If the reaction to recent data security breaches at national retailers Target, Michael’s and Apple is any indication, protecting consumer information will continue to be a hot topic. Yet while consumer concerns about theft are universal rather than industry-specific, regulatory protection lags behind. To date, no federal regulation or law sets forth data-security standards that apply to all companies engaged in interstate commerce.
The Federal Trade Commission (FTC) is doing its best to fill the void. Since 2000, the FTC has brought more than 40 data security enforcement actions, and just three months into 2014, the FTC has negotiated settlements with Fandango and CreditKarma for alleged failures to take reasonable steps to secure consumers’ personal information. The FTC relies on Section 5(a) of the FTC Act as its authority for enforcement actions; the statute provides that “unfair or deceptive acts or practices in or affecting commerce...are...declared unlawful.” Unfair practices are broadly defined as those that “cause or [are] likely to cause substantial injury to consumers…not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”