Comments of the International Center for Law and Economics, In the Matter of Informational Injury Workshop, FTC
In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on. While these are crucial questions, we offer these comments in order to address another set of questions that is missing from the event’s description: How should the Commission determine whether or not, in fact, the conduct leading to such injuries constitutes actionable “misuse?” The question is a fundamental one that must be addressed in order to evaluate how businesses, consumers, and the Commission itself do and should respond to purported informational injuries.
Fundamentally, there is a great deal of ambiguity about how consumer protection law should treat data and data breaches. When there is a data breach, the calculation of the extent of informational harm (if any) to consumers is a difficult one. This is complicated, of course, by the sometimes tenuous connection between conduct and injury. It is further complicated, even assuming that particularized harm can be accurately assessed, by the need to balance harms against the benefits conferred by decisions within the firm to optimize a product or service, to lower prices, or to promote other consumer-valued features, such as ease-of-use, performance, and so forth. Where the same conduct that may produce informational injury also produces consumer benefit, determining whether the net effect is, in fact, harmful or not is essential.
The Commission purports to evaluate injury (along with the other elements required by Section 5(n) of the FTC Act) under a so-called “reasonableness” standard. Superficially, at least, this seems sensible: Unfairness entails a balancing of risk, benefits, and harms, and a weighing of avoidance costs consistent with a negligence regime.3 Easily seen and arguably encompassed within this language are concepts from the common law of negligence such as causation, foreseeability and duty of care. The FTC collapses this into its “reasonableness” approach, specifically eschewing strict liability:
The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities…. [T]he Commission… does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.
Giving purchase to a reasonableness approach under the Commission’s own guidance would seem to require establishing (i) a clear baseline of appropriate conduct, (ii) a company’s deviation from that baseline, (iii) proof that its deviation caused, or was significantly likely to cause, harm, (iv) substantial harm, (v) proof that the benefits of (e.g., the cost savings from) a company’s conduct didn’t outweigh the expected costs, and (vi) a demonstration that consumers’ costs of avoiding harm would have been greater than the cost of the harm.
Unfortunately, by eliding the distinct elements of a Section 5 unfairness analysis in the data security context, the FTC’s reasonableness approach risks ignoring Congress’ plain requirement that the Commission demonstrate duty, causality and substantiality, and perform a cost-benefit analysis of risk and avoidance costs.
While the FTC pays lip service to addressing these elements, its inductive, short-cut approach of attempting to define reasonableness by reference to the collection of practices previously condemned by its enforcement actions need not — and, in practice, does not — actually entail doing so. Instead, we “don’t know… whether… practices that have not yet been addressed by the FTC are ‘reasonable’ or not,” and we don’t know how the Commission would actually weigh them in an actual rigorous analysis.
At the root of this workshop is the implicit recognition that some, including the FTC itself, have asserted that the unauthorized exposure of private information may be, in and of itself, a harm to individuals, apart from any concrete economic consequences that may result from the exposure. In the FTC’s Opinion in LabMD, for instance, the Commission asserted that
the disclosure of sensitive health or medical information [that] causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n)… disclosure of the mere fact that medical tests were performed irreparably breached consumers’ privacy, which can involve “embarrassment or other negative outcomes, including reputational harm.”
We would contend, however, that defining and evaluating the types of “informational harms” that should be actionable in the case of a data breach, requires that the Commission also address fundamental problems with its overall approach to identifying cognizable injury and determining liability under Section 5.
As we discuss below and explain in detail in the attached paper, the FTC’s current “reasonableness standard” for liability under Section 5 runs the risk of being no standard at all. And it is impossible to escape the troubling conclusion that ultimately (and wrongly) the mere retention of data by a firm could be enough to violate Section 5 under this approach.
Such an approach does not comport with the scope of the Congressional grant of authority in Section 5, particularly as it was explicitly limited by Section 5(n). Instead, it converts what should be thought of fundamentally as a demanding cost-benefit requirement meant to limit the Commission’s discretion into a lenient strict liability standard. Before the Commission can understand how to fit different sorts of potential harms into its enforcement framework, it should clarify its approach, and ensure that it is in line with the text and intent of Section 5.