In 2013, Target reported that the credit card and personally identifiable information of "as many as 110 million customers" had been compromised. (1) In 2016, Yahoo! announced that a "state-sponsored actor" had gained access to the personal information of 500 million users in 2014, and it later disclosed that "all 3 billion user accounts had been compromised" in a separate data breach that occurred in 2013. (2) Nine months into 2014, nearly 2000 cybersecurity incidents were confirmed, "compromis[ing] almost [one] [b]illion records worldwide." (3) In 2017, Equifax reported a data breach that exposed the personal information of nearly 150 million consumers. (4) Between January 2017 and August 2018, "[a]t least 16 separate security breaches occurred at retailers," including Macy's, Sears, Delta Air Lines, Best Buy, Panera, and Whole Foods. (5) Even after its Cambridge Analytica scandal, Facebook reported in 2018 that "at least 50 million users' data were confirmed at risk after attackers exploited a vulnerability that allowed them access to personal data." (6) Worse yet, it was found that "[t]he vulnerability was introduced on the site in July 2017, but Facebook didn't know about it until" mid-September 2018. (7)
One need not be a cybersecurity expert to recognize that cyber risk is escalating: companies that many of us regularly use, trust, and rely on are falling victim to data breaches left and right. "[R]ecent highly publicized data breaches have underscored the growing reality that attacks on private corporations constitute a national security issue." (8) According to industry experts, "today it is a matter of when, not if, a company's data will be breached." (9) The Ponemon Institute reported in 2018 that "[t]he risk of cyber extortion and data breaches will increase in frequency," but that "[d]espite the growing cyber threat, cybersecurity is not considered a strategic priority." (10) In 2018, the average cost of addressing a data breach continued to climb: the average total cost rose to $3.86 million, and the average cost per lost or stolen record rose to $148. (11) Living "in a world where every action we take can be observed, recorded, analyzed, and stored[,]... consumers want better consumer protections over personal data." (12)
In Part I, this Note discusses the concerning regularity of high-profile data breaches that have occurred within the United States' weak and patchwork landscape of cybersecurity law. Part II discusses the challenges companies face when attempting to comply with current cybersecurity law, and why companies that are deemed compliant still fall victim to hackers and data breaches. Part III calls for federal legislation to replace the current inadequate, fragmented, and uneven landscape of cybersecurity law. Part IV discusses numerous factors and incentives to consider in creating an omnibus federal cybersecurity law. Finally, Part V offers some critiques of creating an omnibus law.
CURRENT STATE OF CYBERSECURITY LAW IN THE UNITED STATES: A FRAGMENTED FRAMEWORK OF CYBERSECURITY OBLIGATIONS
Despite suffering data privacy breaches at a higher rate than the rest of the world, "the legal framework to protect privacy and personal data in the United States is quite weak." (13) Part of this weakness is due to the fragmented, patchwork nature of cybersecurity laws, which in turn makes it difficult for companies to comply. As it stands, "[t]he United States does not have a national law that prescribes specific data security standards for all industries." (14) Instead, companies must figure out how to comply with a "fragmented and disconnected framework of state and federal laws governing cybersecurity obligations." (15) The United States' framework consists of "hundreds of state and federal statutes, regulations, binding guidelines, and court-created rules regarding data security, privacy, and other issues commonly considered to fall under the umbrella 'cybersecurity.'" (16) Once a breach occurs, "[c]ompanies... might face potential enforcement and private civil actions brought by" the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), state attorneys general, the Department of Justice (DOJ), plaintiffs whose data was compromised, shareholders of the company, the Consumer Financial Protection Bureau, the Federal Communications Commission, and the Department of Health and Human Services, to name a few. (17) Facebook's Cambridge Analytica scandal spurred "investigations by four federal agencies": the FBI, the FTC, the SEC, and the DOJ. (18)
Federal Sectoral Approach
While many other industrialized nations "protect all personal data in an omnibus fashion, privacy law in the United States is sectoral, with different laws regulating different industries and economic sectors." (19) The only federal data security laws that exist in the United States are industry specific, only "[applying] to companies that handle specific types of data, such as financial information or health records." (20) For example, "[t]here is a law for video records and a different law for cable records." (21) And even within a particular sector, the federal law may not govern the entirety of data privacy within that industry. While the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is federal legislation protecting the privacy and security of health information, (22) "[n]ot all health data is covered by HIPAA, and various constitutional and state laws can protect health data more stringently than HIPAA." (23) The federal sectoral approach results in fragmentation that "leaves large areas unregulated ... at the federal level." (24) Without "a national law that prescribes specific data security standards for all industries," (25) data collection by companies like Facebook, Google, and Amazon will remain ungoverned by federal law. (26)
Federal Trade Commission
The FTC has been the most prominent federal agency to enforce cybersecurity practices over the past two decades. This Note will focus on the growth, limitations, and criticisms of the FTC's enforcement authority in the cybersecurity area. Because of the gaps that are left in the sectoral data privacy laws at the federal level, "many companies fall outside of specific sectoral privacy laws." (27) The FTC has stepped in to enforce within those gaps. The FTC's privacy jurisprudence "has become the broadest and most influential regulating force on information privacy in the United States--more so than nearly any privacy statute or common law tort." (28) Thus, "[t]he FTC is the closest thing that the U.S. federal government has to a centralized data security regulator." (29)
History of the FTC
The FTC was created in 1914 "to prevent unfair methods of competition in commerce as part of the battle to 'bust the trusts.'" (30) The FTC has the power to enforce "three targeted laws that oblige certain types of businesses to act reasonably in protecting consumer data." (31) However, for most of its privacy-related work, the FTC relies on its general authority under section 5(a)(1) of the Federal Trade Commission Act (FTCA) (32) to proscribe unfair or deceptive acts or practices. (33) This authority was given to the FTC when Congress passed the Wheeler-Lea Amendment in 1938, which included "a broad prohibition against 'unfair and deceptive acts or practices.'" (34)
"Despite the lack of a statute that sets minimum data security requirements, the Federal Trade Commission aggressively polices data security." (35) For the many companies that "fall outside of specific sectoral privacy laws, the FTC is in many cases the primary source of regulation." (36) The FTC has used FTCA section 5 to bring complaints against companies that violate their consumers' privacy rights or fail to meet the guarantees of their privacy policies. (37)
In 1995, when "the FTC became involved with consumer privacy issues[,]... [i]nstead of the FTC creating rules, the companies themselves would create their own rules, and the FTC would enforce them.... The FTC thus would serve as the backstop to the self-regulatory regime, providing it with oversight and enforcement... ." (38) To start, the FTC policed privacy policies "by focusing on deceptive trade practices." (39) "Prior to 1964, the [FTC] largely ignored the word 'or' in [FTCA section 5]," making little "attempt to distinguish between 'unfair'... and 'deceptive.'" (40) However, FTCA section 5 "gives the FTC two different tests for an organization's data privacy and cybersecurity practices." (41) The FTC uses the "deceptive" prong under FTCA section 5 to bring data privacy enforcement actions "[i]f an organization holds itself out as having implemented a certain data privacy practice... [and] act[s] outside that data privacy practice." (42) Thus, "[w]hile the United States doesn't have strong privacy rules like the [General Data Protection Regulation], the FTC has a rule that organizations must abide by their own privacy policies, and it can take action against those that fail to do so." (43)
The FTC uses the "unfair" prong under FTCA section 5 "to bring actions against entities with known data breaches," under the logic that "[l]ax cybersecurity ... is an unfair method of competition." (44) Today, the FTC applies a three-part test, which is codified in FTCA section 5(n), to determine whether a practice is "unfair": "[T]o warrant a finding of unfairness, an injury '[1] must be substantial; [2] it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and [3] it must be an injury that consumers themselves could not reasonably have avoided.'" (45) Before FTC v. Wyndham Worldwide Corp., (46) "the FTC focused primarily on the deception prong of Section 5 to trip up companies that failed to live up to statements they made about their data use and security practices." (47)
Instead of defining or listing which specific...