The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

The FTC’s Use of its Unfairness Jurisdiction in Data Security Breach Cases: Is it Fair?

by Lisa Jose Fales and Jennifer T. Mallon
In January 2006, the Federal Trade Commission (“FTC”) obtained record penalties of $10 million in civil fines and $5 million in consumer redress against ChoicePoint, Inc. (“ChoicePoint”), a data security broker, for compromising the personal financial records of more than 163,000 consumers.2 What is significant about this case is not only the size of the fine, but one of the legal theories upon which the FTC relied – its broad authority granted under the unfairness prong of Section 5 of the FTC Act. ChoicePoint and other data security breach settlements such as the December 2005 settlement with shoe warehouse retailer DSW Inc. (“DSW”) and the June 2005 settlement with BJ’s Wholesale Club. Inc. (“BJ’s”) reflect an overall enforcement strategy in data security breach cases that often either includes an unfairness claim, or, as in the case of DSW and BJ’s, rests exclusively on unfairness.3 The unfairness standard relies on a subjective analysis as to whether the respondent’s data security measures were “reasonable and appropriate to protect personal information and files.”

Continue reading