The U.S. Federal Trade Commission (FTC) continues to expand its presence in online data regulation. On August 13 the FTC announced a forthcoming workshop to explore appropriate policies toward “big data,” a term used to refer to advancing technologies that are dramatically expanding the commercial collection, analysis, use, and storage of data. This initiative follows on the heels of the FTC’s May 2014 data broker report, which recommended that Congress impose a variety of requirements on companies that legally collect and sell consumers’ personal information. (Among other requirements, companies would be required to create consumer data “portals” and implement business procedures that allow consumers to edit and suppress use of their data.) The FTC also is calling for legislation that would enhance its authority over data security standards and empower it to issue rules requiring companies to inform consumers of security breaches.
These recent regulatory initiatives are in addition to the Commission’s active consumer data enforcement efforts. Some of these efforts are pursuant to three targeted statutory authorizations – the FTC’s Safeguards Rule (promulgated pursuant to the Gramm-Leach-Bliley Act and directed at non-bank financial institutions), the Fair Credit Reporting Act (directed at consumer reporting agencies), and the Children’s Online Privacy Protection Act (directed at children’s information collected online).
The bulk of the FTC’s enforcement efforts, however, stem from its general authority to proscribe unfair or deceptive practices under Section 5(a)(1) of the FTC Act. Since 2002, pursuant to its Section 5 powers, the FTC has filed and settled over 50 cases alleging that private companies used deceptive or ineffective (and thus unfair) practices in storing their data. (Twitter, LexisNexis, ChoicePoint, GMR Transcription Services, GeneLink, Inc., and mobile device provider HTC are just a few of the firms that have agreed to settle.) Settlements have involved consent decrees under which the company in question agreed to take a wide variety of “corrective measures” to avoid future harm.
As a matter of first principles, one may question the desirability of FTC data security investigations under Section 5. Firms have every incentive to avoid data protection breaches that harm their customers, in order to avoid the harm to reputation and business value that stems from such lapses. At the same time, firms must weigh the costs of alternative data protection systems in determining what the appropriate degree of protection should be. Economic logic indicates that the optimal business policy is not one that focuses solely on implementing the strongest possible data protection program without regard to cost. Rather, the optimal policy is to invest in enhancing corporate data security up to the point where the marginal benefits of additional security equal the marginal costs, and no further. Although individual businesses can only roughly approximate this outcome, one may expect that market forces will tend toward the optimal result, as firms that underinvest in data security lose customers and firms that overinvest in security find themselves priced out of the market. There is no obvious “market failure” that suggests the market should not work adequately in the data security area. Indeed, there is a large (and growing) amount of information on security systems available to business, and a thriving labor market for IT security specialists to whom companies can turn in designing their security programs. Nevertheless, it would be naive in the extreme to believe that the FTC will choose to abandon its efforts to apply Section 5 to this area. With that in mind, let us examine more closely the problems with existing FTC Section 5 data security settlements, with an eye to determining what improvements the Commission might beneficially make if it is so inclined.
The HTC settlement illustrates the breadth of decree-specific obligations the FTC has imposed. HTC was required to “establish a comprehensive security program, undergo independent security assessments for 20 years, and develop and release software patches to fix security vulnerabilities.” HTC also agreed to detailed security protocols that would be monitored by a third party. The FTC did not cite specific harmful security breaches to justify these sanctions; HTC was merely charged with a failure to “take reasonable steps” to secure smartphone software. Nor did the FTC explain what specific steps short of the decree requirements would have been deemed “reasonable.”
The HTC settlement exemplifies the FTC’s “security by design” approach to data security, under which the agency informs firms after the fact what they should have done, without exploring what they might have done to pass muster. Although some academics view the FTC settlements as contributing usefully to a developing “common law” of data privacy, supporters of this approach ignore its inherent ex ante vagueness and the costs decree-specific mandates impose on companies.
Another serious problem stems from the enormous investigative and litigation costs associated with challenging an FTC complaint in this area – costs that incentivize most firms to quickly accede to consent decree terms even if they are onerous. The sad case of LabMD, a small cancer detection lab, serves as a warning to businesses that choose to engage in long-term administrative litigation against the FTC. Due to the cost burden of the FTC’s multi-year litigation against it (which is still ongoing as of this writing), LabMD was forced to wind down its operations, and it stopped accepting new patients in January 2014.
The LabMD case suggests that FTC data security initiatives, carried out without regard to the scale or resources of the affected companies, have the potential to harm competition. Relatively large companies are much better able to absorb FTC litigation and investigation costs. Thus, it may be in the large firms’ interests to encourage the FTC to pursue intrusive and burdensome new data security initiatives, as part of a “raising rivals’ costs” strategy to cripple or eliminate smaller rivals. As a competition and consumer welfare watchdog, the FTC should keep this risk in mind when weighing the merits of expanding data security regulations or launching new data security investigations.
A common thread runs through the FTC’s myriad activities in data privacy “space” – the FTC’s failure to address whether its actions are cost-beneficial. There is little doubt that the FTC’s enforcement actions impose substantial costs, both on businesses subject to decree and investigation, and on other firms possessing data that must contemplate business system redesigns to forestall potential future liability. As a result, business innovation suffers. Furthermore, those costs are passed on at least in part to consumers, in the form of higher prices and a reduction in the quality and quantity of new products and services. The FTC should, consistent with its consumer welfare mandate, carefully weigh these costs against the presumed benefits flowing from a reduction in future data breaches. A failure to carry out a cost-benefit appraisal, even a rudimentary one, makes it impossible to determine whether the FTC’s much touted data privacy projects are enhancing or reducing consumer welfare.
FTC Commissioner Josh Wright recently gave voice to the importance of cost-benefit analysis in commenting on the FTC’s data brokerage report – a comment that applies equally well to all of the FTC’s data protection and privacy initiatives:
“I would . . . like to see evidence of the incidence and scope of consumer harms rather than just speculative hypotheticals about how consumers might be harmed before regulation aimed at reducing those harms is implemented. Accordingly, the FTC would need to quantify more definitively the incidence or value of data broker practices to consumers before taking or endorsing regulatory or legislative action. . . . We have no idea what the costs for businesses would be to implement consumer control over any and all data shared by data brokers and to what extent these costs would ultimately be passed on to consumers. Once again, a critical safeguard to insure against the risk that our recommendations and actions do more harm than good for consumers is to require appropriate and thorough cost-benefit analysis before acting. This failure could be especially important where the costs to businesses from complying with any recommendations are high, but where the ultimate benefit generated for consumers is minimal. . . . If consumers have minimal concerns about the sharing of certain types of information – perhaps information that is already publicly available – I think we should know that before requiring data brokers to alter their practices and expend resources and incur costs that will be passed on to consumers.”
The FTC could take several actions to improve its data enforcement policies. First and foremost, it could issue Data Security Guidelines that clarify that (1) the FTC’s enforcement actions regarding data security will be rooted in cost-benefit analysis, (2) those actions will take into account investigative costs, and (3) they will give weight to reasonable industry self-regulatory efforts. (Such Guidelines should be framed solely as limiting principles that tie the FTC’s hands to avoid enforcement excesses. They should studiously avoid dictating to industry the data security principles that firms should adopt.) Second, it could establish an FTC website portal that features continuously updated information on the Guidelines and other sources of guidance on data security. Third, it could employ cost-benefit analysis before pursuing any new regulatory initiatives, legislative recommendations, or investigations related to other areas of data protection. Fourth, it could urge its foreign counterpart agencies to adopt similar cost-benefit approaches to data security regulation.
Congress could also improve the situation by enacting a narrowly tailored statute that preempts all state regulation related to data protection. Forty-seven states now have legislation in this area, which adds burdens to those already imposed by federal law. Furthermore, differences among state laws render the data protection efforts of merchants who may have to safeguard data from across the country enormously complex and onerous. Given the inherently interstate nature of electronic commerce and associated data breaches, preemption of state regulation in this area would comport with federalism principles. (Consistent with public choice realities, there is always the risk, of course, that Congress might be tempted to go beyond narrow preemption and create new and unnecessary federal powers in this area. I believe, however, that such a risk is worth running, given the potential magnitude of excessive regulatory burdens, and the ability to articulate a persuasive public policy case for narrow preemptive legislation.)
Stay tuned for a fuller discussion of these issues by me.