Moving Beyond “Reasonable”: Clarifying the FTC’s Use of Its Unfairness Authority in Data Security Enforcement Actions

March 31, 2016


Data security breaches, which compromise private consumer information, seem to be an ever-increasing threat.  To stem this tide, the Federal Trade Commission (FTC) has relied upon its authority to enforce the prohibition against unfair business practices under section 5 of the Federal Trade Commission Act (“section 5”) to hold companies accountable when they fail to employ data security measures that could prevent breaches.  Specifically, the FTC brings enforcement actions when it finds that companies have failed to implement “reasonable” data security measures.  However, companies and scholars argue that the FTC has not provided adequate notice of which data security practices it considers “reasonable” for the purposes of section 5.

This Note explains and critically analyzes several existing proposals that seek to bring clarity to the FTC’s application of its unfairness authority in the data security context and ultimately proposes a novel solution which encourages the FTC explicitly to outline its minimum data security requirements through nonlegislative rulemaking.  This Note contends that the FTC should incorporate a principle of proportionality in any rule to ensure that companies know which data security measures they should implement based on the relative sensitivity of the consumer data that they retain.  Additionally, this Note suggests that the FTC should incorporate a safe harbor provision so that compliant companies know that, by following the FTC’s guidelines, they will be immune from section 5 enforcement actions.

April 2016

No. 5