Since 1995, the Federal Trade Commission (FTC) has used its jurisdiction to police “unfair or deceptive acts or practices”
to force companies to adopt data security measures capable of protecting consumer data.
However, the FTC’s authority in the data security enforcement context came under scrutiny in LabMD, Inc. v. FTC, a 2018 Eleventh Circuit decision that invalidated the FTC’s attempted enforcement action against LabMD, a medical laboratory that suffered a data breach exposing patient records.
Finding that the FTC’s proposed consent order “commanded LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness,” the court held that the FTC could not enforce its order.
Specifically, the court cited the lack of specificity of what data security measures LabMD failed to take prior to the breach and would be ordered to take if the company agreed to the consent order as the reasons for its decision.
For the FTC, LabMD represented a significant defeat. Prior to the decision, the FTC used its authority under the “unfairness” prong of Federal Trade Commission Act Section 5 to bring cases against companies for failing to adopt what the Commission considers “reasonable” data security measures without any additional specificity.
Therefore, the LabMD decision called into question the FTC’s entire data security enforcement practice. In December 2018, the agency held a rare public hearing on the topic.
In 2019, FTC Chairman Joseph Simons asked Congress for “targeted rule-making authority” in the data security context governed by “clear and specific rules.”
And, the FTC claims to be making its data security orders more specific
—including almost entirely eliminating the word “reasonableness” from its consent decrees.
However, the Commission has still provided little guidance on what data security practices constitute an “unfair” practice within the ambit of the FTC’s statutory enforcement authority to remedy, and still continues to use the vague “reasonableness” standard in its complaints when bringing enforcement actions.
Congress could fix this problem by specifying the FTC’s data security enforcement authority, but so far it has failed to do so. And there is little hope for reform in the near future. Following California’s passage of a data privacy law in 2018 (the California Consumer Privacy Act (CCPA)) and the implementation of the General Data Protection Regulation (GDPR) in the European Union, the current focus in Congress is on data privacy—“user . . . control over how businesses collect, use, and share their information”—and not data security—“prevent[ing] unauthorized parties from accessing, altering, or rendering unavailable [consumers’] data.”
As a result, regulated parties—really any business operating online or using electronic records—are likely to continue to face the risk of FTC data security enforcement actions without clarified standards. Congress has failed “to make the ‘important policy choices’’’
with respect to data security regulation and has left regulated parties to contend with ad hoc FTC enforcement guided by both vague statutory authority (“unfairness”) and vague standards (“reasonableness”).
This Comment argues that regulated parties lack adequate notice of what the FTC considers “unfair” data security practices given the realities of the FTC’s current enforcement mechanisms, and that Congress should provide clearer data security standards as part of a larger privacy bill. Absent congressional action, regulated parties should begin commenting on the FTC’s complaints, orders, and consent decrees to force the Commission’s data security staff to clarify what data security practices companies must adopt to avoid FTC enforcement actions. Part I discusses the FTC’s current data security enforcement practices, the LabMD decision that called them into question, and the Commission’s reaction to LabMD. Part II identifies the problem with the current approach and argues that the changes the FTC has made post-LabMD fail to sufficiently clarify what the FTC considers “reasonable” data security practices. Part III provides two potential solutions, one involving congressional action and one involving congressional inaction, to provide regulated parties notice of what “reasonable” data security means.
I. FTC Data Security Enforcement Practice Before and After LabMD
The FTC has brought seventy cases alleging inadequate data security practices since 1995.
Section I.A provides a description of the statutory authority that the FTC uses for data security enforcement. Then, section I.B describes LabMD and explains why the case called into question the FTC’s data security enforcement practice. Section I.C discusses the FTC’s reaction to LabMD.
A. The FTC’s Claimed Statutory Authority to Regulate Data Security
The FTC uses its statutory authority to police “unfair or deceptive acts or practices”
in order to make companies adopt data security measures with the goal of protecting consumer data.
When the FTC is alerted to a data breach and has “‘reason to believe’ the law is being violated,”
the FTC has two methods for bringing an enforcement action against the company responsible for the data’s safekeeping, and two statutory provisions under which it can bring the action.
First, the FTC can choose whether to bring an enforcement action in an administrative proceeding or in federal court.
In the data security context, the FTC rarely brings cases in court and instead uses administrative adjudication to force defendants into consent decrees.
Second, and more relevant to the data security context, is what prong the FTC brings the action under. When the Commission decides to initiate an enforcement action, the FTC chooses whether to bring the enforcement action under the “deceptive” or “unfairness” prongs of Section 5 of the FTC Act.
If the Commission brings the enforcement action under the “deceptive” prong, the FTC looks at the statements a business that experiences a data breach has made to consumers about privacy protection, and alleges the business violated the privacy standards it promised to consumers (and, therefore, “deceived” them).
For the “deceptive” prong to be violated, the FTC has said in its Policy Statement on Deception that the alleged deception must be “material” to consumers, meaning “consumers are likely to have chosen differently but for the deception.”
If the FTC brings an enforcement action under the “unfairness” prong, the Commission alleges that the business engaged in an unfair trade practice that allowed it to gain an advantage over competitors by not offering “reasonable” data security to consumers.
While the early data security enforcement actions were brought under the “deceptive” prong, recent controversial cases like LabMD have been brought under the “unfairness” prong, which suggests a desire on the part of the FTC to expand its enforcement power in the data security area.
This tracks with the change from the early period of the FTC’s data security enforcement when the FTC “encouraged self-regulation” during which “the companies themselves . . . create[d] their own rules, and the FTC . . . enforce[d] them” using the “deceptive” prong of Section 5.
In recent years, the FTC has been using the “unfairness” prong of Section 5 to bring cases against companies for failing to adopt what the Commission considers “reasonable” data security measures.
This “reasonableness” standard requires a company to adopt “data security measures . . . [that are] reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”
But, what are “reasonable” data security measures? As is discussed next, the LabMD case shows that the FTC did not make this clear.
B. The LabMD Decision
LabMD, Inc. was a “medical laboratory that previously conducted diagnostic testing for cancer . . . [that] used medical specimen samples, along with relevant patient information, to provide physicians with diagnoses.”
The company was a growing small business with thirty employees and four million dollars in annual sales prior to the litigation.
Then, LabMD’s billing manager used LimeWire on her computer to download music.
LimeWire is a “peer-to-peer file-sharing application” that makes anything within a “folder selected for downloads . . . available to others on the network.”
An employee from a data security firm was able to log onto LabMD’s network because of the billing manager’s mistake and download a file containing the personal information of 9,300 LabMD patients, which included their “names, dates of birth, social security numbers, laboratory test codes, and, for some, health insurance company names, addresses, and policy numbers.”
After LabMD refused to purchase the data security firm’s services to help investigate the data breach, the firm reported the breach to the FTC.
The FTC issued a complaint against LabMD alleging that the company engaged in “‘an unfair act or practice’ . . . by ‘engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.’”
LabMD was given an ultimatum: Go through costly litigation, or settle and sign a consent decree to revamp the company’s data security system and subject the company to FTC oversight.
LabMD’s founder chose the former option because the company feared doctors who used the company would think “that LabMD had been lax in protecting patient data and kill his business.”
A protracted litigation ensued, and ultimately the Eleventh Circuit found the FTC overstepped its authority in the case.
Concerned that the FTC’s “cease and desist order . . .” does not instruct LabMD “to stop committing a specific act or practice” and instead “commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness,” the Eleventh Circuit found the FTC’s order “unenforceable.”
The decision was perceived as having a significant impact on the FTC’s data security enforcement practice. Prior to LabMD, the FTC had “brought more than 60 cases related to data security. In all but one, the companies involved . . . settled, signing consent decrees that in many cases require 20 years of security audits by an outside firm and sometimes fines.”
Many of these cases were brought under the vague “reasonableness” standard the Eleventh Circuit found so problematic in LabMD. The next section discusses the FTC’s reaction to the decision.
C. FTC Data Security Enforcement Post-LabMD
LabMD brought attention to many of the problems with the FTC’s data security enforcement practices, and the Commission recognized this fact. After LabMD, the Commission scheduled a public hearing “to examine the FTC’s authority to deter unfair and deceptive conduct in data security . . . matters.”
Following the hearing, the FTC engaged in a public campaign to lobby Congress to provide the agency more authority over data security (and privacy) issues. The FTC has argued that the United States lags behind other western countries in its approach to data security. In an April 2019 congressional hearing, FTC Chairman Joseph Simons said that while the FTC only has forty employees dedicated to data security enforcement, the United Kingdom has 500.
As a result, the Commission has asked Congress to provide additional funding for data security (and privacy) enforcement staff, which the Commission hopes will provide funding for at least 160 new staffers who can help the Commission bring more cases.
The Commission has also asked for “comprehensive data security legislation . . . that would be enforced by the FTC.”
Specifically, Simons has asked for what he terms “targeted rule-making authority” in the data security context governed by “clear and specific rules.”
He has implored Congress to avoid “dump[ing] [the] question” of what rules to create on the FTC by granting the agency “broad rule-making authority.”
In other words, Simons is likely looking to avoid a repeat of LabMD by getting clear authority from Congress to regulate data security.
Additionally, the FTC claims to be making its data security orders more “specific.”
In a blog post, the Commission notes that the orders “continue to require that the company implement a comprehensive, process-based data security program, and [now] they require the company to implement specific safeguards to address the problems alleged in the complaint” such as “yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.”
This has included avoiding using the word “reasonable” in the “operative information security language” of the Commission’s data security consent decrees issued in 2019.
Of course, this is unsurprising given the LabMD court’s concern that the Commission tried to make the company implement a data security program “‘reasonably designed’ to the Commission’s satisfaction.”
However, the FTC continues to use “reasonableness” in its complaints alleging unfair data security practices.
This begs the question to which this Comment turns to next: Do regulated parties have notice about what the FTC considers “unreasonable,” and therefore “unfair,” data security practices that are within the Commission’s statutory authority to regulate?
II. Regulated Parties Lack Notice of What Constitutes “Unfair” Data Security Practices
Assuming the FTC has statutory authority to regulate data security under the “unfairness” prong and can make data security policy by adjudication, the Commission still must provide “fair notice” of what constitutes “reasonable,” and therefore “fair,” data security practices.
Even when looked at in the most positive light, the FTC has not provided fair notice to regulated parties about what data security measures the Commission considers appropriate. This is a result of (1) the lack of bright-line rules for when a party can be said to have engaged in “unreasonable,” and therefore “unfair,” data security practices and (2) the lack of information in the adjudicatory documents on the FTC’s website. Each of these will be discussed in turn.
A. Balancing Test Invites Arbitrary Enforcement
The FTC does not use bright-line rules in the data security context. In other words, there are no per se unreasonable data security practices. The Commission emphasizes that “it does not require perfect security” and “the mere fact that a breach occurred does not mean that a company has violated the law.”
Instead, the Commission will use a balancing test to determine whether to bring an action when a breach does occur. Before filing a complaint, the FTC will balance the costs and benefits of security measures that would have prevented the breach to determine whether the company behaved unreasonably by failing to adopt those measures, making the company’s behavior “unfair” within the meaning of the FTC Act.
While such a balancing test is common in administrative proceedings and allows agencies to use their prosecutorial discretion, the way the FTC pursues companies alleged to have engaged in unreasonable data security practices differs from many other administrative adjudications given its overly post hoc nature.
When a data breach occurs, the FTC decides whether or not to file a complaint based “only [on] those remedial measures it claim[s] would address the specific breach at issue,” and whether the company’s failure to institute those measures prior to the breach was unreasonable.
The FTC has the benefit of hindsight: The data breach happened. But what the company is prosecuted for is not the data breach itself; it is the specific measures the company failed to take that would have prevented the breach.
When determining whether to bring a data security case, the agency “ignores the overall compliance burden on a company to avoid excessive risk without knowing, ex ante, which specific harm(s) might occur.”
The FTC does not consider the overall risks the company faced and whether the failure to address the specific risk, when considered with all the others, was unreasonable.
Instead, the Commission’s data security staff make a post hoc determination of reasonableness without a “clear . . . baseline and a rigorous evaluation of the contribution of the company’s practices to any deviation from it.”
As a result, companies are penalized for the size of the data breach, not for their engagement in “unfair” or “unreasonable” data security practices.
For example, in LabMD, the Commission admitted that the company had a comprehensive data security program that “included ‘training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.’”
But because the program did not protect against the specific LimeWire risk that caused the breach, the FTC brought an enforcement action against the company.
There was no consideration of the percentage chance such a risk would have been ex ante (which was actually very low), nor credit given to LabMD for having a comprehensive data security program.
Instead, the Commission waited until the breach occurred and then determined LabMD behaved unreasonably with this benefit of hindsight.
Such a post hoc approach invites arbitrary enforcement given that the reasonableness of ex ante data security measures is not the reason the FTC actually brings a case; it is the data breach itself that causes the FTC to become involved. As some scholars have described, the FTC “infer[s] a high prior probability, or even a certainty, of insufficient security from a single, post hoc occurrence . . . [and] imposes an effective strict liability regime on companies that experience a breach . . . .”
Companies that fail to adopt anything resembling “fair” or “reasonable” data security practices may never face FTC enforcement actions if they are lucky enough to never experience a data breach. Companies that have comprehensive data security programs, such as LabMD, may face FTC enforcement actions because a breach occurs. The single biggest factor in the “balancing test” employed by the FTC when deciding to bring a case is the breach that occurred, even if the company could not have, or reasonably would not have, considered the risk prior to the breach. Such an approach would be more acceptable if the FTC provided notice about what the ex ante “reasonable” data security measures are. But the Commission has failed on that metric, as is discussed next.
B. FTC Data Security Complaints, Consent Orders, and Security Assessments Provide Little Information
Even if parties were to look at the FTC’s published records in data security cases, the parties would find very little information about what the Commission considers appropriate data security practices. This is the result of the practical realities companies face following a data breach that cause quick settlements with the FTC, the lack of specificity in the materials the FTC makes available about its enforcement practices, and the fact that FTC complaints only detail what data security practices the FTC considers “unfair” post hoc (as in, after a data breach).
1. Practical Realities Make Settlements the Norm, Leading to Few Well-Reasoned Documents Explaining “Fair” or “Reasonable” Data Security Practices. — First, the practical realities for companies plagued with a data breach contribute to the limited nature of available documents on what the FTC considers appropriate data security practices. Companies exposed to data breaches typically want to mitigate the impact to their business and quickly settle with the FTC.
In fact, complaints and consent orders are often released on the same day, as companies already facing a data breach choose to settle before there is any public mention of an FTC complaint that could further harm their business.
As a result, there is a lack of well-reasoned adjudicatory decisions by the Commission. The parties must rely on complaints, investigatory notices, and consent orders on the FTC’s website to get an idea of what the Commission considers to be “fair” or “reasonable” data security practices.
This limited number of available documents contributes to a lack of fair notice to parties about what data security practices the FTC expects companies to adopt.
2. Available Documents Lack Specificity. — Second, the documents that do exist lack specificity about what the Commission considers appropriate data security practices. FTC complaints and investigatory notices only contain boilerplate language and make conclusory statements accusing companies of having “unreasonable” data security practices that led to data breaches.
The complaints include a list of what the companies did not do to protect consumer data with conclusory statements that the practices are data security measures the companies should reasonably have taken.
For example, in its complaint against HTC America, the FTC accused the company of: “(a) fail[ing] to implement an adequate program to assess the security of products it shipped to consumers; (b) fail[ing] to implement adequate privacy and security guidance or training for its engineering staff; . . . [and] (d) fail[ing] to follow well-known and commonly-accepted secure programming practices . . . .”
These accusations are written in general language and lack the specificity a party trying to comply with FTC data security regulations could look to in order to find what the standards are. How does the FTC define “adequate privacy and security guidance,” for example? What about “well-known and commonly-accepted secure programming practices”? As a result of this general language, the complaints provide little guidance on what constitutes appropriate data security measures companies can take to avoid FTC enforcement actions against them.
The complaints also provide little guidance to regulated parties because they include no mention of the weight of the individual “reasonable” practices the company did not take. Invariably, the complaints include a sentence along these lines: “Respondent has engaged in a number of practices that, taken together, failed to provide reasonable security . . . .”
This remains the case after LabMD.
Even if a party could discern a clear practice required by an FTC complaint, the agency does not assert that failure to follow that practice will be deemed unlawful in the next case.
It all depends on the practices “taken together,” which is a case-by-case determination.
Consent decrees are another place regulated parties may hope to get information about what the Commission considers to be appropriate data security practices, but they are similarly deficient. When a party settles with the FTC, the FTC typically imposes a twenty-year consent order that requires continuous monitoring by the FTC and annual or biennial privacy assessments.
Because most parties choose to settle with the FTC, every data security case (with the exception of LabMD) has one on the FTC’s website.
However, “[e]ach clause and provision [of these consent decrees] is carefully worded to limit its scope and cabin any corporate liability.”
The orders are negotiated by lawyers for the corporation and the FTC, and are written in a manner that includes no admission of guilt.
And, like the complaints, the orders contain general language about what the Commission considers to be appropriate data security measures that will bring the corporation into compliance.
Another area where parties could look for guidance are the third-party privacy assessments that companies subject to consent orders are required to undergo annually or biannually.
However, there are two problems with these documents. First, they can only be obtained through a Freedom of Information Act request; they are not available on the agency’s website for regulated parties to view.
Second, because these assessments can be released to the public, they contain little information about what the company is doing, or what the FTC is making the company do, to comply with a consent decree.
This benefits large corporations concerned about a decline in stock value from publicly available information about the corporation’s data security compliance. But the lack of meaningful public assessments also benefits the FTC because the compliance efforts the agency pursues do not have to follow a uniform approach for each corporation under a consent order. A particularly revealing quote from one FTC Commissioner suggests the efforts of the Commission staff go far beyond what can be gleaned from any assessment:
[A]ny privacy or data security assessment that is released to the public . . . will not provide a complete picture of a company’s compliance under an FTC order, or the FTC’s efforts in monitoring that company’s compliance. This is . . . because the FTC’s compliance monitoring efforts in many cases extend far beyond what can be gleaned from an isolated assessment.
As a result, what the FTC considers “reasonable” data security measures is further hidden from public view. This provides additional support for the Eleventh Circuit’s conclusion in LabMD that the FTC’s data security consent orders require companies “to implement and maintain . . . data-security program[s] ‘reasonably designed’ to the Commission’s satisfaction.”
Such a requirement provides regulated parties not subject to FTC consent decrees little information about what the Commission considers appropriate data security, and may allow the Commission to regulate parties facing similar security threats differently. Given these problems with the FTC’s current data security enforcement practice, the next Part discusses how regulated parties can be provided further notice of the FTC’s data security requirements.
III. Clarifying the FTC’s Data Security Enforcement Authority
Despite the lack of clear data security standards creating uncertainty for businesses about whether there will be an enforcement action following a data breach, a solution to the problem has “confounded Congress.”
This Part argues that there are two solutions to clarifying the FTC’s data security standards, one that requires congressional action and another that can be achieved without congressional action. Section III.A proposes that, as part of the larger privacy bill being considered already, Congress adopt a private security standard as a floor for data security requirements and create a special exception to the FTC’s burdensome rulemaking process specifically when more comprehensive data security regulations are necessary. Section III.B proposes that, with or without congressional action, regulated parties should begin commenting on FTC data security complaints, orders, and consent decrees to force the Commission to further specify what constitutes appropriate data security practices to avoid FTC enforcement actions.
A. Congress Should Adopt a Data Security Floor and Give the FTC Targeted Rulemaking Authority when Regulating Beyond the Floor Is Necessary
Part of the problem with current FTC data security enforcement practice is that Congress has provided no guidance as to whether the FTC is even the appropriate agency to police data security practices, never mind particular standards outside of a few specific industries.
Now, the Commission has asked Congress for “comprehensive data security legislation . . . that would be enforced by the FTC.”
Specifically, FTC Chairman Simons has asked for “targeted rule-making authority” in the data security context, governed by “clear and specific rules.”
He has implored Congress to avoid “dump[ing] [the] question” of what rules to create on the FTC by granting the agency “broad rule-making authority.”
Simons, an appointee of President Trump, is advocating the Republican position in the data security and privacy space, which seeks to avoid converting the FTC into “a massive rule-making regime”
and wants Congress to “create the rules, and the FTC . . . to enforce them.”
Democrats, on the other hand, advocate giving the FTC increased rulemaking powers in both the data privacy and security contexts.
This Comment proposes a middle ground to the disparate positions advocated by Democrats and Republicans in Congress. First, Congress should adopt one of the private data security standards set by various industry groups and other organizations as a floor for what constitutes “fair” data security practices.
If a company is not following those standards, the FTC would have the ability to begin an enforcement action to force compliance. Second, Congress should provide the FTC with targeted rulemaking authority for either establishing more specific standards in individual industries that face unique data security challenges (and only those industries with unique challenges) or creating standards to respond to new cybersecurity threats faced by all data-holding industries. Importantly, the targeted rulemaking authority should be a specific data security exception to the FTC’s burdensome Magnuson–Moss rulemaking procedures—which include requirements like an informal hearing where interested parties are entitled to present oral testimony and potentially cross-examine witnesses—and be guided by the Administrative Procedure Act.
While this would give the FTC more authority, it would also help clarify the requirements to regulated parties.
There are likely two primary objections to such an approach. The first objection would likely come from opponents of big business who would advocate that private standards are not as rigorous as those the FTC may adopt if given complete rulemaking authority for data security regulation. However, the FTC may not have the expertise, budget, or number of employees necessary to create the Commission’s own standards. Currently, the Commission has only forty employees dedicated to data security enforcement,
which may be contributing to the current lack of clear enforcement standards. And the last time the federal government attempted to create cybersecurity standards—the Department of Commerce’s voluntary National Institute of Standards and Technology (NIST) framework—the task force ended up adopting five separate sets of industry standards, each of which comprises only part of the seventy-two data security practices that can be found through examination of FTC data security actions.
Choosing one set of private industry standards would eliminate the complexity of establishing a floor and give the FTC the ability to focus on rulemaking in areas where more is needed as well as on enforcement.
The second objection would come from privacy advocates who have asked Congress to set up an entirely new data protection agency, contending that the FTC “has failed to enforce the orders it has established” and should be forced to focus on antitrust cases, not data security and privacy enforcement.
However, it is unlikely Congress will create such an agency,
so this Comment proposes clarifying the FTC’s authority in this space rather than starting over.
B. Regulated Parties Can Comment
Given the current doubts that Congress will address data security in new data privacy legislation,
regulated parties should get the FTC to defend its settlements and consent orders on the record to add to the short list of available resources the FTC provides on its website to explain what it considers “fair” data security measures. One of the main problems with the FTC’s current approach to data security enforcement is that the agency is rarely forced to explain what the agency considers “unfair” because companies settle right away.
This results in few well-reasoned decisions in which the FTC is forced to present why it undertakes an enforcement action.
However, there is an underutilized tool that forces the FTC to provide more information. When the Commission issues a proposed consent order, the order is placed in the Federal Register and permits a comment period of thirty days before it becomes final.
When the consent order does become final, the FTC posts replies to all of the comments received during that thirty-day window.
One possibility for receiving, and challenging, the FTC’s reasoning and enforcement authority might be to get the agency talking more by commenting on these proposed consent orders. While the FTC may be measured in the language it uses, asking specific questions about what the Commission plans to do to enforce the order, for example, could be a way to better understand how the current enforcement practices work.
For the past couple of decades, the FTC has increasingly sought to become America’s chief data privacy and security enforcer despite its mission as an antitrust agency. The FTC has used the broad language in Section 5 of the FTC Act to garner expansive authority to bring enforcement proceedings for what the Commission deems “unfair” data security practices. This Comment shows that regulated parties lack adequate notice about what “fair” data security practices means. Now, after the Eleventh Circuit called the FTC’s data security enforcement authority into question in LabMD, the FTC’s authority in this space faces significant uncertainty. To clarify data security standards to regulated parties, Congress should provide clear authority to the FTC—as part of the larger privacy bill being discussed in Congress—using a private industry standard as the floor and enabling the FTC to regulate beyond that only when an industry faces a unique data security challenge or new cybersecurity threats necessitate further base expectations for all data-holding industries. Whether or not Congress enacts new data security legislation, regulated parties should begin commenting on FTC data security complaints, orders, and consent decrees to force the Commission to better articulate its data security requirements.
The core tenet of American administrative law is the prevention of arbitrary government. While no one disagrees with having better protections for consumer data, businesses large and small deserve to know the minimum data security requirements the FTC expects, if only to ensure that the FTC is exercising lawful authority and not arbitrary power.