Abstract

Data security breaches, which compromise private consumer information, seem to be an ever-increasing threat. To stem this tide, the Federal Trade Commission (FTC) has been using its authority to enforce the prohibition against unfair business practices under Section 5 of the Federal Trade Commission Act (Section 5) to hold companies accountable when they fail to employ data security measures that could prevent breaches. Specifically, the FTC brings enforcement actions where it finds that companies have failed to implement “reasonable” data security measures. However, companies and scholars argue that the FTC has not provided adequate notice of what data security practices it considers “reasonable” for the purposes of Section 5. This Note first explains and critically analyzes several existing proposals that seek to bring clarity to the FTC’s application of its unfairness authority in the data security context. Then, this Note proposes a novel solution that encourages the FTC to explicitly outline its minimum data security requirements via nonlegislative rulemaking. Additionally, this Note contends that any FTC rulemaking should incorporate a principle of proportionality to ensure that companies know what data security measures they should implement based on the relative sensitivity of the consumer data that they retain. Lastly, this Note suggests that the FTC should also incorporate a safe harbor provision so that compliant companies know that, by following the FTC’s guidelines, they will be immune from Section 5 enforcement actions.
