Data Security and the FTC's UnCommon Law
67 Pages. Posted: 7 Mar 2015. Last revised: 8 Feb 2016.
Date Written: March 5, 2015
Abstract
2014 saw more data breaches than any prior year, including the well-publicized attacks on Sony, Target, JPMorgan, and Home Depot — and uncountably more on individuals and smaller companies. This pace continued into 2015, with attacks against Anthem BCBS, Hacking Team, eBay, Trump Hotels, and Ashley Madison, and with a notable expansion into attacks on government targets, including major breaches from OPM and the IRS. And it is likely to continue into the foreseeable future. Over the past 15 years, and in response to the lack of any comprehensive legal framework for addressing data security concerns, the FTC has acted as the primary regulator of data security practices in the United States. In this role, the FTC has used ad-hoc enforcement of its statutory “unfair acts and practices” authority to develop a “common law” of data security.
This article raises concerns that the FTC’s self-styled “common-law” approach to data security regulation is yielding an unsound body of law. It argues that the FTC’s approach lacks critical features of the common law that are necessary for the development of jurisprudentially legitimate rules, and also that this approach raises jurisdictional and due process concerns. It builds on these critiques to recommend an alternative approach for the FTC to consider: treating a firm’s lack of an affirmative data security policy as an unfair practice.
In so doing, this article makes contributions to ongoing discussions about how the law and regulators should respond to data security issues. It offers critical evaluations of the pending LabMD and Wyndham cases. It also makes contributions to ongoing scholarly discussions of agency choice of procedure and due process, both of which are of active and increasing interest in the administrative and regulatory law communities.
Keywords: FTC, UDAP, Unfairness, Unfair acts and practices, common law, data security, choice of procedure, Chenery