FTC Hearings on Competition & Consumer Protection in the 21st Century – Topic 9: Data Security
Comments of the International Center for Law & Economics
Topic 9: Data Security
We thank the Commission for the opportunity to comment on “Competition and Consumer Protection in the 21st Century Hearings.”
The International Center for Law and Economics (ICLE) is a nonprofit, nonpartisan research center whose work promotes the use of law & economics methodologies to inform public policy debates. We believe that intellectually rigorous, data-driven analysis will lead to efficient policy solutions that promote consumer welfare and global economic growth.
ICLE’s scholars have written extensively on competition and consumer protection policy. Some of our writings are included as references in the comment below. Additional materials may be found at our website: www.laweconcenter.org.
In this comment, we primarily address the ninth topic raised by the Commission, concerning “the U.S. framework related to consumer data security, and the FTC’s data security enforcement program.”
Our comment addresses several pressing issues. It starts by outlining the flawed strategy which the FTC currently deploys to deal with data security issues. In a nutshell, the comment argues that the Commission’s overreliance on enforcement by consent decrees has created a quasi-regulatory approach to data security, as opposed to the emergence of a common law on data security. In doing so, the FTC has adulterated some of the cornerstones of common law negligence, namely: the assessment of reasonable care on the part of the tortfeasor, the thorough analysis of causality, an economically grounded computation of harm, and the establishment that harm is likely absent some level of care.
Given these failings, we urge the FTC to consider implementing reforms that might bring its decisional practice closer to the common law tradition. These include giving more weight to economic analysis (notably by allowing the FTC’s Bureau of Economics to play a greater role in data security proceedings), adopting modest measures that would increase the transparency of the FTC’s data security decisions (thereby increasing legal predictability), bringing greater judicial review to data security proceedings, and incentivizing firms to better communicate their data security activities.