Data Security and the FTC's UnCommon Law

67 Pages Posted: 7 Mar 2015 Last revised: 8 Feb 2016

Justin (Gus) Hurwitz

International Center for Law & Economics (ICLE); University of Pennsylvania Law School

Date Written: March 5, 2015


2014 saw more data breaches than any prior year, including the well-publicized attacks on Sony, Target, JPMorgan, and Home Depot — and uncountably more on individuals and smaller companies. This pace continued into 2015, with attacks against Anthem BCBS, Hacking Team, eBay, Trump Hotels, and Ashley Madison, and with a notable expansion into attacks on government targets, including major breaches from OPM and the IRS. And it is likely to continue into the foreseeable future. Over the past 15 years, and in response to the lack of any comprehensive legal framework for addressing data security concerns, the FTC has acted as the primary regulator of data security practices in the United States. In this role, the FTC has used ad-hoc enforcement of its statutory “unfair acts and practices” authority to develop a “common law” of data security.

This article raises concerns that the FTC’s self-styled “common-law” approach to data security regulation is yielding an unsound body of law. It argues that the FTC’s approach lacks critical features of the common law that are necessary for the development of jurisprudentially legitimate rules, and also that this approach raises jurisdictional and due process concerns. It builds on these critiques to recommend an alternative approach for the FTC to consider: treating a firm’s lack of an affirmative data security policy as an unfair practice.

In so doing, this article contributes to ongoing discussions about how the law and regulators should respond to data security issues. It offers critical evaluations of the pending LabMD and Wyndham cases. It also contributes to ongoing scholarly discussions of agency choice of procedure and due process, both of which are of active and increasing interest in the administrative and regulatory law communities.

Keywords: FTC, UDAP, Unfairness, Unfair acts and practices, common law, data security, choice of procedure, Chenery

Suggested Citation

Hurwitz, Justin (Gus), Data Security and the FTC's UnCommon Law (March 5, 2015). Iowa Law Review, Forthcoming, Available at SSRN:

Justin (Gus) Hurwitz (Contact Author)

International Center for Law & Economics (ICLE)

5005 SW Meadows Rd.
Suite 300
Lake Oswego, OR 97035
United States

University of Pennsylvania Law School

3501 Sansom Street
Philadelphia, PA 19104
United States
