WASHINGTON, DC — The Federal Trade Commission must do more to guide companies as they craft internal data security compliance plans — so they have “fair notice” of how much data security the FTC will consider “reasonable.” Thus argued TechFreedom and the International Center for Law & Economics in an amicus brief filed yesterday with the Eleventh Circuit Court of Appeals.

“This is a landmark case for the Internet,” said TechFreedom President Berin Szóka. “At issue is just how much leeway the FTC — effectively the Federal Technology Commission — will have in regulating the Internet, from data security to product design to any number of other emerging issues. The question is not whether the FTC can protect consumers, but how it weighs costs and benefits. Striking the right balance is critical. We’re not talking about the obvious — like fraud or shady sales tactics. This is about how to keep up with constantly evolving threats. The FTC can and should do better to give companies fair notice of how to comply with the law.”

LabMD, a small Georgia cancer testing lab, closed its doors in 2014 after spending years defending its good name from the FTC. But in November 2015, the FTC’s independent Administrative Law Judge tossed out the FTC’s 2013 lawsuit. The full Commission, unsurprisingly, reversed, and LabMD is now asking the appeals court to block the suit. In November, the Eleventh Circuit granted LabMD a stay, agreeing with the ALJ that the FTC’s logic ignores Congress’s requirement that the FTC must show that alleged consumer injury is “likely” — i.e., not just possible, but probable.

The stage is now set for the first court ruling on the merits of the FTC’s approach to data security since it began bringing such cases in 2002 — and only the second on the limits of the FTC’s broad “unfairness” power since the agency defined it in 1980.

The TechFreedom-ICLE brief argues:

The touchstone for Section 5 actions is not “reasonableness,” but consumer welfare: Does this enforcement action deter a preventable “unfair” act or practice that, on net, harms consumer welfare, and do the benefits to consumers from this action outweigh its costs? … Instead of weighing such factors carefully, or even performing a proper analysis of negligence, as it purports to do, the Commission has effectively created a strict liability standard unmoored from Section 5.

Across the Commission’s purported guidance on data security, it has likewise failed to articulate a standard by which companies themselves should weigh costs and benefits to determine which risks are sufficiently foreseeable that they can be mitigated cost-effectively. Thus, in addition to violating the intent of Congress, the FTC has also violated the Constitution by failing to provide companies like LabMD with “fair notice” of the agency’s interpretation of what Section 5 requires.

“The FTC essentially claims that the mere occurrence of a breach is enough to declare a company’s security ‘unreasonable’ — but that can’t be right,” said Geoffrey Manne, Executive Director of the International Center for Law & Economics. “Any company that stores personal data risks a data breach that may cause injury to someone. That approach makes every company presumptively guilty — and distinguishes ‘fair’ from ‘unfair’ practices on little more than prosecutorial whim, rather than the cost-benefit analysis required by the statute. Just because something could happen doesn’t mean it is ‘likely.’ Nor does it mean enforcement is appropriate. In this case, for example, the FTC’s five-year pursuit of LabMD has ‘likely’ killed cancer patients by driving up the cost of testing, at least on the margin. It’s time for the courts to ask: ‘Was it worth it?’”

###

We can be reached for comment at media@techfreedom.org. See our other work on the FTC:
