Academic journal article Journal of Corporation Law

Fight or Comply: The Federal Trade Commission's Power to Hold Companies Liable for Data Security Breaches


Article excerpt


Verizon's 2014 Data Breach Investigations Report named 2013 "the year of the retailer breach."1 In July, Harbor Freight, an American tool vendor, reported the largest retailer breach ever.2 The breach affected over 445 stores and 200 million customers.3 Retailers, however, were not the only companies to fall victim to data breaches. CNN, the Washington Post, Time Magazine, the New York Post, and the New York Times were all targets of cyber-espionage in 2013.4 One possible explanation for the increased level of data security breaches is that criminals are becoming more technologically savvy, but the Verizon report concluded that, despite the high number of breaches in 2013, nine basic hacking patterns account for 95% of all breaches.5 Therefore, the problem lies within the business networks rather than in an increase in criminal sophistication.

The Federal Trade Commission (FTC) reacted to large-scale, highly publicized data breaches by filing complaints against businesses lacking data security protections to prevent breaches.6 The FTC's recent actions resulted in companies and scholars questioning the FTC's jurisdictional authority and inquiring about the constitutionality of the agency's actions regarding data security.7 The primary issue stems from the vague standard to which the FTC holds companies.8 This Note addresses why the FTC possesses the authority to regulate data security under the FTC Act, examines the legal standard to which companies are held, and advises companies on how to act in the current regulatory atmosphere. Part II describes the operational basis of the FTC and provides a history of the agency's involvement with data security regulation, including recent litigation. Part III explains recent court decisions and analyzes their effect on current regulation. Part IV is two-fold. First, Section IV.A addresses why the recent court decisions were correct in upholding FTC authority over data security regulation. Second, Section IV.B recommends businesses comply with current regulation by following FTC settlements and industry developed best practices while lobbying for clarification of the FTC's expectations of data security.


This Part reviews the current framework of the FTC. The framework includes specific statutory provisions as well as FTC-established policy. A brief history of the FTC's involvement with data security then provides background for the current legal fights surrounding the FTC's jurisdiction.

A. Statutory Framework: The Federal Trade Commission Act

The FTC Act empowers the FTC under section 5 to prevent companies "from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce."9 Under the authority of the FTC Act, the FTC regulates data security using deceptive practice claims and unfair practice claims.10 Companies engage in deceptive practices when they violate their own data privacy policies.11 In a deceptive practices claim, the FTC must show the company made a material representation that would mislead reasonably acting consumers.12 The FTC holds broad discretion to determine what constitutes an unfair practice.13 The FTC must ensure the unfair practice "causes or is likely to cause substantial injury to consumers which is not reasonably avoided by consumers themselves"14 and is "not outweighed by countervailing benefits to consumers or to competition."15 When the FTC files complaints against companies for unfair practices involving data security, the FTC applies a standard of reasonableness and determines whether the company's data security systems "reasonably" protect consumers from substantial harm.16

The FTC also holds the power to issue rules to specifically define what unfair practices are. However, the FTC Act requires Magnuson-Moss rulemaking, a more extensive rulemaking process than the typical Administrative Procedure Act requirements. …
