Emory Law Journal


Ian M. Davis


Welcome to the digital age, where consumer data is more valuable than gold. In this era of information, companies treat personal data as a prized commodity, leveraging its potential to boost business and engage an ever-growing number of customers. Yet when companies fail to protect the sensitive data that they hold, consumers are left with few avenues to obtain redress for the harms they may have suffered. In an effort to protect consumers, the Federal Trade Commission (FTC) has been policing inadequate data security practices since the early 2000s. Using its broad authority under Section 5 of the Federal Trade Commission Act, the FTC routinely brings enforcement actions against companies that have sustained data breaches, yet could have implemented reasonable security measures to prevent them. In the vast majority of proceedings, the violating entity chooses to settle with the FTC rather than incur the various costs associated with litigation. The orders that accompany the conclusion of every enforcement proceeding typically require the violator to enact a comprehensive data security overhaul. In 2018, such an FTC order was vacated by the U.S. Court of Appeals for the Eleventh Circuit. On the heels of this decision, it is apparent that the FTC must recalibrate its approach to enforcing unlawful data security practices. This Comment contends that the Commission should draw on its substantial experience with data protection and promulgate a rule that transparently specifies the standard by which data security is to be regulated. Although the FTC’s decision to abstain from using its Magnuson-Moss rulemaking authority may have been prudent in the early days of its foray into data security, times have changed. Embracing the heightened public participation interwoven throughout the hybrid rulemaking process, the FTC is fully capable of delineating a data security standard in a reasonable amount of time. And once the rule-based standard is in place, the FTC can reap the benefits of a framework that provides the regulated community with enhanced guidance and the consumer public with greater protection from preventable data harms.