bars and restaurants, which are most exposed to the risk of closure in the event of a pandemic, had to pay insurance rates that reflected their risk, they would, at the margin, be less likely to buy the coverage. It would undermine the entire purpose of the program if those businesses that need the protection the most would be least likely to afford it.

This question of take-up is particularly important when you remember that only about a third of businesses currently have business-interruption insurance, and that’s with a product that does not cover risks like pandemic. While adding pandemic coverage might make the product more attractive, it will certainly be more expensive, even if it’s subsidized. It would not be ideal to attach a relief program to aid businesses with the risk of pandemic to an insurance product that most businesses do not have.

It’s also notable that, unlike the terrorism insurance crisis in 2002, in which lenders were canceling financing of projects that weren’t insured for terrorism risk, by and large, we are not seeing something similar today—at least, not with business-interruption insurance, which has never covered pandemic risk. There are other insurance products, like events cancellation and production insurance for films and television shows, where there’s more evidence of some degree of market dislocation, and those might be areas more ripe for a targeted solution.

Finally, I would caution Congress to be humble in what it can project about future public-health emergencies. The next crisis may look nothing like the current one, and even the current one continues to surprise us. Early in 2020, I consulted with the major insurance trades on the proposal that ultimately became the Business Continuity Protection Plan (BCPP). At the time, we debated whether a program that offered three months of assistance would be exceedingly generous. When I testified before the Subcommittee on this topic in November 2020, vaccines were about to start rolling out and it seemed this all was coming to a close. There are good reasons to want a transparent and predictable set of rules, but it may be that ad hoc solutions designed in the moment to address the problem immediately before us are the best that we can do.

With that, I look forward to your questions.

Financial Regulation & Corporate Governance

Make May 31 World No Smoking Day, Not No Nicotine Day

Popular Media

May 31 is World No Tobacco Day and the World Health Organization wants smokers to “commit to quit.” Unfortunately, as with so many issues recently, the WHO misunderstands the problem—and its solution is both patronizing and ineffective. Worse, other WHO policies, such as its opposition to less harmful nicotine products, actually make it more difficult for smokers to quit.


J&J ‘Pause’ Underscores What Government Gets Wrong About Risk

Popular Media

Just 10 days after issuing it, the U.S. Food and Drug Administration and the U.S. Centers for Disease Control and Prevention lifted their “pause” on the use of the Johnson & Johnson COVID-19 vaccine. Initially sparked by six reported cases of a rare blood clot, out of more than 6.8 million doses administered, the decision also came amid a pandemic that continues to infect 50,000 more Americans every day.

Innovation & the New Economy