RESPONSES TO REGULATORY ENFORCEMENT AND CLASS ACTIONS ARISING FROM DATA BREACHES: TOO LITTLE, TOO LATE?

Seemingly every day there is news of another cyber attack or breach of private information. In the past two months alone, we learned that one identity theft ring accessed credit card or email data from several large companies, including Cupid Media, PR Newswire, Adobe and LexisNexis, affecting millions of individuals. More importantly, cybercrime shows no sign of abating, as hackers adapt to new technologies and become increasingly savvy at accessing private information. This rise in cybercrime, and the attendant media coverage, has resulted in a corresponding increase in the number of regulatory enforcement actions filed by the Federal Trade Commission (FTC), as well as a wave of consumer class actions. Companies face a substantial risk of financial and reputational harm from data breaches and related litigation. Businesses are nevertheless fighting back against such suits by contesting the FTC’s authority to bring enforcement actions and challenging class actions based on several legal theories.

In the past few years, the FTC has initiated nearly 50 enforcement actions for data security violations. The vast majority of these actions have resulted in settlements that include large fines and require businesses to meet specific cyber security criteria and submit to audits. The FTC brings these regulatory actions for data breaches under the general authority of Section 5 of the FTC Act, which prohibits businesses from engaging in “unfair or deceptive acts or practices in or affecting commerce”. The FTC interprets this language as authorising it to ensure that companies are adequately protecting private consumer information. Recently, however, two companies have challenged the FTC’s authority to bring such actions.

Jan-Mar 2014 Issue

Governo Law Firm LLC