Amicus brief of ICLE & TechFreedom, LabMD Inc., v. Federal Trade Commission, 11th Circuit
Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 [“Section 5”], is a consumer protection statute, not a data security rule. See Commission Statement of Policy on the Scope of Consumer Unfairness Jurisdiction, Letter from the FTC to Hon. Wendell Ford and Hon. John Danforth, United States Senate (Dec. 17, 1980) [“Unfairness Statement”], reprinted in International Harvester Co., 104 FTC 949, 1073 (1984) [“International Harvester”] (quoting 83 Cong. Rec. 3255 (1938) (remarks of Senator Wheeler)) (“Unjustified consumer injury is the primary focus of the FTC Act….’”).
This fundamental point has been lost in the Commission’s approach to data security. The touchstone for Section 5 actions is not “reasonableness,” but consumer welfare: Does this enforcement action deter a preventable “unfair” act or practice that, on net, harms consumer welfare, and do the benefits to consumers from this action outweigh its costs? Section 5’s purpose is neither fundamentally remedial nor prescriptive. Concern for consumer welfare means deterring bad conduct, avoiding over-deterrence of pro-consumer conduct, minimizing compliance costs, and minimizing administrative costs (by focusing only on substantial harms) — not preventing every possible harm. Instead of weighing such factors carefully, or even performing a proper analysis of negligence, as it purports to do, the Commission has effectively created a strict liability standard unmoored from Section 5.
Across the Commission’s purported guidance on data security, it has likewise failed to articulate a standard by which companies themselves should weigh costs and benefits to determine which risks are sufficiently foreseeable that they can be mitigated cost-effectively. Thus, in addition to violating the intent of Congress, the FTC has also violated the Constitution by failing to provide companies like LabMD with “fair notice” of the agency’s interpretation of what Section 5 requires.