{ "id": "R43723", "type": "CRS Report", "typeId": "REPORTS", "number": "R43723", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 434220, "date": "2014-09-11", "retrieved": "2016-04-06T20:05:11.011851", "title": "The Federal Trade Commission\u2019s Regulation of Data Security Under Its Unfair or Deceptive Acts or Practices (UDAP) Authority", "summary": "The Federal Trade Commission Act established the Federal Trade Commission (FTC or Commission) in 1914. The protection of consumers from anticompetitive, deceptive, or unfair business practices is at the core of the FTC\u2019s mission. As part of that mission, the FTC has been at the forefront of the federal government\u2019s efforts to protect sensitive consumer information from data breaches and regulate cybersecurity. As the number of data breaches has soared, so too have FTC investigations into lax data security practices. The FTC has not been delegated specific authority to regulate data security. Rather, the FTC has broad authority under Section 5 of the Federal Trade Commission Act (FTC Act) to prohibit unfair and deceptive acts or practices. \nIn 1995, the FTC first became involved with consumer privacy issues. Initially, the FTC promoted industry self-regulation as the preferred approach to combatting threats to consumer privacy. After assessing its effectiveness, however, the FTC reported to Congress that self-regulation was not working. Thereupon, the FTC began taking legal action under Section 5 of the FTC Act. Section 5 of the FTC Act prohibits unfair or deceptive acts or practices. Since 2002, the FTC has pursued numerous investigations under Section 5 of the FTC Act against companies for failures to abide by stated privacy policies or engage in reasonable data security practices. It has monitored compliance with consent orders issued to companies for such failures. \nUsing the deception prong of its statute, the FTC has settled more than 30 matters challenging companies\u2019 claims about the security they provide for consumers\u2019 personal data and more than 20 cases alleging that a company\u2019s failure to reasonably safeguard consumer data was an unfair practice. Because most of the FTC\u2019s privacy and data security cases were resolved with settlements or abandoned, there have been few judicial decisions. Against this backdrop, there are now two pending cases testing the FTC\u2019s unfairness authority under Section 5 of FTC Act as a means to respond to data breaches. These cases could have far-reaching implications for the liability of companies whose computer systems suffer a data breach. Both cases are the subject of a great deal of interest from Congress, businesses, trade groups, corporate law firms, and legal scholars.\nIn April 2014, in FTC v. Wyndham Worldwide Corp., a federal district court denied a motion to dismiss, thereby effectively lending support to the FTC\u2019s position that it possesses jurisdiction to regulate data security practices under its authority to bring enforcement actions against unfair or deceptive practices. In another case, In the Matter of LabMD\u2014an administrative enforcement action brought against a medical diagnostics laboratory\u2014the commission rejected a motion to dismiss that challenged the FTC\u2019s authority to impose sanctions under the FTC Act. Both decisions are currently being appealed. Wyndham is on appeal to the Third Circuit, and LabMD has asked the Eleventh Circuit for the third time to intervene. The FTC\u2019s administrative action against LabMD was stayed this summer pending a related congressional hearing.\nSeveral cyber and data security bills before Congress include provisions that would explicitly authorize the FTC to issue rules to implement data security standards and assess civil penalties. \nThe FTC has called for federal legislation that would strengthen its existing authority governing data security standards and require companies to provide breach notification to consumers. This report provides background on the FTC and its legal authorities in the context of data security, and discusses the two aforementioned cases.", "type": "CRS Report", "typeId": "REPORTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/R43723", "sha1": "41c3a2f579d7d001138e378ac5b8d8743b07c3ec", "filename": "files/20140911_R43723_41c3a2f579d7d001138e378ac5b8d8743b07c3ec.html", "images": null }, { "format": "PDF", "encoding": null, "url": "http://www.crs.gov/Reports/pdf/R43723", "sha1": "e59afe8051aadfa5d8d4c705770759f31fd06402", "filename": "files/20140911_R43723_e59afe8051aadfa5d8d4c705770759f31fd06402.pdf", "images": null } ], "topics": [] } ], "topics": [] }