Scholarship

When “Reasonable” Isn’t: The FTC’s Standard-less Data Security Standard

Summary

Although the FTC is well-staffed with highly skilled economists, its approach to data security is disappointingly light on economic analysis. The unfortunate result of this lacuna is an approach to these complex issues lacking in analytical rigor and the humility borne of analysis grounded in sound economics. In particular, the Commission’s “reasonableness” approach to assessing whether data security practices are unfair under Section 5 of the FTC Act lacks all but the most superficial trappings of the well-established law and economics of torts, from which the concept is borrowed.

In actuality, however, the Commission’s manufactured “reasonableness” standard — which, as its name suggests, purports to evaluate data security practices under a negligence-like framework — actually amounts in effect to a rule of strict liability for any company that collects personally identifiable data. This is manifestly not what Section 5 intends.

In its recent LabMD opinion, the Commission describes its approach as “cost-benefit analysis.” But simply listing out (some) costs and benefits is not the same thing as analyzing them. Recognizing that tradeoffs exist is a good start, but it is not a sufficient end, and “reasonableness” — if it is to be anything other than the mercurial preferences of three FTC commissioners — must contain analytical content.

Persistent and unyielding uncertainty over the contours of the FTC’s data security standard means that companies may be required to accept the reality that, no matter what they do short of the extremes, liability is possible. Worse, there is no way reliably to judge whether conduct (short of obvious fringe cases) is even likely to increase liability risk.

The FTC’s recent LabMD case highlights the scope of the problem and the lack of economic analytical rigor endemic to the FTC’s purported data security standard. To be sure, other factors also contribute to the lack of certainty and sufficient rigor, (i.e., matters of process at the agency), but at root sits a “standardless” standard, masquerading as an economic framework.

This paper explores these defects, paying particular attention to the FTC’s decision in LabMD and subsequent district court proceedings in the case.