It’s the most wonderful time of the year… for data breaches. Target may have compromised as many as 40 million credit and debit cards used by shoppers in their stores. What liability will they face?
At George Mason’s excellent workshop on cybersecurity, there was a spirited debate over the mechanisms of enforcing security standards. (This in large measure derives from Woody Hartzog and Dan Solove’s excellent paper on the FTC’s enforcement work, which they analogize to the development of the common law in tort, among other areas.) Those who criticize the FTC prefer, generally, the use of tort to regulate cybersecurity. And, their critique often accuses the FTC of neglecting to consider the offsetting consumer benefits of failing to invest in cybersecurity (15 USC 45(n)). I think those arguments are profoundly misguided. Here’s why:
Imagine you go to Whole Foods. You’re walking down the aisle with exotic shade-grown turtle-harvested coffee and notice that, in the middle of it, there’s an open pit that is filled with water and man-eating sharks. People are carefully edging around it; a few teeter on the edge, causing the sharks to circle faster, but they recover and make it past. So, as best you can tell, no one has yet been harmed by the shark pit in the middle of the grocery aisle. And, admittedly, kids in the store are fascinated by the sharks, providing them valuable entertainment while their parents overspend. Should Whole Foods be liable for the shark pit?
This is the flaw with tort regulation, and with the balancing test for the FTC’s Section 5 enforcement of cybersecurity. If there’s a data spill, plaintiffs have to wait until something bad happens – until there’s identity theft, or financial fraud, or some other definite harm – to sue. Without that, they lack standing: there’s no concrete harm to redress. And even with that harm, the plaintiffs are going to have a tough time proving causation: did the spill lead to the identity theft? How do they know? More important, how can they demonstrate it sufficiently to overcome a motion to dismiss? The dirty secret is that tort doctrine is a dismal failure for redressing cybersecurity breaches. On every element of a claim – duty, breach, harm, causation – a court can (and almost always does) find a failure of proof. Even utter incompetence – not changing default passwords, for example – usually doesn’t lead to liability. Tort simply doesn’t work. Anyone arguing for it seriously is going to have to advocate for doctrinal change, not just for using the standard causes of action. Similarly, claims that there isn’t any provable harm from cybersecurity breaches assume two things: one, that hackers are systematically stupid and irrational (apparently they spend time breaking into corporate databases and then utterly fail to exploit the information they gain), and two, that there’s simply no connection between spills of given people’s data and resulting identity theft, fraud, spearphishing, etc. Even if you’re ready to believe six impossible things before breakfast, this is a stretch.
The second part – the tradeoffs – is nearly as ridiculous. Sure, consumers may benefit a bit from companies that don’t employ cybersecurity precautions: perhaps prices are just a bit lower. But I’d also benefit in the same way from pharmaceuticals with no clinical trials, or airlines with no NTSB or FAA regulation. That’s an argument against regulation at all, rather than a tradeoff. Given the massive information asymmetries that pervade cybersecurity, the idea of evaluating the benefits of insecurity, on behalf of consumers, is silly. The kids may well enjoy seeing the sharks in the open pit in the middle of the aisle. Perhaps we ought to factor that into the analysis of whether Whole Foods gets to have the James Bond-esque shark trap in the store. But I think that stretches utilitarianism to the point of ridicule. It’s not just that I think a slightly cheaper ride on The Mangler at the carnival is a poor trade-off, given how hard it is to inspect safety or to hold a judgment-proof vendor accountable. It’s that we don’t want The Mangler to exist in the first place.
There’s a lot of resistance to regulating cybersecurity. The trouble is that these arguments are typically Panglossian: this is the best of all possible worlds, and additional legal strictures would simply make things worse for everyone. The benefit is that these positions are often risible on inspection. Unless, of course, you like the prospect of shark attack during grocery shopping.