The FTC, the Unfairness Doctrine and Data Security Litigation: Has the Commission Gone Too Far?
Michael D. Scott
Southwestern Law School
August 21, 2007
The Federal Trade Commission has taken the lead in the online privacy arena. It initially promoted self-regulation, but eventually realized that self-regulation was not working. Thereafter it began taking legal action against entities that violated the terms of their own privacy policies as deceptive trade practices. More recently, the Commission began filing complaints under its unfairness doctrine against companies that experienced data security breaches.
This article analyzes these latest cases under the carefully developed requirements of the unfairness doctrine, and argues that these actions were improperly filed. It further argues that the complaints and consent orders in these cases have provided no real guidance as to what a company should do (or not do) to avoid being the target of an unfairness action if it is the victim of a security breach.
The article proposes specific legislation that would give the Commission express authority to take action against companies that experience data security breaches, but only under well-defined regulations developed by the Commission in collaboration with the affected industries and with input from all interested parties.
Data security and the prevention of identity theft are too important to be left to the whim of the FTC or any other government agency. Companies need to know what is expected of them, so that they can implement appropriate technologies and put in place proper procedures to provide an adequate level of protection for sensitive consumer data. Enacting specific legislation, as proposed in this article, would go a long way toward achieving that goal.
Number of Pages in PDF File: 68
Keywords: FTC, unfairness, data security, breach, identity theft
JEL Classification: K20, K42, L50, L86, O33, O38
Date posted: September 5, 2007