2016] THE FTC’S UNCOMMON LAW 957
According to Federal Bureau of Investigation (“FBI”) Director James
Comey, “There are two kinds of big companies in the United States. There
are those who’ve been hacked . . . and those who don’t know they’ve been
hacked . . . .”1 Indeed, a recent report estimates that 43% of companies
experienced data breaches in 2014.2 In recent years, these breaches affected
some of the largest, most sophisticated firms in the world, including Sony,
Target, eBay, JPMorgan, Home Depot, Anthem BCBS, Hacking Team, Ashley
Madison, and CHS Community Health Systems—as well as government
targets such as OPM and the IRS.3 These and other attacks result from a broad
range of motivations, including politics, espionage, theft of financial or
personal information, and simple vandalism. Yet, we have no effective—let
alone comprehensive—legal framework to prevent or respond to these
Over the past 15 years, the Federal Trade Commission (“FTC”) has
attempted to fill this void, acting as the primary regulator of online privacy
and data security in the United States. This Article questions both the
jurisdiction and efficacy of the FTC’s role in addressing data security
concerns. The Commission has come into this role largely because of the
breadth and ill-defined boundaries of its authorizing statute, read in
conjunction with some limited authority to regulate narrow privacy and data
security issues under cognate statutes.4 Since the advent of the consumer
Internet, there has been a palpable regulatory vacuum in these areas. But
regulation abhors a vacuum, and—though ill-suited to the task—the FTC has
been quick to fill it.
The FTC has brought over 50 enforcement actions relating to online data
security over the past decade (and over another 100 privacy actions).5 In its
data security cases, the FTC generally takes action against firms whose
computers have been compromised by hackers seeking access to customer
1. James Cook, FBI Director: China Has Hacked Every Big US Company, BUS. INSIDER (Oct. 6, 2014, 6:24 AM), http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10 (quoting James Comey, FBI Director).
2. PONEMON INST. LLC, IS YOUR COMPANY READY FOR A BIG DATA BREACH?: THE SECOND ANNUAL STUDY ON DATA BREACH PREPAREDNESS 1 (2014), http://www.experian.com/assets/data-
3. See, e.g., PONEMON INST. LLC, 2014: A YEAR OF MEGA BREACHES 1 (2015), http://www.
4. For instance, the FTC has some authority to regulate disclosures of information about consumers of financial products under the Gramm–Leach–Bliley Act, 15 U.S.C. §§ 6801–6809 (2012), and has authority to regulate privacy issues relating to children’s use of the Internet through the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506 (2012).
5. See FED. TRADE COMM’N, 2014 PRIVACY AND DATA SECURITY UPDATE (2014), http://www.ftc.