Resurrecting Magnuson-Moss Rulemaking: The FTC at a Data Security Crossroads

Citation: Vol. 69 No. 4
Publication year: 2020


Ian M. Davis


Abstract

Welcome to the digital age, where consumer data is more valuable than gold. In this era of information, companies treat personal data as a prized commodity, leveraging its potential to boost business and engage an ever-growing number of customers. Yet when companies fail to protect the sensitive data that they hold, consumers are left with few avenues to obtain redress for the harms they may have suffered. In an effort to protect consumers, the Federal Trade Commission (FTC) has been policing inadequate data security practices since the early 2000s. Using its broad authority under Section 5 of the Federal Trade Commission Act, the FTC routinely brings enforcement actions against companies that have sustained data breaches, yet could have implemented reasonable security measures to prevent them. In the vast majority of proceedings, the violating entity chooses to settle with the FTC rather than incur the various costs associated with litigation. The orders that accompany the conclusion of every enforcement proceeding typically require the violator to enact a comprehensive data security overhaul.

In 2018, such an FTC order was vacated by the U.S. Court of Appeals for the Eleventh Circuit. On the heels of this decision, it is apparent that the FTC must recalibrate its approach to enforcing unlawful data security practices. This Comment contends that the Commission should draw on its substantial experience with data protection and promulgate a rule that transparently specifies the standard by which data security is to be regulated. Although the FTC's decision to abstain from using its Magnuson-Moss rulemaking authority may have been prudent in the early days of its foray into data security, times have changed. Embracing the heightened public participation interwoven throughout the hybrid rulemaking process, the FTC is fully capable of delineating a data security standard in a reasonable amount of time. And once the rule-based standard is in place, the FTC can reap the benefits of a framework that provides the regulated community with enhanced guidance and the consumer public with greater protection from preventable data harms.


Introduction (p. 783)

I. The U.S. Administrative Approach to Data Security (p. 787)
A. The Federal Trade Commission: America's Primary Data Regulator (p. 789)
1. A Brief Survey of the FTC's Consumer Protection Authority (p. 790)
2. Section 5: Unfair or Deceptive Acts or Practices (p. 792)
3. Enforcing Violations of Section 5 (p. 795)
B. The FTC's Rulemaking Authority (p. 797)
1. Nonlegislative Rules (p. 798)
2. Legislative Rules: The Magnuson-Moss Act & Trade Regulation Rules (p. 800)
II. Recent FTC Developments in Data Security (p. 803)
A. LabMD at the FTC: Demystifying Consumer Data Breach Harms (p. 804)
B. LabMD at the Eleventh Circuit: The Virtues of Specificity (p. 808)
III. The Path Forward: A Return to Magnuson-Moss Rulemaking (p. 811)
A. Why the FTC Should Promulgate a Magnuson-Moss Data Security Rule (p. 813)
B. Anticipating Judicial Review: How the FTC Can Formulate a Durable Data Security Rule (p. 821)
1. Expeditiously Sticking to Procedure (p. 821)
2. Defining Unfair Data Security Acts with Specificity (p. 825)
3. Preemption (p. 829)

Conclusion (p. 831)


Introduction

On September 7, 2017, the credit-monitoring service Equifax announced that it had sustained a data breach1 of alarming proportions.2 As the dust settled, it became apparent that the personally identifiable information3 of nearly 147 million U.S. consumers had been compromised.4 The unprecedented attack resulted in the loss of 146.6 million consumer names and dates of birth, 145.5 million Social Security numbers, 99 million addresses, 20.3 million phone numbers, 17.6 million driver's license numbers, 209,000 credit card numbers, and 97,500 taxpayer identification numbers.5

Although Equifax was the victim of a concerted criminal act, the company was publicly criticized for its allegedly insufficient security protocols and "ham-fisted" response to the breach.6 Consumers were understandably mortified at the extent of the breach and the knowledge that their private information was in the hands of nefarious hackers.7 Yet, as lawsuits8 and investigations9 commenced, the post-Equifax legal narrative has paid little attention to the plight of consumers.

But how can a consumer's post-breach harm be properly characterized? Under contemporary legal mechanisms, this task is notoriously difficult.10 To demonstrate, imagine that Bernard, an ordinary consumer, was notified that his personal data was implicated in the Equifax data breach.11 Hackers are now capable of exploiting Bernard's Social Security number and credit card details to commit identity theft, financial fraud, or any number of other illicit acts.12 Understandably, Bernard is anxious at the prospect of these potential outcomes. Accordingly, he takes a number of prophylactic steps to ensure that his data is not misused. He cancels and replaces his credit cards and checks, updates his new financial information with digital vendors, freezes his credit, and purchases identity theft protection. Through all this, Bernard has not yet suffered an actual injury. Instead, Bernard now faces an increased risk of future harm.13 Although Bernard's increased risk of harm is difficult to legally classify, it is not without merit. In the most basic of terms, Equifax's inadequate data security has left Bernard in a worse position than before.

Any business that hopes to compete in the modern marketplace must contend with the various risks and rewards that accompany the use of consumer data.14 Such data can be a powerful analytic tool, providing profit-seeking entities with valuable insight into the expected habits and preferences of consumers.15 This insight can be leveraged in a variety of ways.16 For example, companies routinely use consumer data to launch targeted advertising campaigns, conduct market analysis, develop their latest products and services, and individualize consumer experiences.17 And unbeknownst to many consumers, there is even an entire industry of companies that broker personal data to other firms.18

When a company does sustain a data breach, the consequences can be immense.19 Hacked companies typically experience public naming-and-shaming,20 with potentially harmful public relations and financial consequences.21 They must fulfill the many obligations imposed by state data breach notification laws22 and may be brought to court by a class of consumers whose data was implicated in the breach.23 Finally, hacked companies may be subject to Federal Trade Commission investigations, which can result in enforcement proceedings, remedial measures, and even monetary penalties.24

Yet to what extent do these various legal mechanisms protect the American consumer? In the digital age, consumers have little choice but to entrust profit-seeking companies with their personal information.25 And when such information is compromised in a breach, affected individuals have few viable means of obtaining direct redress.26

As the leading federal regulatory body in the realm of data security, the Federal Trade Commission (the "FTC" or the "Commission") has shown that it is uniquely situated to protect consumers.27 And to date, its prominence has yielded laudable results.28 However, the FTC can and should do more to protect consumers from inadequate data security practices.

Despite its congressional grant of rulemaking authority, the FTC has declined to promulgate a regulatory rule identifying the boundaries of unlawful data security.29 This Comment contends that after nearly twenty years of regulating data security through cases brought and settled under Section 5(a) of the Federal Trade Commission Act of 1914, the FTC would be well-advised to chart a new course. While congressional action, either through the expansion of FTC authority or the enactment of comprehensive data security legislation, presents an ambitious way to wipe the data security regulatory slate clean, the FTC cannot simply wait around while hackers continue to exploit digital vulnerabilities. The FTC can and should operate sensibly, using the means currently available to it, in order to codify the most basic data security responsibilities required of corporate America. In this way, the FTC can better protect consumers in the digital world.


This Comment will unfold in three parts. Part I begins by describing the current U.S. administrative approach to data protection and the FTC's central role in it. Focusing on the FTC's broad consumer protection authority under Section 5(a) of the Federal Trade Commission Act of 1914, the nuts and bolts of every FTC data security action are explained. Part II provides an overview of two recent...
