101 Iowa L. Rev. 955 (2016)

Download PDF

Abstract

There were more data breaches in 2014 than any prior year, including the well-publicized attacks on Sony, Target, JPMorgan, and Home Depot—and uncountably more on individuals and smaller companies. This pace continued into 2015, with attacks against Anthem BCBS, Hacking Team, eBay, Trump Hotels, and Ashley Madison, and with a notable expansion into attacks on government targets, including major breaches from OPM and the IRS. Over the past 15 years, and in response to the lack of any comprehensive legal framework for addressing data security concerns, the FTC has acted as the primary regulator of data security practices in the United States. In this role, the FTC has used ad-hoc enforcement of its statutory “unfair acts and practices” authority to develop a “common law” of data security.

This Article raises concerns that the FTC’s self-styled “common-law” approach to data security regulation is yielding an unsound body of law. It argues that the FTC’s approach lacks critical features of the common law that are necessary for the development of jurisprudentially legitimate rules, and also that this approach raises jurisdictional and due process concerns. It builds on these critiques to recommend an alternative approach for the FTC to consider: treating a firm’s lack of an affirmative data security policy as an unfair practice.

In so doing, this Article makes contributions to ongoing pressing discussions about how the law and regulators should respond to data security issues. It also makes contributions to ongoing scholarly discussions of agency choice of procedure and due process, both of which are of active and increasing interest in the administrative and regulatory law communities.