Court Sides with FTC on Sweeping Data Security Role

April 09, 2014

A U.S. District Court has ruled this week that the Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to bring enforcement litigation against companies whose data security practices are deemed to be “unfair” or “deceptive.” The ruling does not require the FTC to issue any standards or guidelines as to what data security practices are sufficient in the eyes of the FTC. The ruling is likely to lead to an increase in FTC enforcement actions and private litigation.

For more than a decade, the FTC has targeted companies for maintaining what the FTC believes are unreasonable data security safeguards. Because there is currently no federal law, regulation, or agency guidance that spells out the data privacy standards that all companies operating in the U.S. must satisfy, the FTC has proceeded under its general authority to address “unfair” or “deceptive” business practices. The FTC has stepped in not only in cases of actual data breaches involving the theft or unauthorized disclosure of customers’ personal data, but also in circumstances where the FTC believes there may be deficiencies in a company’s data security systems that create a risk of potential future consumer harm.

Read "Court Sides with FTC on Sweeping Data Security Role."