Resurrecting Magnuson-Moss Rulemaking: The FTC at a Data Security Crossroads

52 Pages Posted: 19 Apr 2019 Last revised: 16 Jun 2020

See all articles by Ian Davis

Ian Davis

Independent; Emory University, School of Law, Students

Date Written: February 20, 2019


Welcome to the digital age, where consumer data is more valuable than gold. In this era of information, companies treat personal data as a prized commodity, leveraging its potential to boost business and engage an ever-growing number of customers. Yet when companies fail to protect the sensitive data that they hold, consumers are left with few avenues to obtain redress for the harms they may have suffered. In an effort to protect consumers, the Federal Trade Commission has been policing inadequate data security practices since the early 2000s. Using its broad authority under Section 5 of the Federal Trade Commission Act, the FTC routinely brings enforcement actions against companies that have sustained data breaches, yet could have implemented reasonable security measures to prevent them. In the vast majority of proceedings, the violating entity chooses to settle with the FTC rather than incur the various costs associated with litigation. The orders that accompany the conclusion of every enforcement proceeding typically require the violator to enact a comprehensive data security overhaul.

In 2018, such an FTC order was vacated by the Eleventh Circuit Court of Appeals. On the heels of this decision, it is apparent that the FTC must recalibrate its approach to enforcing unlawful data security practices. This Comment contends that the Commission should draw on its substantial experience with data protection and promulgate a rule that transparently specifies the standard by which data security is to be regulated. Although the FTC’s decision to abstain from using its Magnuson-Moss rulemaking authority may have been prudent in the early days of its foray into data security, times have changed. Embracing the heightened public participation interwoven throughout the hybrid rulemaking process, the FTC is fully capable of delineating a data security standard in a reasonable amount of time. And once the rule-based standard is in place, the FTC can reap the benefits of a framework that provides the regulated community with enhanced guidance and the consumer public with greater protection from preventable data harms.

Keywords: Data Security, FTC, Federal Trade Commission, Magnuson-Moss, Cyber Security, Hybrid Rulemaking

Suggested Citation

Davis, Ian and Davis, Ian, Resurrecting Magnuson-Moss Rulemaking: The FTC at a Data Security Crossroads (February 20, 2019). Ian M. Davis, "Resurrecting Magnuson-Moss Rulemaking: The FTC at a Data Security Crossroads" 69 Emory Law Journal 781 (2020), Available at SSRN:

Ian Davis (Contact Author)

Emory University, School of Law, Students ( email )

Atlanta, GA
United States


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics