Data Security and the FTC's UnCommon Law

Author: Justin (Gus) Hurwitz
Position: Assistant Professor of Law, University of Nebraska College of Law. J.D.
Pages: 955-1021
Data Security and the FTC’s UnCommon Law
Justin (Gus) Hurwitz*
ABSTRACT: There were more data breaches in 2014 than any prior year,
including the well-publicized attacks on Sony, Target, JPMorgan, and Home
Depot—and uncountably more on individuals and smaller companies. This
pace continued into 2015, with attacks against Anthem BCBS, Hacking
Team, eBay, Trump Hotels, and Ashley Madison, and with a notable
expansion into attacks on government targets, including major breaches from
OPM and the IRS. Over the past 15 years, and in response to the lack of any
comprehensive legal framework for addressing data security concerns, the FTC
has acted as the primary regulator of data security practices in the United
States. In this role, the FTC has used ad-hoc enforcement of its statutory
“unfair acts and practices” authority to develop a “common law” of data
security.
This Article raises concerns that the FTC’s self-styled “common-law” approach
to data security regulation is yielding an unsound body of law. It argues that
the FTC’s approach lacks critical features of the common law that are
necessary for the development of jurisprudentially legitimate rules, and also
that this approach raises jurisdictional and due process concerns. It builds
on these critiques to recommend an alternative approach for the FTC to
consider: treating a firm’s lack of an affirmative data security policy as an
unfair practice.
In so doing, this Article makes contributions to ongoing pressing discussions
about how the law and regulators should respond to data security issues. It
also makes contributions to ongoing scholarly discussions of agency choice of
procedure and due process, both of which are of active and increasing interest
in the administrative and regulatory law communities.
* Assistant Professor of Law, University of Nebraska College of Law. J.D., University of
Chicago Law School; M.A., Economics, George Mason University; B.A., St. John’s College. With
thanks to participants at the George Mason University Law and Economics Center Roundtable
on Data Security, IPSC 2014, workshop participants at the Universities of Nebraska, Oklahoma,
and Indiana-Bloomington, and in particular to Berin Szoka, Woody Hartzog, and Dan Solove, as
well as Jane Bambauer, Eric Berger, Derek Bambauer, James Cooper, Margaret Hu, Bruce
Kobayashi, Steve Willborn, and Todd Zywicki, among others. This Article resulted from an earlier
project co-authored with Berin Szoka.
956 IOWA LAW REVIEW [Vol. 101:955
I. INTRODUCTION ........................................................ 957
II. THE FTC’S “COMMON LAW” ............................................. 963
   A. THE FTC’S “UNFAIRNESS PHOENIX” ................................... 964
   B. WHAT IS THE FTC’S “COMMON LAW”? .................................. 966
   C. THE GENESIS OF THE FTC’S “COMMON LAW” ............................ 967
   D. EARLY JUDICIAL RESPONSES TO THE FTC’S APPROACH TO DATA SECURITY ... 971
III. THE FTC’S “COMMON LAW” IS NOT COMMON LAW ........................... 980
   A. WHAT IS COMMON LAW? .............................................. 980
   B. THERE’S NOTHING COMMON ABOUT THE FTC’S “COMMON LAW” .............. 984
IV. RULEMAKING VS. ADJUDICATION IN ADMINISTRATIVE LAW ................... 988
   A. THE BROAD CONTEXT OF AGENCY CHOICE OF PROCEDURE: RULEMAKING & ADJUDICATION ... 989
   B. CHENERY II AND AGENCY CHOICE OF PROCEDURE ......................... 990
   C. WYMAN-GORDON, BELL-AEROSPACE, AND THE FAILED CHALLENGE TO DISCRETION ... 993
   D. FROM CHEVRON TO MEAD ............................................. 994
V. THE COMMISSION’S ADMINISTRATIVE JURISPRUDENCE ........................ 997
   A. THE RULEMAKING VS. ADJUDICATORY MINDSETS .......................... 998
   B. THE FTC’S RULEMAKING DOMAIN ...................................... 1000
   C. OTHER CONCERNS: FAIR NOTICE & JURISDICTION ........................ 1002
   D. OTHER CONCERNS: CONFLICTING INCENTIVES ............................ 1006
VI. THE ROLE OF FTC ADJUDICATION IN LAW MAKING AND DATA SECURITY ........ 1008
   A. THE NEED FOR AND CHALLENGE OF ADJUDICATION ....................... 1008
   B. EFFECTIVE ADJUDICATION ........................................... 1012
   C. A ROLE FOR THE FTC IN DATA SECURITY .............................. 1015
VII. CONCLUSION ......................................................... 1017
AFTERWORD ............................................................... 1018
2016] THE FTC’S UNCOMMON LAW 957
I. INTRODUCTION
According to Federal Bureau of Investigation (“FBI”) Director James
Comey, “There are two kinds of big companies in the United States. There
are those who’ve been hacked . . . and those who don’t know they’ve been
hacked . . . .”1 Indeed, a recent report estimates that 43% of companies
experienced data breaches in 2014.2 In recent years, these breaches affected
some of the largest, most sophisticated firms in the world, including Sony,
Target, eBay, JPMorgan, Home Depot, Anthem BCBS, Hacking Team, Ashley
Madison, and CHS Community Health Systems—as well as government
targets such as OPM and the IRS.3 These and other attacks result from a broad
range of motivations, including politics, espionage, theft of financial or
personal information, and simple vandalism. Yet, we have no effective—let
alone comprehensive—legal framework to prevent or respond to these
attacks.
Over the past 15 years, the Federal Trade Commission (“FTC”) has
attempted to fill this void, acting as the primary regulator of online privacy
and data security in the United States. This Article questions both the
jurisdiction and efficacy of the FTC’s role in addressing data security
concerns. The Commission has come into this role largely because of the
breadth and ill-defined boundaries of its authorizing statute, read in
conjunction with some limited authority to regulate narrow privacy and data
security issues under cognate statutes.4 Since the advent of the consumer
Internet, there has been a palpable regulatory vacuum in these areas. But
regulation abhors a vacuum, and—though ill-suited to the task—the FTC has
been quick to fill it.
The FTC has brought over 50 enforcement actions relating to online data
security over the past decade (and over another 100 privacy actions).5 In its
data security cases, the FTC generally takes action against firms whose
computers have been compromised by hackers seeking access to customer
1. James Cook, FBI Director: China Has Hacked Every Big US Company, BUS. INSIDER (Oct. 6, 2014,
6:24 AM), http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-
10 (quoting James Comey, FBI Director).
2. PONEMON INST. LLC, IS YOUR COMPANY READY FOR A BIG DATA BREACH?: THE SECOND
ANNUAL STUDY ON DATA BREACH PREPAREDNESS 1 (2014), http://www.experian.com/assets/data-
breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf.
3. See, e.g., PONEMON INST. LLC, 2014: A YEAR OF MEGA BREACHES 1 (2015), http://www.
ponemon.org/local/upload/file/2014%20The%20Year%20of%20the%20Mega%20Breach%
20FINAL_3.pdf.
4. For instance, the FTC has some authority to regulate disclosures of information about
consumers of financial products under the Gramm–Leach–Bliley Act, 15 U.S.C. §§ 6801–6809
(2012), and has authority to regulate privacy issues relating to children’s use of the Internet through
the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506 (2012).
5. See FED. TRADE COMM’N, 2014 PRIVACY AND DATA SECURITY UPDATE (2014), http://www.ftc.
gov/system/files/documents/reports/privacy-data-security-update-2014/privacydatasecurityupdate_
2014.pdf.