The Battle Against Breaches: A Call for Modernizing Federal Consumer Data Security Regulation.

Author: Bossone, Alex

TABLE OF CONTENTS

I. INTRODUCTION
II. THE CURRENT LEGAL FRAMEWORK FOR DATA SECURITY IS NEBULOUS--BUT THE THREAT OF BREACH IS VERY REAL
    A. U.S. Federal Circuits Are Divided on an Individual Right of Action in the Event of a Breach
    B. The FTC's Vague Role as the Unofficial U.S. Data Protection Agency
    C. The FCC is Expanding its Role in Data Security Regulation, and is Taking a More Focused Approach Than the FTC
III. THE FTC SHOULD MOVE FORWARD WITH A SPECIFIC REQUIREMENTS ENFORCEMENT MODEL SIMILAR TO THE FCC'S APPROACH DEMONSTRATED IN COX
    A. The FTC Needs to Provide Businesses with More Clarity on What Data Security Practices to Adopt, and When a Breach Should be Actionable
    B. Data Breach Remedies Should Include Recourse for Consumers Commensurate with the Modern Value of Personal Data
IV. CONCLUSION

I. INTRODUCTION

In the United States, the years 2013 and 2014 were marked by a series of high-profile data breaches that resulted in the theft of consumer payment information from various retailers' data systems. By May 2015, data breaches were on pace to cost roughly $70 billion annually (1) in the United States. (2) While not every consumer who had their personal information stolen incurred harm due to fraudulent charges or identity theft, many consumers have become wary of which companies they choose to do business with, and some have chosen to avoid using electronic payment methods that have been compromised by hacks. (3) Companies have also suffered losses as cyber-attacks have become increasingly frequent and costly. (4) The average data breach in 2015 cost $3.79 million for the victim company, eight percent more than the year prior, as negative publicity and expensive security measures take their toll on the bottom line. (5)

Consumers who are affected by breaches have turned to the courts for recourse, but federal circuit courts are split over when an individual may recover for a data breach claim. In Remijas v. Neiman Marcus Group, LLC, the United States Court of Appeals for the Seventh Circuit held that customers have Article III standing to seek relief against a company from which the customers' data was stolen, even where the data has not yet been harmfully used (for example, via fraudulent credit card charges). (6) In contrast, the Third Circuit held in Reilly v. Ceridian Corporation that data breach plaintiffs in a separate incident lacked Article III standing to recover where the alleged harm of an increased risk of identity theft from exposure of the data was deemed to be too hypothetical and incapable of being quantified. (7)

The circuit split highlights the inadequacy of available remedies for consumers in the event of a data breach, and the lack of a regulatory scheme that sufficiently reflects the increasing value of personal data. In contrast to many other countries that have specialized data privacy agencies (DPA) to administer a national regulatory framework for data privacy, the United States has designated the Federal Trade Commission (FTC) as its "de facto federal DPA." (8) The FTC bases its data privacy authority on Section 5 of the FTC Act, (9) which establishes its power to guard against unfair or deceptive business practices. Other federal agencies claim narrower authority over the data practices of companies within their respective industries, with the Federal Communications Commission (FCC) pursuing enforcement actions over telecommunications and cable providers that suffer breaches. (10)

This Note will argue that Congress should augment the FTC's existing data security powers to preclude any challenges to the Commission's authority in that area, and to mandate a more effective framework by emulating the FCC Enforcement Bureau's approach. The Enforcement Bureau laid out its enforcement model in a 2015 data breach action that, for the first time, imposed specific technological requirements on an FCC licensee, in contrast to the FTC's approach of holding companies to a general "reasonableness" standard regarding data security practices. (11) The framework proposed in this Note would provide more specific guidelines to companies on how to keep their security practices up to date, and would provide incentives for businesses to follow the guidelines. The new regulations would also provide consumers with recourse in the event of a breach. As personal data becomes an increasingly valuable commodity, consumers face an unprecedented need for a reliable means of asserting their rights against the companies that profit from the use of data yet negligently handle it. As technology improves, data security systems will only become more complex, and hackers will only become more sophisticated. A new regulatory scheme addressing consumer data security requires specific solutions for businesses to ensure that data practices effectively keep pace with rapid technological developments and the further integration of the Internet into individuals' daily lives. In addition, enforcement actions need to provide consumers with adequate remedies for the exposure of personal data, and should give businesses notice of the level of responsibility to which they will be held for failing to protect consumer data.

Accordingly, Part II of this Note will examine the circuit split over consumers' right of action in response to a breach, and will explore the FTC and FCC's roles in regulating the data security practices of U.S. businesses. Part III will discuss why the current regulatory framework for data security is insufficient to protect consumers from data breaches, and will outline what a new FTC regime of regulatory oversight based on the FCC's "specific requirements" enforcement method might look like. Finally, Part IV will offer conclusions and a brief summary of the proposed legislation.


The prevailing U.S. policy approach regarding consumer data security at both the federal and state levels can largely be described as "hands-off," especially when compared with the protectionist approaches of countries in the European Union (EU). (12) Until 2003, when California passed the first state law requiring entities to notify individuals whose personal data have been compromised by a breach, (13) no government entity in the U.S. had undertaken broad legislative measures to protect data owners from third-party theft. (14) As for the establishment of a comprehensive regulatory scheme that covers both data privacy and protection, the EU has proved to be perhaps the most aggressive legislative body through its creation of the Data Protection Directive (DPD) in 1995. (15) The DPD, which is binding on all EU member states, establishes personal data protection as a "fundamental [human] right," and requires each EU member to create its own independent Data Protection Agency (DPA) to oversee and enforce domestic data security regulations. (16)

In contrast, the U.S. has designated the FTC as its own "de facto federal DPA," pursuant to the FTC's enforcement powers under Section 5 of the FTC Act regarding "unfair or deceptive business practices." (17) The FTC has also utilized a number of federal statutes related to the protection of very specific kinds of personal data. (18) Despite the FTC's recently expanded role in regulating data security practices, "its field of competence is more restricted than is typical for European DPAs." (19) One explanation for this divergence in policy approaches may be that U.S. corporations like Google and Facebook have lobbied for data legislation in the U.S. that EU authorities have viewed as insufficient to satisfy their own fundamentally held principle of data protection as a human right. (20) As the current data security paradigm stands in the U.S., the FTC has not been able to provide recourse for individual consumers who have had personal data stolen via increasingly costly retail data breaches, leaving them to fend for themselves in the courts--with varying measures of success. (21)

This section will first explore how courts have struggled to fully appreciate the harm that a data breach causes the affected consumers, especially in cases where the victims do not suffer immediate financial costs. Next, this section will discuss the FTC's vague "reasonableness" standard for commercial data security practices and will argue that the standard fails to adequately promote best practices among companies that handle consumer data. Finally, an examination of the FCC's more focused regulatory approach will follow, before moving on to a discussion of the proposed legislation.

A. U.S. Federal Circuits Are Divided on an Individual Right of Action in the Event of a Breach

The U.S. judicial system is ill-suited to address the pressing need for a federal legal standard on consumer data security, as it lacks expertise and clear statutory guidance in that area. The split between the Third and Seventh Circuits illustrates that some courts do not yet understand the increasingly high value of personal data and the harmful impact of breaches. (22) While many U.S. consumers have been left without a remedy for stolen personal data, the Seventh Circuit in Remijas recognized the cognizable harm that a retail data breach poses to the affected consumers, even where the precise level of financial harm cannot be calculated. (23) In 2014, a number of customers at Neiman Marcus brought a consolidated action against the retailer for a data breach that exposed approximately 350,000 credit card numbers, 9,200 of which were subsequently used to make fraudulent purchases. (24) Though the plaintiffs conceded that they were reimbursed by Neiman Marcus for the fraudulent charges, they argued successfully that they had incurred redressable harm in the form of: (1) mitigation expenses (the time and money lost resolving the stolen data issue and protecting themselves from future fraudulent...
