Data Security and the FTC's UnCommon Law

Justin (Gus) Hurwitz*

ABSTRACT: There were more data breaches in 2014 than any prior year, including the well-publicized attacks on Sony, Target, JPMorgan, and Home Depot—and uncountably more on individuals and smaller companies. This pace continued into 2015, with attacks against Anthem BCBS, Hacking Team, eBay, Trump Hotels, and Ashley Madison, and with a notable expansion into attacks on government targets, including major breaches from OPM and the IRS. Over the past 15 years, and in response to the lack of any comprehensive legal framework for addressing data security concerns, the FTC has acted as the primary regulator of data security practices in the United States. In this role, the FTC has used ad-hoc enforcement of its statutory "unfair acts and practices" authority to develop a "common law" of data security.

This Article raises concerns that the FTC's self-styled "common-law" approach to data security regulation is yielding an unsound body of law. It argues that the FTC's approach lacks critical features of the common law that are necessary for the development of jurisprudentially legitimate rules, and also that this approach raises jurisdictional and due process concerns. It builds on these critiques to recommend an alternative approach for the FTC to consider: treating a firm's lack of an affirmative data security policy as an unfair practice. In so doing, this Article makes contributions to ongoing pressing discussions about how the law and regulators should respond to data security issues. It also makes contributions to ongoing scholarly discussions of agency choice of procedure and due process, both of which are of active and increasing interest in the administrative and regulatory law communities.

* Assistant Professor of Law, University of Nebraska College of Law. J.D., University of Chicago Law School; M.A., Economics, George Mason University; B.A., St. John's College. With thanks to participants at the George Mason University Law and Economics Center Roundtable on Data Security, IPSC 2014, workshop participants at the Universities of Nebraska, Oklahoma, and Indiana-Bloomington, and in particular to Berin Szoka, Woody Hartzog, and Dan Solove, as well as Jane Bambauer, Eric Berger, Derek Bambauer, James Cooper, Margaret Hu, Bruce Kobayashi, Steve Willborn, and Todd Zywicki, among others. This Article resulted from an earlier project co-authored with Berin Szoka.

956 IOWA LAW REVIEW [Vol. 101:955

I. INTRODUCTION ..... 957
II. THE FTC'S "COMMON" LAW ..... 963
  A. The FTC's "Unfairness" Phoenix ..... 964
  B. What Is the FTC's "Common Law"? ..... 966
  C. The Genesis of the FTC's "Common Law" ..... 967
  D. Early Judicial Responses to the FTC's Approach to Data Security ..... 971
III. THE FTC'S "COMMON LAW" IS NOT COMMON LAW ..... 980
  A. What Is Common Law? ..... 980
  B. There's Nothing Common About the FTC's "Common Law" ..... 984
IV. RULEMAKING VS. ADJUDICATION IN ADMINISTRATIVE LAW ..... 988
  A. The Broad Context of Agency Choice of Procedure: Rulemaking & Adjudication ..... 989
  B. Chenery II and Agency Choice of Procedure ..... 990
  C. Wyman-Gordon, Bell-Aerospace, and the Failed Challenge to Discretion ..... 993
  D. From Chevron to Mead ..... 994
V. THE COMMISSION'S ADMINISTRATIVE JURISPRUDENCE ..... 997
  A. The Rulemaking vs. Adjudicatory Mindsets ..... 998
  B. The FTC's Rulemaking Domain ..... 1000
  C. Other Concerns: Fair Notice & Jurisdiction ..... 1002
  D. Other Concerns: Conflicting Incentives ..... 1006
VI. THE ROLE OF FTC ADJUDICATION IN LAW MAKING AND DATA SECURITY ..... 1008
  A. The Need for and Challenge of Adjudication ..... 1008
  B. Effective Adjudication ..... 1012
  C. A Role for the FTC in Data Security ..... 1015
VII. CONCLUSION ..... 1017
AFTERWORD ..... 1018

2016] THE FTC'S UNCOMMON LAW 957

I. INTRODUCTION

According to Federal Bureau of Investigation ("FBI") Director James Comey, "There are two kinds of big companies in the United States. There are those who've been hacked . . . and those who don't know they've been hacked . . . ."1 Indeed, a recent report estimates that 43% of companies experienced data breaches in 2014.2 In recent years, these breaches affected some of the largest, most sophisticated firms in the world, including Sony, Target, eBay, JPMorgan, Home Depot, Anthem BCBS, Hacking Team, Ashley Madison, and CHS Community Health Systems—as well as government targets such as OPM and the IRS.3 These and other attacks result from a broad range of motivations, including politics, espionage, theft of financial or personal information, and simple vandalism. Yet, we have no effective—let alone comprehensive—legal framework to prevent or respond to these attacks.

Over the past 15 years, the Federal Trade Commission ("FTC") has attempted to fill this void, acting as the primary regulator of online privacy and data security in the United States. This Article questions both the jurisdiction and efficacy of the FTC's role in addressing data security concerns. The Commission has come into this role largely because of the breadth and ill-defined boundaries of its authorizing statute, read in conjunction with some limited authority to regulate narrow privacy and data security issues under cognate statutes.4 Since the advent of the consumer Internet, there has been a palpable regulatory vacuum in these areas. But regulation abhors a vacuum, and—though ill-suited to the task—the FTC has been quick to fill it. The FTC has brought over 50 enforcement actions relating to online data security over the past decade (and over another 100 privacy actions).5

In its data security cases, the FTC generally takes action against firms whose computers have been compromised by hackers seeking access to customer information such as credit cards or social security numbers. Because there is no specific statutory framework relating to data security in the United States, the FTC brings these cases under its unfair and deceptive acts and practices ("UDAP") authority.6 For myriad reasons, these cases almost always settle prior to litigation, with the firm whose computers were breached agreeing to decades of ongoing monitoring and security audits and the threat of substantial fines for future breaches.7 Only two cases to date have failed to settle, FTC v. Wyndham Worldwide Corp. and LabMD, Inc. v. FTC, both of which are currently in litigation.8 A central question in these cases is whether the FTC's past settlements form a common-law-like body of precedent sufficient to give firms notice of the FTC's data security standards.

The Commission has been quick to defend its efforts. This defensive attitude has increased in recent years, largely in response to three related issues. First, the two cases currently pending have for the first time subjected the FTC's practices to judicial scrutiny. Second, Congress is actively considering the need for privacy and data security legislation; the FTC seeks to defend its record both to preserve its existing power and to capture greater power through any new legislation. And third, the Commission is seeking legitimacy for the enforcement actions that it has already taken over the past decade.

This Article challenges the FTC's approach to regulating data security and related issues. In particular, it raises concerns over the Commission's self-styled "common law" approach to developing legal norms. While the Commission's approach—based on case-by-case enforcement actions—does bear some resemblance to that of common-law courts, it also bears important differences that render the comparison inapposite. Perhaps most important, common-law courts shape legal norms because...

1. James Cook, FBI Director: China Has Hacked Every Big US Company, BUS. INSIDER (Oct. 6, 2014, 6:24 AM), http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10 (quoting James Comey, FBI Director).
2. PONEMON INST. LLC, IS YOUR COMPANY READY FOR A BIG DATA BREACH?: THE SECOND ANNUAL STUDY ON DATA BREACH PREPAREDNESS 1 (2014), http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf.
3. See, e.g., PONEMON INST. LLC, 2014: A YEAR OF MEGA BREACHES 1 (2015), http://www.ponemon.org/local/upload/file/2014%20The%20Year%20of%20the%20Mega%20Breach%20FINAL_3.pdf.
4. For instance, the FTC has some authority to regulate disclosures of information about consumers of financial products under the Gramm–Leach–Bliley Act, 15 U.S.C. §§ 6801–6809 (2012), and has authority to regulate privacy issues relating to children's use of the Internet through the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§ 6501–6506 (2012).
5. See FED. TRADE COMM'N, 2014 PRIVACY AND DATA SECURITY UPDATE (2014), http://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2014/privacydatasecurityupdate_2014.pdf.