Navigating Data Security Challenges: Policy Innovations and Reform Options

Data breaches can lead to identity theft, fraudulent use of credit cards or financial accounts, and disclosure of other personally sensitive information to those who have no right to know it. Yet the firms that collect and process that data often do not take enough precautions to prevent breaches. In “Navigating Data Security Challenges: Policy Innovations and Reform Options,” Tracy Miller makes the case that legislating a strict liability standard (under which a firm is liable for the losses a breach causes regardless of whether it was negligent) would motivate firms to adopt better data security measures. 

The Deficiencies of Existing Policy

The Federal Trade Commission (FTC) and the courts currently enforce data security. However, neither gives firms enough incentive to take precautions against data breaches: The FTC generally lacks the authority to require monetary restitution, and courts often deny standing to breach victims because the harm from a breach is treated as speculative until the stolen data is actually misused. In other words, the negative consequences of a data breach to the firm are often too small relative to the cost of that breach to the individual victims.

The Advantages of Litigation Over Regulation

Because it is difficult for courts and plaintiffs to determine after a breach whether a firm's security precautions fell below a reasonable standard, and thus whether the firm was negligent, Congress or state legislatures should give courts authority to impose strict liability for data breaches on firms that are custodians of consumer data.

  • Strict liability could lead to the imposition of larger and more consistent penalties. These penalties could reduce the number and severity of data breaches and produce a better balance between the harm that breaches cause and the spending needed to prevent them. 
  • Firms would have more incentive to take precautions to prevent data breaches. They would likely pass the cost of breaches along to their consumers in the form of higher prices, or fewer services offered in exchange for access to consumer data. This would spread the cost of breaches across all consumers, while those whose data is actually stolen in a breach would be compensated for their loss. 
  • The FTC should continue to play an important role in cooperation with state attorneys general in penalizing firms on a case-by-case basis for unreasonable data security practices. Congress could enhance this role by granting the agency authority to obtain monetary restitution.

A Second-Best Approach

What if Congress and state legislatures fail to impose a strict liability standard? Then the FTC should continue to enforce a reasonableness standard. In addition to providing guidance through nonlegislative rules that clarify how the agency applies that standard, the FTC should seek the assistance of state attorneys general, with courts stepping in when the losses are large enough and widespread enough to justify a class action.