FTC Process and the Misguided Notion of an FTC “Common Law” of Data Security


“Commissioner Brill and a few academics have described the FTC’s data security settlements as developing a “common law” of data security. It is not readily apparent, however, that the over 50 independent complaints and settlement agreements between the FTC and particular companies amount to what is traditionally understood as the common law. Moreover, because the FTC’s enforcement and adjudication process differs so substantially from traditional civil adjudication, even if the FTC’s data security settlements have certain common law characteristics, it is likely that the content of the FTC’s data security law differs substantially from what would emerge from – and what would be desirable in – a traditional common law process.

As it happens, however, we do have an actual common law of data security — that is, data security cases adjudicated in civil courts — with which to compare the FTC’s process and settlements.

Those who defend the notion of an FTC data security common law identify the shortcomings of common law in civil courts—alleging, in essence, a sort of “market failure”—and they suggest that the FTC’s common law approach can and should correct this market failure, in part because the FTC does have a common law process. These claims are often largely descriptive, but, as suggested, there must be a normative preference inherent in the “common law” conclusion – or else, who cares?

This paper attempts to analyze this alleged administrative “common law” with reference to the actual common law baseline of data security developing in federal courtrooms. We consider the dynamics in both processes, and assess to what extent they comport with the attributes of common law, and whether they likely further the desirable aspects of a common law process.”